Many web site owners have noticed lately that browsers are now displaying a "not secure" warning when they try to login to the back end of their own Wordpress, Joomla, or other CMS. What's going on?! Well, don't worry -- nothing has changed on your server or in your web site's code. What's happening is that browsers are now issuing warnings on login pages that aren't secured via an SSL certificate. Your site's actually as secure as it always was; it's just that now you're being shown an example of a page that's a little more vulnerable (if only technically / potentially) than other pages on your web site. If it's just you using your site, there may be no actual need to take action. But, many site owners nevertheless do not like to see such warnings. So, this article will explain what an SSL Certificate is, why you might want to get one, and the costs involved in doing so. It'll be pretty basic and straightforward, and also customized to Array Web Development's approach. So, take this advice for what it's worth. :-)
First, What Is SSL?
The easiest explanation is that it means that all of the URLs on your site will now begin with "https://" instead of just "http://". Depending on the type of SSL certificate you have, it might also turn part of the address bar green on some browsers and display a little lock icon. You've probably seen this on larger sites, like this:
Others look like this:
Still others look different depending on the certificate and the browser being used to view the site. The above examples are from Chrome, but IE, Firefox, Safari, etc. may present them differently.
Why Get an SSL Certificate?
Technically, having a SSL Certificate means that the connection between the user's browser and the web server is now encrypted, which eliminates some primary ways that hackers could interfere. (Usually, that would involve those login screens, which is why you see warnings on those screens when other screens on your site have no warnings.) More practically, it offers two additional benefits:
- seeing a green "secure" notice in the address bar provides a certain level of assurance to site visitors as to the legitimacy and security of the site (great for ecommerce sites and sites where users login), and
- there's a bit preference SEO-wise that Google awards sites that have SSL Certificates.
Do I *Need* an SSL Certificate?
No, most sites do not need one; and frankly, I don't yet believe that the SEO benefits are major enough to do it for that reason alone. However, it certainly couldn't hurt as just an extra bit of good Google karma, so to speak -- especially in competitive keyword-phrase environments. (My own sites, however, do not have or need SSL.)
However, if you're an ecommerce site (meaning that you accept and process payments on your site), then yes! And, even if you're not processing payments, you may also want to seriously consider having the SSL certificate if you have a lot of users logging in, and you do not wish for them to see a notice that your site is "insecure". For example, since ALL login screens will now show this, you may notice that your own site's Joomla login looks like mine:
That would also show on other login screens, such as ones your users may be using. So, yes, this is another good reason to have an SSL Certificate.
How Much Does Getting an SSL Cost?
Prices vary widely across the internet. However, it's a bit of a technical process, so my goal is to approach it with the most standard means out there to ensure that this works smoothly for clients year after year. As such, one of the most well-respected and longest-running *quality* SSL Certificate providers is Comodo. (I stressed *quality* there because SSL isn't just a commodity. Comodo uses 2048-bit encryption and has 99.9% browser recognition, which are two outstanding metrics to go by.) Their pricing, and all other related charges for this, is as follows. (Note, the below pricing is as of this writing, May 1, 2017, and is subject to change. This also applies for shared-hosting clients. Those on Linode, etc., would need to inquire separately.):
SSL Certificate Fees Per Web Site:
First, you would need to decide what type of SSL Certificate you want:
- The basic SSL Certificate is $99.95 / year for 1 year, $88.95 / year for 2 years, or $76.95 / year for 3 years.
- The "EV" SSL Certificate (has your company name in green): $249.00 / year for 1 year, or $199.50 / year for 2 years.
- The next charge is a hosting change. SSL Certificates need to live on dedicated IP addresses. This means I have to order one for you via the hosting company, and they charge me $2/month for each one. So, that adds $24 / year, which can be bundled into the SSL cost. This cost would be charged based on the duration of the SSL certificate (1 year, 2 years, etc.) times the # of months therein, times $2.
- The next cost is a $25 installation cost charged by the hosting company (Inmotion Hosting). This is a fee they charge for all SSL installs, as their tech people have to do them. This would also be charged each time we install or reinstall / renew a certificate.
* Note: For all of the above, I'm simply passing along those third-party costs, without markup. It's just what they charge...
- This is my company's charge for handling all of the above, as it does take a fair bit of time because I have to generate some server files in order to apply for the SSL, order the server changes, and administer all of the above as it progresses through the install, and then make some configuration changes needed after that to force the SSL connection for all visitors. In all, it will generally take me an hour of time, all totaled. So, you can expect an hour's fees to show up on an invoice for any sites for which you want SSL. For 90% of clients, that's about it.
- This is an hourly charge from me, at your normal rate. For some clients, it may take some extra TLC to get a site running via https. This is because when the site was originally done, SSL wasn't an issue, and there may be various components, stylesheets, font settings based on outside APIs like Google Fonts, etc., that may be hard-coded to http:// connections instead of https:// ones. Also, some images or files may be loading onto various pages hard coded to http://. What happens in these cases is that the https:// will not fully engage, and thus the site will not register as secure. For https:// to work, all resources of a given web page need to use relative links or be hard-coded to https://. So, we may need to do a one-time adjustment on that, for some sites. Usually, when I see this sort of thing, it's only ~15-minutes or a half-hour's work. Occasionally, I've seen some third-party components that are not SSL-friendly, and have needed to modify their code in order to ensure they're loading resources correctly. If this level of service is required, I would notify you if/when I see the need for it. Again, most people won't need this -- and, if anyone does, it's generally a one-time thing. But, it's a possibility, nonetheless, that I can't foresee, so I'm mentioning it.
Sample One-Year vs. Multi-Year Cost Consideration
Below is a chart showing current pricing, which may help site owners decide on whether multi-year price-breaks make sense:
The only unknown is that potential for problem fixing, which could vary depending on whether your site may have some components hard-coded to load resources via non-SSL. But, those things are usually quick fixes, if needed.
Hopefully, the above outlines all that's involved in the whats, whys, hows, and how-much's of SSL. I tried to keep it basic, so if anyone has questions, please fire away. If you'd like me to get an SSL certificate for your web site(s), please let me know which site(s), and if you want the basic (to simply make your site(s) SSL-compliant), or the more deluxe version to get your company name there as well. Not sure if it's worth it for that extra level, but it's available. Again, I would not recommend SSL unless your site has one of the needs described above, or if you're interested in a *possible* additional SEO boost.