Is SSL set up on my website properly?
Use Qualys SSL Labs SSL Test to determine if your website/store is properly configured after installation of an SSL certificate. Enter your domain, and click submit.
It also grades the web server configuration and tells you what should be changed to be more secure. Typically these changes need to be handled by your web host.
Does SSL make my site PCI compliant?
It’s a step in the right direction, but SSL alone does not make your site PCI compliant. We have documentation on PCI compliance at: PCI DSS Compliance and WooCommerce.
My web host told me free/cheap SSL certificates are not secure.
SSL certificates come in many variations and prices, ranging from free to more than $1000/year. Unless your business has revenues high enough to warrant extras offered by the expensive SSL certificates, you do not need them.
The three most important pieces to consider are the:
- Level of Encryption (256 bit is recommended)
- Browser Recognition
- Warranty
Compare two SSL certificates where one costs $10/year and the other costs $1000/year, and typically the only difference between the two as far as the three factors are concerned is the warranty and maybe browser recognition. Both SSL certificates most likely offer 256 bit encryption and 99%+ browser recognition.
You’re paying a higher price for brand name and insurance.
Where can I get a free or affordable SSL certificate?
You can buy affordable SSL certificates for less than $10/year.
- Let’s Encrypt (free, and available on some web hosts with a one-click install). More info at: Free SSL options – Let’s Encrypt
- NameCheap
- StartSSL
Do I need a dedicated IP address for SSL?
No. A dedicated IP address is not required for HTTPS connections to a web server. However, there are a few catches.
- Users running Windows XP or Internet Explorer 8 or older may see security warnings. Keep in mind that even Google has dropped IE8 support: http://support.google.com/a/bin/answer.py?hl=en&answer=33864
- Web hosts running cPanel or other control panels that have not yet been updated to support this technology may require your site to have a dedicated IP address.
I get non-secure content warnings when I am on the SSL version of my site
This is typically caused by your website loading your logo or other images from HTTP URLs instead of HTTPS. Replace the http with https in your logo URL and any other URLs, and this will solve the issue.
Most assets will automatically update with HTTPS URLs by WordPress itself. But some hosting configurations with a reverse proxy break this functionality.
A properly configured reverse proxy and web server will pass along the connection type and require no changes to WordPress or any other PHP files, some web hosts may require a patch at the top of your wp-config.php file, and others such as Network Solutions do not have a proper fix due to their broken setup.
Can I force my site to always load via SSL?
This is not recommended because a constant SSL connection typically breaks any caching you configured, and this causes trouble when scaling a website.
On a small or average site, it may not ever be a real issue for constant SSL connections. If you have questions about this, speak with your hosting provider.
Why do direct post (DPM) payment gateways not require SSL even though credit card data is entered on my website?
A common misconception is that the page where credit card details are entered needs to be SSL secured. This is definitely a good thing to do to build trust with customers, but it is not necessarily required.
The page that must be SSL secured is the URL that credit card details are being posted to. With DPM gateways, the form is being posted directly to the payment gateway’s secure servers so your own web server never sees those details. Because your web server never handles those details, it does not require extra security.
Even though DPM does not require SSL, should I buy one?
Yes. If you are doing business online, then you should definitely invest in an SSL certificate to increase customer trust in your site/brand. Ultimately you must decide if the cost will benefit you.
Is WooCommerce compatible with the free SSL provided by CloudFlare?
No, it is not. If you are running the free SSL by CloudFlare, you may not be able to access your admin if WooCommerce is active.
Does WooCommerce support shared SSL certificates?
WooCommerce is built on WordPress, and shared wouldn’t work with WordPress. WooCommerce supports dedicated SSL certificates.