When you add security to your website, you send a message to your audience that you care about their data and website experience. Prospects oftentimes perceive a greater level of trust because of the presence of security. How do they even know your website is secure? The browser tells them—by displaying the ‘s’ in the URL bar, and nowadays, displaying a visual cue like a lock, a key, and/or a colored background.
My intentions with this blog post are twofold: to help website owners better understand the process, and to set their expectations about payments that need to be made when making their websites secure. And, although Adventures Online specializes in WordPress websites, the steps are the same for non-WordPress websites.
Let’s get started… Lots of non-technical info mixed with a little bit of technical.
What is a security certificate?
A security certificate is an electronic bunch of code, formatted in a specific way, that is uploaded to a website hosting account. It is issued (sent via email) to a company from a security certificate vendor once an officer of the company has proven to the vendor that it is who it says it is.
Who sells security certificates?
Security certificate vendors are known as Certificate Authorities (CAs). CAs are companies that have been specially trained and authorized to determine a company’s online authenticity.
What is SSL and Why should I care?
SSL stands for Secure Sockets Layer. SSL is the ‘security’ technology applied to a connection between a browser and a website. So the conversation between your browser and a website happens in a secure way when a security certificate is installed (and, then, the SSL technology is recognized and invoked). I mention SSL because sometimes “adding security” and “adding SSL”, are used interchangeably.
A conversation occurs every time you click or enter data on a website. In nanoseconds, the browser and website are exchanging words while you are clicking. The conversations are what allow you to move from one page to another and to scroll to new areas on a page. SSL applied to those conversations is what keeps the conversations private (out of the hands of hackers and identity thieves)—and that is why you care. GlobalSign, a CA headquartered in the U.K., does a nice job of explaining SSL in non-technical terms. Watch the 3-minute video if you want to learn more.
SSL is “placed into service” on a website only after a security certificate has been purchased and installed, and a webmaster has ‘applied’ the security certificate to the website.
How to add Security to your Website
From a technological perspective, adding security to a website is a simple 3-step process. For website owners, however, it feels more complicated because they have to be very involved in the first step; way more involved than they have ever been with the technology part of their website.
What are the three steps to adding security to your website?
- Purchase a security certificate
- Install the certificate
- Apply the certificate
1. Purchasing a security certificate
Security certificates come in all shapes and sizes. A typical CA offers “lite” or “easy” versions, DV, OV, and EV versions. Each of these versions carries similar but different company validation requirements. These are sold for single and multiple domain names on the same certificate, and for one to three years. With each combination, the company validation requirements as well as the pricing change.
Which certificate a company needs depends on:
- Whether or not the website stores sensitive data.
Websites that sell products and services, and may or may not collect credit card data as well as personally-identifiable data need SSL.
- The image the company wants to portray.
For example, a high-end architectural firm seeking international work might opt to purchase the highest end of security certificates. They are not likely selling product online, but, need to portray an established, ‘trustworthy’ image. A high-end vehicle vendor might do this as well as large technology firms. These companies are thinking about the message they are sending as opposed to having any real need for online security.
- The company’s competition and/or its business partners.
A company might need to match what its competitors are doing and/or meet the expectations of its business partners.
Recommendation: Rely on a paid professional. Call your trusted Web adviser and ask her for a recommendation. Note: You may have to pay for this service. It is well worth it because once a certificate is issued, it is issued. There are no “tweaks” that can be made. If there is a mistake or a last-minute realization, it is too late. To correct course, a new security certificate needs to be purchased, which means a company starts at step 1, having to go through the entire validation process as if they had never done it before. (Several times, I have been called in to assist after a company made its initial purchase, and, believe me, it is very ugly, painful, and expensive the second time around.)
Once a company knows which security certificate to purchase, it must go to the CA’s website and make the purchase. The CA will then work with the company to validate that it is who it says it is. This first step must be completed by the company. The CA can only work with a company rep who has access to company documentation and legal info.
That said, it is during this step that the CA will request information (a CSR) that only the company’s hosting firm (or experienced webmaster) can supply. That portion of the validation process goes like this:
- The CA requests info (the CSR) from the Company.
- The Company passes the request to the Webmaster or hosting firm.
- The Webmaster gets the answer and returns it to the Company.
- The Company passes it on to the CA.
When the CA has completed the validation process and has satisfied the validation requirements of the purchased security certificate, it sends the validated security code in an email to the Company. The company forwards the email to its hosting firm or webmaster so that the security certificate can be installed at its website.
2. Installing a Security Certificate
So the webmaster or the hosting firm has received the validated security certificate email from the company. The webmaster/hosting firm logs into the website and uploads and installs the certificate. Installing the certificate can take 5 – 20 minutes depending on the experience of the person, the operating system (of the server), and the app loaded (or not) on the server. Note: You may have to pay for this service. Paying for installing an SSL Certificate on a hosting account is rare, but, has happened.
Now the SSL certificate is installed at the website.
If you test the website in the browser, you will see that it still says “Not Secure” or there is no indication of security being present. This is because it is not enough to just install the security certificate.
Installing a security certificate is like packing your sunscreen lotion when you go on vacation. You bought it. You packed it, but, if you don’t apply it to your skin, it does you no good. Your website works the same way.
3. Applying a Security Certificate
Once step 2 is completed, the webmaster edits and updates the website and the hosting account, “applying” security indicators throughout. This is a task for experienced web technicians, and, not the typical content updater. Areas of the hosting account that are familiar to technology professionals need to be accessed, and, those areas are typically unknown to content updaters. Note: You will definitely pay for this service.
To test the success of the application, go to the browser and enter the website address using “http://” before the address. When the application is applied correctly, the address in the browser’s URL bar will immediately change to “https://” (and some security icon or color may display). That’s a good start.
Continue to test the application of the security certificate by viewing as many pages as you can. Be on the lookout for messages like “not fully secure” or “mixed content”. When you see one of these, have your webmaster make the edits to your page(s). It is common that a behind-the-scenes link to an image, a style file, or a PDF needs to have the “s” added to its address. Once those are fixed, you should be all set.
Once the security indicators display in the browser and there are no “mixed content” messages, your website is secure.
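For webmasters, the page-by-page hunt for “mixed content” described above can be scripted. The following is an added example, not part of the original post: it scans a page's HTML for the http:// references to images, style files, and PDFs that still need the “s”. The sample page and the www.example.com addresses are constructed placeholders.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
# An http:// URL here on an https:// page is what triggers "mixed content".
FETCHED = {("img", "src"), ("script", "src"), ("iframe", "src"),
           ("video", "src"), ("audio", "src"), ("source", "src")}

class InsecureUrlFinder(HTMLParser):
    """Collect http:// references in a page meant to be served over https://."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https:// and relative URLs are fine
            if (tag, name) in FETCHED:
                kind = "mixed-content"
            elif tag == "link" and name == "href" and "stylesheet" in rel:
                kind = "mixed-content"   # style file loaded with the page
            elif name == "href":
                kind = "insecure-link"   # e.g. a PDF link: leaves https when clicked
            else:
                continue
            self.findings.append((kind, tag, url))

def find_insecure_urls(html):
    finder = InsecureUrlFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (www.example.com is a placeholder domain).
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="stylesheet" href="https://www.example.com/css/print.css">
</head><body>
<img src="http://www.example.com/img/logo.png" alt="logo">
<img src="/img/banner.png" alt="banner">
<a href="http://www.example.com/docs/brochure.pdf">Brochure</a>
<a href="https://www.example.com/contact">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_insecure_urls(SAMPLE_PAGE):
        print(f"{kind:14} <{tag}> {url}")
```

Entries reported as mixed-content are the ones that produce the browser warning; insecure-link entries do not, but they still send the visitor off the secure site when clicked.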
What is the cost to add security to your website?
These are Northeast USA estimates.
- Security certificate recommendation: $50 – $150
- Security Certificate: $70 – mostly $300 for smaller businesses, but, into the $1000’s for some corporations
- Installation: $0 – $79
- Application: $100 – $200
Approx. $220 – $730
Top Three Add Security to your Website takeaways:
- Website security certificates are not one-size-fits-all. There are a good number of versions, and, then many combinations added to those versions.
- A third party cannot complete the SSL certificate validation. A company rep must work with the CA.
- Paying for the SSL Certificate does not cover the cost of all the work that needs to be done.