“...Hope is a pleasant acquaintance, but an unsafe friend."
Thomas Chandler Haliburton
So, Is SSL Security The Same As Website Security?
Let's start at the beginning with how we normally get asked to sort out a website which is insecure...
This is a typical telephone conversation...
'Can you help me, my website's been hacked?'
(Actually, it usually involves a lot more screeching than that)
When we ask how the caller how they know, the reply is generally that someone else told them their website is saying it's not secure.
What's happened is the website doesn't have an SSL certificate which means that when a visitor to the site has found the site in Google's Chrome browser, they've been met with something that looks like this:
Not pretty and it doesn't exactly inspire confidence in your website.
But...it doesn't mean your website has been infected with malware.
The 'not secure' is an alert posted by Chrome to warn potential users of the site. The insecure it's referring to is the one that relates to its security on Chrome and the integrity of any data in transit between the host (web server or firewall) and the client (web browser).
When an SSL Certificate is in use it makes sure no one is able to see or modify the data, what is known as a man-in-the-middle attack.
When an SSL Certificate is applied, this is how it looks in the browser:
Having An SSL Certificate Doesn't Mean Your Website Is Secure And Safe From Malware Infection.
Website security is an ongoing process involving a number of different processes, from protecting the files which can be seen by the outside world, keeping the WordPress, Theme and Plugin software up to date, WAF (Website Application Firewall) and access controls.
Just because a website has an SSL Certificate (and shows the HTTPS or secure certificate) doesn't mean it won't get hacked and be a danger to visitors.
Do I Need To Get An SSL Certificate Or Not?
Firstly, there is no specific legal requirement which means you are obliged to get an SSL Certificate. There are some industry bodies, often the financial and legal professions, which insist you have a particular level of SSL Certification.
If you're taking money through your website then yes you do and the more advanced certificates include a level of indemnity in the case of financial loss to a visitor using your website.
If you're not making payments, then it can come down to appearances. Do you really want your visitors being met with an alert telling them the website is insecure?
There Must Be More To SSL Certificates Than That!
Yep. There are different types of certificates, some of them are free and others offer different layers of protection by going beyond validating your domain name to extend to your actual business.
Many WordPress Hosting providers will add a free (Let's Encrypt) SSL Certificate to your domain. So give them a call and ask.
If you need something more elaborate and don't want to sort it out yourself, give us a call.
And here's a video by the guys at Sucuri (who deal with hacked sites) to explain a bit more about SSL Security Vs Website Security. Enjoy.