Disclosure: This content is reader-supported, which means if you click on some of our links that we may earn a commission.
Nothing screams “untrustworthy” more than a website labeled by web browsers as “Not Secure.” Getting rid of it requires an SSL certificate, which is a badge that assures visitors your website is safe to use. The best part is you can get it for free, and we’ll show the exact steps to set it up even if you’re not tech-savvy.
Why Getting an SSL Certificate is Worth It
Secure Sockets Layer (SSL) is a protocol that ensures whatever information is transmitted between the visitor’s browser and your website’s server is converted into codes that no third party can decipher.
Let’s say Location A (visitor’s web browser) wants to send sensitive data to Location B (your website server). With an SSL certificate, Location A encrypts the data with a public key to ensure only the intended receiver can read it. Once Location B receives the data, it can decrypt it using a corresponding private key.
Any data encrypted with a public key can only be decrypted by a private key and vice versa. This ensures every data transferred between the visitor’s web browser and your website will always remain confidential.
By contrast, a website without an SSL certificate means hackers can easily eavesdrop on every communication. Without security protocol blocking them, cybercriminals can steal credit card information and other sensitive personal data. If you own an ecommerce store, membership site, or any website requiring users to register or pay, an SSL certificate is a mandatory feature you can’t afford not to have.
Maybe you think you don’t need one because you only have a simple website that doesn’t accept payments. If you think you can get away without an SSL certificate, Google has a warning: Get the certificate or scare your visitors away with a “Not Secure” notification to users. Having an SSL is now also a ranking signal, so Google gives you a slight ranking boost as an additional incentive for switching.
The Investment Needed to Get an SSL Certificate
SSL certificates are issued by certificate authorities that offer them for about $50 to $100. Those prices don’t even include all the add-on services that can quickly inflate the total price. If you own a profitable ecommerce site, it’s easy to justify the cost. But what if your website has just started, and you’re trying to keep expenses to a minimum?
Fortunately, companies like ZeroSSL and non-profits like Let’s Encrypt offer SSL certificates for free. By giving away SSL certificates, they create social good and turn the internet into a safer place for everyone.
However, manually installing the free certificate on your own requires server system knowledge and coding skills. Most hosting companies are now SSL-ready, though, and you can easily add the certificate from your cPanel through a streamlined process.
If you’re looking for a web host that offers free SSL, we recommend Bluehost. It’s also our top recommendation for the best cheap web hosting, so it’s definitely a steal for anyone starting a new website. All of Bluehost’s hosting plans come with free SSL to help anyone with a website idea get off on the right foot.
Rather than having to get hosting and an SSL from two different providers, this Bluehost makes it so much easier—and it’s free with your hosting subscription.
8 Steps to Getting an SSL Certificate
Setting up an SSL certificate may require a small investment of your time, but the reward can be enormous for your website and visitors. Here, we go through how to make your website secure in a few steps.
#1 – Determine the level of security your website requires
SSL certificates come in many forms. Some are free, while others cost a few hundred dollars. The higher the price, the higher the level of security you’ll get.
You must know what you’re looking for. This way, you won’t end up buying a costly SSL when your website can thrive even with a free certificate. In summary, here are the four basic types of SSL certificate:
- Domain Validated (DV) Certificate – provides security to only one domain or subdomain. This is where most free SSL certificates fall under, making it the ideal choice for blogs, small business websites, and ecommerce sites with basic security needs.
- Organization Validated (OV) Certificate – as its name suggests, OV certificates are designed to verify that the domain name truly belongs to a business or organization it represents. If the website is owned by a legitimate business, government organization, or nonprofit, you can get this certificate to assure users they’re not dealing with an online impersonator.
- Wildcard Certificate – is a multi-domain certificate that covers your domain and all of its subdomains. If you have multiple subdomains, having a wildcard certificate is more practical than installing one DV certificate after another.
- Extended Validated (EV) Certificate – provides the highest level of security. It includes vulnerability scanning, a green address bar, a TrustLogo seal, and full validation of your business. This type of certificate will show your company or business name, giving users peace of mind that whatever information they share with the website always remains private. It’s best for websites that accept credit card payments and where sensitive user information is exchanged.
Once you have figured out the SSL certificate your website needs, it’s time to shop around for a certificate authority that issues it.
#2 – Check with your hosting company to know what SSL certificate is available for you
Securing a website typically involves getting an SSL certificate directly from a certificate authority. Fortunately, almost all hosting providers now offer or resell SSL, so you won’t have to deal with a third-party organization.
Bluehost, for example, comes with a free SSL certificate with all of its web hosting plans. The best part is that Bluehost also offers impressive and affordable web hosting, so you can start a secure, professional website even if you’re on a shoestring budget.
There’s only one exception—Bluehost’s entry-level shared Basic plan for $2.95 per month only comes with a free SSL certificate for one year. Your SSL will still be active, but you’ll need to pay the annual renewal rate for it at that time.
Otherwise, select the Choice Plus tier or higher. This starts at $5.45 per month, and the free SSL is included as long as your hosting subscription stays active.
You’ll see this during the checkout process when you’re signing up for a new hosting plan.
Bluehost automatically assigns and installs the SSL to the domains associated with your account. So you shouldn’t have to do anything other than confirm it’s active, which you can do directly from your account dashboard.
- Sign into your Bluehost control panel.
- Navigate to the Hosting menu on the left side of your screen, and click Manage next to your website’s name.
- Go to the Security menu and verify that the SSL certificate is Active.
- If you just signed up or installed a new SSL, it may say In Progress. In this case, give it a few hours and then check your email to see if you’re prompted to complete additional actions.
The vast majority of SSL certificates on Bluehost are installed automatically. But sometimes you need to do it manually, which is also very easy.
From your control panel, navigate to My Sites on the left side of your dashboard and select Manage Sites. Then navigate to the Security tab and toggle the SSL to On.
Once toggled on, it can take a few hours for the SSL to fully install and activate. Keep an eye on your email in case further instructions are required.
That’s it—you’re done!
But if you’re not using Bluehost or can’t get a free SSL from your hosting provider, continue with the remaining steps below.
#3 – Generate an SSL certificate
How you’ll procure the SSL certificate depends on whether you’ll buy it from a third-party certificate authority or avail of your hosting provider’s free SSL.
Type in the domain name of the website you want to secure and click Create Free SSL Certificate.
Register a new account using your email address and preferred password.
Double-check if you’ve entered the correct domain name, then click Next Step.
The system will then ask you to choose between a certificate with a 90-day validity or one that has one-year validity. Make your selection, and lick Next Step to proceed to the next section.
The Auto-Generate CSR option is selected by default. Simply uncheck this if you want to enter your contact details shown on the certificate manually. Then, click Next Step.
Pick a free plan and finalize your order. When you finish this step, the site will create a free SSL certificate for you. However, it won’t work unless you verify ownership of your domain.
#4 – Verify domain ownership
Before the certificate authority can issue you an SSL certificate, you must first ensure you own the domain name. You can verify ownership of the domain in three ways: Email Verification, DNS (CNAME), or HTTP File Upload.
For fast verification, completing the process through HTTP File Upload is recommended.
To do this, download the Auth File using the link provided. Then, open your control panel.
Once inside, go to your File Manager. Create a folder inside the public_html and name it .well-known and then a subfolder named pki-validation inside it. In this subfolder, upload the file you downloaded previously.
Go back to sslforfree.com and click the link provided in the third step of the verification process. If you’re able to open the link, it means you have successfully uploaded the Auth File. Click Next Step.
Finalize domain verification by clicking Verify Domain.
#5 – Install the SSL certificate
Now that domain ownership has been verified, your free SSL certificate is ready to install.
Click Certificates on the ZeroSSL menu and then select Download Certificate. Set the Server Type to Default Format, then download the zip file containing your certificate.
This file should contain three sets of keys:
- Certificate (certificate.crt)
- Private key (private.key)
- Certificate authority bundle (ca_bundle.crt)
Return to your control panel and navigate to the your SSL or Security menu (this will vary based on your host). Scroll down to the Custom SSL, where you’ll paste the keys you’ve obtained from ZeroSSL to their corresponding boxes.
Finally, click Install.
Take note that if you’re using a free SSL certificate, you will have to repeat the steps above every 90 days. Otherwise, you’ll need to pay for your certificate and enable auto-renewal.
#6 – Configure WordPress to use HTTPS
By default, WordPress serves images and media files in their non-secure HTTP versions, leading to mixed content errors. External links pointing to your website also don’t change automatically once you install an SSL certificate. As a result, anyone discovering your website through a social media link may end up running away from it once the “Not Secure” warning shows up.
To fix this, you must force WordPress to use HTTPS throughout your whole website.
A simple way to do this is by logging into your WordPress dashboard and going to Settings, then General. You’ll then see two fields named WordPress Address (URL) and Site Address (URL), both of which contain the non-secure HTTP URL of your website homepage.
Remove the HTTP prefix in both fields and replace it with HTTPS. Once you’re done, click Save Changes.
At this point, your WordPress site should already be showing the HTTPS version of its URLs. However, this update only covers the URLs within your website, not all the links pointing to your website that remains on the non-secure HTTP. To solve this problem, you can manually set up a 301 redirect by editing the .htaccess file in your web host account. This file is the direct link between your server and WordPress site, so one wrong move can have drastic consequences.
An easier alternative to altering your site codes is by installing a plugin called Really Simple SSL. Once activated, this plugin automatically detects your SSL certificate, fixes all mixed content errors, and redirects all HTTP URLs to HTTPS.
The only potential downside is a plugin takes up space. In addition, you also need to keep the plugin installed and active otherwise, the mixed content errors will persist.
#7 – Confirm if your SSL certificate is working
If everything is set up correctly, your website URL should already show the secure HTTPS instead of the non-secure HTTP.
To validate if your certificate is up and running, log out of WordPress and your web host control panel. Then, visit your website and check whether all the following security components are present:
- HTTPS address
- Lock icon next to the URL
- Security trust seal
- Business name (for EV certificate)
- Green address bar (for EV certificate)
To get more details, click the lock icon and then expand the Certificate. Verify if the certificate’s details, including the certificate authority and the certificate validity period, are correct.
If you’re unable to find any or all of the trust seals listed above, reach out to your hosting provider and ask for assistance. Depending on the type of error you encounter, the SSL certificate may have to be removed and reinstalled.
#8 – Submit your HTTPS site to Google Search Console
Google treats HTTP and HTTPS versions of a website as separate entities. Therefore, you need to let Google know that you’ve switched to the more secure HTTPS, and you want to set it as your primary domain. By doing so, Google will subsequently redirect all traffic to the HTTPS version of your website URLs.
The first step is to submit your HTTPS site to Google Search Console. Assuming you already have a Console account for your HTTP domain, go to the dashboard and look for a downward arrow next to the HTTP domain name.
Click on Add Property. Enter your HTTPS domain name and click Continue.
As with any website domain added to Console, you need to verify ownership of your HTTPS site. Choose the verification method you’re most familiar with.
Once your site is verified, and a sitemap is added, Google will start crawling your HTTPS site. As long as you correctly accomplished the redirection process, Google will gradually replace all the indexed HTTP links with their new and secure HTTPS counterparts.
Building a web-based business or an online presence used to require steep upfront fees. But as proven by this article, you can get your website ideas off the ground without breaking the bank.
However, getting cheap web hosting that comes with a free SSL certificate is just half the battle. Now you need a website builder that can help you create beautiful and professional-looking websites on a budget. See our top picks for the best free website builders to help you get started.