SSL Certificate: What It Is, Why You Need It

When someone fills in a contact form on your website, that data travels from their browser to your server. Without an SSL certificate, it travels as plain text. Anyone on the same Wi-Fi network can read it. Names, email addresses, passwords, credit card numbers. All visible.

An SSL certificate encrypts that connection so the data is unreadable to anyone except your server.

What SSL actually does

SSL stands for Secure Sockets Layer. The technology has since been replaced by TLS (Transport Layer Security), but everyone still calls it SSL. The name stuck.

When a visitor loads your site, their browser and your server exchange keys and agree on an encrypted connection. This takes milliseconds. Your visitor never notices it happening. But from that point on, everything sent between them is scrambled and unreadable to outsiders.

HTTP vs HTTPS: what your visitors see

The visible difference is small but powerful. Websites with SSL load over HTTPS (the S stands for Secure). Websites without it load over HTTP.

With SSL: Your browser shows a padlock icon next to the URL. The address starts with https://. Visitors feel safe.

Without SSL: Chrome, Firefox and Safari all display a "Not Secure" warning in the address bar. If your site has a form or login page, the warning gets louder. Chrome sometimes shows a full-page block telling the visitor the connection is not private.

That warning sends visitors running. People don't read it or investigate. They hit the back button.

Why you need an SSL certificate

Four reasons, any one of them enough on its own.

Browsers will scare your visitors away

Chrome marks every HTTP site as "Not Secure." Firefox and Safari do the same. If you don't have SSL, most of your visitors see a warning before they even read your homepage.

Google ranks HTTPS higher

Google confirmed in 2014 that HTTPS is a ranking signal. All else being equal, an HTTPS site outranks an HTTP one. If you're competing for local search traffic, skipping SSL gives your competitors free ground.

GDPR requires it

Article 32 of the GDPR requires "appropriate technical measures" to protect personal data. If your website collects any personal data through forms, encryption in transit is about as basic as it gets. Running a contact form over HTTP is hard to defend in front of a regulator. Our guide on GDPR and website security covers this in detail.

Payment processors require it

If you sell anything online, your payment processor requires HTTPS. Stripe, Mollie, PayPal, every major provider. PCI DSS compliance mandates encrypted connections. No SSL means no payments.

Types of SSL certificates

There are three types. For most small businesses, only one matters.

DV (Domain Validation) confirms you own the domain. The certificate authority checks that you control the domain, issues the certificate, done. Takes minutes. Free through Let's Encrypt and included with most hosting plans.

OV (Organisation Validation) confirms your organisation exists. The certificate authority verifies your business registration. Costs money, takes days. The padlock looks identical to DV.

EV (Extended Validation) involves full identity verification with legal documents and phone calls. It used to show a green company name in the browser bar, but browsers removed that in 2019. Now it looks identical to DV.

For a small business website, DV does the job. Same encryption, same padlock. OV and EV are for banks and large corporations with specific compliance requirements.

How to get a free SSL certificate

You don't need to pay for SSL anymore.

Let's Encrypt is a free, automated certificate authority. Most hosting providers include it by default. If you're on a modern hosting plan from TransIP, Antagonist, Versio, SiteGround or Hostnet, you probably already have it in your control panel. One click to activate.

Cloudflare offers free SSL through their CDN. Point your DNS to Cloudflare and they handle the certificate. Good option if your host doesn't support Let's Encrypt.

Your hosting provider may include SSL as part of your plan. Check your control panel for an SSL or security section. Many providers install it automatically when you add a domain.

If you're on WordPress and your host doesn't support one-click SSL, switch hosts. Any provider still charging for basic SSL in 2026 is behind the times.

How to check if your SSL is working

Open your website in Chrome. Look at the address bar.

Padlock icon visible? Good. Click it to see certificate details. Check the expiry date.

"Not Secure" warning? Your SSL isn't active or isn't configured properly.

For a deeper check, SSL Labs (ssllabs.com/ssltest) gives you a grade from A to F based on your certificate and server configuration. Aim for an A.

Or run a free scan on your site and we'll check your SSL configuration along with 30+ other security and compliance issues.

Common SSL problems

Even with a certificate installed, things can go wrong.

Mixed content warnings

Your site loads over HTTPS, but some images or scripts still load over HTTP. The browser flags this as mixed content and you lose the clean padlock. Fix it by updating all internal URLs to HTTPS. Check your WordPress settings, theme files and any hardcoded image URLs.

Expired certificate

Let's Encrypt certificates expire every 90 days. Paid ones usually last a year. When a certificate expires, visitors see a full-page warning. Auto-renewal prevents this. Most hosts handle it automatically, but verify it's on.

Wrong domain on the certificate

Your certificate must match your domain exactly. A certificate for www.example.com won't work for example.com without the www. Most modern certificates cover both, but check.

Redirect loops

Sometimes activating SSL causes infinite redirect loops. This happens when your CMS is set to HTTP but your server forces HTTPS. In WordPress, update the site URL in Settings > General to https://. If you're locked out, change it in wp-config.php.

Certificate renewal: set it and forget it

Certificates expire. That's by design. If someone stole the private key from a forever-valid certificate, they could impersonate your site indefinitely.

Let's Encrypt certificates last 90 days. This sounds short, but renewal is automatic. Your hosting provider handles it without you doing anything. Check once that auto-renewal is working, then forget about it.

Paid certificates typically last one year. Turn on auto-renewal with the provider so you never have to think about it.

An expired certificate on a live website is one of the worst things that can happen. Visitors see a full-page warning that looks like your site has been hacked. Everyone leaves.

What to do right now

Open your website in your browser and look for the padlock. If it's not there, contact your hosting provider and ask them to activate SSL. It's usually free and takes five minutes.

Want a more thorough check? Run a free scan. We'll test your SSL certificate, check for mixed content and flag 30+ other issues that affect your website's security and compliance.

For more on fixing security warnings, read our guide to fixing the "Not Secure" warning. For a broader overview, check our security checklist for small businesses.

FAQ

Do I need to pay for an SSL certificate?

No. Let's Encrypt provides free certificates that work just as well as paid ones. Most hosting providers include them at no extra cost. Paid certificates only matter if you need OV or EV validation for corporate compliance.

Will adding SSL break my website?

It shouldn't, but you need to update your site URL to HTTPS and make sure all internal links and images use HTTPS too. The most common issue is mixed content. A good hosting provider will handle the switch for you.

How do I know if my SSL certificate is about to expire?

Click the padlock icon in your browser and view the certificate details. You'll see the expiry date. Let's Encrypt auto-renews 30 days before expiry. You can also run a scan and we'll flag certificates that are close to expiring.

Is SSL enough to make my website secure?

SSL encrypts data in transit, which is one part of website security. You also need software updates, strong passwords and security headers. Our security checklist for small businesses covers the full picture.