Do I need to pay for an SSL certificate?

Usually not. Let's Encrypt provides free SSL certificates that are perfectly adequate for most websites. Premium paid certificates (£50-500/year) offer additional features like warranty, extended validation, or wildcard coverage for subdomains - but free certificates encrypt just as effectively.

Why does my site show 'Not Secure' even though I have SSL?

This usually means 'mixed content' - your page loads over HTTPS but includes some resources (images, scripts) over plain HTTP. All resources need to use HTTPS. Your developer can fix this by updating URLs or adding proper redirects.

Will getting SSL break my website?

Properly implemented, no. Issues can occur if internal links and resources aren't updated to HTTPS. A competent host or developer will handle this during setup. If switching an existing site to HTTPS, plan for a proper migration.

How long does an SSL certificate last?

Certificates are typically valid for 90 days (Let's Encrypt) to 1-2 years (paid certificates). Most hosting setups auto-renew certificates before they expire, so you shouldn't need to think about it once configured.

SSL Certificates Explained | What is HTTPS & Why You Need It

Everything you need to know about SSL certificates and HTTPS, explained without the jargon. Why you need one, how to get one, and what it actually does.

You've probably noticed that websites start with either "http://" or "https://" - and that some show a padlock icon in the browser bar. That 's' makes a significant difference, and here's why it matters for your business.

🔴

"Not Secure" warnings drive visitors away before they read a word

Chrome, Firefox, Safari, and Edge all flag HTTP sites with visible warnings. For a business website, that warning is the first thing potential customers see — and often the last.

HTTP = "Not Secure" label in the address bar HTTPS = padlock icon and encrypted connection 85% of users won't submit a form on an insecure site

What is an SSL Certificate?

SSL (Secure Sockets Layer) is a security technology that creates an encrypted connection between a web server and a browser. When a website has an SSL certificate installed and properly configured, its address changes from HTTP to HTTPS - the 'S' standing for 'Secure'.

In simple terms: SSL scrambles the data travelling between your website and your visitors so that no one else can read it.

Technical note: SSL has technically been replaced by TLS (Transport Layer Security), but everyone still calls it SSL. You might also hear it called an "SSL/TLS certificate." They mean the same thing.

Why Every Website Needs HTTPS

1. Browser Warnings

Modern browsers (Chrome, Firefox, Safari, Edge) actively warn users when they're on an unsecured site. Chrome displays "Not Secure" in the address bar, and some browsers show even more alarming warnings.

For a business website, this is disastrous. Visitors see the warning and leave, often before they even see your content.

2. Data Protection

Without encryption, any data sent between your site and visitors can potentially be intercepted. This includes:

Contact form submissions
Login credentials
Payment information
Personal details

With HTTPS, this data is encrypted. Even if someone intercepts it, they can't read it.

3. Trust Signals

The padlock icon has become a universal symbol of website security. Visitors have been trained to look for it. Its absence suggests something is wrong - even if they can't articulate why.

4. SEO Benefits

Google has confirmed that HTTPS is a ranking signal. It's a minor factor compared to content quality and backlinks, but it's an easy box to tick. There's no downside.

5. Legal Compliance

GDPR and other data protection regulations require you to implement appropriate security measures when handling personal data. SSL is considered a baseline expectation.

🔐

The padlock is now a baseline expectation, not a bonus

Users have been trained to look for the padlock. Its absence doesn't just mean "less secure" — it signals to visitors that something is wrong with your site. HTTPS also protects form submissions, login credentials, and payment details from interception.

How SSL Actually Works (Simply)

When someone visits your HTTPS website:

Their browser requests a secure connection from your server
Your server sends its SSL certificate - proving it's really your website
The browser verifies the certificate - checking it's valid and not expired
They agree on an encryption method - a secure way to scramble data
All data is now encrypted - secure from interception

This happens in milliseconds, invisibly to the user. They just see the padlock.

Types of SSL Certificates

Domain Validation (DV) - Most Common

Verifies you control the domain
Issued in minutes
Free (Let's Encrypt) or cheap (£10-50/year)
Shows padlock - looks identical to more expensive certificates
Perfect for most small business websites

Organisation Validation (OV)

Verifies your organisation exists
Takes a few days to issue
Typically £50-200/year
Minimal visible difference to users
Rarely necessary for small businesses

Extended Validation (EV)

Rigorous verification of your business
Takes weeks to issue
£200-500+/year
Used to show company name in green (browsers stopped this)
Only valuable for high-security applications (banks, etc.)

Wildcard Certificates

Covers your main domain AND all subdomains
Useful if you have many subdomains (shop.yourdomain.com, blog.yourdomain.com)
Available at all validation levels
Only needed if you use multiple subdomains

How to Get an SSL Certificate

Option 1: Through Your Host (Easiest)

Most modern web hosts include free SSL certificates and install them automatically. This is by far the simplest approach.

Check if your host offers:

Free Let's Encrypt SSL
Automatic renewal
Automatic HTTPS redirect

Popular hosts with free SSL: Vercel, Netlify, SiteGround, Cloudflare, most managed WordPress hosts.

Option 2: Cloudflare (Free)

If your host doesn't provide SSL, you can use Cloudflare's free tier:

Create a Cloudflare account
Add your domain
Update your nameservers
Enable "Always Use HTTPS"

Cloudflare sits between your visitors and your server, providing SSL (and other benefits like CDN and DDoS protection).

Option 3: Let's Encrypt (Free, More Technical)

Let's Encrypt provides free certificates, but installation requires server access and some technical knowledge. Most hosting control panels (cPanel, Plesk) have Let's Encrypt integration that makes this easier.

Option 4: Buy a Certificate (Usually Unnecessary)

You can purchase certificates from providers like DigiCert, Comodo, or GoDaddy. Unless you need extended validation or specific features, there's no security benefit over free certificates.

💸

SSL is free — there's no excuse not to have it

Most modern hosts include free SSL and auto-renewal. If yours doesn't, the fix is simple.

Easiest: your host includes free Let's Encrypt SSL (most do now)

Alternative: use Cloudflare's free tier for SSL + CDN + DDoS protection

Manual: install Let's Encrypt via your hosting control panel

Paid certificates (£50-500/yr) offer no extra encryption — only for extended validation

Common SSL Problems and Solutions

"Not Secure" Despite Having SSL

Cause: Mixed content - your page loads over HTTPS but includes some resources (images, scripts, stylesheets) over plain HTTP.

Solution: Update all internal URLs to use HTTPS, or use relative URLs (starting with // instead of http:// or https://). Your developer can find and fix these.

Certificate Expired

Cause: The certificate wasn't renewed before expiration.

Solution: Renew the certificate. With most hosts using auto-renewal, this shouldn't happen. If it does, check your renewal settings or switch to a host with automatic SSL.

Certificate Not Trusted

Cause: Usually a self-signed certificate (not from a trusted authority) or an incomplete certificate chain.

Solution: Use a properly issued certificate from a trusted authority like Let's Encrypt.

Wrong Domain on Certificate

Cause: The certificate was issued for a different domain (e.g., www.example.com but not example.com).

Solution: Ensure the certificate covers all versions of your domain you use, or set up proper redirects to the version that's covered.

Checking Your SSL Status

Quick Browser Check

Visit your website and look at the address bar. You should see:

A padlock icon (click it for certificate details)
"https://" at the start of the URL
No warnings or error messages

SSL Checker Tools

Use online tools for more detail:

These will identify issues like expiring certificates, weak configurations, or mixed content.

After Installing SSL

Once SSL is working, ensure:

All Traffic Uses HTTPS

Set up a redirect so http:// visitors are automatically sent to https://. Most hosts have a "Force HTTPS" option.

Update Internal Links

Old links within your site might still use http://. Update them to https:// or use relative URLs.

Update External Services

If you use Google Search Console, Google Analytics, or other services, update your website URL to the HTTPS version and verify the new property.

Update Your Sitemap

Regenerate your sitemap to reflect HTTPS URLs and resubmit to Google Search Console.

The Bottom Line

SSL certificates are no longer optional. Without HTTPS:

Browsers warn visitors your site isn't secure
Sensitive data is vulnerable to interception
You lose trust and credibility
You miss a (minor) ranking benefit

The good news: SSL certificates are now free and most hosts install them automatically. If yours doesn't, switching to a host that does is often the simplest solution.

Check your site right now - look for the padlock. If it's not there, make it a priority to fix.

Key Takeaways