WooCommerce SSL – Securing Your Store
If you’re setting up a store you might have noticed that there are some specific WooCommerce SSL settings. Likewise, many payment gateways (such as Stripe and other credit card processors) need WooCommerce running over HTTPS to work.
So do you need an SSL certificate for your WooCommerce store? And if so, where do you get one and what other things do you need to know?
Well, for starters, if you’re just using WooCommerce out of the box with standard PayPal, payments are shifted off to their site and technically speaking you don’t need an SSL certificate.
But for many other payment gateways, you will need an SSL certificate to take payments securely.
SSL certificates also provide a level of trust for consumers because over many years of buying things online we’ve been trained to subconsciously look for the little lock icon or green bar in your browser’s address bar before hitting “pay”.
So is a WooCommerce SSL certificate worth the trouble?
I’m going to make the case that yes, you should install an SSL certificate for WooCommerce stores that take payments online even if your payment processor doesn’t require it.
This article will go through everything you need to know as a store owner about WooCommerce SSL. At the end of it, you’ll have a pretty good idea about whether you need one for your store or not.
What Is The Difference Between WooCommerce SSL & WooCommerce HTTPS?
Let’s do a bit of edu-ma-cation for the uninitiated :)
Comparing SSL and HTTPS is a bit hard because they’re on two different layers. Without getting too technical, I’ll try to explain the difference in layman’s terms.
SSL stands for Secure Sockets Layer. It is used to provide a secure connection between your computer and the web server.
HTTPS stands for Hypertext Transfer Protocol (Secure). It is basically the combination of SSL and the HTTP protocol, which is what your browser uses to look up pages on the internet. In other words, HTTPS uses SSL to create a secure HTTP connection.
Another way to think of the difference is how the protocols stack on top of each other. This StackOverflow answer describes it well:
In regular, non-encrypted HTTP, the protocol stack can look like this:
When using HTTPS, the stack looks like this:
- TLS (SSL)
Is WooCommerce Secure?
WooCommerce is one of the most stable and sophisticated e-commerce platforms to run your store on.
As the most prominent e-commerce plugin running on the most prominent content management system (WordPress) in the world, there is a huge focus on security.
While no system is infallible, WooCommerce is updated frequently and is audited for security on a regular basis.
WooCommerce PCI-DSS Compliance
You might have heard of the term “PCI Compliance”, so I thought I’d add a quick word about PCI compliance and WooCommerce to clear up a few myths.
PCI-DSS stands for Payment Card Industry Data Security Standard. It’s often referred to as just PCI.
While WooCommerce core itself is not PCI-DSS certified, that does not mean it isn’t secure.
The most common misconception is that the software itself needs to be PCI compliant. However, it is the responsibility of the site owner to ensure their website meets all the PCI certification requirements (if it is indeed required), not WooCommerce.
PCI Compliance is mostly about how payment data is stored and communicated.
You can use WooCommerce and be PCI compliant. The compliance part often comes down to the web host and the payment gateways being used.
Do you need to be PCI compliant?
If you are taking payments off-site by using a gateway that uses its own servers to take payments (Authorize.net, PayPal, Stripe, etc.) then you are not transmitting card data and do not need to take steps to comply. These companies take care of compliance for you.
If you are coding your own merchant gateway and transmitting data directly to a merchant account, then yes, you do need to be certified.
Can You Run WooCommerce Without SSL?
Yes, you can run WooCommerce without having an SSL certificate.
WooCommerce itself is all about managing product data and taking orders, and it doesn’t actually require a secure protocol to do that.
Additionally, if you’re using a payment gateway that takes care of the security side for you, such as PayPal Standard, then you don’t need an SSL certificate to take payments for your orders. Customers are transferred off-site, complete their payment, then they are transferred back to your site to see their completed order details.
Should you still get an SSL certificate? Now you’re asking the right questions!
I personally believe that any site can increase its perceived trust by installing an SSL certificate. So even if you don’t strictly require one, I urge you to consider installing one anyway.
WooCommerce SSL Certificate
Is there a specific SSL certificate for WooCommerce that you need to get? No, there is no such thing as a WooCommerce SSL Certificate.
You can use any SSL certificate for WooCommerce stores because SSL is installed at the server level and actually doesn’t have much to do with the setup of your store at all.
What Is The Cost For An SSL Certificate?
Costs vary depending on the type of SSL certificate. You might have noticed that some certificates can cost up to thousands a year while others are quite cheap.
Why is that exactly? Well, it is a bit of a tricky answer.
The short story is that vendors can charge whatever they want for an SSL certificate. Some hosts even give it away for free now.
The main reason some certificates cost thousands is that the more expensive SSL certificates come with a level of insurance. This can help provide some protection against fraud.
For most basic stores, you won’t need an SSL certificate that costs more than $100 a year. If you are paying more than that, shop around for a cheaper one. Or ask your host if they provide one for free.
There’s a number of hosts that offer free SSL with their hosting plans such as:
How Do You Install An SSL Certificate Into Your WooCommerce Store?
An SSL certificate is not installed in WooCommerce itself, or even in WordPress. You install it on your web server.
Most web hosts will install your SSL certificate if you forward them the correct information.
If you are using a cPanel server control panel you can actually do it yourself by following these simple instructions:
First, you’ll need to buy your SSL certificate. I recommend you look at somewhere like Namecheap.com who sell certificates quite affordably. Once the certificate has been issued and activated, you will have access to (or have been emailed) the certificate files needed for install.
1. Log in to your cPanel and click on SSL/TLS Manager in the Security section:
2. Next, click on “Manage SSL Sites”
3. Open the certificate file (.crt) in Notepad (or TextEdit on Mac) and copy the certificate data including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and paste it into the “Certificate: (CRT)” area.
4. Click on the Autofill by Certificate button.
5. Click on the “Install Certificate” button and you’re all done.
This should have successfully installed your certificate. If you ran into problems, submit a support ticket with your host as there might be additional steps required.
How To Make Your Site Show As HTTPS instead of just HTTP
Next, you will need to get your site showing as https protocol instead of http. Only do this after you have correctly installed your certificate.
You can check by trying to visit your website using https instead of http at the start. If you see an error, then the certificate is not installed correctly yet – contact your host.
There are two ways to make your site display as HTTPS by default:
- You can export your database using something like WP Migrate DB. This plugin lets you export your website’s database and change the URLs stored in the database to https instead of http while you do it. Once you have exported, reimport it so you are now running your site on the new https URLs. If you are a developer I suggest this option but make sure you take a database backup!
- You can install a plugin like WordPress HTTPS (SSL) and follow the instructions. I suggest entering * in the URLs field to apply the change sitewide. You can selectively do certain pages if you wish (this might cause issues down the track). Once done, the plugin will ensure all of your http URLs are redirected to the https version. It will also attempt to fix any URLs to images and scripts on the page too.
If you have difficulty with this, it might be easier to get a web developer involved for an hour or two to tidy up any insecure resource errors and make sure it’s all working as it should.
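The "insecure resource" errors mentioned above come from pages served over HTTPS that still reference images, scripts, stylesheets or form targets over plain http. As an added example (not part of the original article or of any plugin it names), the following Python scanner lists those references in a page's HTML; the shop.example store and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch from, or submit to, a URL.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "embed": ("src",), "object": ("data",),
    "img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
    "link": ("href",), "form": ("action",),
}
# Browsers block active mixed content; passive content (images, media) is
# auto-upgraded or loaded with a warning instead.
PASSIVE_TAGS = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # this example only checks stylesheet links
        for name in FETCH_ATTRS.get(tag, ()):
            # Resolve relative and protocol-relative URLs against the HTTPS page.
            resolved = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if urlparse(resolved).scheme == "http":
                kind = "form" if tag == "form" else "passive" if tag in PASSIVE_TAGS else "active"
                self.findings.append((self.getpos()[0], tag, kind, resolved))


def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample markup for a hypothetical store at shop.example.
SAMPLE_HTML = """<link rel="stylesheet" href="http://shop.example/wp-content/themes/store/style.css">
<script src="//cdn.example/jquery.js"></script>
<a href="http://partner.example/">Partner</a>
<img src="http://shop.example/wp-content/uploads/logo.png">
<form action="http://shop.example/checkout/" method="post"></form>"""

if __name__ == "__main__":
    for line, tag, kind, url in scan(SAMPLE_HTML, "https://shop.example/checkout/"):
        print(f"line {line}: <{tag}> {kind} -> {url}")
```

Ordinary `<a href="http://...">` links are navigation rather than mixed content, so the scanner ignores them. A checkout `<form>` that still posts to an http URL is reported separately because the submitted fields would leave the browser unencrypted.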
WooCommerce SSL Seal
An SSL seal is a small verification image that you can display on your store to let people know that your store is secure.
Do you need one? While it’s not necessary to have a special WooCommerce SSL seal, you might like to look into including at least some basic indicators that your store is secure.
Adding visual information, especially to the checkout screen, that indicates that your store is secure can increase the perceived trust of your store in your customer’s eyes dramatically and have a positive effect on sales.
An SSL seal can be added to the footer of your site, or just on the checkout page. You can also add more visual cues such as payment icons, little lock icons, and other non-security related details like your phone number and street address. These all add to the legitimacy of your store.
I hope that this article has convinced you to explore adding SSL to your WooCommerce store. If you went through the process and secured your store, tell us about it in the comments! We’d love to hear about how it improved your sales or brought about more trust with your customers.
6 thoughts on “WooCommerce SSL – A Guide To Securing Your WooCommerce Store”
Thanks. Good article. Today all WooCommerce websites should use SSL.
Thanks Sergeo! 100% agree! :)
Updated in October 2018, after SSL was made no longer a valid protocol when securing a site for payments. Should TLS 1.1 or higher not be in place now as standard and you should be steering customers away from SSL?
The security flaws in SSL which have been known for a number of years are staggering. Yet the article is still pushing it as suitable towards PCI compliance? A site using it wouldn’t make it through an assessment, especially following June 30th 2018 where it’s no longer a viable security protocol.
With SSL in place there is still a possibility that a MIM attack could take place and even if that WooCommerce link takes the consumer away from the website, it could be changed to take the consumer to a near identical page that captures the card data. Whereas if TLS 1.1 or higher is implemented, it would reduce the chance of anyone doing so.
You are right, SSL was superseded by TLS. However I use the wording SSL here in the context of “certificates”. Certificates and protocols are different things, so just trying to simplify using common language. Certificates for SSL/TLS are commonly referred to by store owners as SSL certificates hence why. But yes, technically you are 100% correct :)
Hey Josh, Great post. This post will definitely help in implementing SSL. Siteground is indeed the best suggestion here!