SSL certificates are one of those things that seem technical but are actually quite simple to understand — and critical to get right. If your website still runs on HTTP rather than HTTPS, you're losing visitors, search rankings, and trust. This guide explains everything.
What is an SSL certificate?
SSL stands for Secure Sockets Layer — a protocol for encrypting internet connections. The modern standard is actually called TLS (Transport Layer Security), but the term SSL is still widely used because it's what people recognise.
An SSL certificate is a digital certificate that:
- Authenticates your website's identity — it confirms you are who you say you are (that visitors are actually on your website, not an imposter site)
- Encrypts the connection — it enables HTTPS, which encrypts data transmitted between your server and the visitor's browser
When a website has a valid SSL certificate, browsers show a padlock icon in the address bar and display the URL with https:// rather than http://.
How HTTPS works
When a visitor arrives at your HTTPS website, a process called the "TLS handshake" happens in milliseconds:
- The browser requests a secure connection from your server.
- Your server sends its SSL certificate to the browser.
- The browser verifies the certificate against a list of trusted Certificate Authorities (CAs).
- If valid, both sides agree on an encryption method and exchange keys.
- All subsequent communication is encrypted with these keys.
The result: even if someone intercepts the traffic between your server and the visitor (a "man-in-the-middle" attack), they see only encrypted gibberish — not passwords, payment details, or personal information.
Types of SSL certificates
SSL certificates come in different validation levels:
Domain Validation (DV)
The simplest type — the CA only verifies that you control the domain. Issued within minutes. Shows a padlock in the browser. Suitable for blogs, landing pages, and most websites. Let's Encrypt certificates are DV.
Organisation Validation (OV)
The CA verifies that your organisation is a legitimate legal entity. Takes 1–3 days. Shows the padlock. Used by businesses that want to demonstrate a higher level of trust than DV. OV certificates cost £50–200/year from commercial providers.
Extended Validation (EV)
The most rigorous — extensive identity checks on the organisation. Takes days to weeks. Previously showed the organisation name in a green bar in Chrome (that feature was removed in 2019, reducing EV's visual advantage). Still preferred by banks and financial institutions. Most expensive option.
Wildcard SSL
Covers a domain and all its subdomains (*.yourdomain.com). Useful if you run multiple subdomains (shop.yourdomain.com, blog.yourdomain.com, etc.).
Why your website needs HTTPS
- Browser warnings — Chrome, Firefox, and Safari all display "Not secure" warnings for HTTP pages that collect any form of input (login, contact forms, etc.). These warnings deter visitors and destroy trust.
- Google ranking — HTTPS has been a confirmed ranking signal since 2014. It's a relatively minor factor, but in competitive niches, it matters.
- User trust — the padlock icon signals security to users. Its absence signals risk.
- Data protection — if you collect any personal data (names, emails, payment information), HTTPS is a legal requirement under GDPR in the UK and EU.
- Referrer data — analytics tools like Google Analytics strip referrer information when traffic goes from HTTPS to HTTP. This means traffic from HTTPS sites to your HTTP site appears as "direct" traffic in your reports — losing valuable attribution data.
SSL and SEO
Google confirmed in 2014 that HTTPS is a ranking factor. While it's described as a "lightweight signal," it's been growing in importance over time.
More importantly, there's an indirect SEO impact: HTTP sites that display browser security warnings have higher bounce rates. Users who see "Not secure" tend to leave immediately — and high bounce rates signal to Google that the page isn't serving users well.
If you're migrating from HTTP to HTTPS, make sure to:
- Set up 301 redirects from all HTTP URLs to their HTTPS equivalents
- Update your canonical tags to point to HTTPS URLs
- Update your XML sitemap to use HTTPS URLs
- Update your Google Search Console property to the HTTPS version
- Update any hardcoded internal links in your content
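A check for the first item in that list, added here as an example rather than taken from the original article: it classifies the first response each HTTP URL gives, so temporary redirects and "everything goes to the homepage" rules show up before search engines see them. The verdict names, the `yourdomain.com` URLs and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = (301, 308)   # 308 is the other permanent status; the checklist names 301
TEMPORARY = (302, 303, 307)

def fetch_redirect(url, timeout=5.0):
    """Send one plain-HTTP HEAD request and return (status, Location) unfollowed."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def _key(parts):
    # What "equivalent URL" means here: same host, path and query string.
    return (parts.hostname, parts.path or "/", parts.query)

def judge_redirect(http_url, status, location):
    """Classify the first response to an HTTP URL."""
    if status not in PERMANENT + TEMPORARY:
        return "no-redirect"          # page is still served over HTTP
    source = urlsplit(http_url)
    target = urlsplit(urljoin(http_url, location or ""))
    if target.scheme != "https":
        return "not-https"
    if _key(target) != _key(source):
        return "wrong-target"         # e.g. every URL sent to the homepage
    return "ok" if status in PERMANENT else "temporary"

def audit(urls, fetch=fetch_redirect):
    """Return {url: verdict}; pass a fake fetch to run without a network."""
    return {url: judge_redirect(url, *fetch(url)) for url in urls}

# Constructed responses standing in for a live server.
SAMPLE_RESPONSES = {
    "http://yourdomain.com/": (301, "https://yourdomain.com/"),
    "http://yourdomain.com/blog/post?ref=a": (302, "https://yourdomain.com/blog/post?ref=a"),
    "http://yourdomain.com/shop/item": (301, "https://yourdomain.com/"),
    "http://yourdomain.com/contact": (200, None),
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES, fetch=SAMPLE_RESPONSES.get).items():
        print(verdict, url)
```

A changed hostname (for example adding `www.`) is reported as `wrong-target` so that it gets reviewed rather than silently accepted.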
How to get an SSL certificate
Option 1: Let's Encrypt (free) — Let's Encrypt is a non-profit Certificate Authority that provides free DV certificates. Most major hosting providers (Cloudways, SiteGround, WP Engine, cPanel hosts) offer one-click Let's Encrypt installation. If your host doesn't, you can install it manually via Certbot.
Option 2: Cloudflare (free) — If you use Cloudflare (which you should — it's free and excellent), it provides a free SSL certificate automatically when you add your domain. Cloudflare terminates the visitor's HTTPS connection and also handles the HTTPS-to-HTTP hop between Cloudflare and your origin server, meaning that hop runs over plain HTTP.
Option 3: Commercial SSL — For OV or EV certificates, purchase from providers like DigiCert, Sectigo, or GlobalSign. Your domain registrar or hosting provider may also offer SSL certificates, though they're often the same underlying certificates at a markup.
How to verify your SSL is working
To verify your SSL certificate is correctly installed:
- Visit your site in a browser — look for the padlock icon and https:// in the address bar
- Click the padlock to see certificate details (issuer, expiry date)
- Use SSL Labs' free SSL Test (ssllabs.com/ssltest/) for a comprehensive report on your SSL configuration
- Run our free website audit which checks SSL status automatically
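The same check as clicking the padlock, scripted so it can run on a schedule (an added example, not code from the original article). `fetch_cert` performs a fully verified handshake, and `summarize_cert` reports the issuer, the covered names and the days left; the 21-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake with full verification and return the certificate as a dict.

    create_default_context() checks the chain against the system's trusted CAs
    and the hostname against the certificate; a failure raises
    ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def summarize_cert(cert, now=None, warn_days=21):
    """Reduce a getpeercert() dict to issuer, covered names and days left."""
    now = time.time() if now is None else now
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        status = "expired"
    elif days_left < warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return {"issuer": issuer.get("organizationName") or issuer.get("commonName"),
            "names": names, "days_left": days_left, "status": status}

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
}

if __name__ == "__main__":
    # Live use: print(summarize_cert(fetch_cert("yourdomain.com")))
    print(summarize_cert(SAMPLE_CERT,
                         now=ssl.cert_time_to_seconds("Mar 22 00:00:00 2025 GMT")))
```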
Mixed content warnings
A common issue after migrating to HTTPS: your site loads over HTTPS but still references some resources (images, scripts, stylesheets) via HTTP URLs. This is called "mixed content" and browsers either block the insecure resources or show a warning.
To fix mixed content: search your content and theme files for http:// references and update them to https://. For WordPress, plugins like Better Search Replace can update URLs in your database. Chrome DevTools Security tab will highlight any mixed content issues.
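One way to find the remaining http:// references in a rendered page, added here as an example and not part of the original article. It separates resources browsers block (scripts, stylesheets, iframes) from those that produce the warning (images and media), and lists plain links and canonical tags separately because they are not mixed content but still need updating. The category names and the sample page are constructed.

```python
from html.parser import HTMLParser

ACTIVE = {"script": "src", "iframe": "src"}    # blocked outright by browsers
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect (category, tag, url, line) for every http:// reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheets are fetched as page resources; rel="canonical"
            # is metadata, so it is listed as a link to update instead.
            rels = attr_map.get("rel", "").lower().split()
            attr, category = "href", "active" if "stylesheet" in rels else "link"
        elif tag in ACTIVE:
            attr, category = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, category = PASSIVE[tag], "passive"
        elif tag == "a":
            attr, category = "href", "link"
        else:
            return
        url = attr_map.get(attr, "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((category, tag, url, self.getpos()[0]))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed page, as it might look just after a migration.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://yourdomain.com/post">
<link rel="stylesheet" href="http://yourdomain.com/theme.css">
<script src="https://yourdomain.com/app.js"></script>
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://yourdomain.com/uploads/hero.jpg">
<img src="/uploads/logo.png">
<a href="http://yourdomain.com/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url, line in scan(SAMPLE_PAGE):
        print(f"line {line}: {category:7} <{tag}> {url}")
```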
Also read our website security checklist for more steps to protect your site.