A long time ago, SSL/TLS was only used for e-commerce sites. Nowadays, every website is expected to use HTTPS with a signed certificate. But how do you get that configured for free? Luckily, you have a few options.
In order to get HTTPS to work, your website needs an SSL certificate that is unique and verified (a.k.a. signed). This is because HTTPS ensures not only that the connection is encrypted, but also that the site is legitimate. Should an attacker on your local network try to intercept an HTTPS connection, your browser will warn you because it will realize the certificate is not verified. For a long time, you needed to pay to get a valid SSL certificate. But that’s not the case anymore. While there are likely many more methods to get a free SSL certificate, I will be focusing on Let’s Encrypt and Cloudflare. Both options have their pros and cons, so hopefully this post will help you decide which is right for you.
Let’s Encrypt is the first free CA, or Certificate Authority: the organization that issues your certificate and vouches for it. They are a non-profit, funded by many big corporations, including Google and Mozilla. The certificates they provide are valid for only 90 days, but are meant to be renewed automatically. Many WordPress hosting providers offer an option for this in cPanel, while others don’t have this option quite yet.
Unfortunately, the host I chose for this site, Namecheap, does not offer native Let’s Encrypt support. What they offer instead is a free certificate for the first year, and then just $9 per year after. Overall, this is still cheaper than other shared hosting providers, but I digress. Should you also be on a host that doesn’t offer Let’s Encrypt support, you still have a few options. cPanel lets you paste in your own SSL certificate. This means that you can simply get your Let’s Encrypt certificate from another server and copy it into cPanel. Many shared hosting providers also now offer a feature called Jailed SSH access. You can use that in combination with acme.sh, a shell script that makes generating a Let’s Encrypt certificate easy. You then just copy and paste the certificate into cPanel once every 90 days. While this is less than ideal, it is free, and isn’t that much work.
With this method, you can get all the benefits of using HTTPS without needing to pay for it.
How to set this up
The simplest way is to install and run acme.sh. It supports wildcard certificates, but the easiest method is probably its webroot mode. This mode only requires you to point it at your website’s document root, and it will generate the certificate for you. From there, you just need to copy and paste it into cPanel if you’re on shared hosting.
Note About Let’s Encrypt
While Let’s Encrypt is definitely a great option, it may be annoying for some since the certificates are only valid for 90 days. If you want certificates that last longer, I suggest taking a look at Namecheap’s offerings. Their cheapest SSL certificate is just $9 and covers your bare domain name and its www version. While they do offer wildcard certificates, they are considerably more expensive. But if you’re like me, and just have a www version of your site, it’s a great option.
Cloudflare also offers a way to get free SSL certificates, which doesn’t require manually copying and pasting keys if Let’s Encrypt is not supported by your web host. Another reason to use Cloudflare is that you don’t have to worry about renewing the certificate, as they will do that for you. Cloudflare acts as a proxy and CDN for your website, making your site faster, while also protecting you against DDoS attacks. On top of that, they also offer two viable ways to get HTTPS for free: “Flexible SSL” and “Full SSL”.
Please keep in mind that using Cloudflare means that you can’t see the visitor’s real IP without installing their plugin. It’s also worth noting that using Cloudflare will require you to change your DNS records to point at them, and not all hosts have the Cloudflare cPanel addon. Without the cPanel addon, you will have to log in to Cloudflare each time you want to make DNS changes, instead of making your changes in cPanel.
Flexible SSL is the easiest to set up, but also the less secure of the two options. According to the Cloudflare documentation, Flexible SSL is:
A secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled.
Basically, the connection between Cloudflare and your website visitor is encrypted with TLS, but the connection between Cloudflare and your server is over plain HTTP. This is extremely easy to set up, and doesn’t require any setup on your host. However, there are some problems:
This option is not recommended if you have any sensitive information on your website. This setting will only work for port 443->80, not for the other ports we support... It should only be used as a last resort if you are not able to set up SSL on your own web server.
In other words: DO NOT use this if you process personal info such as payment information. However, for most WordPress sites, this should work fine because the most personal information you process is emails.
There is also the risk of redirect loops, so configure your HTTP to HTTPS redirect in Cloudflare only, not on your web server. The problem with redirects to HTTPS on your web server is that Cloudflare connects to your site with “http://”, even though the visitor is on “https://”. Your web server redirects to “https://”, which the visitor is already on, but Cloudflare still connects over “http://”, causing an infinite redirect loop. If you’re on WordPress, this can be solved by installing the Cloudflare plugin.
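To make the loop concrete, here is a small Python model of it, added here as an example and not taken from the original post or from Cloudflare: a naive origin redirect rule loops forever behind Flexible SSL, while a rule that reads the visitor’s real scheme from the X-Forwarded-Proto header Cloudflare sends does not. The hostnames and request flow are constructed; only the header name is real.

```python
"""Constructed model of the Flexible SSL redirect loop and its header-based fix.
Under Flexible SSL the visitor speaks HTTPS to Cloudflare, but Cloudflare always
fetches the origin over plain http and reports the visitor's real scheme in the
X-Forwarded-Proto request header (a header Cloudflare really sets)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    path: str
    scheme: str                    # scheme of the hop that reached the origin
    headers: dict = field(default_factory=dict)


def naive_redirect(req):
    """Origin rule that loops behind Flexible SSL: redirect whenever *our* hop is http."""
    if req.scheme == "http":
        return 301, f"https://{req.host}{req.path}"
    return 200, None


def proxy_aware_redirect(req):
    """Fixed rule: decide on the visitor's scheme as reported by the proxy.
    Trust X-Forwarded-Proto only for requests that really came from Cloudflare
    (e.g. by filtering on its published IP ranges); otherwise any client could
    send the header to skip the redirect."""
    visitor_scheme = req.headers.get("X-Forwarded-Proto", req.scheme)
    if visitor_scheme == "http":
        return 301, f"https://{req.host}{req.path}"
    return 200, None


def browse_via_flexible_ssl(url, origin_rule, max_hops=10):
    """Follow redirects as a visitor behind Cloudflare Flexible SSL would.
    Returns ("ok", hops) once the origin answers 200, or ("redirect-loop", hops)
    if max_hops redirects were followed without success."""
    for hop in range(1, max_hops + 1):
        visitor_scheme, rest = url.split("://", 1)
        host, _, path = rest.partition("/")
        # The Cloudflare -> origin hop is always plain http under Flexible SSL.
        req = Request(host, "/" + path, "http", {"X-Forwarded-Proto": visitor_scheme})
        status, location = origin_rule(req)
        if status == 200:
            return "ok", hop
        url = location
    return "redirect-loop", max_hops
```

Under Full SSL the same naive rule works, because the Cloudflare-to-origin hop is then https; the header-aware rule behaves correctly in both modes.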
The more secure, nearly as easy option is Cloudflare’s Full SSL. Full SSL is
A secure connection between your visitor and Cloudflare, plus a secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with at least a self-signed certificate. The authenticity of the certificate is not verified.
Basically, the connection between Cloudflare and your visitor is TLS encrypted, and the connection between Cloudflare and your server is TLS encrypted, but not verified. This means you need HTTPS working with any SSL certificate, valid or not. Even with an invalid certificate, your visitors will only see the valid Cloudflare-generated one. For many hosts, cPanel automatically creates a self-signed certificate for every domain. So, if you can access your site over HTTPS, even if you get a big red warning in your browser, you can use Full SSL.
There is also Full SSL (Strict), but this doesn’t help in getting HTTPS, as it requires your server to have HTTPS with a valid SSL certificate in the first place. This is mainly used if you already have a valid certificate and want to use Cloudflare for its other features. It is also more secure, since verifying the origin certificate makes it harder to intercept traffic between Cloudflare and your website.
Always try the options going from most secure to least secure until your website works:
Let’s Encrypt or Cloudflare?
If you can change your DNS settings, using Cloudflare can be easier in the long term. However, you will lose the ability to edit DNS settings via cPanel in some cases, so it may not be worth it. If you can’t change your DNS settings, or don’t want all traffic to go through Cloudflare, stick with Let’s Encrypt. If integrated properly, it requires very little work and maintenance to secure your site.
Let me know any other options I may have missed in the comments.