Help Guide for SSL Certificates and Basic Website Security: What You Actually Need


SSL, HTTPS, security certificates—it sounds complicated but doesn't have to be. This guide explains what matters for small business website security, what you can ignore, and how to avoid paying for things that should be free.

Written by CTC Editorial Team

What Is SSL/HTTPS?

The Simple Explanation

SSL (Secure Sockets Layer; in practice its successor, TLS) encrypts the connection between your website and your visitors. When enabled, your site address changes from http:// to https:// and browsers show a padlock icon.

What it does:

  • Encrypts data traveling between visitor and website
  • Prevents others from reading that data in transit
  • Verifies that visitors are really talking to your domain, not an impostor
  • Enables browser trust indicators

What it doesn't do:

  • Make your website unhackable
  • Protect your site from all attacks
  • Guarantee your business is legitimate
  • Fix other security problems

Why You Need It

1. Browser warnings

Without SSL, Chrome and other browsers show 'Not Secure' warnings. Visitors leave.

2. SEO impact

Google prefers HTTPS sites. It's a ranking factor.

3. Trust

Customers expect the padlock. Missing it raises concerns.

4. Legal/compliance

If you collect any personal data, encryption is expected (and often required).

5. It's free

There's no excuse not to have it.

Getting an SSL Certificate

Free Options (What Most Small Businesses Should Use)

Let's Encrypt

Free SSL certificates, automatic renewal, widely supported.

  • Cost: £0
  • How to get it: Most hosting providers include it automatically
  • Renewal: Automatic (every 90 days, handled by host)
  • Suitable for: 99% of small business websites

Cloudflare Free SSL

Free SSL through Cloudflare's CDN service.

  • Cost: £0
  • How to get it: Sign up for Cloudflare free tier, add your domain
  • Additional benefit: Also speeds up your site
  • Suitable for: Sites wanting extra features beyond SSL

Paid Options (Usually Unnecessary)

When you might need paid SSL:

  • Extended Validation (EV) certificates for financial services
  • Specific compliance requirements
  • Warranty coverage (rarely relevant)

For most small businesses: Free SSL is identical in security to paid SSL. Don't waste money.

Setting Up SSL

If You're Using a Website Builder

Wix, Squarespace, Shopify, etc. include SSL automatically. You don't need to do anything—it just works.

Check: Your site should show https:// and a padlock. If not, check platform settings or contact support.

If You're Using WordPress/Self-Hosted

Step 1: Check hosting

Most good hosts include free SSL (Let's Encrypt). Look in your hosting control panel for SSL/HTTPS settings.

Step 2: Enable SSL

Usually a toggle or button in hosting settings. May take a few minutes to activate.

Step 3: Update WordPress

In WordPress: Settings > General

  • Change WordPress Address (URL) to https://
  • Change Site Address (URL) to https://

Step 4: Fix mixed content

If some images/resources still load over http://, use a plugin like Really Simple SSL to fix them.

Step 5: Redirect HTTP to HTTPS

Ensure all http:// requests redirect to https://. Most hosts handle this automatically, or Really Simple SSL can manage it.
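To confirm Step 5 actually works, here is an added Python check that is not part of the original guide or of any host's tooling. It follows the redirect chain from an http:// address and reports the common ways a redirect goes wrong: it never reaches https://, it loops, it sends visitors to another host, or it drops the path so every old link lands on the homepage. EXAMPLE_SITE and fake_fetch are constructed stand-ins for real responses.

```python
from urllib.parse import urlparse

# Constructed stand-in for a real fetch: maps a URL to (status, Location header).
# For a live check, replace fake_fetch with urllib.request against your own site.
EXAMPLE_SITE = {
    "http://example.com/about/": (301, "https://example.com/about/"),
    "https://example.com/about/": (200, None),
    "http://example.com/shop/": (301, "https://example.com/"),      # drops the path
    "https://example.com/": (200, None),
    "http://example.com/loop/": (301, "http://example.com/loop/"),  # never reaches https
}

def fake_fetch(url):
    return EXAMPLE_SITE.get(url, (404, None))

def bare_host(netloc):
    # Treat example.com and www.example.com as the same site.
    return netloc[4:] if netloc.startswith("www.") else netloc

def check_https_redirect(url, fetch=fake_fetch, max_hops=5):
    """Follow redirects from an http:// URL and report whether the visitor ends
    up on the https:// version of the same page. Returns (ok, reason)."""
    start = urlparse(url)
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            return False, f"redirect loop at {current}"
        seen.add(current)
        status, location = fetch(current)
        if status in (301, 302, 307, 308):
            if not location:
                return False, f"{status} without Location header at {current}"
            current = location
            continue
        if status != 200:
            return False, f"unexpected status {status} at {current}"
        final = urlparse(current)
        if final.scheme != "https":
            return False, f"final page still served over {final.scheme}"
        if bare_host(final.netloc) != bare_host(start.netloc):
            return False, f"redirected off-host to {final.netloc}"
        if final.path != start.path:
            return False, f"path not preserved: {start.path} -> {final.path}"
        return True, f"{url} -> {current} in {len(seen)} request(s)"
    return False, f"more than {max_hops} redirects"

if __name__ == "__main__":
    for u in ("http://example.com/about/", "http://example.com/shop/", "http://example.com/loop/"):
        print(u, check_https_redirect(u))
```

Run it against a handful of real URLs from your site (homepage, a product page, a blog post), not just the homepage, because hosts that redirect "everything to https://yoursite/" pass the homepage test and fail the rest.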

What About 'Trust Seals' and 'Security Badges'?

The Upsell

You've seen them: badges claiming 'Norton Secured', 'McAfee Secure', 'Trusted Site', etc.

Providers charge £50-500/year for these badges.

The Reality

These badges:

  • Don't make your site more secure
  • Are mostly marketing
  • Provide minimal actual protection
  • Are rarely noticed by visitors

Exception: Some e-commerce sites see conversion benefits from certain badges. But for most small businesses, they're unnecessary expenses.

What Actually Matters

  • Valid SSL certificate (free is fine)
  • Site actually being secure (updates, strong passwords)
  • Contact information visible
  • Privacy policy present
  • Professional design and content

These build trust more than paid badges.

Basic Website Security

The Most Common Attacks

1. Brute force login attempts

Bots try thousands of password combinations to access your site.

2. Vulnerable plugins/themes

Outdated software with known security holes.

3. Phishing/social engineering

Tricking you into giving up credentials.

4. SQL injection/XSS

Exploiting poorly coded forms and inputs.

What You Can Do

Use strong, unique passwords

  • Minimum 12 characters
  • Mix of letters, numbers, symbols
  • Different password for each account
  • Use a password manager (Bitwarden, 1Password)

Enable two-factor authentication (2FA)

  • Adds a second verification step
  • Available on hosting, WordPress, email
  • Use an authenticator app (not SMS if possible)

Keep everything updated

  • WordPress core
  • Themes
  • Plugins
  • Hosting software (usually automatic)

Limit login attempts

  • Use a security plugin (Wordfence, Sucuri)
  • Block IPs after failed attempts
  • Consider changing default login URL

Use reputable plugins/themes

  • Download from official sources
  • Check reviews and update history
  • Remove unused plugins/themes

Regular backups

  • Automated daily/weekly backups
  • Stored off-site (not just on your server)
  • Test that you can restore them

WordPress Security Essentials

Recommended Security Plugins (Choose One)

Wordfence (Free version)

  • Firewall and malware scanner
  • Login security
  • Good free tier
  • Can be resource-intensive

Sucuri (Free version)

  • Security hardening
  • Activity monitoring
  • Malware scanning
  • Less resource-heavy

iThemes Security (Free version)

  • Login protection
  • File change detection
  • Database backups
  • User-friendly

Quick Security Checklist

  • [ ] SSL certificate active (https://)
  • [ ] WordPress, themes, plugins updated
  • [ ] Strong admin password
  • [ ] 2FA enabled on admin accounts
  • [ ] Security plugin installed
  • [ ] Automatic backups configured
  • [ ] Unused plugins/themes removed
  • [ ] Default 'admin' username changed

Common Security Mistakes

Mistake 1: Using 'admin' as Username

Bots try 'admin' first. Use a unique username for your admin account.

Mistake 2: Weak Passwords

'Password123' is not secure. Neither is your company name or birthday. Use a password manager and generated passwords.

Mistake 3: Ignoring Updates

Updates often fix security vulnerabilities. Waiting weeks to update leaves you exposed. Update promptly (but have a backup first).

Mistake 4: Too Many Plugins

Each plugin is a potential vulnerability. Only install what you need. Remove what you don't use.

Mistake 5: No Backups

Sites get hacked. Servers fail. Mistakes happen. Without backups, you lose everything. With backups, you recover.

Mistake 6: Shared Hosting Complacency

On shared hosting, other sites on the same server can affect yours. A compromised neighbour can sometimes compromise you. Choose reputable hosts with proper isolation.

Mistake 7: Ignoring SSL Mixed Content

SSL is enabled, but some resources (images, scripts) still load over http://. This triggers browser warnings and weakens the protection the certificate gives you. Fix it with Really Simple SSL or by updating the URLs manually.
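Step 4 of the WordPress setup and Mistake 7 both come down to finding resources a page still references over http://. As an added example (not from the guide, and not how Really Simple SSL works internally), this Python scanner lists them from a page's HTML and separates the kinds modern browsers block outright (scripts, stylesheets, frames) from the kinds they load with a warning (images, media). SAMPLE_PAGE is constructed to look like a site just switched to https://.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Resources browsers refuse to load over http:// on an https:// page ("active"
# mixed content) versus ones they load but flag in the address bar ("passive").
ACTIVE = {"script": "src", "link": "href", "iframe": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect http:// resource URLs from an HTML document served over https://."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            name = table.get(tag)
            if name and attrs.get(name):
                url = attrs[name].strip()
                # Relative and protocol-relative (//host/...) URLs inherit https;
                # only an explicit http:// scheme is mixed content.
                if urlparse(url).scheme == "http":
                    self.findings.append((severity, tag, url))
        # srcset can carry several candidate URLs for one <img> or <source>.
        for candidate in (attrs.get("srcset") or "").split(","):
            url = candidate.strip().split(" ")[0]
            if urlparse(url).scheme == "http":
                self.findings.append(("passive", tag, url))

def scan_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a WordPress page right after Settings > General was changed
# to https://, with old hard-coded http:// URLs still in the theme and content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/shop/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="http://example.com/wp-content/plugins/slider/slider.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/2023/logo.png">
<img src="//cdn.example.net/hero.jpg" srcset="http://example.com/hero-2x.jpg 2x">
<a href="http://example.com/contact/">Contact</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan_mixed_content(SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```

Plain links (`<a href="http://...">`) are deliberately not reported: they are navigation, not resources, and do not cause mixed-content warnings. Feed the function the HTML you get from fetching your own https:// pages to see what still needs fixing.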

When to Get Professional Help

DIY Is Fine For:

  • Basic SSL setup
  • Installing security plugins
  • Following security best practices
  • Regular updates and backups

Consider Professional Help For:

  • Your site has been hacked
  • You handle sensitive data (financial, medical, legal)
  • You need compliance certification
  • Security audits are required
  • You don't have time to manage it properly

Finding Help

  • Managed WordPress hosting includes security management
  • WordPress security services (Sucuri, Wordfence Premium)
  • Local IT support companies
  • Freelance WordPress security specialists

The Bottom Line

Website security isn't complicated for most small businesses:

1. Get SSL (free through your host)

2. Keep everything updated (WordPress, plugins, themes)

3. Use strong passwords (12+ characters, unique)

4. Enable 2FA (on hosting, WordPress, email)

5. Install a security plugin (Wordfence or Sucuri free)

6. Maintain backups (automated, off-site)

These basics stop the vast majority of attacks. Don't overthink it, don't overpay for unnecessary 'protection', and don't ignore the fundamentals.

Security is about consistent basics, not expensive products.

Frequently Asked Questions


Do I need to pay for an SSL certificate?

No, for almost all small businesses. Free SSL certificates (Let's Encrypt) provide the same encryption as paid certificates. The only reasons to pay are for Extended Validation (company name in address bar—rarely used now) or specific compliance requirements. Free SSL through your hosting provider is the right choice for most businesses.

My hosting provider is trying to sell me SSL. Should I buy it?

Probably not. Many hosts sell SSL for £20-100/year when they could provide free Let's Encrypt certificates. Check if free SSL is available before paying. If your host doesn't offer free SSL, consider whether you're with the right host.

What's the difference between SSL and TLS?

TLS (Transport Layer Security) is the modern successor to SSL. When people say 'SSL', they usually mean TLS. The terms are used interchangeably in practice. Your 'SSL certificate' actually uses TLS. Don't worry about the distinction—they refer to the same thing in common usage.

How do I know if my site is secure?

Basic checks: Does your site show https:// and a padlock? Are WordPress, themes, and plugins updated? Do you have strong passwords and 2FA? Are backups running? Is a security plugin active? For deeper assessment, tools like Sucuri SiteCheck (free) or professional security audits can help.

My site was hacked. What do I do?

First: Don't panic. If you have backups, you can recover. Steps: Take site offline (prevents further damage), restore from a clean backup, update all passwords, scan for malware, update all software, review how it happened. If no backups exist, professional help may be needed. Prevention is cheaper than cure—set up proper backups now.

Is security different for e-commerce sites?

More important, but not fundamentally different. E-commerce adds: payment security (use established processors like Stripe), PCI compliance considerations, more valuable target for attackers, greater customer trust requirements. But the basics remain: SSL, updates, passwords, 2FA, backups. For serious e-commerce, consider professional security review.

About the Author


The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.