It’s been a while since we’ve done an Ask SkyVerge question! This question comes from Sati:
What is the best SSL certificate for WooCommerce? Is there a particular SSL certificate that I should use for my store?
Most of the payment gateways available for WooCommerce will keep customers on your site during the checkout process, and therefore require and SSL certificate to secure your customers’ payment information. However, we recommend that all stores use an SSL certificate anyway, as they protect login information for you and your customers. Without an SSL certificate, these details are sent in plain text to your server and could be intercepted.
First of all, here are a couple of good resources we recommend checking out for payment gateway and SSL information:
You don’t need a certain kind of SSL certificate to use with WooCommerce, so the good news is you’ll be able to choose whichever is most appropriate for your business. There are 3 major kinds of SSL certificates (in order of increasing cost):
- Domain Validation (DV): Setup just checks on who owns the domain and displays the “lock icon” and
https://to site visitors. Quick and easy to install. - Organization Validation (OV): Checks into site ownership and displays the “lock icon” and
https://to site visitors. Takes a bit longer as some company details are vetted. - Extended Validation (EV): Requires in-depth vetting of company ownership and details. Displays the “green bar” over the company name and
https://to site visitors. Takes a couple of days to obtain and costs the most, but illustrates validity and encourages trust (which can lead to higher conversions). Here’s an example of what it looks like:
Extended Validation (EV) SSL Certificate browser display for one of our clients
The only other thing to consider is whether or not you need a Wildcard certificate. Let’s take WooCommerce as an example. Their main site is WooCommerce.com. However, they also have a support site (support.woocommerce.com) and documentation site (docs.woocommerce.com), which are subdomains of their primary domain name. If you purchase a regular SSL certificate, you’ll have to protect each of these domains with a separate SSL cert. If you purchase a Wildcard certificate, you can protect your primary domain along with any subdomains. As some store owners like to locate their store at shop.mysite.com instead of mysite.com/shop/, this can sometimes save money and be easier to manage.
Our favorite place to purchase SSL certificates is DigiCert, though they’re more expensive than most options (starting at $139 / yr). They offer excellent support if you have questions or issues, and also offer free certificate re-issues in case you change DNS services (who keeps the record of your domain name ownership). DigiCert certificates are compatible with almost any browser, and they offer excellent warrantees in case of issues resulting from improper certificates. This protects you if customers suffer damages from improper certification.
If DigiCert is too expensive, we also recommend purchasing from either Namecheap or DNSimple, both of whom resell SSL certificates for a lower price. We also typically purchase all domain names at Namecheap, then switch DNS hosting to DNSimple. SSL certificates from DNSimple start at $20 per year (you must use their DNS hosting already), and certificates from Namecheap start at around $10 per year.
Have other SSL questions? Ask in the comments!
Its nice to see an article about the importance to not only protect payment pages by SSL, but already use SSL on the checkout and login pages as part of the measurements to secure the data your customers provide you.
Concerning the different validation types of SSL certificates, it is important to note that even so all 3 types offer encryption only OV and EV certificates provide authentication.
But why should you care about authentication?
It all comes down to what one needs todo to get an DV, OV or EV certificate:
– DV certificate are issued after a “simple” domain control validation, where you basically prove that you have access to the server which is running your shop.
– OV & EV certificate are issued after you have passed the domain validation and you also have provided verifiable documentation of your company and that documentation must also contain your company address and phone number so that a member of the validation team can check your data and can perform a callback validation by phone.
The end result is that DV certificates can be ordered by anybody that has access to a domain name, while OV & EV certificates require a verifiable person / company to obtain the certificate.
This also means that customers that come to a web shop that use a DV certificate cannot authenticate who is behind the web shop, since the DV certificate only tells them that their data will be encrypted, but not to whom they are actually providing their data and who likes to give their personal data to a stranger?!
On the other side, as a shop owner you could think, I have a customer base that trusts my web shop and I am secure with encrypting their data in transit. Thats fine, but if you then think how easy it is to get a DV certificate and how easy it is to “copy” a web shop look, then you know that your customers trust is vulnerable to an attack…
Therefor the most important thing to consider is how much do you value customer trust and how much risk are you willing to take…
Once you have decided that, the next step is to look at which domain names you want to use SSL with, since there is actually more options to consider then a single domain or wildcard certificate, as you can save money without going on compromise with security.
For example, we at QualitySSL.com offer a unique feature on our single site certificates, as we always issue them to work with and without www, so if you order a QualitySSL certificate for myshop.com we add http://www.myshop.com at no extra cost and vice versa.
The other option is a Unified Communications Certificate, also called a Multi Domain Certificate, which allows you to have up to 100 domain names in one certificate, whereby you have the possibility to start with just 3 domain names and then change or even add domain names during the lifetime of the certificate.
You can read, more about this at
http://www.qualityssl.com/en/products/ssl-certificates/qualityssl-uc-certificate.lasso
So once you have taken the decision to implement SSL on your web shop, I am sure you will find it is money well spent since you will gain customer trust and as a result more sales.
Hey Pascal, thanks for the thoughts & extra detail! Great point about the multi-domain certs as it’s something we didn’t cover.