WooCommerce powers about 22% of the global ecommerce industry.
All the ease, simplicity and extensibility of WooCommerce come at a cost. It is a favorite target of cybercriminals, and WordPress website owners often see attacks ranging from malware to DDoS to dedicated brute force login attacks.
Given this, WooCommerce store security is a serious concern for developers and site owners. You can find a host of dedicated advice on WooCommerce security, but often the simplest ideas work the best. A time-tested (and essential for business) WooCommerce security tip is installing SSL certificates on your store.
Now, many store owners think installing SSL certificates is something best left to the developers. If this is the case with you, this guide is for you. In it, you will learn what SSL and HTTPS are, and how you can easily add SSL certificates to your WooCommerce store.
- What Is SSL?
- Why SSL is Important for WordPress Websites
- SSL for WooCommerce Stores
- Why Do WooCommerce Stores Require an SSL Certificate?
- Benefits of SSL Certificate
- Offer Your Customers a Secure Environment
- Easiest Way to Get SSL Certificates
- How to Deploy an SSL Certificate on WooCommerce Stores for Free
- How to Add Paid SSL Certificates on WooCommerce Store
What Is SSL?
Secure Sockets Layer (SSL) is a security protocol layer that sits between the browser and the web server and ensures that all communication between the two endpoints is encrypted, private and secure.
Have you noticed that the address of some sites starts with http://, while others start with https:// and have a green padlock?
The green padlock and https:// means that there is an SSL certificate installed on the site.
Why SSL is Important for Websites
The SSL certificate is an integral and important factor in getting high rankings in Google SERPs. In fact, Google shows a clear bias for SSL-enabled WooCommerce stores. This is a clear signal that security is a long-standing issue for the ecommerce industry and that Google is taking SSL certification on WooCommerce stores very seriously.
To reinforce the point, Google’s Chrome started marking non-SSL enabled sites as ‘Not Secure’ from October 2017. This means that if there is no SSL certificate on your store, you stand to lose a significant chunk of Chrome users, who will see your store marked in red.
“Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS,” said Emily Schechter from the Chrome Security Team.
SSL for WooCommerce Stores
According to BuiltWith, among the top 1 million ecommerce sites WooCommerce takes the highest percentage, and that’s why it is the most popular ecommerce platform.
NOTE: SSL certificates are available to all Shopify offers; for WooCommerce, that totally depends on your hosting provider.
For a detailed comparison between WooCommerce & Shopify read this article.
By going online, store owners can now reach audiences far and wide using digital advertising media such as Google Adsense and Facebook Advertisement. This means that the need to advertise products physically is effectively minimized.
Due to this increase in online stores, transactions between sellers and buyers are moving from physical to digital payment options including online banking, credit cards, bitcoins, and other confidential payment gateways.
One of the things that new ecommerce store owners can overlook is the security of the store. In this post, I will highlight the importance of using SSL certificates with online stores. These certificates change the underlying protocol to HTTPS and secure the sessions of the customers at the store.
Why Do WooCommerce Stores Require an SSL Certificate?
All communication over a traditional HTTP connection is sent in plain text, so any attacker who manages to break into the connection between the user and the website can read it. In the case of an order, a cart, or a form with login credentials, the attacker can easily gain access to the information because it is in plain text and is easily readable.
With an https:// (SSL) connection, the communication between the browser and the website is encrypted. Even if an attacker manages to break into the connection, the encryption layer denies access to the information.
Benefits of SSL Certificate
There are many benefits to having an SSL-certified ecommerce store:
- Customer information, such as credit card numbers, is encrypted, so an attacker who intercepts the traffic cannot read it.
- Visitors can verify that you are a registered business and that you own the domain.
- Customers are more likely to trust and complete purchases from sites that have an SSL certificate.
In addition, if a non-HTTPS page collects passwords or credit card information, Chrome will mark it as Not Secure.
Offer Your Customers a Secure Environment
Customers value their privacy and security. Thus, if your store is not secured with an SSL certificate, you are losing potential customers. An SSL certificate is an important component of a broader store security policy. When visitors click on the padlock icon, a popup notification tells them that the site is secured with an SSL certificate.
If you are not providing an SSL certificate, the visitors will see a notification that the connection to this site is not secure.
If your site has no HTTPS, then not only is your customers’ data insecure, but there are also significant threats to the integrity of the store itself.
Easiest Way to Get SSL Certificate
So what is the easiest way to get an SSL certificate? You could thank the good people at Let’s Encrypt who provide FREE SSL certificates for online stores.
Why Let’s Encrypt?
To prevent online data theft, a few security specialists launched an open-source platform called Let’s Encrypt to secure the link between the client’s browser and the server. It ensures that the client’s correspondence is encoded and secure over the Internet.
The Let’s Encrypt team defines Let’s Encrypt as:
“Let’s Encrypt is a free, automated, and open Certificate Authority.”
When you protect your site with a Let’s Encrypt SSL certificate, a green padlock appears in the address bar, and the URL then starts with HTTPS:// instead of HTTP://
Secure WooCommerce Stores With Let’s Encrypt Free SSL Certificates
We at Cloudways always take care of our customers’ online privacy and security. Back in 2016, we integrated Let’s Encrypt certificates into our platform and offered a 1-click installation on all applications, and recently we introduced a single SSL certificate for multiple domains. This feature is very useful if, for example, you run a WordPress Multisite network. Here is the guide on how you can add SSL on a WordPress Multisite network.
How to Deploy an SSL Certificate on WooCommerce Stores for Free
Cloudways, a Managed WooCommerce Hosting Platform, provides a free SSL certificate to its users, so I am using Cloudways as an example. I assume that you have already signed up on Cloudways, set up the server and application with WooCommerce installed, and pointed your domain. If not, I would suggest following this guide to launch your server and application on Cloudways.
Issue Let’s Encrypt WooCommerce SSL Certificate
Under the Application tab, you can see all the applications listed.
Add SSL to WooCommerce for Single Domain
Navigate to your WooCommerce application, and then tap on SSL Certificate in the left-hand menu. Enter the email address and primary domain name, and hit the Install Certificate button. It will take only a few moments to install SSL on the WooCommerce store.
Note: Before attempting to add an SSL certificate, make sure the domain is working and propagated properly, otherwise the attempt to install the certificate will fail.
Add SSL to WooCommerce for Multiple Domains
To add a single SSL certificate on multiple domains, click on the Add Domain button. Another text field will appear where you can enter another domain name associated with your particular application. By repeating the process, you can add as many domain names as you want. Once done, click on the INSTALL CERTIFICATE button.
Get Free Wildcard SSL Certificate for Subdomains
Let’s Encrypt announced support for Wildcard SSL certificates back in March 2018, and we have integrated the same into the Cloudways platform as well.
You can see that a checkbox option is available next to the domain name. You just need to check the checkbox to get a Wildcard SSL certificate by Let’s Encrypt. It takes a few seconds to provide you with the CNAME record that you must add at the domain registrar.
Next, go to your domain provider’s website, log in with your domain registrar ID, and add a CNAME record like the one below:
- Type: CNAME
- Host: _acme-challenge
- Value: Your WordPress staging URL
Once done, go back to your Cloudways account > SSL Certificate tab and click on Verify DNS. It will cross-check the settings and notify you accordingly. Then, click on the INSTALL CERTIFICATE button to get a free SSL certificate for WooCommerce.
Note: If you generated a Let’s Encrypt SSL certificate before the free Wildcard SSL announcement on Cloudways (Aug 2018), you need to Revoke the certificate to get the Wildcard SSL by Let’s Encrypt.
By default, Let’s Encrypt certificates expire in 90 days, after which you have to regenerate them. But, with Cloudways, you only need to Enable the auto renewal option. You can also renew the certificate manually by clicking on the “Renew Now” button. To remove an SSL certificate, click on the Revoke button.
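After installing a multi-domain or wildcard certificate, it is worth confirming that it actually covers every hostname the store uses and that renewal is happening well before the 90-day expiry. The following is an added example, not Cloudways or Let’s Encrypt code; the hostnames, the sample certificate and the 30-day renewal threshold are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live site as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """True if a SAN entry covers hostname; '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.store.example' covers neither the apex nor a.b.store.example
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse overly broad patterns such as '*.example'
    return p == h

def audit(cert, required_names, now, renew_before_days=30):
    """Return (uncovered_names, days_left, needs_renewal) for a getpeercert() dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    uncovered = [n for n in required_names
                 if not any(name_matches(s, n) for s in sans)]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    return uncovered, days_left, days_left <= renew_before_days

# Constructed sample in the format ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.store.example"), ("DNS", "store.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",   # 90 days after notBefore
}

if __name__ == "__main__":
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    wanted = ["store.example", "www.store.example", "pay.eu.store.example"]
    # For a live store: audit(fetch_cert("your-domain"), wanted, datetime.now(timezone.utc))
    print(audit(SAMPLE_CERT, wanted, now))
```

A wildcard entry only covers one level of subdomain, so the bare domain and any deeper subdomain must be added to the certificate separately.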
How to Add Paid SSL Certificates on WooCommerce Store
In this section, I will tell you about paid SSL certificates. First, you must navigate to the SSL Certificate tab and create a Certificate Signing Request (CSR). Next, you must submit that to your chosen SSL Certificate provider.
Next, toggle the switch from Let’s Encrypt SSL Certificate to Custom certificate.
Next, click the Create CSR button and fill the form, then submit.
Note: If you want to use a single certificate on multiple domains, mark the checkbox where it says SAN and add the domain names in the form.
After you successfully submit the form, the CSR will be generated. Next, click the Download CSR button.
Next, you have to submit the downloaded file to your SSL Certificate provider to generate an SSL certificate based on your requirements.
After that, the provider will give you two files: yourdomain.crt (Certificate Code) and yourdomain.ca (Chain File).
Next, go to your SSL Management window and click the Install Certificate button.
You will get a popup where you must add the Certificate Code and CA Chain.
Next, click on the Submit button. That is it! You have successfully installed an SSL certificate for your WooCommerce store.
WooCommerce demands and deserves SSL encryption because, if it is left unsecured, the risk of financial damage is unimaginable. Let’s Encrypt is the only solution whenever we think of FREE and POWERFUL data encryption. Besides SSL for your WooCommerce store, there are 13 Security Tips For WooCommerce Stores that will help you to tighten the security.
After adding the WooCommerce SSL certificate, don’t forget to make sure your store works properly with SSL.
It would not be an exaggeration to say that it is remarkably simple to add SSL on a WooCommerce store. Still, if you have any questions, don’t hesitate to ask in the comments section below.
Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at firstname.lastname@example.org