When people contact me for a quote to do work on an existing website that I did not build, I always do a website security review. I then provide an optional add-on price for website security services, especially for sites built with WordPress.
Close to 100% of the time, there are website security issues that should be addressed. When I communicate this, they don’t always believe me. Some people make a comment, “I have a security certificate, so my site is secure.”
A security certificate does NOT make your site secure. Read on to understand why.
What is a security certificate?
A security certificate (also referred to as a secure certificate or SSL certificate) is a small file that is loaded onto your web hosting account. It does a couple of things.
Authentication
An SSL certificate verifies (authenticates) your domain name. This is similar to how a passport verifies that you are who you say you are. This prevents malicious activity where people copy your website and create a clone to try to trick users into providing information like passwords or credit card payments.
Like a passport, you need to renew it regularly to keep your site authenticated. If your SSL certificate expires, the web browser will show a warning to users. You should not use sites that say the domain cannot be validated.
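The two checks described above (does the certificate cover this domain, and is it close to expiring) can be automated. The following is an added example, not part of the original article: the function names, the 30-day warning window and the sample certificate are assumptions, and the wildcard matching is simplified.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a site's certificate over a verified TLS connection (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Simplified match: a leading '*' stands for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        p, h = p[1:], h[1:]
    return p == h

def review_cert(cert, host, now, warn_days=30):
    """Classify a getpeercert()-style dict for `host` at time `now` (UTC)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        return "name-mismatch", None
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "renew-soon", days_left
    # "ok" only describes the certificate, not the state of the site's code.
    return "ok", days_left

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Mar 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    for month in (1, 3, 4):
        when = datetime(2025, month, 1, 12, tzinfo=timezone.utc)
        print(when.date(), review_cert(SAMPLE_CERT, "www.example.com", when))
```

For a live site, pass `fetch_cert("your-domain")` and `datetime.now(timezone.utc)` to `review_cert`; an already expired or mismatched certificate makes `fetch_cert` itself raise `ssl.SSLCertVerificationError`.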
Encryption
SSL (Secure Sockets Layer) is a standard security technology that encrypts data that you enter into a website form through your web browser. When you click the submit button, the data is encrypted when it is submitted over the Internet to the web server.
Do you remember the WonkaVision scene in the original Willy Wonka movie?? : )
The candy bar (and then the girl) gets transported across the top of the TV screen in bits and pieces.
Think of this as your form data when you click submit. If you are not using HTTPS (no locked padlock in the browser address bar), your data is transmitted exactly as you keyed it in and can be read and stolen by anyone snooping: passwords, credit cards…
With a secure certificate you can use HTTPS. Using this, data sent over the Internet is encrypted and not readable while it is being transmitted.
What a security certificate is NOT
A security certificate has nothing to do with your website code or software. Having a secure certificate installed does nothing to protect your website code from getting infected with a virus, or to stop a hacker from brute forcing their way into your administration tools.
If you do not secure your website code and maintain that code on an ongoing basis (like the WordPress core, theme and plugins), your site is vulnerable to getting hacked. A security certificate will not protect you from this type of malicious activity.
Security, but maybe not how you thought.
A security certificate protects your site identity and protects data submitted through your website forms.
It does not secure your website code from malicious activity like hackers trying to sneak in through vulnerabilities to infect your website with a virus, or generate spam.