Do you need an SSL certificate? HTTPS explained

If you’ve seen “Not secure” next to a website address, or wondered what the little padlock means, this explains it — and answers the real question: yes, every website needs one today, and it shouldn’t cost you anything.

What an SSL certificate actually does

An SSL certificate (technically TLS these days, but everyone still says SSL) does two things:

1. Encrypts the connection between your visitor’s browser and your website, so anything they type — passwords, contact details, card numbers — can’t be read by anyone snooping on the network.
2. Confirms the site is really yours, so visitors aren’t sending data to an impostor.

When a site has a valid certificate, its address starts with https (the “s” is for secure) and the browser shows a padlock. Without one, it’s plain http, and modern browsers actively label it “Not secure.”

Why it’s not optional anymore

A few years ago SSL was a nice-to-have for shops and login pages. That’s changed completely:

• Browsers warn against you. Chrome, Safari, and the rest flag http pages as “Not secure” — a scary message right next to your business name.
• Google uses it for ranking. HTTPS is a confirmed (if small) search ranking signal, and Google indexes the secure version of pages.
• Customers notice. “Not secure” is enough to make a visitor leave a checkout or a contact form.
• Some features require it. Modern browser capabilities and many payment integrations simply won’t run over http.

The upshot: even a simple brochure site with no login and no shop should be on HTTPS today.

”But I don’t take payments — do I still need it?”

Yes. Even if you only have a contact form (or no form at all), the “Not secure” label still shows, you still lose the ranking and trust benefits, and you’re still sending your visitors’ details in the clear. There’s no downside to HTTPS and a clear downside to skipping it.

How much should it cost? (Usually nothing)

Here’s the part worth knowing: a perfectly good SSL certificate is free. The Let’s Encrypt project issues them at no charge, and they’re trusted by every major browser. Most quality hosts — including us — issue and auto-renew a free certificate on every site automatically.

So be cautious if a host tries to sell you an SSL certificate as a paid add-on for $100–$200 a year. There are a few specialised cases where a paid certificate makes sense (organisation-validated certificates for large enterprises, for example), but for the vast majority of business websites, free is exactly right and just as secure for encryption.

On every WHC plan, SSL is provisioned automatically and renews itself — there’s nothing to buy and nothing to remember.

Getting HTTPS working properly

Having a certificate is step one. You also want every visitor to land on the secure version:

1. Make sure the certificate is issued (we do this automatically; you can confirm in the control panel).
2. Force a redirect so anyone typing the old http address is sent to https. For WordPress, our force HTTPS guide covers this.
3. Fix “mixed content” — images or scripts still loading over http on an otherwise secure page, which can break the padlock. Most are easy to update.

If you’d rather not think about any of this, hosting with a provider that handles SSL for you is the simplest path — it’s included and automatic on all our hosting plans. Stuck on a certificate that won’t issue or a padlock that won’t appear? Open a ticket and we’ll sort it.