SSL and website security basics

By the HostScope Editorial Team · Updated June 2026 · Researched from authoritative sources. General information, not professional advice.

Website security sounds intimidating, but most of it comes down to a handful of habits and a few settings your host probably already offers. This guide explains what SSL actually does, how to get it for free, and gives you a plain checklist for keeping the rest of your site safe.

This tool provides general estimates for educational purposes only and should not be treated as professional advice. Verify all figures with a qualified professional before making decisions.

What SSL/TLS and HTTPS actually do

When you load a site over plain HTTP, everything travels between the visitor's browser and the server as readable text. Anyone sitting on the same Wi-Fi or in between can read it, including passwords, contact-form messages, and what pages someone visits. SSL, and its modern successor TLS, fixes this by encrypting that traffic. HTTPS is simply HTTP running inside that encrypted TLS tunnel. The certificate also proves the browser is talking to the real server for your domain, not an impostor.

The visible payoff is the padlock icon in the address bar. The invisible payoff is that nobody between the visitor and your server can read or tamper with the data. This is why browsers like Chrome and Firefox now label plain HTTP pages as "Not Secure," which scares off visitors and tanks form submissions. Google has also confirmed HTTPS is a lightweight ranking signal: it will not rocket you to the top, but all else equal, the secure version of a page has a small edge, and many modern features (and the fast HTTP/2 and HTTP/3 protocols) require HTTPS anyway.

How to get SSL for free

You almost never need to pay for a basic certificate. Let's Encrypt, a nonprofit certificate authority, issues trusted certificates at no cost, and the vast majority of reputable hosts integrate it directly into their control panel. In practice that means:

Most shared and managed hosts issue and auto-renew a free certificate the moment you point a domain at them, often with one click or automatically.
Let's Encrypt certificates last 90 days but renew automatically, so you should never have to think about expiry once it is set up.
If your host charges extra for "SSL" on top of this, that is a reason to be skeptical of the host, not a reason to pay.

Paid certificates still exist, but mainly for organizations needing extended validation or specific warranties, not for typical blogs, portfolios, or small business sites.

Certificate types: DV, OV, and EV

Certificates differ by how much the issuer verifies before handing one out. The encryption strength is identical across all three; only the vetting and the displayed information change.

Type	What's verified	Issue time	Best for
DV (Domain Validation)	That you control the domain	Minutes, automated	Almost every site: blogs, portfolios, small business, most e-commerce
OV (Organization Validation)	Domain control plus basic checks on the registered business	Days	Companies wanting extra assurance shown in certificate details
EV (Extended Validation)	Rigorous legal and operational vetting of the organization	Days to weeks	Large enterprises and some financial institutions

The short answer: get a DV certificate. Browsers no longer give EV certificates a special visual treatment, so for the average website the padlock from a free DV certificate looks and works the same to visitors.

Redirect HTTP to HTTPS and kill mixed content

Installing a certificate is only half the job. You also need to force every visitor onto the secure version:

Set up a permanent (301) redirect from HTTP to HTTPS so old links and typed URLs land on the encrypted version.
Update your CMS site URL setting (in WordPress, the Site Address and WordPress Address) to the https:// version.
Fix mixed content: pages loaded over HTTPS that still pull images, scripts, or stylesheets over HTTP. Browsers may block these or drop the padlock. Update internal links and asset URLs to https:// or protocol-relative paths.

The broader security checklist

SSL protects data in transit. It does nothing to stop a weak password, an outdated plugin, or a missing backup. The following habits cover the threats that actually take sites down. Most of these map to the kinds of risks catalogued by OWASP, the open community that documents the most common web application vulnerabilities.

Keep everything updated. Outdated CMS cores, themes, and plugins are the single most common way sites get hacked. Enable automatic updates where you can and remove anything you no longer use.
Strong passwords plus 2FA. Use a password manager for long unique passwords, and turn on two-factor authentication (2FA) for your hosting account, CMS admin, and domain registrar.
Least-privilege accounts. Give each user only the role they need. Not every contributor needs administrator access, and shared logins make breaches impossible to trace.
Web application firewall (WAF). A WAF filters malicious requests before they reach your site. Many hosts and CDNs offer one; turn it on.
Malware scanning. Run regular scans so an infection is caught early rather than discovered by Google flagging your domain.
Automated backups with the 3-2-1 rule. Keep 3 copies of your data, on 2 different media, with 1 copy off-site. Schedule them automatically, and actually test a restore so you know it works before you need it.
Limit login attempts. Throttle or lock out repeated failed logins to blunt brute-force attacks, and change the default admin URL where practical.
Secure file permissions. Avoid world-writable files; typical settings are 644 for files and 755 for directories, with stricter limits on config files holding credentials.
Use SFTP/SSH, not plain FTP. Plain FTP sends your credentials unencrypted. Use SFTP or SSH so login details are protected the same way HTTPS protects your visitors.
DDoS protection. Confirm your host or CDN can absorb traffic floods that would otherwise knock you offline.

Shared responsibility: host vs you

Security is a partnership. Your host secures the infrastructure; you secure what you put on it. Knowing the line prevents nasty surprises.

Usually the host's job	Usually your job
Server OS patching and hardening	CMS, theme, and plugin updates
Network-level DDoS mitigation	Strong passwords and 2FA on your accounts
Free SSL issuance and renewal	Forcing HTTPS and fixing mixed content
Physical and data-center security	User roles and least-privilege access
Optional platform backups	Keeping your own independent backup copy

Never assume backups are happening just because you are paying for hosting. Confirm what is included, how far back it goes, and how restores work.

Signs of a hacked site and basic response

Catching a compromise early limits the damage. Common warning signs include:

Unexpected pop-ups, spammy redirects, or pharma/casino text that you never added.
A browser or Google Search Console warning that your site may be dangerous.
New admin users, unfamiliar files, or a sudden traffic spike from odd locations.
Your host suspending the account for sending spam.

If you suspect a breach: take the site into maintenance mode if you can, change every password and revoke active sessions, contact your host (they often have tools and logs), restore from a known-clean backup, then update everything before going live again. Once recovered, request a review in Search Console to clear any warning. The goal is to remove the malware, close the hole that let it in, and confirm it is gone, in that order.

Frequently asked questions

Is a free Let's Encrypt certificate as secure as a paid one?

Yes. The encryption is identical. Paid certificates differ in validation level, warranties, and support, not in how strongly they protect traffic. For most sites a free DV certificate is exactly right.

Do I still need security if my site has no logins or payments?

Yes. Attackers rarely target you personally; automated bots hunt for any vulnerable site to host spam, malware, or phishing pages. Even a simple brochure site needs HTTPS, updates, and backups.

How often should I back up?

Match the frequency to how often your content changes. A busy store may need daily or continuous backups, while a static site can manage with weekly ones. Whatever the schedule, follow the 3-2-1 rule and test a restore periodically.

Does HTTPS slow my site down?

No meaningfully. Modern TLS is fast, and HTTPS unlocks the faster HTTP/2 and HTTP/3 protocols, so a properly configured secure site is often quicker than its plain-HTTP equivalent.

← Back to the HostScope calculator · Read: common hosting mistakes to avoid