When customers buy something from your store, they share their private data — name, email, credit card details — with you. As a merchant, you want to keep this vulnerable data secure from hackers, scammers, and data thieves. That is crucial for building trust with your audience.
You can and should protect your customer data and increase the trust in your business with HTTPS protocol and an SSL certificate. Not only can those tools improve security and increase your trustworthiness, they can also help your store rank better in search engines.
If you sell online with Ecwid, you’ll be pleased to know that your customer data is already protected. Yet, using an SSL certificate can have a few additional benefits.
In this post, we’ll show you how the HTTPS protocol and SSL certificates work, and how you can get them for your website.
Understanding SSL Certificates and the HTTPS Protocol
On the internet, all data is transferred from device to device according to certain rules or protocols.
For websites, this protocol is called HyperText Transfer Protocol (HTTP). It transfers the data that your customers enter on your website to the server that hosts your website, and then it helps to send the response to the browser. For example, the user presses a button and a new page opens, or they fill in the email registration form and see the confirmation of a successful registration.
The problem with HTTP is that it doesn’t protect any data that’s transferred from browsers to servers. Any data going through HTTP is essentially naked.
A good analogy is to think of two students passing notes across a classroom. Any of their classmates can read, copy, or even replace the note. It’s the same with your customer data: a villain can steal credit card details and money from it.
That’s why a new protocol was created for protecting data: HTTPS (HyperText Transfer Protocol Secure). With HTTPS, all data transfers between a user and a web server are encrypted. This encryption is so complex that it is nearly impossible to hack and use the data.
In order to use the HTTPS protocol, your site first needs an SSL (Secure Socket Layer) certificate.
An SSL certificate is essentially a key for encrypting data. It protects data on three levels:
- Data encryption. Hackers won’t be able to see what information a user entered on the site or to track user actions on a page. Think of it as a note written with a cipher — it can only be read by someone who knows the key.
- Data integrity. Hackers can’t replace or distort the transmitted data. Further, without knowing the key, it is impossible to write, edit, or manipulate the data, just like in a ciphered note situation.
- Authentication. SSL ensures that a user is on a trusted site and not on a hacker’s page. If just two participants know the key, they are sure to know from whom they received the note. A stranger cannot pass their own note and get the information by cheating.
You can see if a site is protected by an SSL certificate via the HTTPS protocol in the URL address. Most browsers indicate it visually in the form of a lock icon:
SSL certificates are distributed by special organizations — certification centers.
Who Should Use SSL (and Why)
SSL is required for sites where users were entering sensitive information — such as credit card details.
But often, online stores only protect registration and checkout pages with SSL, because those are the only places where their customers share personal data. The rest of the website often works on the insecure HTTP.
Today, HTTPS is a must for every web page. There’s a number of reasons for it.
Browsers flag unprotected sites
Chrome and Firefox, two of the most popular browsers in the world, visually mark sites that don’t use SSL.
For now, only a gray information icon is visible. But in the future, browsers plan to change the security indicator to a red triangle for pages on HTTP. Your customers are used to seeing this as a warning indicator.
Consequently, not using SSL can make people afraid of buying from your website.
Using SSL improves rankings
Back in 2014, Google announced that it would consider using SSL as a ranking signal. This meant that sites using SSL would get a boost in search engine traffic.
Payment service requirements
A growing number of payment services have HTTPS as a requirement for working with them. For example, Apple Pay works only with HTTPS.
It increases trust
Concerns over payment security is one of the top 10 reasons for shopping cart abandonment. When you add an SSL certificate to your store, you visually communicate to users that their payment data are safe.
More trust, of course, equals more sales.
If you want your customers to easily find your store in search engines and trust you more easily, don’t put off switching to HTTPS.
How to Get an SSL Certificate and Switch to HTTPS
To switch to HTTPS, you first need to buy and install an SSL certificate on the website. This process can be either simple or more complex for some stores, depending on the kind of site you have.
1. You’re using an Ecwid Instant Site
Anyone who has registered with Ecwid gets a website with a
You might know this as the Ecwid Instant Site.
If you use this site, then you already have an SSL certificate by default. An online store on an Ecwid Instant Site conforms to the international standards for secure data transmission.
Try it right now — head over to your Instant Site and look closely at the address bar in the browser. You will see a green lock icon with the message Secure next to the URL. Rest assured that your online store is secure.
Do you want to link your Instant Site to your custom domain (so that it redirects to mysite.com and not mysite.ecwid.com)?
You get a free SSL certificate for this action as well. Just follow these steps:
- Login to your Ecwid store, then go to Settings → Instant Site and click on the Change Address button.
- Click on the Use your domain field and follow the instructions that appear
on-screen.
2. You’ve added Ecwid on your own website
You can set up an Ecwid store on any site and be cool with customer data security. For example, this can be a WordPress blog, an Adobe Muse website, or your own static HTML page.
In case you’ve taken this route, you don’t need to worry about the safety of your customers’ data at all. Since the data is transferred via our highly protected servers, all the data is kept and processed on Ecwid’s own
If you added Ecwid to your own website that doesn’t have an SSL certificate, your customers will not see the secure lock icon anywhere except during checkout, which they might find frustrating.
Here are a few ways you can buy and use SSL certificates for different website builders:
Wix: You can use an SSL certificate for free with Wix. You’ll have to first enable this certificate by going into the settings, then following the instructions.
Weebly: you can automatically add an SSL certificate to your Weebly site.
Joomla, WordPress, Drupal: you’ll need to buy an SSL certificate from your domain registrar or a hosting provider and install it on your website using the instructions (you’ll probably need a developer):
Follow the instructions below to learn about the different types of SSL certificates and where to buy them.
Types of SSL certificates
Essentially, there are 3 types of certificates. They differ in speed of issuance and the extent of the seller’s inspections.
1. Certificates With Domain Validation (DV)
The simplest option. Once you buy a DV SSL certificate, you’ll get a link to verify the domain ownership on your listed email address.
DV is issued almost instantly. It is also the cheapest option, with some sellers even offering it for free.
2. Certificates With Organization Validation (OV)
To get an OV SSL certificate, you need to confirm the existence of your corporation or LLC, by giving the
An OV SSL certificate can take
3. Certificate With Extended Validation (EV)
An EV certificate can be recognized by the name of the company on a green background near the website address. You might have seen them on financial websites:
Before an EV SSL can be issued, the certifying authority carries out a thorough check. It can take
This certificate is best suited for banks and payment systems.
DV, OV, EV
An SSL certificate will cost around $50/year. Some providers sell more expensive variants, but you should avoid overspending. The basic data security offered remains the same, regardless of whether you buy a $50 or a $150 SSL.
Although some providers offer free SSL certificates, they are severely watered down variants without any benefits. You should not buy the first one you see.
SSL certificates are issued by trust centers. Some of the more popular trust centers are:
- Comodo
- Symantec
- Digicert
- Geotrust
You can buy certificates issued by these centers from domain registrars, hosting websites, and SSL resellers. In addition, there are also free certificates.
Below, we’ll help you understand the options better.
1. Buy an SSL certificate from domain registrar or hosting service
Most domain registrars and hosting services sell SSL certificates as well. In some cases, the registrar might even issue a free certificate as a gift or purchase.
Buying from a domain registrar or a hosting service works great since it makes it easy to switch from HTTP to HTTPS.
Here are some popular options:
- GoDaddy
– $57/yr per website - Bluehost
– free to $49,9/yr - Namecheap
– starts from $9/yr - eNom
– $12,95/yr - SiteGround
– free SSL when buying hosting
If your domain registrar or web host also offers SSL certificates, we recommend buying one from them, even if it is slightly more expensive. This will save you hours when it comes time to install the certificate and switch to HTTPS.
2. Get a free SSL certificate
If your web host/registrar does not sell SSL certificates or if your budget is limited, you can opt for a free certificate. Free certificates come in only one flavor — Domain Validation (DV). That is enough to protect the data.
We recommend the following services:
Cloudflare
Cloudflare offers free SSL certificates with up to 15 years of subscription. Apart from data protection, it has other benefits like basic protection from DDoS attacks and the automatic speeding up of your website.
There are disadvantages as well:
- It works only in new browsers. If your customers use older browsers (older than Internet Explorer 11, Firefox 2, Opera 8, Google Chrome v5.0.342.0, Safari 2.1, Mobile Safari for iOS 4.0, Android 3.0 (Honeycomb), Windows Phone 7), they won’t see https on your website.
- One general certificate protects several sites at the same time. Though, it will protect your website just like an individual one.
- Cloudflare will ask you to use their own server data and your website traffic will be going through the Cloudflare servers, which may cause a decrease in loading speed (though not necessarily).
These drawbacks are not critical, and in general, Cloudflare is optimal for those who are not ready to spend money on an SSL certificate but want to start protecting their customer data. If you choose between remaining on HTTP or getting an SSL certificate from Cloudflare, we recommend you to choose the second option.
To get an SSL certificate from Cloudflare, sign up and follow the instructions.
Let’s Encrypt
This is a free service without Cloudflare’s cons, but it has its own limitations.
Let’s Encrypt offers certificates for three months only, so you’ll have to set up automatic renewal, which will require access to your website’s server settings (available on VPS hostings like Amazon AWS, Linode, Digital Ocean). That means you’ll likely need a system administrator.
There are two options for getting an SSL certificate from Let’s Encrypt:
- Manually on letsencrypt.org via the Manual mode section
Semi-automatically or automatically (depending on your online store’s server software) via Certbot.
3. Buy an SSL certificate from a reseller
If you don’t want to spend time on adjusting a Let’s Encrypt certificate and don’t feel like using Cloudflare, you can buy an SSL certificate from one of the resellers:
Choose any reseller you like, and remember that there’s not much sense in buying the most expensive option since they will all protect your website just fine.
How to Not Lose Traffic When You Switch to HTTPS
When you switch from HTTP to HTTPS, the site address changes for search robots (from → https://yoursite.com). This can negatively affect your rankings in search engines.
Read Google’s recommendations for maintaining your ranking, and even making it better. We strongly recommend you read them to avoid losing customers if you install an SSL certificate on your own. You can also ask the support team of your site builder if these conditions were met with their HTTP → HTTPS migration.
***
Let’s sum up our recommendations:
- If you use Ecwid Instant Site, you’re fine: the entire website is on HTTPS.
- For Wix and Weebly websites, enable your SSL certificate in settings.
- If you sell on your own website, check with your domain/hosting provider if you have an SSL certificate. If no, request for it.
- If your domain/hosting provider doesn’t sell SSL certificates, get a free one on Cloudflare or buy it from a reseller.
- Data Privacy in Ecommerce: Emerging Trends and Best Practices for 2024
- The State of Ecommerce Payment Security
- How to Use HTTPS Protocol and SSL Certificates to Protect Your Online Store
- Ecommerce Fraud: How to Protect Your Store From Online Shopping Scams
- How To Protect Your Online Store From Cyber Threats