
How to help secure your website with an SSL certificate

Securing data from your website is a relatively simple process that helps to protect your site and its users. We look at what you need to do.


Ensuring your website is secure is good practice. It’s doubly important if you’re collecting personal data from your customers or storing information, such as phone numbers, email addresses and passwords. A Secure Sockets Layer (SSL) certificate is a mechanism that helps to protect data (or information) when it is transferred on or off your site.

Securing data is more important than ever with the new General Data Protection Regulation (GDPR) in place from 23 May 2018. Even if you don’t collect sensitive information, we’d recommend getting a security certificate for your website, as it’s generally good practice to have one.


What is an SSL certificate?

An SSL certificate is a form of recognition that your site is trustworthy, and will share and receive data securely. It’s a bit like a virtual ID card to show that your site is what it says it is online. If you collect personal information on your site, such as credit-card details, you must have an SSL certificate.

In practical terms, it means that when you share or receive information with other sites, it will be encrypted, so it’s harder for a hacker to access, steal or misuse. Some web-hosting services will not allow people to access or download information from non-secure sites because it’s more easily corrupted.

How can you tell if a site has an SSL certificate?

You may have noticed that some websites have a URL (address) that starts with ‘http’, like this:


This would be a non-secure site. You should never put your own personal information (name, address, email address, credit-card details and so on) into a non-secure site. If your site is not secure, you shouldn’t ask your customers for any of their details, either.

A site with an SSL certificate will have an extra ‘s’ after the ‘http’, and a padlock indicating it is secure, like this:


You can see that the Which? Trusted Traders address has the extra ‘s’ and the padlock before it, to show it is a secure site.

How do you get an SSL certificate for your site?

The good news is that it should be relatively straightforward to get an SSL certificate.

You can talk to your web developer about getting a certificate if you don’t have one already. Alternatively, if you have built your own website and paid for website hosting, then the first port of call is your web-hosting company.

Large hosting companies, such as Wix, GoDaddy and Squarespace, should be able to support you with buying and installing an SSL certificate. Talk to your website-hosting company and find out what is and isn’t possible with your current setup.

Some hosting companies will offer an additional facility to supply an SSL certificate, and do much of the work for you for a small additional charge. Others will be able to support adding an SSL certificate to your site, but you will need to source the certificate yourself.

There are three parts to the process:

  1. You will need to fill in a certificate request to the issuing body. The certificate and private key will be generated together.
  2. When you pay the fee (it shouldn’t be more than around £50-£60 a year), you will be issued with the certificate. The certificate is a public document and can be shared.
  3. The private key should not be shared with anyone, other than your hosting provider (Wix, GoDaddy etc), so it can activate the certificate on your site.
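
If you are sourcing the certificate yourself, the following added example (not part of the original article) creates the private key and certificate request with OpenSSL, then checks that a request or issued certificate belongs to your key before it is installed. The domain `example.com`, the organisation name and the file names are placeholders, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example. example.com, the organisation name and file names are placeholders.

# make_csr DOMAIN DIR: create DIR/DOMAIN.key (keep private) and DIR/DOMAIN.csr (send to the CA).
make_csr() {
  local domain="$1" dir="$2"
  mkdir -p "$dir" || return 1
  (
    umask 077   # files created here are readable by their owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/C=GB/O=Example Trader Ltd/CN=$domain" \
      -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null
  ) || return 1
  chmod 600 "$dir/$domain.key"
}

# pubkey_fingerprint KIND FILE: SHA-256 of the public key held in a key, csr or cert file.
pubkey_fingerprint() {
  local pub
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pub" ] || return 1          # unreadable or malformed file: never report a match
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches KEYFILE KIND FILE: succeed only if FILE carries the public half of KEYFILE.
key_matches() {
  local a b
  a=$(pubkey_fingerprint key "$1") || return 1
  b=$(pubkey_fingerprint "$2" "$3") || return 1
  [ "$a" = "$b" ]
}

# Demo in a throwaway directory; nothing is sent anywhere.
demo_dir=$(mktemp -d)
make_csr example.com "$demo_dir" \
  && key_matches "$demo_dir/example.com.key" csr "$demo_dir/example.com.csr" \
  && echo "Request matches key: send only example.com.csr to the certificate authority"
```

When the certificate arrives, `key_matches example.com.key cert example.com.crt` confirms it was issued for your key before you hand both to the hosting provider.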

Where do I buy an SSL certificate?

There are various services available online – a quick search should bring up any number of companies offering this facility. We’d recommend buying a certificate through a recognised Certificate Authority (CA) – some of the biggest and best known include Thawte, Comodo, GeoTrust and RapidSSL.

If in doubt, it’s a good idea to ask for a recommendation from your web developer, or others in your business network.

Once you’ve got your SSL certificate in place, remember to redirect your site pages to the new secure version, from the old non-secure site, so your visitors can enjoy the benefits of a more secure service.
