Securing data from your website is a relatively simple process that helps to protect your site and its users. We look at what you need to do.
Ensuring your website is secure is good practice. It’s doubly important if you’re collecting personal data from your customers or storing information, such as phone numbers, email addresses and passwords. A Secure Sockets Layer (SSL) certificate is a mechanism that helps to protect data (or information) when it is transferred to or from your site.
Securing data is more important than ever with the new General Data Protection Regulation (GDPR) in place from 23 May 2018. Even if you don’t collect sensitive information, we’d recommend getting a security certificate for your website, as it’s generally good practice to have one.
An SSL certificate is a form of recognition that your site is trustworthy, and will share and receive data securely. It’s a bit like a virtual ID card to show that your site is what it says it is online. If you collect personal information on your site, such as credit-card details, you must have an SSL certificate.
In practical terms, it means that when you share or receive information with other sites, it will be encrypted, so it’s harder for a hacker to access, steal or misuse. Some web-hosting services will not allow people to access or download information from non-secure sites because it’s more easily corrupted.
You may have noticed that some websites have a URL (address) that starts with ‘http’, like this:
http://www.examplewebaddress.co.uk
This would be a non-secure site. You should never put your own personal information (name, address, email address, credit-card details and so on) into a non-secure site. If your site is not secure, you shouldn’t ask your customers for any of their details, either.
A site with an SSL certificate will have an extra ‘s’ after the ‘http’, and a padlock indicating it is secure, like this:
https://www.examplewebaddress.co.uk
You can see that the Which? Trusted Traders address has the extra ‘s’ and the padlock before it, to show it is a secure site.
The good news is that it should be relatively straightforward to get an SSL certificate.
You can talk to your web developer about getting a certificate if you don’t have one already. Alternatively, if you have built your own website and paid for website hosting, then the first port of call is your web-hosting company.
Large hosting companies, such as Wix, GoDaddy and Squarespace, should be able to support you with buying and installing an SSL certificate. Talk to your website-hosting company and find out what is and isn’t possible with your current setup.
Some hosting companies will offer an additional facility to supply an SSL certificate, and do much of the work for you for a small additional charge. Others will be able to support adding an SSL certificate to your site, but you will need to source the certificate yourself.
There are three parts to the process:
The certificate and private key will be generated together.
There are various services available online – a quick search should bring up any number of companies offering this facility. We’d recommend buying a certificate through a recognised Certificate Authority (CA) – some of the biggest and best known include Thawte, Comodo, GeoTrust and RapidSSL.
If in doubt, it’s a good idea to ask for a recommendation from your web developer, or others in your business network.
Once you’ve got your SSL certificate in place, remember to redirect your site pages from the old non-secure version to the new secure one, so your visitors can enjoy the benefits of a more secure service.
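One way to check that redirect once it is set up, as an added example that is not part of the original article: the Python function below takes the responses recorded for one page (address requested, status code, Location header) and reports the common mistakes. The function name, the findings wording and the sample chains are assumptions made for illustration; the sample data is constructed around the example address used above.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}  # status codes browsers and search engines treat as permanent


def audit_redirect(hops):
    """Check one recorded redirect chain.

    hops: list of (requested_url, status_code, location_header_or_None),
    in the order the responses were received. Returns a list of findings;
    an empty list means the page is redirected to HTTPS correctly.
    """
    findings = []
    for url, status, location in hops:
        src = urlsplit(url)
        if 300 <= status < 400 and location:
            dst = urlsplit(urljoin(url, location))  # Location may be relative
            if src.scheme == "https" and dst.scheme == "http":
                findings.append(f"{url}: redirects back to plain HTTP")
            elif src.scheme == "http" and dst.scheme == "https":
                if status not in PERMANENT:
                    findings.append(f"{url}: temporary redirect ({status}), use 301 or 308")
                if (dst.path or "/") != (src.path or "/"):
                    findings.append(f"{url}: redirect drops the page path")
        elif src.scheme == "http" and status == 200:
            findings.append(f"{url}: page is still served over plain HTTP")
    return findings


# Constructed sample chains (not captured from a real site).
GOOD = [
    ("http://www.examplewebaddress.co.uk/contact", 301,
     "https://www.examplewebaddress.co.uk/contact"),
    ("https://www.examplewebaddress.co.uk/contact", 200, None),
]
NO_REDIRECT = [("http://www.examplewebaddress.co.uk/contact", 200, None)]
TO_HOME_TEMP = [
    ("http://www.examplewebaddress.co.uk/contact", 302,
     "https://www.examplewebaddress.co.uk/"),
    ("https://www.examplewebaddress.co.uk/", 200, None),
]

if __name__ == "__main__":
    for name, chain in [("good", GOOD), ("no redirect", NO_REDIRECT),
                        ("temporary, to home page", TO_HOME_TEMP)]:
        print(name, "->", audit_redirect(chain) or "OK")
```

A redirect that sends every old page to the home page, or that uses a temporary status code, still leaves visitors' bookmarks and saved links pointing at the non-secure address, which is why both are reported.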