Hi,
I'm searching for good and not too costly SSL certificate providers. Any recommendations? This is for a site with about 500+ members, and maybe in the future there will be a payment option, through PayPal or something like that. I also wonder if there are other solutions for fixing the issue of securing a site like this.
Kyle answers:
There are tiers (essentially) that separate the best from those that don't go the extra mile. By 'extra mile' that means browser compatibility and security. With clients I start with the Geotrust SSL https://cheapsslsecurity.com/geotrust/quicksslpremium.html .
I just flat out avoid Comodo and RapidSSL and Thawte (all have had major breaches), while Symantec does the same for a larger $.
Kyle comments:
For basic PayPal (the one where you are sent to the PayPal site, and then redirected after payment) you actually don't even need an SSL. However, if you have any private information I think the $30-40/year is worth it for protecting information your users are submitting.
Plus if you want to upgrade to a higher level PayPal, like Pro, you have the SSL covered. Pro is where the users don't leave your site and enter their credit card information directly on your checkout page.
Kyle comments:
Although, you requested the basics. I consider Digicert the gold standard. They are more expensive than many of the others, but they have the strictest protocols and do a better job managing their licenses -- they are who I personally use.
Veritus comments:
OK, well, mostly it is the parts of making the password parts secure, and the checkout. I don't see other parts that are so super super private.
Kyle comments:
Geotrust is your safe bet there. The others will probably 'get the job done'. The difference is that Geotrust has a higher browser compatibility, so with lower ratings, users on old browsers might be denied on checkout pages. Additionally, Comodo and RapidSSL have had more breaches where hackers get private information. Geotrust has been better there.
My recommendation: pay the $3 per month for a higher certificate and peace of mind.
Veritus comments:
Yeah, exactly what I'm thinking. You never know. Then using PayPal on checkout, that should do the job. I don't need the top stuff yet. It's a free service right now.
Kyle comments:
Sounds like you know exactly what you need. Yeah, sticking with PayPal is never a bad choice, otherwise Geotrust will cover you. Hope that helps you out!
Veritus comments:
Can you point to the right link for Geotrust? I don't see anything at their site for $3 a month or so... or was that only an example? hehehe... I saw that RapidSSL had something for about that total price, and Comodo, but not Geotrust.
:))
Kyle comments:
Cheapssl here is $36 for the year: https://cheapsslsecurity.com/geotrust/quicksslpremium.html
Veritus comments:
Thank you Kyle! :) Also I'm thinking of one more thing. Do I need any plugin for adding this to my site, besides getting a CSR on my host and getting the SSL key at the vendor? Also, what do you recommend: adding SSL to certain parts of the site, or adding it to the whole site? By adding it to the whole site, does it slow it down a bit because of encryption?
Thank you again for your answers.
Kyle comments:
You're welcome! Glad I can help.
I personally go sitewide. There are some performance impacts with doing that, but the loss of speed is a bit overhyped and largely depends on the server you are using. These threads on SE go over any questions you may have: http://security.stackexchange.com/questions/258/what-are-the-pros-and-cons-of-site-wide-ssl-https and http://stackoverflow.com/questions/149274/http-vs-https-performance. At minimum I recommend using it on any form or login page (including lost password pages), and of course commerce checkout pages.
If you are using it with a commerce system like WooCommerce, it has settings for enforcing HTTPS on the checkout pages, so you wouldn't need a plugin. If you were using it with a less specialized commerce plugin like, say, Stripe for Gravity Forms, you will need a plugin. WordPress HTTPS will cover you there: https://wordpress.org/plugins/wordpress-https/
If you want to use it sitewide, all you would need is to include this in your functions.php file:
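// Force HTTPS on every request by always answering true to the force_ssl filter.
function my_force_ssl( $force_ssl, $post_id = 0, $url = '' ) {
    return true;
}
// 10 = priority, 3 = number of arguments passed to the callback.
add_filter( 'force_ssl', 'my_force_ssl', 10, 3 );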
All in all, once you have it loaded the best choice is usually to test the different configurations and see what results you get.
Kyle comments:
If you run into any issues with 'non secure elements', which is common when first implementing SSL, this plugin will also help you out: https://wordpress.org/plugins/wordpress-https-test
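A way to find the 'non secure elements' mentioned above before the browser complains, as an added example that is not part of the original thread: it scans a page's HTML for subresources still loaded over http:// and grades them by how browsers treat them. The names `MixedContentScanner`, `scan` and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Loads that browsers block outright on an HTTPS page (active content).
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}
# Loads that browsers may still allow, typically with a warning (passive content).
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collects http:// subresources referenced by one HTML page."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        rels = attrs.get("rel", "").lower().split()
        if tag == "link" and "stylesheet" not in rels:
            return  # e.g. rel=canonical is a hint; only stylesheets are checked here
        for name, value in attrs.items():
            if urlsplit(value).scheme.lower() != "http":
                continue  # https://, //host/path and relative URLs are fine
            if (tag, name) in ACTIVE:
                severity = "active"
            elif (tag, name) in PASSIVE:
                severity = "passive"
            elif (tag, name) == ("form", "action"):
                severity = "form"  # the form would post its fields in cleartext
            else:
                continue  # <a href> is navigation, not mixed content
            self.findings.append((severity, tag, value, self.getpos()[0]))

def scan(html):
    """Return the list of insecure subresource findings for one page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script>
<a href="http://example.com/about">About</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<form action="http://example.com/wp-login.php" method="post"></form>"""
```

Running `scan()` over the saved HTML of the login, lost-password and checkout pages shows which theme or plugin URLs still need switching to https:// or a relative path.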
Veritus comments:
Thanks a lot Kyle! That helps out a lot, great to have a conversation with you about this as you have a lot of experience with this type of things. It's not easy to get straight answers by searching the net about this.
Kyle comments:
You're very welcome. I totally hard, it is hard to find unbiased articles out there. Let me know if you have any more questions.
Yaufani Adam answers:
Hello,
For your needs, you can try Comodo SSL; it's about 64,95/year for a single domain or $334.95 for wildcard SSL.
You can try to test the SSL first without cost at https://ssl.comodo.com/free-ssl-certificate.php
Veritus comments:
I'll check that out. See that they are having very low prices right now..