The internet dominates nearly every aspect of our lives and will continue to do so for years to come. And why shouldn’t it? It’s fun, informative, scary, and just downright useful for nearly all aspects of life as we know it. The fact that almost anyone can fire up a website for any reason helps the internet scale and adds to the available options.
The Internet runs on WordPress
Website creation is readily available to everyone: anyone can build a site using a content management platform like WordPress. WordPress is a framework with many core and optional components for a website. It makes it extremely easy to configure a site, publish content and even create an e-commerce solution. Some assume that webmasters use it only for blogging, as a more personalized substitute for a social media page, but WordPress is so much more. Online stores are also a possibility, though they are typically a little more complex, with the need for payment methods, confirmations, etc.
But, when it comes to meeting the needs of the common website, WordPress acquits itself quite well.
Because of its great scalability, options and “ease of use,” a lot of websites on the internet are built with WordPress. In fact, WordPress websites account for 1/3 of the world’s websites.
But what happens when a technology becomes popular? It is attacked. It happens all the time. Hackers attacked Windows when it became popular. Apple started to come on strong and, despite people saying that there are no viruses/attacks for Apple, guess what happened? It saw many more attacks than before. So, when you have (currently) a website platform that facilitates 1/3 of all content for arguably the most popular communication platform in the world, can we expect focused attacks? Definitely.
There are many components of WordPress and, like most software, all those aspects have potential security flaws. Let’s examine some of those security vulnerabilities and see what can be done about them. We’ll go through this categorically, so each component is addressed. Some of this stuff is low hanging fruit, and some will be a little more complex.
Login stuff is one of the more obvious security needs, but let’s go over the details:
Secure password: Some hackers attack websites by simply trying thousands of passwords until they guess the right one. Make it hard for hackers to guess your password by choosing a long password (10+ characters) that includes a variety of words, numbers, and characters. It’s also best to change the password regularly.
Brute-force prevention: Hackers have a pre-compiled database of millions of user IDs and passwords, which they keep trying with a script until a login attempt succeeds. In addition to a secure password, login limiters can fight brute-force attacks. Use plugins like Loginizer, iThemes Security, Limit Login Attempts Reloaded, WPS Limit Login, etc. that offer a lockdown feature, i.e., after a certain number of failed login attempts, these plugins automatically block the IP address of the user. Set a low login attempt limit. For example, lock out after five tries.
2 Factor authentication: This provides one more layer of security such as a secret code, secret question, or phone/email verification with a one-time password (OTP). Popular Plugins for the 2-factor authentication are Two-Factor, WordPress 2-Step Verification, Unloq Two Factor Authentication, and Google Authenticator.
Username: Do not use ‘Admin’ as your login ID. Rename it to your email ID or use any unique admin name.
Modify the login portal URL: The default URL of the WordPress login page is either /wp-login.php or /wp-admin. Rename the login URL to a unique path like /mywordpress_login.php or /newpage_login.php etc. Only people with the exact URL can reach your admin login page.
Administrative panel for WordPress security
Dedicated accounts: The administrative panel of a WordPress site will control much of the management aspects of WordPress and not necessarily the end product. Settings, users, plugins, themes, etc. are all managed here. The power of the Administrative Panel is apparent. Treat it well. Have dedicated, specialized user accounts for distinct tasks. For example, have an account just to publish, and a separate account with admin rights.
Use encryption: Use an SSL certificate to activate HTTPS and the padlock sign in the address bar, and to encrypt the web sessions between users and the server. An SSL certificate will not only secure data transmission but also help you gain the trust of your website visitors and rank better in search engines.
Plugins: The plugin threat is real. Basically, anyone can create a plugin: plugins can come from anywhere. Plugins may have access to certain shelled and core functions, so they can be very dangerous. Follow these tips:
- Beware of where plugins are coming from. Try to use high-rated and highly-utilized plugins.
- Research vulnerabilities in plugins, such as XSS (cross-site scripting).
- Remove unused themes and plugins.
- Keep plugins up to date.
- Review changelogs and security fixes.
If a user is logged in to the WordPress account and leaves his/her computer without logging out, someone can easily access and abuse the website during this time. If s/he is accessing your WordPress site from a public place or a public computer (a cybercafé or free wi-fi in a cafe), the risk increases greatly. An attacker doesn’t even have to use any complicated hacking technique. It is like an open vault. It is the easiest way to log into and exploit any website.
To reduce this risk, you can use plugins such as Bulletproof Security, Inactive Logout, Idle User Logout, or any other that automatically logs out the user if s/he is inactive for a while. With such plugins, you can set a time limit for inactivity after which the user is automatically logged out.
Auto-logout definitely reduces the risk of abuse but is not a foolproof method. If the user’s browser has cached the id and password, the login fields will be automatically filled up when the attacker tries to log in after the original user has logged out.
So, if your WordPress site has multiple users, it’s crucial to select admins carefully. Only give admin rights to people who are as sincere about your WordPress site’s security as you are.
Restrict dashboard access for a specific time
If you or admins of your website access the dashboard only at a specific time each day, you can lock down the dashboard for the rest of the day. iThemes Security has an ‘Away Mode’ which enables you to set a time duration in which access to the dashboard is restricted for everyone.
Even if the hacker gets the credentials of your website, s/he will not be able to access your admin dashboard. Unfortunately, it also means that you can’t access your own website in that particular time duration, even in times of emergency.
Distribution of privileges
WordPress has 6 default user roles:
Each role has its own powers and responsibilities. The Administrator has full control over the website and can create, edit and delete content, manage all plugins and themes and create, modify and delete user accounts.
The permission reduces as you go down the hierarchy. You must have a clear understanding of the rights and responsibilities of each of these 6 roles before you assign any of these roles to anyone.
The Administrator has the highest power. So only people you can vouch for, who won’t abuse that power and are not negligent, should be appointed as administrators of your website.
Code & database security
Prevention is key. Your WordPress database should be treated like any other database: Protecting the data will result in fewer frustrations when problems arise. Especially when WordPress is accessed by multiple contributors (co-authors, employees), database vulnerabilities are a real threat.
- These vulnerabilities can be typically avoided through strong database user hierarchies. Create separate accounts and passwords for all needed users and limit their permissions for what they actually need.
- Typical user management and permission auditing are often overlooked in many systems, including WordPress. Everyone does it. Even if the management of users is too much, just be conscious of who has access to what. Any users that no longer have business with the system or organizational entity should have their permissions modified, at the least.
Choose a secure platform: Hosting platforms run from bare metal server solutions to the rising and popular cloud-based server platforms. Many security precautions are handled by your host, so, using a reputable hosting provider is a must.
Encrypted access: Use an encrypted protocol to control your server: SSH, SCP or SFTP; NO TELNET or plain-text FTP
Protect wp-config.php: Be careful about file permissions. In fact, all files and folders should be protected.
- Add this code to the active wp-config.php to protect the site. For example, define('DISALLOW_FILE_EDIT', true); turns off the built-in theme and plugin file editor in the dashboard.
- Have a master copy and work on copies before elevating them to production.
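Both points above, file permissions and the DISALLOW_FILE_EDIT setting, can be checked with a small audit script. This is an added example, not code from the original article or from WordPress; the function name, the permission thresholds (nothing for "other", no group write) and the two sample configs are assumptions made for illustration, and the PHP parsing is deliberately simple.

```python
import os
import re
import stat
import tempfile

# Matches define('NAME', value); with either quote style (simplified parsing).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.I,
)

# Constructed sample files, not taken from a real site.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
// define('DISALLOW_FILE_EDIT', true);
"""
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define('DISALLOW_FILE_EDIT', true);
"""


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php at `path` (empty = OK)."""
    findings = []

    # 1. File permissions: other users on the host should have no access,
    #    and the group should not be able to modify the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"mode {mode:03o}: accessible to other users on the host")
    if mode & stat.S_IWGRP:
        findings.append(f"mode {mode:03o}: writable by the group")

    # 2. Hardening constant: it must be defined and set to true.
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    # Drop block comments and whole-line comments so that a commented-out
    # define() is not mistaken for an active one.
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    source = re.sub(r"^\s*(//|#).*$", "", source, flags=re.M)
    constants = {
        m["name"]: m["value"].strip().lower() for m in DEFINE_RE.finditer(source)
    }
    if constants.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings


def demo():
    """Audit a weak and a hardened sample config; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(WEAK_CONFIG)
        os.chmod(path, 0o644)  # world-readable
        weak = audit_wp_config(path)

        with open(path, "w", encoding="utf-8") as fh:
            fh.write(HARDENED_CONFIG)
        os.chmod(path, 0o600)  # owner only
        hardened = audit_wp_config(path)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak config:", weak)
    print("hardened config:", hardened)
```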
More tips for WordPress security
WordPress security scan: There is a popular misconception that only big and popular WordPress sites get hacked. Many people don’t find it necessary to install a WordPress security scanner in the initial phase. That’s why a malware injection can go unnoticed until it’s too late to take any preventive steps. Thus, you should install anti-malware scanners/security scanners from the very beginning. A scanner will help you protect your website against future attacks by scanning your entire WordPress website. If it finds any suspicious scripts, viruses or malware, it removes them immediately. Sucuri, WordFence and Anti-Malware Security are some of the well-trusted WordPress malware scanners. CodeGuard also has a robust inbuilt scanner.
Backup: Backups and revision management are crucial. Make frequent backups of your WordPress site. This way, if you experience any significant problems, you’ll have a working restore point. You’ll inevitably be in a situation, even outside of WordPress management, where you will be glad you had revision management and backups and/or regret that you did not. Having a working copy of the wp-config.php file can also resolve problems quickly without the need to do a full restore. Back up and export data away from the production server.
Final tips for securing your WordPress website
Firewall protection: Firewalls are a good way to keep all non-public-facing data and communication private. Implement a software and/or hardware firewall on the hosting server and make sure it’s properly configured. Use other firewall-like measures as well. AWS, for example, has VPC, which is an extra layer for the subnet and adds ACLs and firewall-like rules.
Prevention of SQL injection attacks: To identify injection vulnerabilities, use a well-respected vulnerability scanner. Also, make sure local PHP is up to date. Older versions of PHP have many security flaws. As of May of 2018, around 25% of the PHP versions in use are 5.6 or less.
Monitor carefully: Network logs and activity monitors will also give a good idea as to what may be happening. Audit logs inform you about others’ activities on your website. You can keep an eye on their every move and be assured that they are not doing something that they are not authorized to do. WP Security Audit Log, Simple History, User Activity Log, Simple Login Log and WP Log Viewer are some popular plugins for audit logs.
WordPress is an excellent platform for websites. Keep your users safe and engaged on your site with proper WordPress security practices! Stay safe, happy WordPressing and happy scrutinizing!
Sam Patel is a technical writer at CheapSSLsecurity.com. He specializes in explaining WordPress, website security, and digital marketing topics in easy-to-understand language for business owners and marketers.
Imagine how rich you would be if you got a dollar every time news of a data breach was published! If you are trying to figure out some reasonable ways to protect your online data, you are more alert than millions of other people living on this planet.
There are some popular misconceptions regarding data security among people. For example,
“It is 100% the bank’s responsibility to protect my data,” “Why would someone be interested in my personal data on social media?”, “Only celebrities’ accounts get hacked, not a layman’s,” “How on Earth can someone misuse my personal details?”
How can you protect your online data?
In this article, we have uncovered the truth behind those misconceptions and provided some vital tips to protect your data online!
You should use different passwords for different accounts. If it is too difficult to remember hundreds of passwords, you can group the accounts into categories. For example, make separate groups for social media accounts, financial institutions, shopping websites, etc. and set a different password for each group. So, at least the hacker who got your Facebook password cannot log in to your bank account!
It is cliché to say that your password must contain an uppercase letter, a lowercase letter, a number, and a unique character. But if creating and remembering new passwords for different accounts seems a big hassle to you, you can be a little creative with your password and use phrases for passwords. For example, 4Dogs@home, I<3Jalapenos. See, easy!
You can also use numbers for some words and letters or minimize the words. For example:
“I want to buy an iPhone!” will be Iw2biph!
“I use Facebook for 2 hours a day” will be IuFB42had
You can also use a password manager. It will generate strong passwords and automatically fill them into login fields with the click of a button. A password manager can also share single login credentials with other people without them being able to view the login information.
“Congratulations! You have won $1000000 lottery” - Everybody knows that this sort of email is a fraud and should not be opened! Even my grandma knows it! The bad news is that even hackers know that, and that’s why they are coming up with more creative ideas in their email hacking efforts!
You would certainly not share your SSN with that person claiming to be a Nigerian prince over email, but what if you get an email from your bank asking you to verify your SSN for the loan you applied for recently? Yes, at least the majority of us would share our sensitive information in such a case. Hackers know that. So, sending email wearing the mask of a financial institution is a popular email phishing trend. You would think that the email is from your bank, and the link in the email will lead you to a webpage that looks exactly like your bank’s official website. As soon as you log in with your credentials and submit the required details, the hackers will get everything they need!
To be on the safe side, do not click the links unless you are 100% sure about the sender. Directly go to the bank’s/financial institution’s website and log in there only. You can also call the customer care number and verify whether they have sent the email and the link in the email is safe to open.
Phishing emails do not only involve financial institute look-alike websites. There are many types of phishing emails. For example, you will get an email from a friend or relative telling you that they are in trouble and need money immediately! Or an email with product offerings that looks exactly like the email you usually get from your favorite eCommerce website. So, always be alert while clicking any links from your emails.
When downloading and installing any software from the internet, make sure you read the publisher’s name and the security warning at the time of installation. All the genuine software publishers get code signing certificates to prove their authenticity and secure the software. If the software is signed by a code signing certificate, you will see this type of window at the time of installation.
If the software is not secured by a code signing certificate, it will show the type of window below at the time of installation. Such software might be from a suspicious person and can bring viruses or malware along with it.
Public wi-fi – Working at the local coffee shop is so cool! Even J.K. Rowling used to write Harry Potter in a local coffee shop! But using public wi-fi to do your bank transactions or to send/receive other sensitive information might not be so cool! It is easy for other users to intercept your data from public wi-fi ‘hotspots’ in places like cafés, airports, hotels, and libraries. So do not send and receive sensitive information when you are using public wi-fi. Avoid using free wi-fi that is offered by people you do not know or trust. Hackers generally attract victims by setting up free wi-fi hotspots to steal users’ information.
Home or business wi-fi – Always have a strong password for your personal wi-fi. You can also hide your Wi-Fi network: set up your wireless access point or router so that it does not broadcast the network name, the Service Set Identifier (SSID).
5. Visiting websites
When you visit a website, always check whether it is encrypted. An encrypted site means the data you enter on the website (bank details, credit card/debit card information, SSN, passwords, etc.) gets encrypted and cannot be decrypted and hacked in the middle of the transaction. Website owners get SSL certificates to encrypt their websites. If a site is not encrypted, you will see http:// (instead of https://, where ‘S’ stands for ‘Secure’) and a ‘Not secure’ sign in the address bar. Do not enter any sensitive information on such websites.
If a website is encrypted with an SSL certificate, it will show https:// and a padlock sign in the address bar.
Reputed organizations generally choose an EV (Extended Validation) SSL certificate. It is expensive and difficult to get and, hence, the most trusted one. The address bar will show the official/legal name of the organization before the domain name. Most financial institutions use EV SSL certification. If you are interested in reading more about the benefits of SSL certificates, the list of providers and what kind of options exist, we already wrote an extensive post about it and you can read it here.
6. Regular device security
What happens if your device gets stolen? It is an ugly scenario, and nobody wants to talk about it. The majority of people have a soothing misconception that they are always alert, and their device will never get stolen (until it actually does!). If we sound like gloomy pessimists, let us show you some statistics from Kensington’s recent study report.
• One laptop is stolen every 53 seconds.
• 70 million smartphones are lost each year, with only 7 percent recovered.
We wish your device a long and prosperous life, but you should also make sure that if it gets stolen, the damage is minimal. Always log off when you’re finished working. That way, if your laptop/mobile is stolen, the thief cannot log into your important online accounts. Secure your mobile with a fingerprint, biometrics or unique codes. Have a strong password for locking your laptops. So, when they get stolen, the thief cannot get into the system.
7. Device security when you are getting rid of it
Whether you are reselling your old mobile/laptop or throwing it in the garbage bin, delete all the data before doing so. Visit all the websites where you generally have login information and log out from all the accounts. Make sure your login credentials are not saved there. For laptops, delete/overwrite all the data on the hard drive.
Two-factor authentication (also known as two-step verification) allows you to use another security method along with your regular password. It requires a second verification step, such as the answer to a secret question, a personal identification number (PIN), a secret code or phone/email verification with a one-time password (OTP). You can have two-factor verification for your Facebook, Google, Dropbox, Apple ID, Microsoft, Twitter, bank account, shopping website accounts, and other important accounts. Even if a hacker gets your password, s/he cannot log in to your account because of this additional layer of security.
9. Firewalls, anti-malware, security scans
Malware is malicious software that is designed to invade a device without the device owner’s consent. It includes computer viruses, spyware, worms, trojan horses, etc. Hackers hide them in websites, emails, downloadable software, files, photos, videos, etc. Make sure your computers and mobile devices have robust anti-malware, anti-virus, and anti-spyware programs. Run frequent scans for viruses. Avoid clicking on suspicious links.
You should also install firewalls. A firewall protects websites and computers from viruses, malware, hacker attacks, etc. It assists in blocking dangerous programs, viruses or spyware before they damage your system. Hardware-based firewalls provide a robust level of security.
Just like with Autocorrect, everyone has a love-hate relationship with software updates! Hackers are always in search of vulnerabilities in current software. Software updates fix those loopholes and include critical security patches for recently discovered threats. Unfortunately, you can run, you can hide, but you can’t escape from software updates! You must keep updating all the operating systems and software whenever the latest updates are available. You can also automate updates.
11. Data encryption
Encrypt your data on your removable storage devices (USB drives, SIM cards) and cloud storage. Removable storage devices can simply be plugged into another device, and the holder of the device instantly gets access to all the data stored in it. But if you have encrypted your data, no other person can interpret the data if the storage device gets stolen or lost.
Cloud storage is always an attractive backup option. But not all cloud storage platforms are equally secure. So, you must choose a cloud service that encrypts the data you store or at least offers you an encryption option. Some cloud service providers take care of both, encrypting your files on your own computer and storing them safely in the cloud. Therefore, no one (even the service providers) will have access to your files. It is called “zero-knowledge” privacy. Some of the well-known “zero-knowledge” cloud service providers are Spideroak, Tresorit, and Wuala.
12. Social media caution
“Who is interested in using my personal data? I am not a celebrity or any Richie rich!” Well, there are online marketers who are keen to know your age, nationality, geographical locations, likes and preferences, webpages you like to surf on, and your friend circle and family (a.k.a influencers). These details help them to decide which online advertisements to show you, where to place those ads to make maximum effects on your mind and influence your purchase decisions.
Not only are marketing strategies formed on the basis of your personal information, but hacking can also be planned on the basis of the information you share over social media. “How on Earth can someone misuse my personal details? What’s wrong with posting pictures of Fluffy, my cute little dog, or a vacation to my hometown and enjoying my favorite dish in my first school’s cafeteria?”
Well, people generally use their personal details to set passwords and security questions. Imagine you have set your password using your name, date of birth, your pet’s name or your parents’ or spouse’s name: how easy it would be for a hacker to guess your password. If your security questions are “What is your pet’s name?”, “What is your favorite food?”, “Name of your hometown” or “Which is your first school?”, don’t wonder where hackers got the answers from!
We are not saying don’t enjoy your social media. But be careful and don’t overshare.
- Only add people whom you know and can trust.
- Go to privacy setting/Account setting and carefully select the visibility of each post.
- Do not click on “too good to be true” sorts of links. “Know your future based on your birthdate”, “Know your personality type based on your food habits”, “Find out who viewed your profile on Facebook?” types of posts are sometimes filled with malicious scripts and can easily hack your profile.
- If you get suspicious messages and links from your friends/relatives, call them to confirm before clicking on those links. There are high chances that your friends/relatives’ account got hacked, and they did not even know about it.
- If you get posts asking for charity or fundraising for a cause, make sure to visit their official website, call the concerned person and check all the tiny details before sending the money.
If you think following data security steps is too much work and eats up a lot of your valuable time, we understand you! But do you know what is even more time-consuming and frustrating? The procedures you need to follow after an actual data breach takes place. For example, banks and financial institutions take responsibility only if the deficiency is on their part. If the fraud has taken place due to a customer’s negligence, banks/financial institutions do not assume any liability.
For example, if someone has used your debit card with the correct ATM PIN, you need to go to the police and cybercrime department instead of the bank. It is a lengthy and exhausting process. The procedure becomes worse if the cybercrime is committed from other countries. Hence, prevention is always better than cure in all the areas of life, including online security!
Medha M. is working as a Content Marketing Specialist for SectigoStore. She is a Tech Enthusiast and writes about Technology, Website Security, Cryptography, Cyber Security, and Data Protection. She had held a Management Consultant role in a range of organizations.
Before listing several benefits of SSL certificates, let’s start with the basics. Like the question that’s on everyone’s mind: what does SSL stand for? SSL is an acronym for Secure Sockets Layer and is a global standard security technology that enables encrypted communication between a web browser and a web server. In other words, between you and the website. The main objective of this cryptographic protocol is to keep communication on the Internet secure. This global standard technology is used by millions of online businesses to reduce the risk of sensitive information being stolen or tampered with by unauthorized parties. In essence, it allows for a private conversation just between the two intended parties: your browser (you), and the website (the server that holds the website).
An SSL certificate is a digitally signed file issued for a particular domain name. The certificate will have the issuer signature, serial number, and the expiration date. The certificate has to be first installed on the server, and once the installation is complete, you can access the services through HTTPS or any other SSL protocol like FTPS. So for example, if you want to upload files securely via your file transfer protocol (FTP) when you are updating your website, you can do it over a connection secured by your SSL certificate. It is very important that the SSL certificate is recognized by all major browsers; otherwise, the users accessing the website will just get a warning message (SSL not recognized) instead of the website.
Too technical so far? What about the benefits?
If this is too technical for you, don’t sweat it! In most cases, this won’t even matter. The company that sells you the SSL certificate will most probably install it. After the installation, there’s not much work. The SSL certificate will be installed and always present in the background. With little cost tied to it and a negligible negative impact on website speed, the benefits of an SSL certificate clearly outweigh the cons. Besides, there are plenty of low-cost SSL certificates or even free ones that still take care of the job.
The only thing you do have to watch is that your SSL doesn’t expire! But don’t worry, that’s exactly why we built Webmaster Ninja monitoring. You will still get a notification from the SSL provider, but as we have learned with domain name expirations, it doesn’t hurt to get a backup notification from a third party source. Renewing an SSL for another year is a very simple process that should be done by a system administrator or the SSL provider. This process is slightly different based on the type of SSL certificate (check below), and the provider.
Be ahead of the curve, and enjoy a Google boost
An SSL certificate allows data to be encrypted before it is transmitted through the Internet. Furthermore, only the server where the data is being sent can decrypt the data. This ensures that the information you submit to websites will not be stolen in transit. Back on 06/08/2014, Google announced that having an SSL installed on your website will increase your ranking position. This is one of the benefits of SSL certificates and why website owners have started using an SSL.
Today, there is a vast growth in communication technology to maintain a robust system for website security. Sensible website owners look for reliable security technology to protect their websites from being hacked, tampered with or damaged by hackers or malware. But on the other side, there are still website owners who do not have an SSL certificate. According to research conducted by WhoAPI, 61.8% of the top 1000 websites do not have an SSL certificate. Website owners need to understand the importance of owning this certificate.
Types of SSL certificates
SSL certificates are divided into five validation groups.
- Domain validation certificates: They are cost-effective and can be issued in a few minutes. No extra paperwork is required. They cover one domain or sub-domain and involve only email validation.
- Multiple domain validation certificate: This certificate is just what it says, it protects multiple domains.
- Wildcard SSL Certificates: This single SSL certificate will protect all sub-domains, including the main domain. For example: shop.domain.com, www.domain.com, and admin.domain.com
- Organization validation certificates: These certificates can be issued within 1 to 3 days. They cover one domain or sub-domain and include business verification, thus providing a high level of security.
- Extended validation certificates: These certificates are issued within 2 to 7 days. They cover one domain or sub-domain and include business verification.
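The two things worth checking on a certificate from the passages above, how long until it expires and which host names a wildcard entry really covers, can be verified in a few lines. This is an added example, not code from the original article or from any monitoring service it mentions; the certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the 30-day warning threshold and function names are assumptions. It shows that `*.domain.com` matches exactly one label, so the bare `domain.com` is covered only when the certificate also lists it.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificates (same shape as ssl.SSLSocket.getpeercert() output).
WILDCARD_ONLY = {
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.domain.com"),),
}
WILDCARD_PLUS_APEX = {
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}
HOSTNAMES = [
    "shop.domain.com", "www.domain.com", "admin.domain.com",
    "domain.com", "a.shop.domain.com",
]
NOW = datetime(2024, 12, 15, tzinfo=timezone.utc)  # fixed "today" for the demo


def days_until_expiry(cert, now):
    """Whole days between `now` and the certificate's notAfter date."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires - now).days


def name_matches(pattern, hostname):
    """Match a certificate DNS name against a host name.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".domain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def covered(cert, hostname):
    """True if any DNS entry in subjectAltName matches the host name."""
    return any(
        kind == "DNS" and name_matches(value, hostname)
        for kind, value in cert.get("subjectAltName", ())
    )


def check_certificate(cert, hostnames, now, warn_days=30):
    """Summarise expiry and coverage for the host names a site uses."""
    days_left = days_until_expiry(cert, now)
    return {
        "days_left": days_left,
        "renew_now": days_left <= warn_days,
        "uncovered": [h for h in hostnames if not covered(cert, h)],
    }


if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(label, check_certificate(cert, HOSTNAMES, NOW))
```

Against a live site, the same dictionary comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`.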
Personally, I would recommend an EV SSL certificate for a company that has a growing online presence, especially if it is an eCommerce site. On the other hand, if it is a simple website for a small business, I suppose right now any SSL would do. In most cases, it would put you in front of your competitors.
5 benefits of SSL certificates
Security from hackers
In the virtual world, there is no shortage of phishing websites. They look the same as the original, authentic website and use many techniques to entice you into providing your confidential information. But SSL identifies these websites and ensures that these fake sites will never attack your website, especially the EV (extended validation) SSL certificates. That green bar in your user’s browser will do miracles.
Google loves websites using SSL
There are companies that invest a lot of resources in search engine optimization without comprehending that simply having an SSL can boost their website ranking on Google search. It has been more than two years now since Google included SSL as a ranking factor in their popular PageRank algorithm. With all other things being the same, a website having SSL will rank higher on Google search than one not having it. Why? Google has repeatedly stated that a user’s experience is the number one priority. Well, feeling secure while browsing a website impacts experience. If you have a properly installed SSL certificate, it will be a positive security signal and a positive experience.
A website with an SSL is a mark of reliability. The certificates are only issued when the applicant passes the verification procedure. And most of the modern browsers trust the SSL certificates issued by the certificate authorities. Also, it shows that the website owner cares about their user’s security. It could be that he is more of a caring provider than the website owner that doesn’t install an SSL certificate. Surely that is one of the benefits of SSL.
Increase users’ loyalty
An SSL certificate is a must for you if your website has user accounts with personal data like contact numbers and credit cards. Visitors will come back again and again if they know their confidential details are secure. For example, if you see expensive Adidas shoes being sold at a large discount on a domain name with the keyword “adidas” (like adidas2018.com), there’s a good chance this is a fraud. If you suspect this, check whether the website has EV SSL installed, check its credentials, and check whether the company selling this product is really Adidas.
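The certificate types listed earlier (wildcard, OV, EV) and the credential check suggested above can both be read from the certificate's own fields. The following is an added example, not part of the original post: it uses constructed certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the subject-field test for the validation level is a heuristic assumed here, with all sample names made up.

```python
# Added example: constructed certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). All organisation names and values are made up.
WILDCARD_CERT = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "*.domain.com"),)),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),),
                (("businessCategory", "Private Organization"),),
                (("serialNumber", "0000000"),),
                (("organizationName", "Example Shop Ltd"),),
                (("commonName", "www.domain.com"),)),
    "subjectAltName": (("DNS", "www.domain.com"),),
}
# Subject attributes that EV certificates carry in addition to the organisation.
EV_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def subject_fields(cert):
    """Flatten the nested subject tuples into a {name: value} dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic on subject fields; the policy OID is not exposed in this dict."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"  # domain control only, no verified business identity
    return "EV" if EV_FIELDS.issubset(fields) else "OV"

def name_matches(pattern, host):
    """'*' counts only as the whole left-most label and spans exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    """True if any DNS subjectAltName entry in the certificate matches host."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, host) for san in sans)

if __name__ == "__main__":
    for host in ("shop.domain.com", "domain.com", "a.shop.domain.com"):
        print(host, covers(WILDCARD_CERT, host), validation_level(WILDCARD_CERT))
    print("www.domain.com", covers(EV_CERT, "www.domain.com"), validation_level(EV_CERT))
```

The wildcard entry matches exactly one label, so `domain.com` is covered in this sample only because it is listed as a second name, and `a.shop.domain.com` is not covered at all.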
More visitors to your online stores
Another benefit of SSL: if you are running an eCommerce store that’s built with a website builder and are eager to have more visits to your website, you should definitely have an SSL. Today, most online shoppers are aware of this communication technology. Shoppers check whether you have an SSL or not. In its absence, they might not be interested in shopping because they may fear their personal data will not be kept secure and confidential.
How to choose the right SSL certificate provider?
You may be thinking to yourself, sure, the benefits of SSL certificates are great, I want that. How do I proceed? Well, make sure you choose a trusted SSL certificate provider. Here we can share some numbers on the five largest SSL certificate issuers. To be honest, the top two providers hold 71% of the market share according to W3Techs. But still, I will list several of the largest providers, and compare some of their pricing.
Comodo (as of November 1, 2018 – Sectigo)
They have been dominating the SSL certificates sector for a while and show no sign of slowing down. Their support sometimes gets a bad reputation, but handling so many clients and keeping the prices down has its setbacks. You just can’t get to 37% market share without any issues. The thing with prices for Comodo (now Sectigo) certificates is that you will probably get a better deal through one of their resellers than on the main website. So, for example, the EV SSL certificate will cost you €249 / year (approximately $300 US), whereas on sslguru.com and thesslstore.com I found a Comodo EV SSL for $199 / year.
GeoTrust, Symantec, DigiCert, Verisign
Thoma Bravo, a company that owns DigiCert, acquired GeoTrust in 2018 from Symantec. Symantec is also a CA (Certificate Authority) just like GeoTrust, DigiCert, Comodo (now Sectigo) or GlobalSign. So although all three (GeoTrust, Symantec, DigiCert) are separate entities, it is hard to set them apart clearly, especially when GeoTrust is sold over and over again. For example, one of my friends who secured his website with GeoTrust now has to renew his SSL due to the ownership change. It’s a hassle no one needs in their daily schedule.
As for Symantec, they had a dispute with Google (which was one of the reasons why they decided to sell the GeoTrust company). Obviously, an SSL certificate is no good if the browser (in this case Chrome) doesn’t recognize it. In the article I’ve just linked, you can read that Symantec is handing its infrastructure over to DigiCert. So that’s further proof that these companies are connected. Besides, Symantec’s EV SSL certificate prices start at nearly $1000. I am not saying the price is the deciding factor, but when something costs twice as much…
As for Verisign’s SSL certificates, they can be purchased at geocerts.com. There you can see that they are now under Symantec. Symantec purchased the SSL certificate division from Verisign back in 2010. As significant as their (the quartet mentioned here) market share is, at the moment I wouldn’t recommend them to the everyday user. Some of them are quite expensive compared to other providers, and you don’t know where you will end up in a year. It’s hard to focus on the benefits of SSL when you are not sure who your provider is. That is also why the past few paragraphs might have been a little confusing.
I learned about GlobalSign during one of the World Hosting Days Global events in Rust, Germany. Their market share is significant, at nearly 5%. They are a reputable company based in Belgium/Japan and a subsidiary of GMO Internet. Just as with Sectigo (formerly Comodo), prices for an EV SSL certificate on their website start at $599 / year, while SSL2BUY, for example, offers them at $429 / year.
That’s it for now. In the future, we may update this post with IdenTrust, GeoTrust, Thawte, and other providers. This is more than enough benefits of SSL to take in, and I hope this was a learning experience for you. I did my best to back up the text with facts since none of the links above are affiliate links.
I’ve been an online entrepreneur for more than a decade. Back in 2011, I sold my first small business. 500 Startups alumni. I love to read and write in every shape or form. Founder of WhoAPI and webmaster.ninja and website investor. I also blog on Duskic.com.