HostGator Free SSL Certificate Overview & How to Install It
Once again, we see a huge step for HostGator. The company recently announced that all their shared hosting packages will include an extra Let’s Encrypt SSL, making it an even better deal for their clients. It became so important for website owners to have an SSL that they are going to buy the package anyway, so why not merge it with the web hosting packages? HostGator did it, and it was a great idea.
Now by buying a shared hosting plan, you can fix two problems at once. If you visit the Shared Web Hosting section on their website, you can see that they added the free SSL certificate to the list of features in each package. This was a wise, yet risky move by them because while they made it more convenient for people to get online, they also gave up one of their main sources of revenue.
After all, every web hosting company is a bit different. While HostGator gives out SSL certificates for free, you can find different extras included in the packages of other hosting providers. The point is to provide what people really need for free, and HostGator made the right choice. By giving out free SSL certificates, the company has changed the game so much that many of their competitors have to adapt to it if they don’t want to lose a significant amount of clients.
Learn more about this company, read our detailed HostGator review here.
How Good is Let’s Encrypt SSL Exactly?
It is quite generous by HostGator to give a Let’s Encrypt SSL to their customers for free. It is always good to get something for free, right? But what are the benefits of such an SSL? It applies the following changes to your website:
- The data that your visitors send and receive while hanging out on your website will be encrypted. This allows them to share sensitive information without the need to worry about any leakage
- The SSL certificate will be applied to all your subdomains
It was not that long ago that Let’s Encrypt decided to extend their SSL to all of the subdomains under the same certificate. There was a high demand for wildcard SSLs, which is the package that gets all your subdomains covered. Another popular one is Auto SSL, an example for those types of SSL certificates that don’t extend to subdomains.
Companies that offered Auto SSL usually created additional SSL certificates for each subdomain under the client as compensation. Providing a wildcard SSL or an Auto SSL with additional certificates is almost the same thing, but it is still simpler to provide a wildcard SSL right away.
This is How Your Install a Let’s Encrypt Certificate
After going through the whole signup process, you can log in to your cPanel account at HostGator and the Let’s Encrypt SSL will be available right there. All you need to do is to start the installer and it will be ready in a couple of minutes. Let us show you how to set it up step-by-step!
Step 1: Find Let’s Encrypt in Your cPanel
This is the easiest step. You will see plenty of icons in different sections after logging in to your cPanel interface. Right now, you need to find the “Security” section where a handful of tools are available. Among them, there is the “Let’s Encrypt” icon displayed as a shining padlock. Click it and continue with the next step.
Step 2: Activate Your Let’s Encrypt Wildcard Certificate
The icon will lead you to a “Manage Let’s Encrypt Certificates” page. It lists all the domains that are currently available on your hosting account. If you don’t have any activated SSL certificates on your account, then the “Get Wildcard” / “Issue” button will be displayed next to all of your domains. This option is available since January 2018 when Let’s Encrypt decided to hand out Wildcard SSL certificates instead of basic ones.
By clicking the button, you won’t only activate the SSL on your main domain, but on all your subdomains as well. You pay for one certificate, but you get plenty of them, which make it an absolute bargain. Even if you have dozens of subdomains, a Wildcard certificate covers all of them with an SSL. For now, click the green button next to the domains you want to secure.
Once you click it, you will get a message informing you that your domain and subdomains will be affected by the Wildcard. However, it won’t cover your add-on domains. Make sure to read the message and then click “Confirm” if you agree. The setup process is quite straightforward; you pretty much just need to click through it until it lets you generate your Wildcard at the end.
The “Successfully Installed SSL” message is where you can finalize the setup. From then on, the SSL is activated on your site and anyone can see the padlock and the “Secure connection” tab when they click on it in the browser. Your website is now running via HTTPS and visitors can share their passwords and credit card numbers without any risk.
Step 3: Time to Completely Switch to HTTPS
Unfortunately, it isn’t enough to go through the previous two steps. Although people can visit your site through HTTPS, activating your Wildcard SSL doesn’t turn all requests into HTTPS. There is still some tinkering that has to be done because backlinks are still a big issue. The backlinks you have on your site are still going to point to the previous, HTTP version of it.
Another problem is that your regular visitors probably won’t even notice that you switched to HTTPS. When they decide to visit your site, they are going to type in the same old URL as before, and it is going to open the insecure HTTP version of your website. Fortunately, this little problem can be easily solved. All you need to do is to make sure that all HTTP requests are rerouted to the new, HTTPS protocol automatically. This way, even if people find or type in a HTTP version of your web page, they will be instantly redirected to HTTPS.
In the previous steps, we have already showed you where you can find the Let’s Encrypt plugin in cPanel. You can use the same plugin to set up the automatic redirect. Before we show you how to do it, you need to make sure that there is no active .htaccess rule. Such rule can only further complicate things by forcing all requests on your site to be HTTP. If this rule is active and you set the new HTTP > HTTPS redirect rule in the meanwhile, then you are going to end up in an infinite loop of HTTP > HTTPS > HTTP.
As a result, your traffic is never going to reach your site and going to end up in this redirect loop instead. So, if there is no such rule applied to your site, then you can start to redirect your HTTP traffic to HTTPS. Click the Let’s Encrypt icon again in the Security section, and pick HTTPS Settings from the drop down menu next to your domain. This drop down menu is only active if you have already activated the Wildcard SSL. Then, a Manage HTTPS Settings tab will appear where you should turn on the HTTPS Enforce option.
Your website constantly makes external requests as well, and those also need to be HTTPS links. For example, you might have a style sheet that points to an external CSS resource, but it is coded in HTTP. You can easily turn this into a HTTPS request in the same Manage HTTPS Settings tab. Below HTTPS Enforce, there is the External Links Rewrite switch. Turn that switch on and it will guarantee that there will be no mixed content on your website in the future.
From then on, every single outgoing link will be converted into HTTPS. Keep in mind that if there is any mixed content on your site, then it will get an invalid SSL status and you will lose the trust of your visitors immediately. In case you want to link to a resource, but the plugin detects that there is no way to do it via HTTPS, it is simply going to avoid the resource. This is pretty much the only way to keep your website away from HTTP. If you want an SSL secure site, your request need to be secure HTTPS requests.
Step 4: Find All Content with HTTP Links
If you want to link to resources that don’t have a HTTPS enabled URL, we have good news for you. You can always download these resources and add them to your website content. If it is your content, you can certainly serve it as HTTPS, right? In case you have links that point to that particular resource, then you will need to find those links and make sure that they point to the new location (your own server) of the resource through HTTPS.
You might find some themes or plugins that don’t support HTTPS. These can be also hosted on your website, but downloading such content will eventually require you to update in the future when the next version comes out. Each time there is a new version, you need to download and start hosting it on your website, replacing the previous one which is quite an annoying process. If you just simply update it, then the URL will change to insecure HTTP again so that’s definitely not a good option.
A better idea is to avoid HTTP based themes and plugins whatsoever. You have plenty of them available in the market anyway.
If you are running your website on WordPress, you don’t need to go through the Step 3 and Step 4. Just install the Really Simple SSL plugin and activate it. This plugin will do all the redirecting and URL rewriting for you.
Do You Even Need Let’s Encrypt Support?
The fact that you get a Let’s Encrypt with the HostGator shared hosting packages for free doesn’t mean that you can’t apply it to any other hosting package. In fact, the provider doesn’t even need to support Let’s Encrypt and you will be still able to install it.
However, we are not saying that it is easy to install it without support. It is rather complicated and you need to do a bit of research to get familiar with the technical part of it before you do it. Also, while it is complicated but totally doable, it is definitely not something we would suggest. When you get a Let’s Encrypt certificate for free, it will only be valid for 90 days. If you install it manually, you will need to renew it manually through the same complicated process.
The reason why you should pick a package that actually supports Let’s Encrypt is because it will be renewed automatically each time it expires. Once you activate it through your cPanel, you don’t need to worry about it anymore. No one guarantees that you are going to remember your SSL certificate when the 90 days will be about to run out and actually renew it in time. It is more than enough to forget it one time, as you can end up in some pretty unpleasant situations as a result.
If you don’t want any sensitive data to be leaked from your site, then go ahead and find a web hosting provider that supports SSL certificates.
Do You Ever Need to Buy an SSL Certificate?
So, why would you ever buy an SSL certificate if you can get it for free? It turns out that in most cases, you are indeed better off with a free SSL. Either you get Auto SSL or Let’s Encrypt, it makes little to no difference at the end. A lot of web hosting companies were making big money just by selling SSL certificates.
But now, as more and more people find out that there are packages with free SSL, these companies have to change their plans. An SSL itself can easily cost more than a shared hosting plan. This might surprise you a bit, but there are a couple of cases when we actually recommend you to pay for an SSL. These are the following:
- An SSL certificate is already a good way to gain the trust of your customers, but if they see that you have bought it separately, they will be even more convinced. A great way to make potential customers stay
- You can protect yourself against fraud by ensuring yourself a warranty insurance
It is always a bit more reassuring if there is that green SSL bar on the left of your URL. There are plenty of well-known companies that take the green bar very seriously. For example, check out PayPal’s website. Besides the green padlock, the green bar also displays the company name written in green text. You can get the same type of SSL for your website if you get an Extended Validation (EV) certificate.
Once your visitors see your company name written in green, they will have no doubt in your credibility whatsoever. There are also many websites with similar domain names on the Internet. If you have an EV certificate, then at least people can be sure that they didn’t mistype the domain by accident. However, you should still be careful because an EV certificate is something that even scammers can buy if they want.
Not Every HostGator Subsidiary Provides Free SSL
HostGator is a huge brand that is divided into many smaller companies. Thanks to these subsidiaries, HostGator’s services are available worldwide. The problem is that the company still doesn’t provide free SSL in some of the countries where their services are available. For example, you can get the same old packages from HostGator if you reside in India. It might still take them some time to make their subsidiaries switch to the new packages and provide Let’s Encrypt SSL for free.
Every time HostGator changes something in their packages, it takes some time until every subsidiary takes the necessary steps and applies the same changes. But despite that, we can conclude that free SSL certificates were made available for everyone. If you want a basic SSL, you only need to sign up to a web hosting plan and they will give it to you right away.