Why your church website needs a SSL Certificate

What’s a SSL Certificate?

Before we get into why your church website needs an SSL certificate, let’s talk about what it actually is. SSL (Secure Sockets Layer) is a global standard security technology that enables encrypted communication between a web browser and a web server. If you’ve used the internet, then you’ve used a site that utilized SSL. It helps protect important data (like credit card numbers and passwords) from being stolen by allowing a private back and forth transmission of the data between your church website and the site visitor.

The SSL Certificate is installed on your web server and, in addition to encrypting the data that’s transmitted, it prevents unauthorized parties from altering the data that’s being transmitted (also known as a “Man in the Middle Attack”). While those protections are happening behind the scenes, most people likely recognize SSL Certificates in relation to seeing a URL begin with https:// as opposed to http:// or when they see a little green lock in their Google Chrome browser. That’s because an SSL certificate also authenticates the identity of your church website, which helps legitimize the site to your visitor.

The different ways Google Chrome displays if a site’s connection is secure

There are different types of SSL Certificates, but the most common one (and the one the average church needs) is a Single SSL Certificate. “Single” just refers to how many domains the certificate is securing.

Where do I get one?

For years, a Single SSL Certificate would cost you at least $100 per year and sometimes into the hundreds of dollars. It was a way for a lot of website hosts to make money. That is until a few years ago something came along called Let’s Encrypt, a joint initiative by a few huge companies and organizations like Mozilla, Google, Cisco and others, including a few Universities. The goal was to simplify the setup and application process and make everything free so that no web host could have any excuse not to offer an SSL Certificate with every site. In early 2016, Let’s Encrypt officially launched and has since issued hundreds of millions of free SSL Certificates.

Because Let’s Encrypt has had such a success, your web host likely offers a free Single SSL Certificate (if they don’t, you should probably consider switching). If your site is on Squarespace, you can follow this tutorial to enable SSL throughout the site. If you’re on WordPress, you should talk with your host. The three hosts that we recommend (Flywheel, WPEngine and SiteGround) all include a free SSL Certificate and make the process extremely easy to enable it. If you’re using another website builder and host, then just reach out to them to see if it’s included with your plan and how to enable it.

If your website provider doesn’t offer one for free then you can also signup for a free account with Cloudflare. They’ll not only provide you with a basic SSL Certificate, but they’ll also give you access to a CDN (Content Delivery Network) that caches your website data on their servers and can help make your church website load faster for visitors. Millions of sites use Cloudflare for both SSL and CDN, so it’s a great and reputable option. If you’ve used a web browser today, then you’ve likely visited at least one site that’s utilizing Cloudflare.

Why do I need one now?

Well, you actually should have always had an SSL Certificate (see our first point). Over the last few years, mainly thanks to Google, more and more sites have started using them to protect both their own interests and that of their visitors. But the big change and the reason you need to add a certificate ASAP is that Google is about to start using their browser market share to bully you into doing the right thing (it’s for your own good). Earlier this year Google announced that, beginning in July 2018, they would start marking all HTTP sites as “not secure.”

So, imagine you’re someone who just moved to a new city and you’re checking out church websites. You come across one that you might be interested in, begin to fill out the “Plan Your Visit” form and then you see that Chrome is telling you the site isn’t secure. It won’t deter everyone, but it will for some.

While it’s still somewhat subtle (for now), I believe Google will eventually make the “Not secure” text the same bright red it does when you go to a site that’s hacked.

How I think Chrome will eventually display HTTP sites

In addition to the Google Chrome enforcement, Apple recently emailed podcasters encouraging them to use “a secure podcast feed with a SSL certificate.” While it’s just a recommendation for now, Apple will eventually require all feeds to be HTTPS. If you host your church sermon podcast on your WordPress or Squarespace site, then this is just another reason you should go ahead and set up a free SSL Certificate.

Lastly, over the last few years Google has also made HTTPS a small factor when it comes to search engine rankings. It’s not going to make or break your search ranking, but it could be the difference in pushing you up a spot.

Oh, and one last tip: if you are using WordPress and are preparing to make the switch to HTTPS, then consider using a plugin like Force HTTPS so that all of your old links and all of your images will now load as HTTPS.

Remember, an SSL Certificate is free (thanks to Let’s Encrypt), it helps protect your site and your visitor’s data, it could help your SEO and your website provider should make it extremely easy to set up. Every church website should have an SSL Certificate and you should have it before Google rolls out their latest Chrome update that will shame you if you don’t.

Casey Fulgenzi

Founder of Church Web Guide and Churchlancer.com, a directory of creative freelancers and agencies that work with churches. Casey also works at Redeemer Presbyterian Church in NYC, where he runs Gospel in Life and assists with Communications.

Recent Posts