The Shift from Optional to Mandatory

In 2014, Google announced HTTPS as a ranking signal. In 2018, Chrome began labelling all HTTP sites as "Not Secure." In 2026, most modern browsers block form submissions on HTTP pages and actively warn users away from visiting them. If your website still runs over HTTP, you are losing traffic, trust, and search rankings every day.

This guide explains SSL/TLS certificates plainly — what they do, which type you need, how to install one, and how to verify it is working correctly.

What Does SSL/TLS Actually Do?

SSL (Secure Sockets Layer) was the original protocol; TLS (Transport Layer Security) is its modern, more secure successor. Despite SSL being technically obsolete, "SSL certificate" remains the common term. Together, the protocol and the certificate accomplish three things:

  1. Encryption: Data between your visitor's browser and your server is encrypted. Attackers intercepting the connection see scrambled ciphertext, not readable content (passwords, credit card numbers, form data).
  2. Authentication: The certificate proves your server is the legitimate owner of the domain — it prevents man-in-the-middle attacks where an attacker impersonates your site.
  3. Integrity: TLS includes message authentication codes that detect if data was tampered with in transit.

Without HTTPS, any device between your visitor and your server — coffee shop Wi-Fi routers, ISP equipment, corporate proxy servers — can read and modify the traffic.

Types of SSL Certificates

| Type | Validation Level | Browser Indicator | Best For | Cost |
|---|---|---|---|---|
| DV (Domain Validated) | Domain ownership only | Padlock icon | Blogs, informational sites, portfolios | Free (Let's Encrypt) |
| OV (Organisation Validated) | Company identity verified | Padlock + company info in cert | Business websites, SaaS | NPR 3,000–15,000/year |
| EV (Extended Validation) | Rigorous legal verification | Green padlock + company name | E-commerce, banking, finance | NPR 15,000–50,000/year |
| Wildcard | DV or OV for all subdomains | Padlock | Sites with many subdomains | NPR 5,000–20,000/year |
| Multi-domain (SAN) | DV/OV for multiple domains | Padlock | Hosting multiple domains on one server | NPR 8,000–30,000/year |

For most websites — including small business sites, portfolios, and even e-commerce (when hosted on a reputable platform) — a free Let's Encrypt DV certificate is completely adequate. The level of encryption is identical across all types; only the identity verification level differs.

Let's Encrypt: Free SSL for Everyone

Let's Encrypt is a non-profit Certificate Authority that issues free DV certificates, renewable every 90 days, via the ACME protocol. It now secures over 400 million websites globally.

On cPanel/WHM hosting (including WebsNP plans), AutoSSL handles Let's Encrypt installation and renewal automatically — no manual action required. Check your SSL status at cPanel → Security → SSL/TLS Status.

To install on a VPS with Nginx:

apt install certbot python3-certbot-nginx -y
certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Test auto-renewal:
certbot renew --dry-run

How Google Penalises HTTP Sites

The impact of running HTTP in 2026 is multi-layered:

  • Search ranking penalty: HTTPS is a confirmed ranking factor. Two otherwise identical pages will have the HTTPS version ranked higher.
  • Chrome "Not Secure" label: Displayed in the address bar for all HTTP pages — especially prominent when any input field (search, login, contact form) is present.
  • Mixed content warnings: If your site has HTTPS but loads HTTP resources (images, scripts), browsers block the insecure resources and display a broken padlock.
  • Referrer data loss: When a visitor navigates from an HTTPS site to your HTTP site, the referrer header is stripped — you lose the data showing which website sent that traffic.
  • HTTP/2 blocked: All major browsers only support HTTP/2 over TLS. HTTP/2 is significantly faster than HTTP/1.1. Running HTTP means running on an older, slower protocol.

Installing SSL: Step-by-Step for cPanel

  1. Log into cPanel → Security → SSL/TLS Status
  2. Click "Run AutoSSL" if your domain shows as uncovered
  3. Wait 2–5 minutes for the certificate to install
  4. Verify the padlock appears in your browser for https://yourdomain.com

To force all traffic to HTTPS, add these lines to your .htaccess file (Apache):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

For Nginx, add this to the HTTP server block:

return 301 https://$host$request_uri;

Verifying Your SSL Installation

After installation, check for common issues using these free tools:

  • SSL Labs Server Test — comprehensive TLS configuration report, graded A–F
  • WhyNoPadlock.com — identifies mixed content issues causing a broken padlock
  • Browser DevTools (F12) → Console tab → look for "Mixed Content" warnings

A healthy SSL installation should score A or A+ on SSL Labs and show zero mixed content warnings.
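
Mixed content can also be checked against a saved copy of a page before it goes live. The following added example (not part of the original article) parses HTML and lists only the references a browser would fetch or submit to over plain http://, skipping ordinary links. The sample page and its URLs are constructed, and srcset attributes and CSS url() references are not covered.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch or submit to a URL.
# <a href> is left out on purpose: linking to an http:// page is not mixed content.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("embed", "src"), ("object", "data"), ("form", "action"),
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that load a resource


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url) for each insecure reference

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        urls = [attrs[a] for (t, a) in SUBRESOURCE_ATTRS if t == tag and a in attrs]
        if tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split()):
            urls.append(attrs.get("href", ""))
        for url in urls:
            # Protocol-relative (//host/x) and https:// URLs are fine on an HTTPS page.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/old/style.css">
<script src="https://yourdomain.com/js/app.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="http://yourdomain.com/uploads/logo.png">
<img src="//cdn.example.net/banner.png">
<form action="HTTP://yourdomain.com/contact.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> references {url}")
```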

Common SSL Issues in Nepal

  • "Certificate expired" error: AutoSSL renewal failed, usually because of DNS propagation issues or blocked HTTP access. Check WHM → SSL/TLS Status → AutoSSL logs.
  • SSL not covering www version: Ensure both yourdomain.com and www.yourdomain.com are included in the certificate's Subject Alternative Names.
  • SSL active but site still shows "Not Secure": Mixed content — some resources (usually images or old plugin assets) are still loaded over HTTP. Search your page source for "http://" and update those URLs.
  • WordPress admin not redirecting to HTTPS: Check wp-config.php for correct HTTPS settings and ensure your WordPress Site URL includes https://.
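
The first two issues in this list can be caught before visitors see them. This added example (not from the original article or from WebsNP) takes the certificate dict that Python's ssl.getpeercert() returns and reports hostnames missing from the Subject Alternative Names and an approaching or past expiry. The sample certificate, the sample date and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5):
    """Live fetch; the handshake raises SSLCertVerificationError on an expired or mismatched cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_covers(cert, hostname):
    """True if a DNS SAN entry matches; a '*.' wildcard stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower()
        wildcard = pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]
        if kind == "DNS" and (pattern == host or wildcard):
            return True
    return False


def days_left(cert, now=None):
    """Whole days until notAfter (negative once the certificate has expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def audit(cert, hostnames, now=None, warn_days=30):
    """Return a list of problems; an empty list means nothing was found."""
    problems = [f"{h}: not covered by Subject Alternative Names"
                for h in hostnames if not san_covers(cert, h)]
    remaining = days_left(cert, now)
    if remaining < 0:
        problems.append(f"certificate expired {-remaining} day(s) ago")
    elif remaining < warn_days:
        problems.append(f"certificate expires in {remaining} day(s); renewal may be failing")
    return problems


# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {"subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.shop.yourdomain.com")),
               "notAfter": "Mar 10 00:00:00 2026 GMT"}
SAMPLE_NOW = datetime(2026, 2, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CERT, ["yourdomain.com", "www.yourdomain.com"], SAMPLE_NOW)))
```

Against a live site, pass `fetch_cert("yourdomain.com")` as the certificate and list every hostname the site should answer on.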

All WebsNP hosting plans include free AutoSSL (Let's Encrypt) with automatic renewal. If you're having SSL issues or want to install a commercial certificate, our team can help within the hour.