SSL/TLS is what puts the padlock in the browser and encrypts everything your visitors send you. A valid certificate on a modern protocol is fundamental to trust and to your Data Protection certification.
See how your domain is doing in your dashboard under Domains, then open the report for step-by-step recommendations.
Almost every host now offers free automatic certificates via Let's Encrypt. Turn on "free SSL" or "AutoSSL" in your hosting panel, or if you use Cloudflare, SSL is included. The key is auto-renewal: expired certificates are one of the most common trust failures, and they throw a scary browser warning that drives visitors away.
Check that your certificate covers both yourdomain.com and www.yourdomain.com.
Having a certificate is not enough if visitors can still reach the insecure http:// version. Force HTTPS everywhere. In Apache .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
On Cloudflare, turn on "Always Use HTTPS" under SSL/TLS, Edge Certificates. Most CMS platforms also have a setting or plugin for this.
Old protocols (TLS 1.0 and 1.1) are deprecated and insecure. Make sure your server offers TLS 1.2 and 1.3 only. Most managed hosts and Cloudflare already do this. If you manage your own server, set the minimum TLS version to 1.2 in your web server config, and enable TLS 1.3 if available.
If your HTTPS pages still load some images, scripts or styles over http://, browsers flag the page as "not fully secure". Update those references to https:// (or protocol-relative //). On WordPress a plugin can rewrite mixed content automatically; Cloudflare offers "Automatic HTTPS Rewrites".
Once HTTPS is solid, add the Strict-Transport-Security header so browsers refuse to connect insecurely at all. See the security headers guide for how, and only enable it when you are confident the whole site works on HTTPS.
Stuck or not sure how to apply this to your setup? Email [email protected] and a human will help you through it.