You may have noticed a small change on this website this week.
I have an extra letter “s” in the address bar!
It took me a few hours to do this.
Why did I bother?
Read on to find out:
- What is HTTPS?
- What is SSL?
- Why do all websites need SSL now?
- How much does a SSL certificate cost?
- How do you move a site from HTTP to HTTPS?
- What problems might you encounter going from HTTP to HTTPS?
What is HTTPS?
Have you ever noticed a padlock icon when you’ve been browsing a website?
You’ve probably seen them on ecommerce sites.
That’s because they’re using the HTTPS protocol for websites.
HTTP stands for HyperText Transfer Protocol and the S stands for Secure.
This means that your credit card number is protected from nasty people when you buy!
The technology enabling this is called SSL.
What is SSL?
Need an explainer video? You got one! Thanks to SSL.com.
Unfortunately, this video has no captions or transcript, so I’ll summarise.
- SSL stands for Secure Sockets Layer.
- SSL certificates keep the ever-growing number of connections between devices secure.
- SSL encrypts data – including sensitive data like passwords – making its movement safer.
- SSL stops the data being changed.
- SSL authenticates websites.
- Look for the closed padlock in the address bar of a site with SSL.
- Some sites using SSL will have a green address bar with the company name. (This means they’re using an EV certificate – see below. To get such a certificate they have to undergo careful vetting which proves they are the named legitimate company.)
- Safety, peace of mind, trust and better SEO are all benefits of a SSL certificate.
- A safer Internet is a better Internet!
Why do all websites need SSL now?
1. SSL is part of a drive to make the web safer
Wired reported in late January 2017 that over half the Web now uses HTTPS encryption.
As of July 2020, SSL is used by 63.3% of sites.
The technology can help prevent phishing attacks.
2. Google is starting to flag up insecure sites
With the launch of Google Chrome 56, some web pages that don’t use HTTPS will be labelled as insecure.
This applies at the moment to pages asking for password or credit card information.
I know I wouldn’t feel good about submitting sensitive data to an insecure site.
This warning will be rolled out in the future to all non-HTTPS pages.
Currently non-HTTPS sites on Chrome have a ! in the address bar before the domain name. Clicking on it brings up a security warning.
3. Sites with SSL have a small boost in rankings
As far back as 2014, Google called for HTTPS Everywhere and announced HTTPS as a ranking signal. It’s not a big factor, as there are so many ranking factors, but it’s worth bearing in mind.
4. SSL increases trust and peace of mind for your customers
Selling anything on your site? You should already be using HTTPS! 🙂
Anyone that runs a site that lets users log in or submit personal data should be moving their site from HTTP to HTTPS now.
How much does a SSL certificate cost?
SSL used to be quite expensive, which is why it tended to be used mainly for ecommerce sites.
Prices have lowered as more people are using SSL certificates.
There are multiple types of SSL certificate. Some are:
- Domain Validation (DV)
- Organisation Validation (OV)
- Extended Validation (EV)
The cost and authority level rises from domain validated certificates to extended validation certificates.
Namecheap retail SSL certificates starting at $5.88/year.
Many sites will find DV certificates sufficient for their needs. The good news for site owners is that there are now free DV SSL certificates issued by Let’s Encrypt.
In their words,
We do this because we want to create a more secure and privacy-respecting Web.
Let’s Encrypt certificates have a validity period of 90 days, after which they need renewing,
How do you move a site from HTTP to HTTPS?
I found some helpful guides online about migrating a site to HTTPS.
- Complete Guide – How to Migrate from HTTP to HTTPS – you can ignore steps 7 to 10 if not using a CDN.
- [14 Steps] My Step-by-Step Experience of migrating WordPress site to SSL – contains screenshots of what to do e.g. in Google Analytics.
- SSL Certificate Ultimate Guide to Secure Your Blog or Website – great overview of SSL with useful links.
The main steps are:
- Get your SSL certificate and install it on your host.
- Change all links on your domain from HTTP to HTTPS.
- Redirect all the HTTP links to https – a 301 redirect is best.
- Check for and fix mixed content warnings.
- Update settings in Google Analytics, Google Search Console and any other programs that you use to manage your site.
- Update the links in your social media profiles and email signature.
Luckily for me, I’m using SiteGround as my host.
They’ve made enabling SSL easy for WordPress site owners in two ways:
- Let’s Encrypt certificates are already installed, and they auto-renew.
- SiteGround have launched a 1-click install of SSL for users of their SG Optimizer WordPress plugin.
This allowed me to skip steps 1, 2 and 3!
If you’re not using SiteGround, but you have a WordPress website, check out these guides:
- How to Add SSL and HTTPS in WordPress
- How to Move a WordPress Website from HTTP to HTTPS/SSL
- Step by Step Guide on How to Enable/Install SSL (HTTPS) on WordPress Blog – Generate CSR and CRT (has screenshots)
- Ultimate Guide On How To Configure An SSL Certificate In WordPress
What problems might you encounter going from HTTP to HTTPS?
Mixed content warnings
Mixed content warnings occur when your site’s resources don’t all load securely over SSL. Instead, there’s a mixture of HTTP and HTTPS.
It’s often caused by images still loading over a HTTP connection.
Obviously, you want your site as secure as possible, so you’ll want to find and fix these.
Here are two tools you can use to check for mixed content.
To fix mixed content errors on WordPress sites, follow this guide.
How to Fix Mixed Content Error in WordPress After Adding SSL Certificate
Social share data gets reset
Social sharing plugins count the shares to a particular URL.
When you enable SSL on your site, all your URLs will change to the HTTPS version. This means they’ll be seen as new, and your social share counts will be reset.
BuzzSumo is showing no shares for a recent post I know is popular.
If you rely on social share counts as social proof for your blog posts, this could be a problem!
Fortunately, there is a solution for users of the Social Warfare WordPress plugin – the Share Recovery tool. You need an active plugin license which costs from $29/year.
Referral data may not be counted in Google Analytics
Does your site run ads referring users to other sites? If your site uses HTTPS and theirs HTTP, your referral data may not be passed on.
For advice if you’re affected, read this article: HTTPS to HTTP, how to recover the lost Google Analytics Referral Data
Problems using SSL with a CDN
Content Delivery Networks (CDNs) are used by websites to deliver content. The offer improved speed, availability and security.
Some users of Cloudflare have experienced issues using SSL. There’s a guide to fixing Cloudflare SSL problems here.
I had a problem with the iThemes Security plugin when switching my site to HTTPS – so it’s lucky that I tested things out first with a staging site.
The problem was that pages got caught in an infinite redirect loop between HTTP and HTTPS, so the web pages were never served.
When I made the change, I disabled the plugin first to be on the safe side, and ultimately decided to delete it and reinstall it.
Another issue is failing to implement 301 permanent redirects. This can hurt your SEO!
According to Ahrefs research from 2016, nearly a quarter of websites were not implementing permanent redirects after enabling SSL.
I hope I’ve convinced you of the case for SSL and HTTPS.
Now go get that padlock on your site!
Did you find this post helpful? Please share!