Thanks to Edward Snowden and increasing awareness of the impact of cybercrime, Internet security is getting more attention than ever before.
Major technology companies – like Google, Apple, Microsoft and just about anyone who makes a browser – have taken it upon themselves to make the internet safer. Their publicly stated aim is to make all websites accessible over HTTPS (instead of HTTP) via SSL.
These companies have a lot of sway – they make the browsers and the search engines without which most sites are useless. Eventually insecure sites won’t rank in search engines and won’t display without scary warnings, if they display at all.
As a result it is important that visitors can visit your site securely. Plus there are benefits in doing so. To make it happen you’ll need to get an SSL certificate for your domain and set up your site to work correctly with people viewing it with HTTPS.
Read on for a basic explanation about what’s what and why it matters.
You will learn...
- What is SSL and HTTPS
- What are the benefits of HTTPS and SSL
- What are the benefits of SSL for me?
- How to move to HTTPS
- Tips for moving to HTTPS
1. What’s this SSL thing anyway?
Simply put, the s in HTTPS stands for secure – as in HTTP Secure. SSL stands for Secure Sockets Layer, which is a protocol that helps secure and encrypt internet communications at a low level.
Internet communication is a point to point thing: your device is sending and receiving data to/from somewhere else. However, that communication isn’t direct: it can (and almost always does) go through several intermediate servers that pass things along.
SSL ensures that the data going between your device and the server (or other device) you’re connecting to is secured from being read or modified by anything or anyone in the middle. HTTPS – and other things – can then use the secured connection to send its traffic along.
An SSL certificate is needed to make this happen. When a “client” (your phone, for example) says it wants to connect securely with a server, that server needs to send the certificate to help establish a connection. The certificate contains some key information to help the connection happen as well as let recipients know that the site and its contents are genuine.
2. So what are the benefits of HTTPS and SSL?
Two things: security and trustworthiness.
First, security: information between your site and the people looking at it is safe from what’s known as the Man In the Middle (MITM) attack. The MITM attack covers all the cases where someone or something between your readers and your site is either reading the traffic or even changing it.
So things like passwords, comments, whatever are safe from people up to no good.
Next, trustworthiness: it’s (really) hard but it’s possible for some nasty cyber-crim/government agency to get a browser to load a different site when someone wants to visit yours. With an SSL certificate the browser can check that the certificate does belong to the domain name someone is visiting so that sort of imitation isn’t possible.
3. No, I mean: What are the benefits to me? Why should I bother?
Good question: what’s in it for you? In short: search engine rankings, respect from browsers and improved site speed.
First, let’s look at the SEO aspect. Google – being one of the big tech companies that thinks SSL is awesome and should be used by everyone – are doing what they can to encourage SSL everywhere.
So they’ve offered a carrot: the ability to connect to a site securely is a factor in the formula that determines search results.
It won’t make a page rank dramatically higher (yet) but SSL will see a domain ranked higher than one that doesn’t use it if everything else is equal.
Google has gone on record and said that sites available over HTTPS will score better than those that don’t. They’ve been doing it since 2014. Right now the boost is slight but increasing – they’ve increased it since they’ve started doing it. And it’ll only get bigger.
When they want to, Google will one day turn that carrot into a stick. Instead of a boost, insecure domains will get penalised. The same way domains with other “untrustworthy” aspects get hit now.
All the major browser makers are on the “hooray for SSL/HTTPS” bandwagon. And browsers have started to reflect it; they’re choosing the stick approach.
When you visit a site using HTTPS the browser reflects that happy fact by making some aspect of the address bar green. A green lock or making part of the address green. Over time the plan is to make this indication more subtle (except for certain types of SSL certificates) so that secure is seen as normal.
Warnings or messages about a site not using HTTPS (or not being totally secure – that is not having all the content on a page use HTTPS) are slowly being made more prominent.
These indications that the page isn’t (totally) secure will get bigger. Like showing red in the address bar. Or warning pop-ups. There’s some speculation you’ll have to confirm you want to visit an unsecured page the same way browsers currently warn you that the page is somehow unsafe and doesn’t let you proceed unless you hit some sort of “I understand” button (or not let you proceed at all).
All of this will shape visitors’ impressions about your site – for the worse. And that’s the browser makers’ aim.
It’s a bit like warnings on cigarette packets. Right now browsers are in the small “Smoking is bad for your health” warning stage, like in the 80s. But the day looms when the warnings are more like pictures of cancerous eyeballs and “Smoking Kills!” in large type covering 70% of the packet.
Having your site accessible through HTTPS can have a big payoff in terms of your site’s performance. HTTPS allows your site to be loaded via HTTP/2, the new version of HTTP. Without getting into the technical details, HTTP/2 allows browsers to load pages a lot faster. This requires that both the browser and the hosting server are able to “talk” HTTP/2, but all modern browsers do and most hosts have HTTP/2 capable servers, and almost all the rest are upgrading them to be so.
The speed benefits will further help your site when it comes to ranking in Google.
4. So what do I do to fix it?
Transitioning your page to HTTPS has three broad steps:
- Getting and installing a certificate. If you’re using a hosting company they need to help you. You can’t do it on your own. Most companies will sell you a certificate and install it for you. If you buy a certificate from elsewhere (which you can do) then you’ll need to ask your hosting company to install it. Some hosts will offer free certificates and install them, too.
An alternative is to use Cloudflare. Because of the way they operate, Cloudflare sits between your server and visitors. Cloudflare is able to issue certificates for any site that uses its service – for free. The downside is that Cloudflare owns the certificate you use there and you can’t take it elsewhere if you decide to stop using Cloudflare at some point. This is unlikely to cause issues but it has the potential to. Some sites are also not set up in a way so they can use Cloudflare. This includes some WordPress themes.
- Getting your site set up for HTTPS. This can cover a lot of little pieces. Like making sure visitors are redirected from HTTP to HTTPS automatically. Or making sure everything on your site points to https://yourdomain. And finally making sure everything a browser loads to display your page also comes from a secured domain. Again, Cloudflare – if you’re using them – can help. They can redirect requests and rewrite the HTML from your site. It’s not foolproof, though. You may still need to edit bits of the site.
These are all things you can do yourself. Hosts usually don’t do any of this for you. Some of it can be quite tricky – like editing templates or fixing plugins. Sharon has had plugins and themes need editing to ensure all pages are secure.
So take care. Mistakes or oversights may stop your page being viewed as secure or stop your site working correctly at all.
- Make sure everyone knows and uses the new URL with https. Even though visitors might get redirected it’s important to make sure the new URL is used and known as widely as possible. Google likes to know (so it changes all the URLs it has indexed). And there are links in social media or other sites that may need to be fixed up – to help maximise the SEO goodness.
This step isn’t essential – after steps 1 and 2 your site is secure – but it helps you realize the benefits of the move to SSL sooner.
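The "everything a browser loads also comes from a secured domain" part of step 2 can be checked mechanically. The following is an added example, not code from this article or from any plugin it mentions: it scans a page's HTML for resources still requested over http://. The function name `find_mixed_content` and the sample page are made up for illustration.

```python
from html.parser import HTMLParser

# Tag/attribute pairs a browser fetches on its own while rendering a page.
# <a href> is deliberately absent: a link to an http:// page is only followed
# on click, so it does not make the current page "not secure".
SUBRESOURCES = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"), ("object", "data"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue
            # <link href> only counts when it pulls in a stylesheet.
            stylesheet = tag == "link" and name == "href" and "stylesheet" in rel
            if (tag, name) in SUBRESOURCES or stylesheet:
                self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    """Return every insecure subresource reference found in an HTML string."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the example.com hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://blog.example.com/post">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<a href="http://old.example.com/">an ordinary link</a>
<img src="http://images.example.com/photo.jpg">
<iframe src="//widgets.example.com/feed"></iframe>
<IMG SRC="HTTP://images.example.com/banner.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> still loads over HTTP: {url}")
```

It only looks at HTML attributes, so http:// URLs inside CSS files, `srcset` values or JavaScript still need a manual look.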
5. Tips for moving to HTTPS
My biggest tip for moving to HTTPS is to have a plan and think through what you are going to do before you do it. Some blogs are easy to move and there are no problems. Others have many more things that need fixing up.
Go into any blogging group and you will be able to find people who had their sites go down for days while they try to sort it out. This happened to one of Sharon’s niche sites and, 5 months later, it has still not recovered its Google rankings.
Some things you will want to consider:
- Do a full backup before you do anything.
- After getting the SSL certificate, set up the redirects and make sure they are working before you move on to anything else. You will also need to change your “WordPress Address” and “Site Address” to have the “s” in the Settings page in WordPress admin. There is more about this process in the SSL certificate part of this article.
- Update all hard-coded links from HTTP to HTTPS. This article has a script. Many themes have problems when moving over to HTTPS and this will help prevent it from breaking.
- Check all pages are secure. You can tell easily by looking at the address bar in your browser. If it is not secure, you will have to work out what is not loading securely. Common things I have found to be a problem are anything on your site where an image is coming from elsewhere or plugins that access feeds or social media. If you have a large blog, checking all pages may not be practical. Check any page that is a bit different (home page, about, etc.) and your most popular blog posts. You can use this site to check if your posts are secure.
- Sometimes a plugin or theme can cause issues. This will probably involve a code fix. You will have to decide whether to try to do it yourself, hire a developer or use a different plugin/theme.
- Enabling HSTS and OCSP stapling can help with performance.
- Check for broken links. There are plugins to do this or you can use a site like this.
- Update your Google Analytics and Search Console accounts to show your new URL. To Google, the https://… version of your site is different to the http://… and everything will go more smoothly if you give them the correct version. You need to update this in Google Analytics settings. In Search Console, you will need to add two new properties, one for the https://www…. version of the URL and one without the www. Once you have done this, submit the site to Google to be indexed again under the preferred https version of the domain name (whether that’s with www or without). It’s in Search Console under Crawl > Fetch as Google. Submit your home page and tell it to crawl that and all of its links. This will help get your site ranking again faster.
- Also update Google Adwords if you have ads running.
- Ideally, you would change all external links pointing to your website to the HTTPS version – by this I mean asking the website owner of every link to change the URL to your site to add the s. This is because Google sees these URLs as different. It’s estimated about 90-95% of the benefits of the links will still pass through but obviously 100% will be better. This is a huge task for most blog owners. I recommend asking people to change any that are easy to do (like from your blogging friends) and ones that are to important pages on your website. You should also change any that are easy to do, like the ones in your social media accounts.
- It is normal to lose search traffic temporarily after making this change. That’s obviously going to be stressful but try to relax about it. Most bloggers who have changed over recently are reporting a temporary loss for a few weeks and then an increase in search traffic. There is obviously no way to guarantee what will happen for you. But the earlier you move to HTTPS the better as there will be less that it can impact.
- Social media shares are affected as they see the link as the old HTTP version. This means you will lose your social media counts. There are ways to fix this. This plugin is reported to fix this. We have not used this plugin so this is not a personal recommendation.
- This article is helpful for step by step instructions for moving to HTTPS.
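For the tips on making sure the redirects work and on HSTS, here is an added example (not from this article or the pages it links to) that audits a recorded redirect chain: every hop should be a permanent redirect, nothing should bounce from https back to http, and the final page should send a Strict-Transport-Security header, which tells browsers to go straight to HTTPS on later visits. The function names, the lower-cased header keys and the blog.example.com captures are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) for an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        part = part.strip().lower()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', part)
        if m:
            max_age = int(m.group(1))
        elif part == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_chain(hops):
    """hops: (url, status, headers) tuples in the order followed; header names lower-case."""
    problems = []
    if urlsplit(hops[0][0]).scheme != "http":
        problems.append("start the check from the http:// address")
    for url, status, headers in hops[:-1]:
        target = headers.get("location", "")
        if status not in (301, 308):
            problems.append(f"{url}: status {status} is not a permanent redirect")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            problems.append(f"{url}: redirects from https back to http")
    url, status, headers = hops[-1]
    if urlsplit(url).scheme != "https" or status != 200:
        problems.append(f"{url}: chain does not end on a working https page")
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if not max_age:
        problems.append(f"{url}: no HSTS header with a non-zero max-age")
    return problems

# Constructed header captures; blog.example.com is a placeholder domain.
GOOD = [
    ("http://blog.example.com/", 301, {"location": "https://blog.example.com/"}),
    ("https://blog.example.com/", 200,
     {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
BAD = [
    ("http://blog.example.com/", 302, {"location": "https://blog.example.com/"}),
    ("https://blog.example.com/", 301, {"location": "http://www.blog.example.com/"}),
    ("http://www.blog.example.com/", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("bad", BAD)):
        print(name, audit_chain(chain) or "ok")
```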
Thank you to Sebastien and Stefan from Nomadic Boys for helping compile these tips.
I hope this has helped de-mystify the world of HTTPS and SSL. They are here to stay and the sooner you can move your blog across, the better.
Feel free to ask any questions below and let us know how you go moving to HTTPS.