Why you need to secure your WordPress website with HTTPS
For years, Google has been actively seeking ways to encourage website owners to implement SSL certificates. SSL allows websites to be accessed over HTTPS, which encrypts information sent between the visitor and web server.
This move towards promoting better web security is gathering pace in 2017 with a concerted push by major web browsers such as Mozilla Firefox and Google Chrome to highlight “non-secure” (*) websites to users.
The WordPress team has also recently stated their intention to make only certain future features available to secure sites:
“We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available.” Source: WordPress.org blog
(*) A “non-secure” site in this context is one where the address begins with “http://”. A “secure” website is one where the address begins with “https://”.
What is the difference between a secure (https://) and non-secure (http://) website connection?
When a website address starts with “http://”, the information traveling between the user’s web browser and the web server is transmitted “in the clear”, without encryption, and can be read if intercepted.
If the address starts with “https://” and the site is properly configured to show a padlock, the connection between the user’s browser and the web server is encrypted and therefore secure against eavesdropping. This is why sites like Amazon, eBay and reputable online stores offer a secure “https://” connection to users.
What Google has been doing to promote web security since January 2017
“To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.”
What Google plans to do going forward
“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” Source: Official Google Security Blog
Benefits of using a secure HTTPS connection
There are a number of important benefits to implementing an https:// connection for your WordPress website.
An https:// connection:
- Reassures visitors – particularly when giving out details on a contact form or subscription form
- Reduces risk of your WordPress login details being compromised
- Improves Google search engine ranking – Google has stated that it favours secure sites over non-secure sites
What do I need to implement secure HTTPS on my WordPress website?
Implementing HTTPS requires an SSL certificate. The certificate lets the browser set up an encrypted connection to the website, so that data sent between the two can’t be read by anyone if intercepted.
How much does an SSL certificate cost?
Prices for an SSL certificate are charged on a recurring annual basis and can vary significantly, depending on the type of certificate required and the provider.
However, thanks to the Linux Foundation “Let’s Encrypt” project started in 2016, a basic SSL certificate is now available free of charge and is offered by most reputable website hosting providers, including my preferred hosting partner, Siteground.com.
How do I install an SSL certificate?
New WordPress installations (new websites) can now be configured to run over HTTPS with minimum fuss from the beginning. Since the availability of free SSL certificates, this is now my standard approach for any new website development and hosting setup for clients.
Existing installations (existing websites) require a little more work to implement coding changes on the server and to reconfigure your WordPress site to run over HTTPS.
Typically this involves:
- Activate the Let’s Encrypt SSL certificate at the website host
- Change WordPress website URLs from http:// to https://
- Add redirection code to the server’s .htaccess file
- Update WordPress permalinks
- Analyse site for “mixed content” – not all website resources are easily updated, notably images
- Replace remaining non-https links in the database
- Update Google Analytics configuration
- Check all pages are free from errors and display the “green padlock”
I can provide this service to my clients for a small one-off fee to cover the time taken to make coding changes, so do contact me if you’d like to implement a secure HTTPS connection for your WordPress website.