Hugues Audouard Freelance web designer and wordpress consultant

Why you need to secure your WordPress website with HTTPS

For years, Google has been actively seeking ways to encourage website owners to implement SSL certificates. SSL allows websites to be accessed over HTTPS, which encrypts information sent between the visitor and web server.

This move towards promoting better web security is gathering pace in 2017 with a concerted push by major web browsers such as Mozilla Firefox and Google Chrome to highlight “non-secure”(*) websites to users.

The WordPress team has also recently stated their intention to make only certain future features available to secure sites:

“We’re at a turning point: 2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available.” Source: WordPress.org blog

(*) A “non-secure” site in this context is one where the address begins with “http://”. A “secure” website is one where the address begins with “https://”.

What is the difference between a secure (https://) and non-secure (http://) website connection?

When a website address starts with “http://”, the information travelling between the user’s web browser and the web server is transmitted “in the clear”, without encryption, and can be read if intercepted.

If the address starts with “https://”, and the site is properly configured to show a padlock, the connection between a user’s browser and the web server is encrypted and therefore protected from eavesdropping. This is why sites like Amazon, eBay and reputable online stores offer a secure “https://” connection to users.

What Google has been doing to promote web security since January 2017

“To help users browse the web safely, Chrome indicates connection security with an icon in the address bar. Historically, Chrome has not explicitly labelled HTTP connections as non-secure. Starting January 2017, Chrome 56 will label HTTP pages with password or credit card form fields as “not secure,” given their particularly sensitive nature.”

What Google plans to do going forward

“In following releases, we will continue to extend HTTP warnings, for example, by labelling HTTP pages as “not secure” in Incognito mode, where users may have higher expectations of privacy. Eventually, we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.” Source: Official Google Security Blog

Benefits of using a secure HTTPS connection

There are a number of important benefits to implementing an https:// connection for your WordPress website.
An https:// connection:

  • Reassures visitors – particularly when giving out details on a contact form or subscription form
  • Reduces risk of your WordPress login details being compromised
  • Improves Google search engine ranking – Google has stated that it favours secure sites over non-secure sites

What do I need to implement secure HTTPS on my WordPress website?

Implementing HTTPS requires something called an SSL certificate. This is an encryption tool which makes sure all the data sent between a website and a browser is secure and can’t be read by anyone if intercepted.

How much does an SSL certificate cost?

Prices for an SSL certificate are charged on a recurring annual basis and can vary significantly, depending on the type of certificate required and the provider.

However, thanks to the Linux Foundation “Let’s Encrypt” project started in 2016, a basic SSL certificate is now available free of charge and is being made available by most reputable website hosting providers, including my preferred hosting partner, Siteground.com.

How do I install an SSL certificate?

New WordPress installations (new websites) can now be configured to run over HTTPS with minimum fuss from the beginning. Since the availability of free SSL certificates, this is now my standard approach for any new website development and hosting setup for clients.

Existing installations (existing websites) require a little more work to implement coding changes on the server and to reconfigure your WordPress site to run over HTTPS.
Typically this involves:

  • Activate Let’s Encrypt SSL certificate at website host
  • Change WordPress website URLs from http:// to https://
  • Add redirection code to the server’s .htaccess file
  • Update WordPress permalinks
  • Analyse site for “mixed content” – not all website resources are easily updated, notably images
  • Replace remaining non-https links in the database
  • Update Google Analytics configuration
  • Check all pages are free from errors and display the “green padlock”
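
The “mixed content” step from the list above, as an added example (not code from the original article): a Python sketch that scans a page’s HTML for resources still loaded over http://, marking scripts, stylesheets and frames as active content and images and media as passive. The sample page and its example.com addresses are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that a browser fetches automatically while rendering.
# <a href> is deliberately absent: a plain link to an http:// page is
# navigation, not mixed content. <link> is handled separately below.
SUBRESOURCES = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "video": ("src", "poster"), "audio": ("src",),
    "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "object": ("data",),
}
# Active content can change the whole page, so browsers block it outright.
ACTIVE = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheet links are checked here; rel="canonical" is just a hint.
            rel = (attrs.get("rel") or "").lower().split()
            names = ("href",) if "stylesheet" in rel else ()
        else:
            names = SUBRESOURCES.get(tag, ())
        for name in names:
            value = attrs.get(name) or ""
            if name == "srcset":  # "url 1x, url 2x": keep the URL of each candidate
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                if url.strip().lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE else "passive"
                    self.findings.append((self.getpos()[0], tag, kind, url.strip()))

def find_mixed_content(html):
    """Return every insecure subresource reference found in an HTML string."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/about/">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.org/">External link</a>
<img src="http://example.com/wp-content/uploads/2017/01/logo.png">
<img src="/wp-content/uploads/a.jpg" srcset="https://example.com/a.jpg 1x, http://example.com/a@2x.jpg 2x">
<script src="http://example.com/wp-content/plugins/demo/widget.js"></script>
</body></html>"""
```

Running `find_mixed_content` over the saved HTML of each page gives the line, tag and address of every reference that still needs changing to https:// before the padlock will show.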

I can provide this service to my clients for a small one-off fee to cover the time taken to make coding changes, so do contact me if you’d like to implement a secure HTTPS connection for your WordPress website.

Hugues

I'm a freelance web designer & developer, as well as a bit of a digital marketing expert. I love all things WordPress and helping people make the most of their website and digital marketing presence. You'll sometimes find me lurking at various WordPress meet-ups, Facebook groups or the WordPress.org support forum...
