You may have noticed a small change on this website this week.
I have an extra letter “s” in the address bar!
It took me a few hours to do this.
Why did I bother?
Read on to find out:
- What is HTTPS?
- What is SSL?
- Why do all websites need SSL now?
- How much does an SSL certificate cost?
- How do you move a site from HTTP to HTTPS?
- What problems might you encounter going from HTTP to HTTPS?
What is HTTPS?
Have you ever noticed a padlock icon when you’ve been browsing a website?
You’ve probably seen them on ecommerce sites.
That’s because they’re using the HTTPS protocol for websites.
HTTP stands for HyperText Transfer Protocol and the S stands for Secure.
This means that your credit card number is protected from nasty people when you buy!
The technology enabling this is called SSL.
What is SSL?
Need an explainer video? You got one! Thanks to SSL.com.
Unfortunately, this video has no captions or transcript, so I’ll summarise.
- SSL stands for Secure Sockets Layer.
- SSL certificates keep the ever-growing number of connections between devices secure.
- SSL encrypts data – including sensitive data like passwords – making its movement safer.
- SSL stops the data being changed.
- SSL authenticates websites.
- Look for the closed padlock in the address bar of a site with SSL.
- Some sites using SSL will have a green address bar with the company name. (This means they’re using an EV certificate – see below. To get such a certificate they have to undergo careful vetting which proves they are the named legitimate company.)
- Safety, peace of mind, trust and better SEO are all benefits of an SSL certificate.
- A safer Internet is a better Internet!
Why do all websites need SSL now?
1. SSL is part of a drive to make the web safer
Wired reported in late January 2017 that over half the Web now uses HTTPS encryption.
As of July 2020, SSL is used by 63.3% of sites.
The technology can help prevent phishing attacks.
2. Google is starting to flag up insecure sites
With the launch of Google Chrome 56, some web pages that don’t use HTTPS will be labelled as insecure.
This applies at the moment to pages asking for password or credit card information.
I know I wouldn’t feel good about submitting sensitive data to an insecure site.
But beware!
This warning will be rolled out in the future to all non-HTTPS pages.
Currently non-HTTPS sites on Chrome have a ! in the address bar before the domain name. Clicking on it brings up a security warning.
3. Sites with SSL have a small boost in rankings
As far back as 2014, Google called for HTTPS Everywhere and announced HTTPS as a ranking signal. It’s not a big factor, as there are so many ranking factors, but it’s worth bearing in mind.
4. SSL increases trust and peace of mind for your customers
Selling anything on your site? You should already be using HTTPS! 🙂
Anyone that runs a site that lets users log in or submit personal data should be moving their site from HTTP to HTTPS now.
How much does an SSL certificate cost?
SSL used to be quite expensive, which is why it tended to be used mainly for ecommerce sites.
Prices have lowered as more people are using SSL certificates.
There are multiple types of SSL certificate. Some are:
- Domain Validation (DV)
- Organisation Validation (OV)
- Extended Validation (EV)
The cost and authority level rise from domain validated certificates to extended validation certificates.
Namecheap retails SSL certificates starting at $5.88/year.
Many sites will find DV certificates sufficient for their needs. The good news for site owners is that there are now free DV SSL certificates issued by Let’s Encrypt.
In their words,
“We do this because we want to create a more secure and privacy-respecting Web.”
Let’s Encrypt certificates have a validity period of 90 days, after which they need renewing.
How do you move a site from HTTP to HTTPS?
I found some helpful guides online about migrating a site to HTTPS.
- Complete Guide – How to Migrate from HTTP to HTTPS – you can ignore steps 7 to 10 if not using a CDN.
- [14 Steps] My Step-by-Step Experience of migrating WordPress site to SSL – contains screenshots of what to do e.g. in Google Analytics.
- SSL Certificate Ultimate Guide to Secure Your Blog or Website – great overview of SSL with useful links.
The main steps are:
1. Get your SSL certificate and install it on your host.
2. Change all links on your domain from HTTP to HTTPS.
3. Redirect all the HTTP links to HTTPS – a 301 redirect is best.
4. Check for and fix mixed content warnings.
5. Update settings in Google Analytics, Google Search Console and any other programs that you use to manage your site.
6. Update the links in your social media profiles and email signature.
Luckily for me, I’m using SiteGround as my host.
They’ve made enabling SSL easy for WordPress site owners in two ways:
- Let’s Encrypt certificates are already installed, and they auto-renew.
- SiteGround have launched a 1-click install of SSL for users of their SG Optimizer WordPress plugin.
This allowed me to skip steps 1, 2 and 3!
If you’re not using SiteGround, but you have a WordPress website, check out these guides:
- How to Add SSL and HTTPS in WordPress
- How to Move a WordPress Website from HTTP to HTTPS/SSL
- Step by Step Guide on How to Enable/Install SSL (HTTPS) on WordPress Blog – Generate CSR and CRT (has screenshots)
- Ultimate Guide On How To Configure An SSL Certificate In WordPress
- How to Switch Your WordPress Site from HTTP to HTTPS (with a little help from WP Migrate DB Pro)
What problems might you encounter going from HTTP to HTTPS?
Mixed content warnings
Mixed content warnings occur when your site’s resources don’t all load securely over SSL. Instead, there’s a mixture of HTTP and HTTPS.
It’s often caused by images still loading over an HTTP connection.
Obviously, you want your site as secure as possible, so you’ll want to find and fix these.
Here are two tools you can use to check for mixed content.
Why No Padlock?
JitBit SSL Check
To fix mixed content errors on WordPress sites, follow this guide.
How to Fix Mixed Content Error in WordPress After Adding SSL Certificate
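Added example (not from the original post or from the tools linked above): a small Python scanner that lists the resources a page still loads over plain http://, with the line each one sits on. It matches the http:// scheme exactly, so https:// URLs are not reported, and it skips ordinary <a href> links, which do not cause the warning. The sample page and its example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource. A plain
# <a href> is navigation, not a subresource, so it is deliberately absent.
# Not covered: url(...) inside CSS and URLs built by JavaScript.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}
# <link> fetches a resource only for some rel values (rel="canonical" does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            wanted = ("href",) if rels & LOADING_RELS else ()
        line = self.getpos()[0]  # line on which this tag starts
        for attr in wanted:
            value = attrs.get(attr, "")
            # srcset is a comma-separated list of "url descriptor" candidates.
            # (Simplified: a URL that itself contains a comma is not handled.)
            parts = value.split(",") if attr == "srcset" else [value]
            for part in parts:
                url = part.strip()
                if attr == "srcset":
                    url = url.partition(" ")[0]
                # Matching the scheme exactly skips https:// and //host/ URLs.
                if url.lower().startswith("http://"):
                    self.findings.append((line, tag, attr, url))


def find_mixed_content(html):
    """Return the insecure subresource references found in an HTML string."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; every URL here is made up for illustration.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/style.css">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.com/old-page/">old link</a>
<img src="http://example.com/photo.jpg" srcset="https://example.com/a.jpg 1x, http://example.com/b.jpg 2x">
<img src="//cdn.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

To check a saved page, read the file into a string and pass it to find_mixed_content().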
Social share data gets reset
Social sharing plugins count the shares to a particular URL.
When you enable SSL on your site, all your URLs will change to the HTTPS version. This means they’ll be seen as new, and your social share counts will be reset.
BuzzSumo is showing no shares for a recent post I know is popular.
If you rely on social share counts as social proof for your blog posts, this could be a problem!
Fortunately, there is a solution for users of the Social Warfare WordPress plugin – the Share Recovery tool. You need an active plugin license which costs from $29/year.
Referral data may not be counted in Google Analytics
Does your site run ads referring users to other sites? If your site uses HTTPS and theirs HTTP, your referral data may not be passed on.
For advice if you’re affected, read this article: HTTPS to HTTP, how to recover the lost Google Analytics Referral Data
Problems using SSL with a CDN
Content Delivery Networks (CDNs) are used by websites to deliver content. They offer improved speed, availability and security.
Some users of Cloudflare have experienced issues using SSL. There’s a guide to fixing Cloudflare SSL problems here.
Redirect problems
I had a problem with the iThemes Security plugin when switching my site to HTTPS – so it’s lucky that I tested things out first with a staging site.
The problem was that pages got caught in an infinite redirect loop between HTTP and HTTPS, so the web pages were never served.
When I made the change, I disabled the plugin first to be on the safe side, and ultimately decided to delete it and reinstall it.
Another issue is failing to implement 301 permanent redirects. This can hurt your SEO!
According to Ahrefs research from 2016, nearly a quarter of websites were not implementing permanent redirects after enabling SSL.
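Added example (not from the original post or from any plugin mentioned in it): a Python check for the two redirect problems described above, the loop between HTTP and HTTPS and a redirect that is not permanent. The function names, the simulated sites and example.com are assumptions made for illustration, and counting 308 as permanent alongside 301 is an addition to what the post says.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}  # assumption: 308 counts as permanent, like 301


def check_redirects(start_url, fetch, max_hops=10):
    """Follow redirects by hand; fetch(url) must return (status, location).

    Returns (verdict, chain), where chain lists each (url, status) visited.
    """
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:  # back at a URL already visited: never resolves
            return "redirect loop", chain
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            break  # reached a final response
        url = urljoin(url, location)  # Location may be a relative URL
    else:
        return "too many redirects", chain
    if urlsplit(url).scheme != "https":
        return "ends on HTTP", chain
    if any(s in REDIRECTS and s not in PERMANENT for _, s in chain):
        return "temporary redirect", chain
    return "ok", chain


def fetch_live(url, timeout=10):
    """One HEAD request to a real site; http.client never follows redirects."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


# Constructed responses standing in for four differently configured sites.
HTTP, HTTPS = "http://example.com/", "https://example.com/"
GOOD = {HTTP: (301, HTTPS), HTTPS: (200, None)}
LOOP = {HTTP: (301, HTTPS), HTTPS: (301, HTTP)}  # the loop described above
TEMPORARY = {HTTP: (302, HTTPS), HTTPS: (200, None)}
NO_REDIRECT = {HTTP: (200, None)}

if __name__ == "__main__":
    sites = {"good": GOOD, "loop": LOOP, "temporary": TEMPORARY,
             "no redirect": NO_REDIRECT}
    for name, site in sites.items():
        verdict, chain = check_redirects(HTTP, site.__getitem__)
        print(f"{name}: {verdict} {chain}")
```

Against a staging site, call check_redirects() with the site's http:// address and fetch_live as the second argument.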
Summing up
I hope I’ve convinced you of the case for SSL and HTTPS.
It fosters:
- Trust
- Safety
- Authority
- SEO
Now go get that padlock on your site!
Sarah Arrow says
I swapped in 2014 when I moved to Siteground. For one reason or another it was never activated properly and I finally threw all of my toys out of the pram last week and got it working.
As always, even though it’s been talked about since 2014, it’s one of those jobs that everyone leaves to the last minute. A bit like EU VAT, 8 years to get a solution yet nothing is done until 6 weeks before implementation!
Have you seen an uptake in your rankings since making the switch?
Claire Brotherton says
Gosh – I’m surprised SiteGround didn’t implement SSL properly on your site, Sarah. They’re usually very good.
I know what you mean about last minute – it’s been on my radar for ages until I thought “this has to get done”.
It’s too early to tell about rankings, I think.
Johanna Ouwerling says
Hi Claire, I have thought about this a few times, but I have no clue where to start.
I have a static website and in a folder on there I have a WP blog and in another folder I have a phpBB forum. And that 3 times, because I have 3 websites with WP Blogs and phpBB forums.
I think the SSL for the WP blog is the easiest, but I assume that isn’t working if the static website isn’t secure?
Do you know of a way to search for the http links on a static website? Because when I do that in the search of the Dreamweaver software I obviously also get the https links.
And will my static site be secure if I don’t have the WP Blog and the phpBB forum secure?
Claire Brotherton says
Wow Johanna, that sounds complicated!
I would definitely start by asking your host for advice.
From what I understand, an SSL certificate will cover subdirectories on a domain i.e. example.com/blog/ and example.com/forum too. See this discussion: SSL certificate wildcard / single name – will it work for subdirectories?
This article might help with search and replace in Dreamweaver. I think you need to search for your exact domain, either starting http or https.
Johanna Ouwerling says
Hi Claire,
Yes it is complicated, but having said that I love a challenge.
Thank you so much for all the links and info! I understand everything a lot better now.
I think for me probably the biggest challenge will be the phpBB forum.
I just found out that my hosting provider provides a free Let’s Encrypt certificate. I know it isn’t perfect, but it is a start.
And for my WP blog I can use the Real simple ssl plugin and I can use the shared ssl from Maxcdn with that.
So I think next week I will start with 1 of my websites to see if I can get it to work.
Thanks again and have a great weekend!
Chris Nesbit says
Great info Claire! I didn’t realize switching to HTTPS could have such an impact on your blog’s existing traffic, SEO and such. You’ve answered a lot of questions here that my SSL Guide overlooks, so I will direct my readers here to get these answers.
Awesome article!
Chris
Claire Brotherton says
Thanks, Chris. There were more things to tweak than I thought.
I don’t think I understand it all, but it’s a start!
Nicole Antar says
I recently moved my ecommerce site to Shopify and all this SSL stuff came up – I sort of understood what it was about but your post explains it very clearly so thank you. I wasn’t exactly sure how it worked but knew that it was required so am happy I have a padlock and that extra ‘s’! Thank you. 🙂
Claire Brotherton says
Thanks for commenting, Nicole.
Did Shopify handle all the technical aspects for you?
Susie Ellis says
I realise this has to be done otherwise Mr Google will make things very difficult for us all but I hadn’t realised how much the financial cost would be!
Thank you Claire this is a very helpful guide.
Do you think all sites need to change or just those that take payments?
Ilse@thelifeinlimbo says
This is perfect timing as I am looking at doing this right now! Hope my host can help as it seems a bit daunting!
Claire Brotherton says
Hi Ilse, it is a bit of work, but you can relax when it’s all done. 🙂
Hope you have a friendly host.
Piccia Neri says
Excellent advice, Claire, thank you so much. This is a really thorough article. You are one of the very few articles on the subject mentioning the social share problem as well as providing the Social Warfare solution. Sharing this!
Claire Brotherton says
Thank you Piccia. Losing the shares didn’t bother me so much, but I knew it would bug others, so I was pleased to find an answer. 🙂
Piccia Neri says
By the way, for those too attached to their social share plugin to change to Social Warfare, there is another solution: https://mediavidi.com/downloads/https-social-migration-pro/
Johanna Ouwerling says
I wished there was a solution that doesn’t cost so much money. We already have the costs for the hosting provider and for a cdn and if you have a couple of websites that is already a lot of money.
Claire Brotherton says
Ah, thanks for that. I wish I could find a review of HTTPS Social Migration Pro. It costs $97 for a single site.
Let me know if you try it out.
Johanna Ouwerling says
For those using the Really Simple SSL plugin, if you want to recover your FB likes, read the article here: https://really-simple-ssl.com/knowledge-base/how-to-recover-facebook-likes-after-moving-to-httpsssl/#comment-5671
I added the given code to the functions.php of my child theme and I got my FB likes back! So happy with this solution.
He also has a plugin for this, if you don’t want to add the code yourself.
So for me it is one website done and 2 to go, but I am much more confident now, that I can get it to work.
Claire Brotherton says
That’s brilliant, Johanna! Thanks for the link.
Johanna Ouwerling says
Hi Claire,
I have an update about the retrieving of the FB like counts.
The solution I use on my 3 sites with the code in the functions.php works differently for each site.
For the first site it worked right away.
For my second site at first it didn’t work. I started looking for another solution. I had contact with the author of the Social Warfare plugin, because they advertised with the retrieving of the FB like counts after migrating from http to https: https://warfareplugins.com/
But it turned out that they no longer support that, since FB changed its API.
Then I had contact with Rogier Lankhorst about the Really Simple SSL Social plugin: https://really-simple-ssl.com/downloads/really-simple-ssl-social/
Because I already use the Really Simple SSL plugin, Rogier said this might help, if the solution of the code in the functions.php didn’t work.
Something to do with the og: url option.
I tried it out, but it didn’t solve my problem.
Then I contacted the author of the HTTPS Social Migration plugin from Mediavidi: https://mediavidi.com/how-to-switch-to-htttps-and-keep-your-social-share-counts/
I asked him if his plugin could retrieve my FB like counts. He said until now for 99% of the persons that bought his plugin it worked.
I also said, that his plugin is really expensive and I can’t afford it.
He asked what I would think the right price should be? I said 50 dollars and for 2 websites 75 dollars. And then a one time fee, not that you have to pay every year again.
He then changed the prices, which is really great of him of course! https://mediavidi.com/downloads/https-social-migration-pro/
But in the meantime for the second site that I had migrated the FB like counts returned. After 3 weeks or so. No idea how this is possible?!
So now the only remaining site, that hasn’t all his FB like counts is my 3rd site. I think I wait a bit longer and if then still the posts haven’t retrieved the FB like counts I think I will try the HTTPS Social Migration plugin from Mediavidi.
I hope this can help somebody.
All the best,
Johanna
Claire Brotherton says
Hi Johanna
That’s helpful to know. Nice of the MediaVidi plugin author to alter his pricing!
Let me know if you try it and if it works for you. 🙂
Johanna Ouwerling says
I will. 😀
Steve Teare says
Claire-
What was the impact on site speed? Your home page is presently loading in about 5 seconds in Europe and USA. About half of your page weight is BuzzSumo related. Is it worth it?
I’ve heard/read adding SSL slows sites down. But I haven’t done any experimentation yet. Got any ideas on that? And if so, how much?
Your fan-
Steve
Claire Brotherton says
Good question – I don’t have before/after stats for speed.
But I agree that Sumo (not BuzzSumo) is likely responsible for slowness. Sorting that is on my to-do list.
I found this article on HTTPS performance. It might interest you. 🙂
Steve Teare says
Claire-
I did speed testing. HTTPS / SSL adds about 400 to 500 milliseconds to every page and post of your site. That is horrific.
Don’t drink the Google Kool-aid.
http://pagepipe.com/httpsssl-and-its-negative-impact-on-mobile-speed/
-Steve
Johanna Ouwerling says
I have done some testing, but no stats for that. I don’t see much difference.
I think what will make the most difference is if you use a cdn or not. I am using Maxcdn, but I found out, that they don’t serve the entire world.
So I am looking into the Keycdn. That serves the entire world and isn’t too expensive. And they also offer a free trial.
So I might try that out.
Claire Brotherton says
Let me know how KeyCDN works out for you, Johanna.
Johanna Ouwerling says
I will. My Maxcdn has to be renewed in May 2017, so I probably will do a trial at KeyCDN in April 2017.
Sarah says
Hi Claire,
Great article, thanks for sharing! I agree completely that this is an important switch that impacts two very important things for sites: security and speed.
An option for 301 redirects is to use a URL redirection service. Depending on your needs it may be free or come with a small monthly fee. There are a few different options out there which can be found via Google.
Full disclosure: I work with EasyRedir, an easy to use URL redirection service. You can find us at https://www.easyredir.com
Cheers,
Sarah
Ankur says
Hi,
Yippee!!! Siteground hosting is really awesome. I am able to install SSL successfully.
Just got that green lock with my URL. But I used really simple ssl plugin to avoid mixed content warning. Have a look: https://topadnetworks.com
Timix A Thomas says
Obviously, SSL is the future. Google is pushing the use of SSL to make the internet more secure and soon many of WordPress features will stop working on websites without an SSL installed. For a blog or a website which will not collect payments or passwords, free SSL certificate from Let’s Encrypt or a cheap SSL will suffice.
Steve Teare says
HTTPS is slower because it does double the work. A normal HTTP request does a “2-leg” delay for network connections. This is a round trip request and response. With HTTPS, you have 4-legs (2 round trips). It’s 100 milliseconds to travel between the client and the server. That means your first HTTPS request is at least 500 milliseconds. (That’s what we’re seeing happen.)
http://pagepipe.com/httpsssl-and-its-negative-impact-on-mobile-speed/
Steve
http://www.pagepipe.com
Bob Kruse says
“Google gives preferential treatment to sites with HTTPS” was enough reason for me ;). And it’s so easy to do nowadays, you don’t really have any excuse not to!
Claire Brotherton says
Exactly what I thought, Bob! Thanks for dropping by from the States. 🙂
Steve Teare says
Google has stated HTTPS is only a tiebreaker if all other signals for SEO are equal. It has less than 0.5% effect on page ranking.
Kristov says
Hello Claire, it’s a good guide. To fix the insecure resources and force the HTTPS redirect, you can do both at the same time with just one plugin, like https://wordpress.org/plugins/force-https-littlebizzy/
Anyway, it works well for Nginx (or Apache) and with CloudFlare.
Claire Brotherton says
Thanks Kristov – I haven’t come across that plugin before.
NAveen says
Thanks for sharing the difference between HTTP and HTTPS; I also now know how important it is to our site.
Jobayer Rahman says
Hi Claire Brotherton
Nice Article and thanks for sharing. From your article I am now clear that this is very important. I am new in this area. My question is that my website is showing Green and https both automatically in the address bar. Does that mean my website is secure? My site link is given below.
https://tutoroftech.com
Claire Brotherton says
Hi Jobayer
It looks good to me! You can check individual pages at Why No Padlock?.
Naman Modi says
Thanks, great suggestions you have mentioned here. These ideas are really worth a lot for a website. I will definitely follow these tricks to my website and hope for better outcomes.
WP Learner says
Hi Claire Brotherton,
Great suggestions you have mentioned here different between Http and HTTPS and I will definitely follow these tricks to my website. Nice Article and thanks for sharing for the beginner.
Samantha says
Thanks a lot Claire,
I never knew that it helps in getting more traffic &/or SEO.
Thanks for sharing. I really appreciate it.
Thanks,
Samantha
Sandra Mithson says
I would like to thank you Claire,
First time I learnt that it’s a help in SEO & driving traffic. Had no clue about it.
Thanks for this wonderful effort.
Regards,
Sandra Mithson
Claire Brotherton says
Thanks for reading, Sandra, and I’m glad you enjoyed the post.
Claire
Amanda says
Thanks Claire for sharing all this info. It helps in SEO as well, I had no clue at all about this and thanks for sharing the cost and the way to move to HTTPS as well. I think cost is also justified / economical.
Thanks for sharing