Over the last year or two, the big internet companies have started to encourage website owners to deliver their sites over a secure, encrypted connection. Read this article for a quick look at the benefits and how to get switched over properly.
Help! My browser says my website is insecure - what do I do?
Until relatively recently, encrypted website connections were reserved for sites handling sensitive data. If you were handling payment details, banking information or health data, you paid for an SSL certificate. The certificate let you deliver your site over a secure connection, and came with a warranty to protect your users against loss of money.
Most other sites didn't bother paying for this type of protection.
Then along came a revolution in website security, and its name is Let's Encrypt.
Let's Encrypt offers free SSL certificates. They don't include technical support or a warranty, but they do let any website owner switch to an encrypted connection. Now that you can get SSL for free, the big internet companies really want you to switch to an SSL-encrypted website. Read on for why this is a good thing!
You can tell which sites are encrypted by looking in the address bar and checking whether the site's address starts with http or https. The secure sites are the ones that start with https:
Why is having SSL encryption a good thing for my site?
There are lots of reasons!
Your visitors want to know their data is safe
It's not just about payment details any more. Your site visitors want to know that if they talk to you on live chat, fill in an enquiry form or use your search function, their words aren't being received by anyone other than you. If someone is intercepting data sent to your website over an encrypted connection, they're just going to get a bunch of gibberish. If it's being sent over an http connection, the data will be available for any hacker to read.
Browsers are warning visitors away from non-SSL websites
In July 2018, Google's Chrome browser started flagging websites that can't load over https as 'Not secure', scaring visitors away from them. This is terrifying for web users and potentially damaging for website owners!
Google has factored SSL/https into its search ranking positions
That's right - just like when they started punishing websites that weren't mobile responsive, they're now giving an extra push to secure websites. If SEO is anywhere near your mind, this is a no-brainer that you have to fix immediately.
You're less likely to get into a sticky GDPR or PECR conversation
I'm not a solicitor but after all the publicity around improved data governance laws, I reckon I want to be sure my website is taking good care of any personally identifiable data it stores.
Your website probably has some user accounts with people's email addresses. It probably has a contact form or two where people can put in their names and other info.
Yep - I'd want to be able to say all that was being transmitted securely.
OK, but my Wordpress site isn't secure - how do I fix it?
You may want to talk to your web developer to do this properly. But with most hosts, who tend to use an Apache server setup, the basic steps are:
1. Get an SSL certificate installed
You can request this through your web host. Your host should offer Let's Encrypt by now. If you're running a shopping site it might still be better to pay for one with a warranty though.
2. Change the URL of your Wordpress website
Head over to Settings -> General and change both URLs over to https:
On a brand new site, this might be enough to get you the magic padlock in your address bar. But for most sites, you've got some more work to do.
At this point you're possibly getting the closed padlock icon (it's green on some websites) on some pages, but on others you're still getting a 'Not secure' message or a 'mixed/insecure content' warning.
This is because you have lots of old http links throughout your website and - if you want to get the benefits - you're going to have to fix them.
3. Change all your old URLs - internal links, images and documents - to https
If you're good at this sort of thing, you can log into your site's MySQL database through software such as phpMyAdmin and do a Search and Replace. This can throw up one or two unexpected issues though, so go carefully, especially if you haven't been using well supported, up-to-date themes and plugins.
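The "unexpected issues" with a raw database search and replace are mostly down to one thing: WordPress stores widget settings, theme options and similar data as PHP serialized strings, which carry their own byte length (s:N:"..."). A plain replace of http:// with https:// makes every such string one byte longer than it claims to be, and PHP then refuses to unserialize it, so widgets or theme settings silently vanish. The script below is an added example (not from the original article, not a WordPress tool) that shows the corruption and a length-aware replacement; the option value and the example.com hostname are constructed for the demo.

```python
import re

# PHP serialized string marker: s:<byte length>:"<bytes>";
SER_STR = re.compile(rb's:(\d+):"')


def replace_url(blob: str, old: str, new: str) -> str:
    """Replace every occurrence of `old` with `new` in `blob`.

    Plain text is replaced directly. Inside PHP-serialized strings
    (s:N:"...";) the replacement is applied to the string body and N is
    recomputed, because PHP's unserialize() rejects a string whose
    declared byte length no longer matches its content.
    """
    data = blob.encode("utf-8")
    old_b, new_b = old.encode("utf-8"), new.encode("utf-8")
    out = bytearray()
    pos = 0
    while True:
        m = SER_STR.search(data, pos)
        if m is None:
            out += data[pos:].replace(old_b, new_b)
            return bytes(out).decode("utf-8")
        # everything before the marker is plain text
        out += data[pos:m.start()].replace(old_b, new_b)
        length = int(m.group(1))
        body_start = m.end()
        body_end = body_start + length
        if data[body_end:body_end + 2] != b'";':
            # Marker is not followed by a well-formed serialized string
            # (e.g. the text 's:3:"' inside a post); copy it through untouched.
            out += data[m.start():m.end()]
            pos = m.end()
            continue
        new_body = data[body_start:body_end].replace(old_b, new_b)
        out += b's:%d:"' % len(new_body) + new_body + b'";'
        pos = body_end + 2


def serialized_lengths_ok(blob: str) -> bool:
    """Heuristic check: does every s:N:" marker really enclose N bytes?"""
    data = blob.encode("utf-8")
    for m in SER_STR.finditer(data):
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
    return True


# Constructed sample: the shape of a wp_options row holding a theme setting.
SAMPLE_OPTION = 'a:1:{s:4:"logo";s:31:"http://example.com/img/logo.png";}'
OLD, NEW = "http://example.com", "https://example.com"

if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(OLD, NEW)
    fixed = replace_url(SAMPLE_OPTION, OLD, NEW)
    print("naive:", naive, "valid" if serialized_lengths_ok(naive) else "CORRUPT")
    print("fixed:", fixed, "valid" if serialized_lengths_ok(fixed) else "CORRUPT")
```

Run it and the naive line comes out CORRUPT (s:31 still declared for a 32-byte string) while the fixed line is valid. In practice you would run this kind of replacement over a database dump, or use a tool that does the same job, such as WP-CLI's `wp search-replace` with `--dry-run` first; either way, take a backup before touching the live database.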
If you're not so good at that, you play cat and mouse with your old http links by changing every one you can find until you get the closed padlock. Everywhere you find an address starting with http://, change it to https:// (unless it's a link to an external website that's not yours).
You might need to check in all of these places in Wordpress:
- All your Pages, Posts and any custom post types - Use the Text editor and check all links to other pages and all URLs for images and other media that load in your content.
- Menus - If you've used the Wordpress pages then the URLs got updated as soon as you saved the screen in Step 2. But if you have any Custom Links or have things set up carefully in extensions like Ubermenu or ShiftNav, these will need looking at.
- Widget areas - Again, ignore links to other sites, but look carefully for URLs that relate to your own site.
- Theme files - If you have a custom theme, a custom child theme or have (heaven forfend!) manually edited any of your theme's core files, you might need to check these through. You're probably looking for static links in your Footer or Header areas. If you're using Genesis you're probably using a plugin to edit your footer, so this is a common culprit when trying to get the coveted green padlock for a site.
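Rather than playing cat and mouse by eye, you can scan the rendered HTML of each page for leftover http:// URLs. The script below is an added example, not part of the original article or of WordPress; it uses only Python's standard library. It applies the article's rule (plain links to other people's sites are ignored) with one extra point worth knowing: any image, script, stylesheet or CSS background loaded over http:// triggers the mixed-content warning even when it lives on someone else's server, so those are reported too. The page content and hostnames are constructed for the demo; on a real site you would feed it the HTML fetched from each page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser *load* something (mixed content if http://)
RESOURCE_ATTRS = {"src", "srcset", "poster", "data-src", "action", "style"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""")


def _same_site(host: str, site_host: str) -> bool:
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return strip(host.lower()) == strip(site_host.lower())


class InsecureUrlFinder(HTMLParser):
    """Collect (line, kind, url) for every http:// URL worth fixing."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_style = False

    def _record(self, tag: str, attr: str, url: str) -> None:
        parts = urlsplit(url.strip())
        if parts.scheme.lower() != "http":
            return
        own = _same_site(parts.hostname or "", self.site_host)
        is_resource = attr in RESOURCE_ATTRS or (tag == "link" and attr == "href")
        if is_resource:
            kind = "mixed-content (own site)" if own else "mixed-content (external)"
        elif own:
            kind = "internal link"
        else:
            return  # a plain link to someone else's http site is fine
        self.findings.append((self.getpos()[0], kind, url.strip()))

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if not value:
                continue
            if attr == "srcset":
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            elif attr == "style":
                urls = CSS_URL.findall(value)
            else:
                urls = [value]
            for url in urls:
                self._record(tag, attr, url)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # url(...) inside an inline <style> block is a resource load too
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._record("style", "style", url)


def find_insecure_urls(html: str, site_host: str):
    finder = InsecureUrlFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page, the kind of thing the Text editor would show you.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<style>body { background: url(http://example.com/bg.png); }</style>
</head><body>
<a href="http://example.com/about/">About</a>
<a href="http://partner.example.org/">Partner site</a>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<img src="https://www.example.com/fine.png" alt="already https">
<img src="http://cdn.example.net/banner.jpg" alt="external image">
<div style="background-image: url('http://www.example.com/hero.jpg')"></div>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, url in find_insecure_urls(SAMPLE_HTML, "example.com"):
        print("line %d: %-26s %s" % (line, kind, url))
```

The partner link and the https image are correctly left alone; the six remaining entries are the ones you would go and change (or, for the external image, host a copy yourself or find an https source).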
Once that's done, your site should be perfect. Green padlock heaven!
But what if you forget about https in future? And what about all your precious inbound links - SEO backlinks, your customers' own bookmarks, and every time you've posted something linked to your site on social media?
4. Make sure this never happens again - force all visitors to connect over to https
There are plugins for this sort of thing, but really you want a permanent solution, not some extra software. The answer is 301 redirects.
301 redirects tell your visitors and the search engines that your pages have permanently moved to a new address. In your case, they've moved permanently from http://yourawesomewebsite.com to https://yourawesomewebsite.com.
If your site has an .htaccess file you can add a simple wildcard 301 redirect rule so that every old page on your site gets redirected to the exact new location. So http://yourawesomewebsite.com/mailing-list/sign-me-up-scotty/ automatically redirects to https://yourawesomewebsite.com/mailing-list/sign-me-up-scotty/.
There's no need to update all your backlinks around the web, or to bin all your flyers and business cards prematurely!
A simple block of code you could drop into your .htaccess file would be:
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>
But be careful - if your site uses www. before the address, there are some other bits you should add in. There are hundreds of threads full of community-reviewed help on editing .htaccess on Stack Exchange.
Some hosts don't use .htaccess (usually because they run Nginx servers, which work differently to Apache). Those hosts will probably have their own 'force https' option right there in the hosting control panel, and their support people will help you through any hiccups it causes.
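Whichever way the redirect is set up (.htaccess or a control-panel switch), it is worth checking it actually does what the article describes: a permanent 301, to https, on the same host, with the full path and query string kept. The checker below is an added example, not from the original article; it is standard-library Python. The `check_redirect` rules encode the intent of the rewrite rule above; tolerating a www./non-www. difference is an assumption on my part, so tighten `_strip_www` if your site must answer on exactly one host form. `fetch_once` deliberately does not follow redirects, so you see the very first answer the server gives. The example.com URLs are constructed.

```python
import http.client
from urllib.parse import urlsplit


def _strip_www(host) -> str:
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_redirect(original_url: str, status: int, location) -> list:
    """Return a list of problems with one http->https redirect (empty = good).

    Expected: status 301, Location on https, same host (www. tolerated by
    assumption), and the original path plus query string preserved.
    """
    problems = []
    if status != 301:
        problems.append("expected status 301, got %d" % status)
    if not location:
        problems.append("no Location header")
        return problems
    o, l = urlsplit(original_url), urlsplit(location)
    if l.scheme.lower() != "https":
        problems.append("Location is not https: %s" % location)
    if _strip_www(l.hostname) != _strip_www(o.hostname):
        problems.append("Location points at a different host: %s" % l.hostname)
    if (l.path or "/") != (o.path or "/") or l.query != o.query:
        problems.append("path or query string not preserved: %s" % location)
    return problems


def fetch_once(url: str, timeout: float = 10.0):
    """One GET without following redirects; returns (status, Location header)."""
    p = urlsplit(url)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": p.netloc, "User-Agent": "https-check"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_site(http_base: str, paths):
    """Probe each old http path on the live site; returns {url: [problems]}."""
    report = {}
    for path in paths:
        url = http_base.rstrip("/") + path
        try:
            status, location = fetch_once(url)
            report[url] = check_redirect(url, status, location)
        except OSError as exc:
            report[url] = ["request failed: %s" % exc]
    return report


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://yourawesomewebsite.com"
    paths = ["/", "/mailing-list/sign-me-up-scotty/", "/?s=padlock"]
    for url, problems in check_site(base, paths).items():
        print(url, "OK" if not problems else "; ".join(problems))
```

Give it your old http address and a handful of real paths from your backlinks or business cards; a redirect that lands everyone on the homepage (dropped path) or answers 302 instead of 301 shows up immediately.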
*Bonus Step 5. Update your properties in Google Search Console*
You want your new https home to be listed in the results pages in Google, like this:
Assuming you're already set up in Google Search Console (formerly Webmaster Tools), you will need to add and verify your https website as a new property. Google doesn't share data between https and http properties, or between www. and non-www. properties, so you need to have every version in there. You may want to set up a property set and choose the new one as your preferred default address, but Search Console has just been updated to a new interface and property sets can only be found by going to the old version, so put that in the maybe box for now. When they get round to updating the documentation, there's a load of help available on this on Google's support site.
So there you have it. Well done for making it to the end! You now have a secure website which loads over an encrypted connection. You protected your backlink integrity, made it idiot-proof for your visitors to load the new version, and your browser software has a happy padlock-shaped smile right next to your address.
Still got questions? Drop them below and I'd be happy to help out.