SSL: 5 Reasons For Securing Your WordPress Website
Sep 25th, 2017
Given the rise in hacking attacks and other forms of digital misbehavior, people are more cautious than ever about where they place their trust.
Google wants to help everyone manage their trust relationships and is making changes across their technology to nudge the Web onto secure platforms: https: and SSL.
https (http secured) is a version of the protocol web servers and user agents (browsers, apps, robots) use to talk to each other. SSL (Secure Sockets Layer) refers to the encrypted communication channel they use – the private side of the Internet.
SSL provides certificates website owners use to authenticate their websites. The certificate is a set of cryptographic keys your webserver uses to encrypt and sign the documents (webpages) it returns to your visitors. Their browsers verify the certificates and get the decryption keys. If all the various components of the webpage are from secure sources, the browser puts a “Secure” tag or icon in the location bar.
Moving your website to https is actually a good idea for the 5 reasons listed below.
But the clock is running! Starting next month, visitors to http webpages using the latest version of Google’s Chrome browser will see a “Not Secure” tag appear in the location bar as soon as they start entering text in any input field on the page. This has been the case for pages containing a password or credit card number field since January.
This animated gif from the Chromium Blog explains it all:
Updates are automatic for most Chrome users, and Firefox and Safari will be making similar changes. Starting next month (Oct. 2017) this becomes the default behavior.
This change affects every WordPress website owner and admin. Think about all the places you might have an input element on your website. If you have a search field in your header or a newsletter subscribe form in your sidebar, that’s every page on your website!
5 Reasons why SSL/https is a good idea.
- Domain Authentication – Provides assurance to your visitor that the webpage they asked for is the webpage they got. That no man-in-the-middle has intercepted your visitor’s request URL and sent back a page pretending to be you.
- Data Integrity – SSL encrypts all communication between your website and your visitors. Any attempt to remove, modify or add data turns that communication into nonsense. Governments and telecom companies can still block traffic to your website through their networks, but they can’t interfere with the conversation if they don’t.
- User Privacy – It’s not just the newsletter signup form on your website that needs to be encrypted so spammers can’t steal names and email addresses. It’s also WordPress login credentials, post comments and search terms. Think about how visitors connect through open WiFi and mobile data networks they know nothing about. Yet they ultimately hold you responsible for protecting their confidentiality.
- Load Speed – A new Web protocol version, HTTP 2.0, is replacing the very old version 1.1. HTTP 2.0 manages multiple connections over SSL more efficiently. Your website’s visitors will experience faster page loads. But this only works with secured websites. HTTP 2.0 falls back to the version 1.1 protocol for websites without an SSL certificate.
- Search Ranking – Google regards secured websites as more reliable, more serious in intent than unsecured websites, especially if the website requests user input via forms. Your secure website will appear in search result pages above insecure websites that would otherwise rank equally for a given search term. Not secure pages in SERPs will be labeled as such.
Migrating a WordPress website from http to https
The process will vary from one webhosting company to the next. So, the very first thing you need to do is check your hosting company’s documentation to see if they support https access for a website under your hosting plan. If they do, then ask them for help.
Make sure your WordPress installation and plugins are completely up to date and that the database and files are fully backed up before you start. Check what version of PHP your WordPress is running under. You’ll want PHP 7 or later to take full advantage of the speed improvements.
Here’s an overview of the steps:
- Get SSL certificates from a Certificate Authority for all domains and subdomains served by your website. Your webhosting company may do this for you.
- Duplicate your website & database. Enable the new website for SSL/https: and install the certificates.
- In the new website, change internal links from http://yourwebsite.com/ to https://yourwebsite.com/. Do this for both the content in the database and the code in the theme template files.
- Find and replace non-secure external sources of content with equivalent secure sources. This has to be done on a case by case basis. Older plugins may not have secure sources for the assets they embed into your pages.
- When every page in the new website displays the “Secure” label, add a redirect directive to the old website to forward all http: traffic to the secure https: website.
- Update 3rd party services with your new URL, including: Google Analytics & Search Console, email marketing services, payment gateways and affiliate programs.
- Update your social media and other membership organizations where your URL is in a “profile”. While this isn’t technically required, you want the world to know you respect people’s privacy. Displaying a URL beginning with https: sends a subtle signal that you can be trusted.
Honestly, I’m not trying to make this look difficult; it really is a big job! For a webpage to be considered secure, every content component that goes into that page must come from a secure source. This includes: images, videos, embeds, objects, iframes, stylesheets and scripts. The more complex and content-rich your website is, the more problems you’ll encounter.
Not so long ago, the Internet was open territory populated largely by techies who shared a “Do No Evil” ethic. Now it’s an essential part of billions of lives and encountering people who don’t have your best interests at heart has to be expected. When you interact with your customers and prospects online, trust is no longer assured.
While implementing user security and privacy seems complicated—and I’ve only scratched the surface—migrating your website to SSL/https is well worth it. It shows respect for your audience.