If you have a website, it’s time to consider moving your site from http to https and installing a free SSL certificate. If you’re planning on starting a new website project, I highly suggest you set it up as https from the beginning.
Google will require all websites to be https sooner rather than later, and has already begun flagging websites that accept passwords or credit card payments, but do not have an SSL certificate, as Not Secure. As the benefits of securing your site with https increase and the drawbacks become less significant, more and more websites are leaving unsecured http behind. Internet users all over the world are coming to expect the security and assurance that comes from an https site. This means that the question isn’t if you should update to https, but when.
HTTP vs HTTPS
HTTP, which stands for hypertext transfer protocol, is the method your browser uses to communicate with the server holding the data for a particular web page, allowing you access to the internet.
HTTPS still uses hypertext transfer protocol to communicate, but the data that is transferred back and forth between your computer and the server is encrypted. Only your browser and the server can decrypt the signal, so your information can’t be accessed by a third party in transit. Additionally, https signals that a site has been authenticated, meaning you know that you’re seeing the correct site (as opposed to a clone or phishing site), and that the content hasn’t been altered.
In an https site, your data is secured by TLS (Transport Layer Security protocol) or SSL (Secure Sockets Layer). The terms are often used interchangeably because TLS was built using a later version of SSL as its foundation (also, the security certificates you will need to install are generally called SSL certificates). Be sure to check the fine print: recent security breaches have rendered SSL significantly less secure, so you’ll want to make sure you’re using TLS. Sites running SSL often carry security warnings, or their https bar contains a padlock with a line through it.
Google Chrome's Security Status Examples
1. The SECURE status in the Chrome address bar of a website secured by a correctly installed SSL certificate.
2. The INFO or NOT SECURE status in the Chrome address bar of a website which isn't using a private connection. These are generally websites currently using http that do not accept credit cards.
3. The NOT SECURE status in the Chrome address bar of a website which has been flagged dangerous. Eventually Google plans for all websites not secured by an SSL certificate to display the Not Secure red triangle in Chrome browsers.
To secure your site, you’ll need to start by getting a security certificate, which is issued to you from a certificate authority (often abbreviated as CA). These certificates are often called SSL certificates (sometimes they’re referred to as TLS/SSL certificates), but they’ll work even if your site uses the TLS protocol. This is because your server configuration will determine whether you are using SSL (1 or 2) or TLS.
After you purchase and install an SSL certificate, you can determine if you are using TLS using this free SSL Server Test. After you receive your results, scroll down to the Configurations section to see whether you are using SSL or TLS.
Why you should use https on your WordPress site
Now that you have a general idea about how an https site works, let’s look at why https is good for your business.
The most obvious benefit of upgrading your site is improved security. Since only the server and your browser can decrypt the data being transferred, a third party who intercepts your data won’t be able to read it.
At an absolute minimum, https should be on any ecommerce pages on your site. Credit card information, addresses, and passwords are simply too valuable to send without the security of encryption that comes when you upgrade your site to https. And encryption doesn’t just protect sensitive information like credit card numbers. It also prevents third parties from reading messages or tracking your activities across multiple pages.
Https also indicates that the site has gone through at least some level of authentication. In some cases, that simply means that the owner of the domain has the right to use the site. In others, an extensive verification process ensures that the company listed on the site controls it. Clicking on the padlock feature in most browsers will list the information that has been verified, giving visitors increased confidence in a site.
In 2014, Google decided to include whether your site is http or https in its search engine algorithm. That means they are now using https as a ranking signal, which, along with quality content and page load speed, is an important element of search ranking. Upgrading your website to https is a quick way to get a boost so you’ll rank higher in Google’s searches. This is part of Google’s overall push to try and make the web more secure, and they state specifically that they want to encourage sites to switch to https.
4. HTTP2 Requires It
As you might have guessed, http2 has been developed to improve on the standard hypertext transfer protocol (http). Http2 websites have shorter load times and decrease the amount of data that is sent back and forth between your browser and the server, both of which are very good things for visitors and website owners.
Almost every browser that supports http2 requires sites to be secured using an SSL certificate. With http2 page load times ranging 50-70% faster than http, everyone will eventually be making the transition, and you will then have to switch to https.
5. Minimal Downsides
It used to be the case that https sites would noticeably increase server load, which caused increased load times. Additionally, security certificates were expensive.
These problems have largely been resolved. Improvements have been made to ensure that https sites run much more quickly. And as for the cost, some very good SSL certificates are completely free. And if you need extra features or security, such as an EV SSL, many certificates are reasonably priced, and it appears that with the push to https, SSL prices will get even more competitive.
Types of Security Certificates
If you’re ready to secure your site, you’ll need a security certificate (usually called an SSL certificate) from a certificate authority. There are various kinds of security certificates available for you to purchase (or in some cases obtain for free), and the needs of your site will determine how much you’ll have to pay to get one. There are three main types of SSL certificates to choose from.
Domain Validation (DV)
These certificates establish that the owner has the right to use the domain, but verification doesn’t extend to the company itself. This is typically done through email. An https:// will usually appear at the beginning of the web address (sometimes in green text), and many browsers will display a padlock (also sometimes in green). The padlock can be clicked on to reveal what information about the site has been verified.
Organization Validation (OV)
In addition to verifying that the owner has the right to use the domain (as with DV certificates), OV certificates validate company (or organization) information. This validation will require additional work on the part of the Certification Authority as well as additional documentation from the company or individual requesting the certificate. As with DV, an https:// will appear at the beginning of the web address, sometimes in green text, and the browser will display a padlock. The company’s information will be displayed in the certificate details.
If you choose to purchase an EV SSL certificate I recommend the Comodo EV Certificate. Comodo has a great reputation and also has prices that are far below their competitors.
Extended Validation (EV)
EV Certificates certify the identity of the company that controls a website, reassuring visitors that the site that they are visiting is actually run by the company that they think it is. It involves the steps for both DV and OV certificates, plus extra steps to ensure certain legal criteria are met. In addition to an https and padlock, EV certificates will often have the name of the company in green text at the beginning of the address bar.
Some certificates extend only to a single domain, and others include subdomains or other connected sites. You’ll also likely run into different kinds of encryption being offered: RSA, DSA, and ECC.
Making the Switch
After you decide on the best security certificate for your website, you’ll need to install it on your site. Most web hosting providers offer SSL certificates, as well as performing the switch to https, for free. From there, you’ll have to make a few other changes, such as configuring hard-coded internal links, implementing 301 redirects, and updating plugins, email links, and Google Analytics. If you’re familiar with WordPress and you have a small site, you can likely do most or all of this work on your own.
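One way to find the hard-coded internal links mentioned above before you switch, as an added example that is not part of the original article: a Python script that scans a page's HTML for http:// URLs and labels each one as an internal link to rewrite, a mixed-content resource, or an ordinary outbound link. The host example.com and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-carrying attributes, and tags whose URL the browser fetches on page load.
URL_ATTRS = {"href", "src", "action", "poster", "data"}
FETCHED_TAGS = {"img", "script", "iframe", "link", "audio", "video",
                "source", "embed", "object"}

# Constructed sample page; example.com stands in for your own domain.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/site/style.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://example.com/contact/">Contact</a>
<img src="/wp-content/uploads/logo.png">
<a href="https://example.com/shop/">Shop</a>
<a href="http://other.example.org/">Partner</a>
<form action="http://www.example.com/login"></form>
</body></html>"""

class InsecureLinkAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.own_hosts = {site_host.lower(), "www." + site_host.lower()}
        self.findings = []  # (line, tag, attribute, url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # https, relative and mailto: URLs are fine
            if (parts.hostname or "").lower() in self.own_hosts:
                kind = "internal"        # rewrite to https:// or a relative path
            elif tag in FETCHED_TAGS:
                kind = "mixed-content"   # loaded over http on an https page
            else:
                kind = "external-link"   # plain outbound link, no page impact
            self.findings.append((self.getpos()[0], tag, name, value, kind))

def audit(html, site_host):
    parser = InsecureLinkAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "example.com"):
        print(*finding)
```

Entries marked internal are the links to update during the migration; entries marked mixed-content are third-party resources that need an https source or a replacement.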
Whether you’re building a site from scratch or looking to upgrade an existing site, the benefits of https are clear, and they are becoming more important every day. The web is moving toward more security, and you will have to switch eventually, so you might as well start reaping the benefits of https today.