It Is Time To Switch To A Secure Website
Google Security Warnings
In case you haven’t heard, starting in October 2017 Google will slap warning labels on any site that has a form, regardless of whether the information being sent is sensitive, or not. Google has even started sending out emails to this effect, along the lines:
Chrome will show security warnings on http://domain.com
To the owner of http://domain.com
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in incognito mode. … and more
Historically, running a website on a secure server has really only been necessary for eCommerce sites and similar sites dealing with sensitive information. Regardless of whether you believe this approach from Google is right or wrong, it’s not a bad thing to start pushing for a more secure internet.
It has even been suggested that running on HTTPS provides a slight ranking boost for your website. However, our tests and those of many SEO professionals have not been able to clearly confirm this. In fact, some webmasters even notice a drop in ranking, though that may be due to errors during the switch.
So, if now is the time to commit to HTTPS, how can you plan the switch effectively, and how much will it cost?
Purchase The SSL Certificate
First of all, you’ll need to purchase a security certificate for your website. These are readily available from SSL providers and through your hosting provider. There are a number of options:
- There are free certificates available through companies such as Let’s Encrypt, SSL For Free, etc. These are fine for domain-based security. The usual drawback is that they have to be renewed every three months – still for free, but it does require extra work.
- There are plenty of inexpensive SSL certificates available through Comodo, NameCheap, and many more – just run a search for “cheap SSL”. Remember, there are different types of certificate. Some will authenticate you as a company and your name will appear against the certificate. However, this is usually only really necessary if you’re selling onsite. For most purposes domain security is sufficient. Also, if your website is properly redirected so that visitors only ever interact with either the www or the non-www version of the site, then our advice is that you do not need to secure both versions.
- When purchasing a certificate, do make sure that your host allows you to install a third-party certificate. Almost all hosts will allow this, but we have come across some exceptions (e.g. FatCow hosting) where you have to purchase through the host. Our advice here is that you should probably move to a more reputable host.
We will typically purchase a 3-year certificate, simply because it means we don’t have to worry about it again. In fact, with the pressure to move to HTTPS, it may well be the case that, within three years, certificates will be included free of charge with hosting.
Install The Certificate
Installation can vary between hosts. There’s a great list of installation instructions by platform here:
Though, your host will probably have instructions in their forum or knowledge base.
Plan For SSL
Before actually installing the certificate, it’s a good idea to plan what else is necessary for it to operate successfully. Every website can vary, but here are some common elements you should consider:
- You need to force HTTPS. How you do this depends on your platform. Most people run on Apache, so you’ll need to update your .htaccess file. If you’re running under WordPress, you just need to go to Settings > General and update the WordPress Address and Site Address.
- Unfortunately, this rarely secures the website. You’ll see that you’re running on HTTPS but will not have the green padlock and secure label. This is because the page(s) still has some unsecure elements. If you’re using the Chrome Browser, go to Developer Tools (Ctrl-Shift-I). The Security tab will allow you to identify what page elements are still causing a problem. It’s generally a matter of going through all the code (or WordPress database) and changing references.
- If you’re using canonical tags in your pages, you will need to update these.
- Next, it’s a good idea to update your sitemaps. In some cases this may be automatic, but it’s best to check.
- If you’re using Google Search Console (the webmaster tools), you should login and register the HTTPS version(s) of the site.
- Also, check whatever analytics you’re using to ensure that it’s tracking HTTPS correctly.
These are just the more common items you should check. There could be more, depending on your website and environment. All inbound links from social media, citation sites, industry directories, etc. should automatically redirect. However, over time, it’s a good idea to slowly work through these sources and update the information.
Do You Need To Test The Migration?
For simple sites we’ve found this to be unnecessary, but things can go wrong. We have seen problems where HTTP/HTTPS both show, or even show different content, when HTTPS is blocking bots, and more.
If you believe you have a more complex site it is always best to run the migration on a test/staging system to iron out any issues before migrating your live site.