Just a few years ago, an SSL certificate on your website was only necessary if you wanted to accept payments online. Having that lock symbol visible on your customers’ web browser assured them that they could submit their personal information securely. These days, even if your website doesn’t have a contact form, there is a push to have every website utilize HTTPS.
Google is one of the primary proponents pushing for this change. If you read their article, Why HTTPS Matters, it becomes clear just how important it is to have SSL installed, especially for the privacy of your visitors. In fact, Google will begin to label websites without SSL/HTTPS as “Not Secure” when a new version of Chrome is released in July.
Distinguishing Security from Legitimacy
Most small business owners and organizations will be fine obtaining a Domain Validated (DV) SSL certificate. The other two types of certificates, Extended Validation (EV) and Organization Validated (OV), offer the same level of security. However, the process to obtain these two is much more involved than for a DV certificate. Their purpose is to show the visitor that the company or business is legitimate. They are also more expensive because of this.
Yes, there is a good chance that scam websites will start using HTTPS en masse. It is up to the visitor to do their due diligence and research on these websites, certificate or not. The fact remains that SSL establishes a secure connection between your website and visitors. Their data remains safe from network sniffing and other intrusive attacks. Therefore, the more websites with SSL, the better and safer it is to browse the internet.
Unless you own a major corporation, there really is no need to get an SSL certificate other than a Domain Validated one. There are plenty of other ways to establish credibility for your company. The primary concern should be for the privacy of your visitors.
Getting an SSL Certificate for Free
Typically, you can purchase a DV SSL certificate for around $15 to $100 per year. That is a reasonable cost to secure your website. However, the only way to truly change the internet landscape from HTTP to HTTPS is to make certificates available for free. One organization, Let’s Encrypt, aims to do just that.
Backed by sponsors such as Cisco, Mozilla, and Facebook, Let’s Encrypt is a non-profit organization that allows anyone to obtain an SSL certificate for free. Server software such as Web Hosting Manager by cPanel can automate the process of obtaining and renewing certificates. Websites hosted on shared platforms face some resistance to implementing Let’s Encrypt, because the hosting providers would much prefer to keep selling you their certificates. There are websites like SSL for Free which assist novice webmasters with setup and installation instructions on these shared servers. For instance, if your website is hosted on GoDaddy’s shared platform, you can configure SSL for Free to use FTP and copy and paste the generated certificate into GoDaddy’s control panel.
The one downside to using an SSL certificate from Let’s Encrypt is that it expires in 3 months. Again, if you have this process automated it shouldn’t make any difference. If you are manually installing these certificates then you will certainly want to set reminders a few days before expiration.
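For manual installations, a scheduled check can replace the calendar reminder. The following is an added example, not part of the original article: it reads the expiry date of the certificate a site serves and exits non-zero once it is inside a warning window. The 7-day window and the `example.com` default host are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 7  # assumption: "a few days before expiration" taken as one week


def days_left(not_after, now):
    """Days between `now` (an aware datetime) and a certificate notAfter string."""
    return (ssl.cert_time_to_seconds(not_after) - now.timestamp()) / 86400


def needs_renewal(not_after, now, warn_days=WARN_DAYS):
    """True once the certificate is inside the warning window (or expired)."""
    return days_left(not_after, now) <= warn_days


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter field of the certificate served by host:port."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An already expired (or otherwise invalid) certificate fails here.
        sys.exit("%s: certificate did not verify: %s" % (host, exc.verify_message))
    now = datetime.now(timezone.utc)
    print("%s expires %s (%.1f days left)" % (host, not_after, days_left(not_after, now)))
    sys.exit(1 if needs_renewal(not_after, now) else 0)
```

Run from cron or a task scheduler, the non-zero exit status is what triggers the reminder.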
Making the switch from HTTP to HTTPS
Once you have installed the certificate for your WordPress site, you need to configure it to use HTTPS. While this isn’t automatic, there is a plugin I have used many times with great success that simplifies the process.
Really Simple SSL
Really Simple SSL is a WordPress plugin that lives up to its name. Rapidly approaching 1 million active installations, it is by far one of the easier ways to switch your website over to HTTPS. With just one click, you can have SSL set up on your website in seconds.
Most of the time, after running the plugin, you won’t encounter any issues. It does a very good job of fixing insecure/mixed content warnings. Sometimes there are assets loaded that need to be updated with a text editor. Usually, these warnings come from stylesheets that are loading a font or image using HTTP. This is especially the case if you have an active theme that hasn’t been updated in a while.
Before I get to identifying and correcting those warnings, take a look at the settings in the image below for Really Simple SSL. Make sure you have Auto replace mixed content and Enable WordPress 301 redirection to SSL checked. By default, they are already checked. However, it is best to be certain if you are encountering any errors.
I really appreciate the 301 redirect feature. Pages that have been indexed by Google as HTTP will automatically redirect to their HTTPS counterpart. This eliminates the frustration of having to manually re-index your website in Google and other search engines to avoid pages being served insecurely.
Detecting and Correcting Mixed Content Errors
If you’re not seeing the green “Secure” padlock next to your domain name in Chrome, don’t fret. There are a couple of different ways you can identify the issue. First, check all of your main website pages and see if the issue remains. If your website has many blog posts, I would recommend browsing through several of those to look for errors too.
No Padlock Error
In Chrome, if you see a ⓘ (i within a circle) next to your domain (with https), you have mixed content. Click on that circled i and ensure that the certificate status says valid. If it does, you can proceed to troubleshoot the issue. If it isn’t valid, you’ll need to go over your installation and make sure it was set up properly.
On that same page in Chrome, right-click and choose Inspect. At the top right of this window, click on the red circle with the white x. This will open the console drawer in Chrome’s developer tools. Make sure you scroll to the top of this list. One of the first things listed should be the mixed content warning. Clicking on this will show you all the instances of content being served over HTTP. Use this information to change the file paths in your theme or CSS files from HTTP to HTTPS. You can also test your pages with Why No Padlock. Its results list each offending asset as a Soft Failure.
Warning as shown in Chrome developer tools
Error as shown from the results of Why No Padlock
Insecure Content Blocked Error
This error also appears in Chrome. It looks like a shield with an X on top of it. Clicking on that shield will allow the user to Load Unsafe Scripts. Of course, this is not an acceptable solution. The error should not appear at all.
You can apply the same steps to resolve this problem as for the No Padlock Error, using either Chrome developer tools or Why No Padlock to locate the troublesome files. If there are many file paths that need to be fixed, it might be worth it to do a find and replace to quickly correct the issue.
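Before running a find and replace, it helps to list exactly which references load content over HTTP. The scanner below is an added example, not part of the original article or of any tool it mentions. It reports `http://` subresources in theme markup and stylesheets and ignores ordinary links, which are not mixed content. The sample markup is constructed, and mapping script, iframe and stylesheet loads to the "blocked" error and media loads to the padlock "warning" is an assumption about typical browser behaviour.

```python
import re

# Constructed sample theme template and stylesheet (not from the original page).
SAMPLE_HTML = """<link rel="canonical" href="http://example.com/about/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="http://cdn.example.net/slider.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<a href="http://example.org/partner">Partner</a>
<img src="https://example.com/wp-content/uploads/ok.png">
"""
SAMPLE_CSS = """@font-face { src: url('http://fonts.example.net/demo.woff'); }
.hero { background: url(https://example.com/hero.jpg); }
"""

TAG_RE = re.compile(r"<(script|iframe|link|img|audio|video|source)\b([^>]*)>", re.I)
URL_ATTR_RE = re.compile(r"""\b(?:src|href)\s*=\s*["'](http://[^"']+)""", re.I)
REL_STYLESHEET_RE = re.compile(r"""rel\s*=\s*["']?stylesheet""", re.I)
CSS_URL_RE = re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.I)
# Assumption: browsers usually block these loads; other listed tags only warn.
BLOCKED_TAGS = {"script", "iframe", "link"}


def scan_markup(text):
    """Return (line, severity, url) for each subresource loaded over http://."""
    findings = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        # <link> only loads a subresource when it is a stylesheet;
        # rel="canonical" and <a href> are plain links, not mixed content.
        if tag == "link" and not REL_STYLESHEET_RE.search(attrs):
            continue
        lineno = text.count("\n", 0, m.start()) + 1
        severity = "blocked" if tag in BLOCKED_TAGS else "warning"
        for url in URL_ATTR_RE.findall(attrs):
            findings.append((lineno, severity, url))
    return findings


def scan_css(text):
    """Return (line, 'css', url) for each url(http://...) in a stylesheet."""
    return [(text.count("\n", 0, m.start()) + 1, "css", m.group(1))
            for m in CSS_URL_RE.finditer(text)]


if __name__ == "__main__":
    for finding in scan_markup(SAMPLE_HTML) + scan_css(SAMPLE_CSS):
        print("line %d  %-7s  %s" % finding)
```

Check that each reported host actually serves the file over HTTPS before changing its path, since a blind replace can turn a warning into a broken asset.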
The Future of SSL and HTTPS
I truly believe that HTTP usage will decline significantly over the next few years. This is not a bad thing. While Google has confirmed that HTTPS is a small ranking factor today, I wouldn’t be surprised if HTTP websites start getting a penalty down the road.
Visitors are starting to associate trustworthiness with the green padlock symbol. It may be unfair to make a judgment one way or another on this attribute alone, but with user privacy and security all over the news these days, it is only natural.