As of July 24th, 2018, Google Chrome is marking all non-HTTPS sites as “Not Secure,” regardless of whether they collect data or not. This is why HTTPS is more important than ever!
In today’s post we are going to dive deep into an HTTP to HTTPS migration and share applicable tips to hopefully make the transition for your WordPress site as smooth as possible. As some of you may know, Google has been working hard on their objective of moving everyone to a more secure web. For WordPress site owners it is always great if you can be proactive. Because of new protocols, SEO benefits, and even more accurate referral data, there has never been a better time to migrate to HTTPS. Find out more of the why and how below.
What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website. HTTPS is one of the measures to help keep your browsing safe and secure. This includes things like logging into your banking website, capturing credit card information, and even logging in to the back-end of your WordPress site. HTTPS on your WordPress website requires that you have an SSL certificate for encryption. This ensures that no data is ever passed in plain text.
According to Builtwith, as of February 2018, 49.8% of the top 10,000 websites are using HTTPS. That is up from 5.68% back in September 2015.
Top websites HTTPS usage
As of February 2018, MozCast is reporting over 77% of search queries are over HTTPS, up from 26% in January 2016. That means there are a lot of sites migrating from HTTP to HTTPS.
MozCast HTTPS queries
Even Google themselves is pushing for that 100% encryption mark across all their products and services. As of January 2018 around 91% of traffic to Google is over HTTPS. That is up from 48% back in December 2013.
HTTPS traffic at Google
And according to Firefox telemetry data and Let’s Encrypt stats, over 66% of page loads are now HTTPS.
Why Should You Care About HTTPS?
There are actually quite a few reasons why WordPress website owners should care about HTTPS and think about migrating from HTTP to HTTPS now rather than later.
1. Security
Of course, the biggest reason for HTTPS is the added security. By migrating from HTTP to HTTPS you are now serving your website over an encrypted SSL/TLS connection. This means that data and information is no longer passed in plain text. For eCommerce sites that process credit card information, this is a must-have. It is not technically required by law, but it is your responsibility as a business to protect your customers’ personal data.
Besides eCommerce, this also applies to the WordPress login pages on blogs. Especially for those of you running multi-author WordPress websites: if you are running over HTTP, every time a person logs in, that username and password is being passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. This way you can better prevent hackers or a man-in-the-middle from gaining access to your website.
2. SEO
Google has officially said that HTTPS is a ranking factor. While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors. And because of Google’s push for everyone to migrate to HTTPS, you can bet that the weight of this ranking factor will most likely increase in the future. Here is a great article on the impact of TLS/SSL on rankings.
And just look at some of the other data surrounding SEO and HTTPS! Matthew Barby did an analysis of 1 million URLs and found that over 33% of all pages ranking 1, 2 or 3 in Google use HTTPS.
HTTPS usage vs Google ranking
3. Trust and Credibility
According to a survey from GlobalSign, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online.
HTTPS can help your business by building what we call SSL trust. By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.
4. Referral Data
This reason is for all of you marketers out there. If you use Google Analytics you are probably familiar with referral data. What a lot of people don’t realize is that HTTPS to HTTP referral data is blocked in Google Analytics: browsers do not send the referrer when a visitor moves from an HTTPS page to an HTTP one. So what happens to the data? Well, most of it is just lumped together with the “direct traffic” section. If someone is going from HTTP to HTTPS the referrer is still passed.
This is also important because if your referral traffic has suddenly dropped but direct traffic has gone up it could mean one of your bigger referrers has recently migrated to HTTPS. The inverse is also true. Check out this more in-depth guide from Moz on direct traffic.
5. Chrome Warnings
As of July 24th, 2018, Chrome 68 and higher mark all non-HTTPS sites as “Not Secure,” regardless of whether they collect data or not. This is why HTTPS is more important than ever!
Chrome 68 not secure
And with Chrome 70 coming in October 2018, Chrome will mark non-HTTPS pages where users enter data as “Not Secure” with a big red warning. This is especially important if your website gets a majority of its traffic from Chrome. You can look in Google Analytics under the Audience section in Browser & OS to see the percentage of traffic your WordPress site gets from Google Chrome.
Chrome not secure red warning (Image source: Google)
Chrome holds over 56% of the browser market share, so this is going to impact a lot of your visitors. You can also check which browsers your visitors are using in Google Analytics under “Audience > Technology > Browser & OS.” As you can see in this example below over 63% of visitors to the site are using Google Chrome.
Chrome usage from visitors
Google is making it a lot more clear to visitors that your WordPress website might not be running on a secured connection. Here are some tips from Google on how to avoid the warning.
Firefox also followed suit: starting with the release of Firefox 51 back in late January, it too shows a gray padlock with a red line through it for non-secure sites that collect passwords. And of course, if you migrate your entire site to HTTPS, then you don’t have to worry about this.
Firefox not secure warning
You might also start getting the following warnings from Google Search Console if you haven’t migrated over to HTTPS yet.
To: owner of http://www.domain.com
The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.
The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.
6. Performance
And last but not least, we have performance. Because of a new protocol called HTTP/2, those running properly optimized sites over HTTPS can often even see speed improvements. Browsers only support HTTP/2 over an encrypted connection, so in practice HTTP/2 requires HTTPS. The improvement in performance is due to a variety of reasons, such as HTTP/2 supporting better multiplexing, parallelism, HPACK header compression with Huffman encoding, the ALPN extension, and server push. There used to be quite a bit of TLS overhead when running over HTTPS, but that is now a lot less. TLS 1.3, which is coming out soon, will speed up HTTPS connections even more!
It is also important to note that web performance optimizations such as domain sharding and concatenation can now actually harm your performance. These are obsolete and for the most part should no longer be used.
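One way to verify from the outside that a host or CDN actually negotiates HTTP/2 and a modern TLS version, as an added example that is not code from the original post: it opens a TLS connection with Python’s standard ssl module, offers h2 via ALPN and reports what the server picked. The hostname is a placeholder, and the probe itself needs network access.

```python
import socket
import ssl


def probe_tls(host, port=443, timeout=5.0):
    """Return (alpn_protocol, tls_version) negotiated with host:port.

    Needs network access. The default context verifies the certificate
    chain and hostname, so a bad certificate raises an SSL error instead
    of silently reporting a result.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # ask for HTTP/2 first
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version()


def assess(alpn, tls_version):
    """Map the negotiated ALPN protocol and TLS version onto checklist findings."""
    findings = []
    if alpn == "h2":
        findings.append("HTTP/2 negotiated via ALPN")
    else:
        findings.append("no HTTP/2: server offered " + (alpn or "no ALPN protocol"))
    if tls_version == "TLSv1.3":
        findings.append("TLS 1.3 in use")
    elif tls_version == "TLSv1.2":
        findings.append("TLS 1.2 in use; TLS 1.3 would cut handshake round trips")
    else:
        findings.append("legacy " + str(tls_version) + " in use; update the TLS stack")
    return findings


if __name__ == "__main__":
    host = "www.example.com"  # placeholder: put your own site here
    for line in assess(*probe_tls(host)):
        print(line)
```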
Everything on the web should be encrypted by default. – Jeff Atwood, Co-founder of Stack Overflow
HTTP to HTTPS Migration Guide
Now it is time to get down to the fun part, migrating your WordPress site from HTTP to HTTPS. Let’s first go over some of the basic requirements that you will need and some things to be aware of.
- You will need an SSL certificate. We will go more into detail about this below.
- Double check to ensure that your WordPress host and CDN provider supports HTTP/2. Kinsta has HTTP/2 support for all of our customers. This is not required, but you will want this for performance.
- You will want to set aside a good block of time to do your HTTPS migration. This isn’t something that can be done in 5 minutes.
- Double check to ensure that all external services and scripts you use have an HTTPS version available.
- It is important to know that you will lose social share counts on all your posts and pages unless you use a plugin that supports share recovery. This is because your share counts are based on an API that was looking at the HTTP version, and you have no control over 3rd party social networks.
- Depending upon the size of your site, it may take Google a while to re-crawl all of your new HTTPS pages and posts. During this period you could see variations in traffic or rankings.
- Don’t forget about local citations
We recommend turning off your CDN integration and disabling any caching plugins before beginning, as these can complicate matters.
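The checklist item about external services and scripts is where most migrations stumble: any script, stylesheet, image or form still hard-coded to http:// becomes mixed content the moment the page is served over HTTPS. The scanner below is an added example (not code from the original post) that walks a page’s HTML with the standard library and lists every explicit http:// sub-resource; the sample page is constructed and the cdn.example.test host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that pull in sub-resources. An http:// value here becomes
# mixed content once the page itself is served over HTTPS. Plain <a href>
# links are navigation, not sub-resources, so they are skipped below.
URL_ATTRS = {"src", "href", "action", "data", "poster", "srcset"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # srcset is "url descriptor, url descriptor": check each URL
            if name == "srcset":
                urls = [p.strip().split()[0] for p in value.split(",") if p.strip()]
            else:
                urls = [value]
            for url in urls:
                # Relative and protocol-relative (//host/...) URLs inherit
                # https after the migration; only an explicit http: counts.
                if urlparse(url).scheme.lower() == "http":
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return [(tag, attribute, url), ...] for every explicit http:// sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two hard-coded http:// assets, one relative URL,
# one protocol-relative URL and one ordinary link that must not be flagged.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="//cdn.example.test/hero.jpg" srcset="http://cdn.example.test/hero-2x.jpg 2x">
<a href="http://example.test/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"<{tag} {attr}> still loads over HTTP: {url}")
```

Run it against a saved copy of each template after the migration; an empty result means the page will show the padlock without a mixed-content warning.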
1. Choosing an SSL Certificate
The very first thing you will need to do is purchase an SSL certificate if you don’t have one. Google recommends using a 2048-bit key certificate or higher. We recommend you buy certificates from vendors such as Comodo, DigiCert, GeoTrust, Thawte, RapidSSL or Trustwave. But there are also cheaper alternatives such as GoGetSSL, NameCheap, and GoDaddy. There are three primary types of certificates you can choose from:
- Domain Validation: Single domain or subdomain, (email or DNS validation), issued within minutes. These can typically be bought for as low as $9 a year.
- Business/Organization Validation: Single domain or subdomain, requires business verification which provides a higher level of security/trust, issued within 1-3 days.
- Extended Validation: Single domain or subdomain, requires business verification which provides a higher level of security/trust, issued within 2-7 days. This enables the full green bar like you see on banking websites.
As of April 2016, Let’s Encrypt also created a way to get free SSL certificates. Check with your WordPress host and CDN provider to see if they have a Let’s Encrypt integration. You can also follow the Certbot guide on how to install them manually. Let’s Encrypt certificates expire every 90 days so it is important to have an automated system in place.