So we’ve been up our tree shouting about this for a while to all our clients, but if you haven’t heard already, it’s time to move ALL your WordPress sites over to HTTPS …
If you haven’t moved to HTTPS by now, you’re going to get left behind.
Here are 4 compelling reasons to move your WordPress website to HTTPS:
- SECURITY — SSL protects your site’s data and your website visitors. It encrypts data transferred over the web, like form submissions and credit card transactions.
- SEO — Google says it’s time to move your sites over to HTTPS. They are now giving a search ranking boost to secure sites. Simply put, you’ll rank better with an HTTPS website.
- E-COMMERCE —If you’re taking any payments on your website, SSL is non-negotiable. SSL is an absolute must for e-commerce and membership websites.
- AFFORDABILITY — In the past, SSL certificates could get expensive, but the rapidly transforming web landscape has made switching to SSL practical and affordable.
But here’s the deal … most of us (me included) don’t know where to start and how to move to HTTPS without messing things up. You could potentially break your website, experience downtime or lose important analytics data if you do it incorrectly.
So lets run through some info to hopefully make this possible, actionable and affordable on your WordPress website.
What are all the types of SSL Certificates?
So to start with you have now realised that there are many types of SSL Certificates available in the market, and you make a choice based on 2 factors:
On the basis of validation level
- Domain Validation
- Organizational Validation
- Extended Validation
Number of Domains
- Single Domain validation
- Multi-domain validation
- Wildcard validation
How much does it cost?
Our most common question when we start discussing SSL as historically this has been a major expense to set up and maintain. But times have changed and you have a couple of options nowadays, some at no cost at all 😉
Buy an SSL Certificate from your Hosting Company
This is the easiest, fastest and actually the most secure way to do this, and bonus is it comes with all that support your normally get from your hosting company! (depending on which one you are with this of course varies immensely 😉 )
If you are going to buy form your hosting company its worth pulling up their online chat support people and asking them for discount as they can normally shave some $ off the price, especially if you sign up for more than one year. They will also normally install it on the spot as you are chatting, or start the verification process immediately, bonus!
How long does it last?
Some hosting companies only allow you to buy the SSL Cert for a year and you need to renew it on your credit card annually and have the ‘reinstall’ it on your server. Bit of a putz, but all workable and doable
Other sell you anything up to 5 years worth, and offer discounts if you do so.
Can we get it free?
Interestingly, this segment has blossomed after Google announced it’s https everywhere announcement in 2015.
As far back as November 18, 2014, the Electronic Frontier Foundation (EFF) released an announcement that they were working on an opensource project to make SSL certificates free and with the ability to install them in just a few clicks. It became available in mid 2015 as Let’s Encrypt.
Let’s Encrypt give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way they to create a more secure and privacy-respecting Web.
One of the hiccups here is that installing this way is WAY technical requiring with your host to support it (most of th biggies don’t by the way as SSL Certs are a major income generator for them ) or SSH Shell access to install onto your server yourselves. No mean task let me tell you.
Cloudflare Flexible SSL
Cloudflare offer what they call Flexible SSL in their free plan.
This provides a secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don’t need to have an SSL certificate installed directly on your web server, but your visitors still see the site as being HTTPS enabled.
However this must be said, that this option is not recommended if you have any sensitive information on your website, such as WooCommerce or credit card info.
Plugins to Assist
We use a variety of plugins in the Monkey tree-house to help clients make the shift without any downtime oir hiccups alon g the way, Here’s a selection of our favourites.
Really Simple SSL automatically detects your settings and configures your website to run over https. To keep it lightweight, the options are kept to a minimum and it’s surprisingly user friendly. This is best solution when you are planning on making you entire site https and SSL secure.
They reckon it’s 3 simple steps:
- Get an SSL certificate (this is your choice of how to do it, free or purchased…)
- Activate the Really Simple SSL plugin
- Follow the pop ups and enable SSL with one click
If you are going to use the Cloudflare’s Flexible SSL on their free plan to get your green padlock, then this plugin is highly recommended, actually it’s kinda mandatory 😉
The biggie here is that this plugin sticks some code in what is called a “header rewrite” to prevent a redirect loop when Cloudflare’s Universal SSL is enabled. This is the most common problem in breaking sites switching to SSL.
You can also change most of your Cloudflare settings from within the plugin itself without needing to navigate to the cloudflare.com dashboard. You can change settings for cache purge, security level, Always Online, and image optimization with a simple click.
SSL now essential, but not a standalone
Having an SSL certificate for your WordPress site is now accepted as an essential step in protecting your website and its visitors, but it’s not the only security measure you should be using.
To further ensure your site is safe for everyone, you could also use a WordPress security plugin, such as Wordfence or iThemes Security (used to be Better WP Security).
How to do it?
- Have some else do it: If you do not do your own plugin installs and theme installs and updates of your WordPress yourself, get someone else to do it. Either contact your host (if you are purchasing an SSL Certificate) or your web designer (if you are opting for a free or Cloudflare solution) 25%* off Standard SSL Certificates from GoDaddy!
- Do it yourself: If you are happy with ftp access and editing your own htaccess file, then feel free to go ahead and jump in! Of course if you are purchasing an SSL Certificate from your host, we still say, get them to do it 😉 Whatever happens, ensure you have a backup of course, and a way to hard acces your folders and files, as lockouts on initial install are not uncommon, especially if you’ve never done this before.
When to do it?
Simple answer ASAP, actually you should have done so in 2016!