Once again, Google has done that thing where its internal decisions are sending waves through the online world. The latest one is about online security, specifically SSL certificates.
From July 2018, the search giant has announced that any webpage that doesn’t begin with HTTPS – and the S being the crucial part – will be deemed Not Secure. And that’s a lot of sites: about half to two-thirds of all websites are not HTTPS enabled.
It means every user for those millions of sites is going to log on and the first thing they will see in the URL bar is a Not Secure page warning. Is Not Secure really the very first thing you want your visitors to see as soon as they click on your URL?
It won’t be a good look for any businesses still operating – even if perfectly safely – on an HTTP site when the deadline hits.
What your url will look like after July 1 2018
SSL is really important for WordPress hosting. Anyone logging in has to be secure, because there could be a hacker sniffing around and if there is an unsecured part of your WordPress site, they will find it.
Not your hosting service (such as GoDaddy), nor your ISP (such as Bigpond), nor your web developers (such as us) has any control over this message coming up or power to stop it.
Getting your site up to HTTPS standard is not a “maybe” job. This was only announced quite recently and it will kick into effect in just a few weeks.
It would be bad if this was just for when your URL is in the search results, but this will also apply to your traffic coming from AdWords clicks too – and you’ll still pay for the click that leads the potential customer to the Not Secure warning!
This alert will also likely increase the opt-out rate where the potential customer will not proceed to the website, this will reduce the relevancy and therefore increase there average “cost per click” on Google AdWords.
Now that you are as worried as you should be, let’s look at a few points about what Google’s decision to effectively mandate SSL means.
Q: What is SSL anyway?
A: SSL stands for Secure Sockets Layer. It is an online security protocol that generates a “certificate” authenticating a website and, further, means that all traffic going out of or coming into your site is encrypted.
An SSL certificate encrypts what gets sent to and from your site. When your user types something into, say a form, and sends it, hackers can capture it. On an unsecured site that can be anything at all, any log-in details, all the information in a form, credit card numbers if you have an unsecured e-commerce check-out.
Having HTTPS does not stop hackers from seeing “something” if they breach your security, but the data they can see is strongly encrypted. Even military codebreaking geniuses can’t decipher it. Only the intended sender and recipient can.
Q: But I have antivirus, why does my site need SSL?
A: Anti-virus detects and neutralises malicious software and code on a computer’s hard drive. An SSL certificate creates a safe and secure connection between a server and the browser on your computers. If anti-virus can be thought of as home security, then an SSL certificate is like having the mail checked by the bomb squad and then delivered to your house under guard.
Q: How is this a worry for my AdWords?
A: If your site does not have HTTPS status, bringing your site up to code will also require a rebuild of all your AdWords Campaigns and update all your site links. Remember, every click from Google Search or AdWords into a non-HTTPS site will trigger the Not Secure warning.
There’s a further catch too, Google says it is going to take at least 24 hours for it to approve all your AdWords changes. For bigger campaigns, this could be the best part of a week. During this changeover time your AdWords presence will be zero.
Q: Why is Google cracking down on SSL now?
A: Google has been pushing SSL pretty hard for a while now and a new version of Chrome is coming along in July. Further, recent changes to European Union laws about online security and privacy are having global ramifications. Google SSL deadline is simply part of a larger ongoing trend. Introducing it as a new feature in the latest version of the world’s favourite browser was going to happen sooner or later. Turns out it is sooner.
Q: What can I do to make sure my site is HTTPS ready?
A: There are two parts to getting your site HTTPS ready. First, you need to get your website ready. To do this you need to force SSL which makes sure the SSL file registers as the default. If this happens the HTTPS address will be returned whenever your links are clicked.
If you’re using WordPress, you can get a force SSL plugin or you can do it by using the .htacess file, which is quicker and easier if you have the technical knowledge.
Both the manual .htaccess method and the WordPress plug-in do roughly the same thing. For an expert, the .htaccess method is simple, quick and permanent. It is, however, beyond the skills of a non-expert. These people could use the plug-in. While easier, it does add yet another plug-in to your WordPress back-end – increasing overall site bloat and website maintenance load.
If you choose to install an SSL certificate yourself, products like Let’s Encrypt make it easier than ever. Check your website host for easy install options.
My opinion is that using a plug-in isn’t bad as such, it’s just not the optimal solution in this case. If the more technical method is beyond the scope of your business’s technical knowledge, get in touch with us and we can do it for you.
Second, there are numerous minor hiccups that can happen with this update, but we have done this enough times to know where they are and do something to prevent them.
A final note, like many agencies, SSL has always been included in Mash Media’s premium hosting package, but that is now changing. On the heels of Google’s new announcement, we will no longer host any non-SSL websites. It’s just not worth the security or commercial risks for our clients anymore.