Have you been noticing a little padlock with a red line through it coming up when you visit certain sites? If you haven’t seen it yet, it’s a matter of time before you’ll start to see that warning all over the Internet. In the past months, newer versions of both Chrome and Firefox have instituted a change so that you’ll get a warning if the web page doesn’t provide a secure connection.
What this means is that the website you’re visiting is sending data, such as a form or checkout, over the Internet in plain text, which anyone with certain skills who is up to no good can easily intercept. These insecure sites have a URL that begins with HTTP. Yes, that is most likely how your site and most websites today are sending their data.
According to a recent survey by HubSpot, 82% of respondents reported that they would leave a site if they saw a warning that it was “Not Secure”. Obviously most website owners would not want their visitors turning away before they get there.
In the past, ecommerce sites were the only ones that were required to have their data encrypted. In order for them to get their payment gateways approved they had to have an SSL certificate that proved their site was secure. You would notice this because the URLs of these sites started with HTTPS.
There is a move afoot to have all sites send their information securely and we wanted to let you know and explain exactly what that means and what you can do about it.
If all that technology is too much for you to take on, we can help you change your site to HTTPS. We’ll include that information at the end of the post. In the meantime, let us explain exactly what’s going on with the security issue, and why you should do something about it.
HTTP, short for Hypertext Transfer Protocol, is the language that network administrators chose to use to exchange information over the Internet, back when the Internet was new. Over time, people have become very savvy about finding ways to intercept data that is basically being sent in plain text.
When you go to a secure website to make a purchase, your browser will typically change and use HTTPS instead of HTTP to send the data. That’s a good thing since it means that a protocol is being used that scrambles the message so that no one can steal your data as it’s traveling back and forth between computers around the Internet.
Now, instead of HTTP, there’s a more secure transfer being used, called HyperText Transfer Protocol Secure (HTTPS). With this secure methodology, computers agree on a code to transfer between them. That code scrambles the messages so that if they’re intercepted, they can’t be read, thus ensuring the safety of our website’s transactional data.
You’ll hear the term SSL-compliant regarding websites that use HTTPS. And this just means that with HTTPS, the “code” uses a Secure Sockets Layer (SSL) to send information back and forth over the web.
Why Redirect HTTP to HTTPS?
According to BuiltWith, only 6.3% of the top 100,000 websites are SSL-compliant. Google would like to see all sites (not only e-commerce sites) be HTTPS and secured with SSL. It’s understandable that sites processing credit card data need to be secure, but how about blogs or non-sensitive websites?
Other than “Google says so”, what are the reasons you should move all your websites to HTTPS? The biggest reason is that your website’s data is more secure. Can you believe that the login page of all WordPress sites sends the usernames and passwords over the Internet in plain text? Hackers are able to use readily available tools to “sniff out” login information from WordPress sites that aren’t running HTTPS.
Here are a few more reasons to switch to HTTPS:
- Visitors have more trust in websites running SSL
- Better Performance
- Improved SEO and Ranking
- Your Google Analytics referral data will be accurate
Getting Started With SSL
It’s much easier to start a website with SSL than to switch one over. Therefore, we recommend you save yourself and your clients a big headache and start off on the right foot by building all your sites with SSL.
As more sites start to realize the importance of security, you’ll have more and more requests to migrate someone’s site to SSL. Since this isn’t a straightforward process, we’ve provided a general guide to the migration, because not all hosting companies handle SSL certificates the same way.
Give it a try with your web host of choice and learn their process for setting up a site with an SSL certificate. Or, purchase an SSL certificate and migrate a site to HTTPS that’s already been working with HTTP. Once you learn your webhost’s procedures and the type of support they offer for adding SSL, the next time will be easier.
Here’s the general process:
- Back up your website – if anything goes wrong during the process, you’ll have peace of mind that you can always revert to a previous version.
- Secure the URL with the SSL certificate:
- Oftentimes, your hosting provider will offer a free SSL certificate through Let’s Encrypt. Other times, your hosting company will make you purchase an SSL certificate through them.
- Once your domain has the SSL certificate activated, you’ll need to change your website URLs from “http” to “https”.
- First, you need to make sure that under General Settings, the “WordPress Address” and the “Site Address” are changed to the “https” URL. You can also do this from phpMyAdmin if you are familiar with editing the database.
- Second, you’ll need to run a search and replace so that all your URLs are changed from “http” to “https”.
- To run the search and replace, I recommend the plugin “Go Live Update URLs”: https://wordpress.org/plugins/go-live-update-urls/
- Now that your SSL is installed, and your URLs have been changed to “https”, you’re almost finished. The last thing to do is make sure there’s no mixed content.
- Mixed content is often the hardest part of securing websites. It’s not hard to figure out what’s causing the error, but it can often be somewhat difficult to find out how to fix that error.
- Mixed content refers to insecure URLs that are being called on your website. The most common examples I run into are the header and the favicon. Oftentimes, you’ll upload your header through the theme. When you do this, you won’t be able to change the header URL with a search and replace plugin. You’ll have to go in manually and replace the header so the URL changes.
- You can run your website through “Why No Padlock” to figure out exactly which URLs and errors are causing your website to not be secure: https://www.whynopadlock.com
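The mixed-content check described in the last step can also be run offline against a page's saved HTML. The Python script below is an added example, not code from the original post or from Why No Padlock; the function and class names, the sample page and the example.com URLs are constructed for illustration. It flags only URLs the browser actually fetches (images, scripts, stylesheets, the favicon), not ordinary links.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource.
SRC_ATTRS = {"img": "src", "audio": "src", "video": "src", "source": "src",
             "script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Browsers block insecure "active" content (scripts, styles, frames);
# "passive" content (images, media) loads but costs the page its padlock.
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rel & {"stylesheet", "icon"}:
            url = attrs.get("href")
            kind = "active" if "stylesheet" in rel else "passive"  # icon = favicon
        elif tag in SRC_ATTRS:
            url = attrs.get(SRC_ATTRS[tag])
            kind = "passive" if tag in PASSIVE_TAGS else "active"
        else:
            return  # <a href> and <link rel="canonical"> fetch nothing
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.com is a placeholder domain.
SAMPLE = """<html><head>
<link rel="icon" href="http://example.com/favicon.ico">
<link rel="stylesheet" href="https://example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="http://example.com/app.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/header.png">
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

On the sample it reports the favicon, the script and the theme header image, and skips the HTTPS stylesheet, the canonical link and the plain anchor.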
How We Can Help
If all that is too much tech for you to take on, you are in luck. We at New Tricks Web Design Atlanta are offering two opportunities to secure your site:
SSL Certificate Installation ($75 one-time fee): This is a one-time fee to install and configure the SSL certificate. Most hosts offer free certificates, but depending on your web hosting there could be an extra cost for the certificate. Contact us for help.
