What does this mean? Well, anyone attempting to access a website without HTTPS will receive a warning that the site isn\u2019t safe.<\/p>\n
Here\u2019s an example from Google of what the warning will look like in browsers:<\/p>\n
![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/google-treatment-of-http-pages.png\")
<\/p>\n
Image: Google<\/a>.<\/em><\/p>\n In a word: yes.<\/p>\n According to Cloudflare<\/a>, over half<\/em> of web visitors will see these warnings. That\u2019s 50% of your web traffic.<\/p>\n So if your website is not integrated with HTTPS, your customers will see that your site is vulnerable to cyber attacks and any personal information they enter into your site isn\u2019t secure and might decide to go elsewhere for your product or services.<\/p>\n HTTPS is the safer version of the HTTP protocol<\/a>, which enables web users to connect to websites.<\/p>\n Secure connections are an important step in protecting users from a type of cyber attack called content injection, or content spoofing<\/a>. Content spoofing is when a hacker creates a fake website and passes it off as if it were legitimate. The intent is, typically, to defraud victims via phishing<\/a>. Sometimes, though, the purpose is simply to misrepresent an organization or person.<\/p>\n Content spoofing often works because it exploits an established trust relationship between a user and organization or user, whether it\u2019s a famous company or a celebrity.<\/p>\n And it\u2019s not just hackers \u2013 disgruntled employees, angry customers, and anyone else who wants to hurt a company or person could carry out a content spoofing attack, sharing false information and messages with customers and driving them to their competition.<\/p>\n Common forms of content injection include eavesdropping, data modification and man-in-the-middle attacks. Hackers can also perform SEO injections, spreading additional false messages through search engine spiders that index and craft URLs.<\/p>\n With HTTPS, Google hopes to make this kind of malicious attack a thing of the past.<\/p>\n Because security is Google\u2019s middle name. Plus, it\u2019s been making gradual steps towards pushing users \u2013 and the world \u2013 towards HTTPS.<\/p>\n Google commissioned security engineering firms X41 D-Sec GmbH and Cure53 to examine the relative security strengths of the three most popular enterprise browsers: Google Chrome, Microsoft Edge, and Microsoft Internet Explorer (IE).<\/p>\n The two studies<\/a> found that in 2017, Google Chrome was the most secure browser on the web due in large part to its high rates of detecting suspicious websites and fast vulnerability patching.<\/p>\n Also, Google has been playing with HTTPS for years<\/a>. The company started testing in 2014, examining which websites were secure and used connections that were encrypted in its search engine algorithm.<\/p>\n The tests were a rousing success<\/a> and in response, the search giant began using HTTPS as a ranking signal.<\/p>\n Though it was only a slight change, HTTPS impacted less than 1% of global searches, and factors like high-quality content still mattered a great deal more.<\/p>\n Still, back then Google saw the potential and important of HTTPS and wanted to see it become more fully realized.<\/p>\n Here\u2019s what Google had to say about the future of HTTPS<\/a> on its security blog in 2014:<\/p>\n \u201c… over time, we may decide to strengthen it (HTTPS), because we\u2019d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.\u201d<\/p>\n A year later, Google released another update on its security blog, announcing a slight adjustment in its indexing system. The plan was to crawl just as many, if not more, HTTPS over HTTP pages even when HTTPS web pages were not linked to any other websites.<\/p>\n This meant Google had decided it was going to start playing favorites. In other words,\u00a0goodbye HTTP. HTTPS was going to get a leg-up in search engine ranking and indexing simply because it was HTTPS and not for any of the usual ranking requirements.<\/p>\n And if two URLs with the same domain and the same content possessed different protocol schemes<\/a>, Google would index the HTTPS URL with these rules in mind:<\/p>\n In 2016, Adrienne Porter Felt and Emily Schechter from the Chrome security team released another update on Google\u2019s security blog to share their success with HTTPS.<\/p>\n Their HTTPS report card<\/a> documented the increased security of the web thanks to HTTPS. It included data on how HTTPS implementation increased from 2014 to 2016, that more than 50% of web pages loaded with HTTPS, and that two-thirds of time spent on the Chrome Browser was with HTTPS.<\/p>\n This graph from the Google Security Blog offers a more complete picture of just how many websites made the shift to using HTTPS:<\/p>\n Image: Google<\/a>.<\/em><\/p>\n In 2017, Google started applying even more pressure. It announced that from January, HTTP web pages that collected passwords and\/or credit card information would be labeled as \u201cnot secure.\u201d This shift would be part of Chrome version 56.<\/p>\n Then in April 2017, the search engine giant took things a step further, announcing that from October that year, Chrome 62 would show the \u201cNot secure\u201d warning in two additional situations<\/a>: when users entered data on an HTTP page, and on all HTTP pages visited in Incognito mode.<\/p>\n Google highlighted that since the change in Chrome 56, there had been a 23% reduction in the number of visits to HTTP pages with password or credit card forms on desktop.<\/p>\n In February, Google made its latest HTTP, announcing \u201cA secure web is here to stay<\/a>.\u201d With the release of Chrome 68, all web pages that aren\u2019t using HTTPS will be marked as \u201cnot secure.\u201d<\/p>\n If you\u2019re not sure if your site is using HTTPS, check your URL. If you see \u201chttps\u201d in front of your domain name then your site is secure.<\/p>\n Installing an SSL certificate was one of the first things I did when setting up my site.<\/em><\/p>\n If your URL starts with \u201chttp\u201d then it\u2019s insecure and will look something like this, depending on your browser:<\/p>\n ABC News still hasn\u2019t set up HTTPS as of March 2018!<\/em><\/p>\n Hopefully, the internet fairies have blessed you with a secure HTTPS site and you can go about your day and stop reading this guide.<\/p>\n Fortunately, the best thing about installing an SSL (Secure Socket Layer) certificate \u2013 which you need to enable HTTPS on your site \u2013 is that it\u2019s simple to set up. Once it\u2019s done, all you have to do is route visitors to use HTTPS instead of HTTP.<\/p>\n But if you don\u2019t have HTTPS on your site, here\u2019s how to get started.<\/p>\n Note: I\u2019m working on a more in-depth guide to HTTPS for WP Rocket, so watch this space!<\/em><\/p>\n Until recent years, it was only possible to install an SSL Certificate if you had a dedicated IP address for your website. However, a technology called SNI (Server Name Indication), which is now standard on web servers, solved this problem by allowing multiple certificates to be installed on a single shared IP address.<\/p>\n The only issue is with older web browsers that might not offer support for SNI. This is where having a Dedicated IP address can help by covering all bases.<\/p>\n Some hosting providers offer free SSL with their plans. Siteground<\/a> is one WordPress managed host that offers free Let\u2019s Encrypt SSL certificates with every account.<\/p>\n Kinsta<\/a> also supports Let\u2019s Encrypt and provides free SSL support for customers at no extra cost.<\/p>\n If your hosting provider doesn\u2019t offer a free SSL certificate, you may have to purchase one from a third party through your web host. Some hosting providers like Bluehost on-sell them for around $50.<\/p>\n For more information about SSL certificates, check out Let\u2019s Encrypt<\/a>. It\u2019s a free and open Certificate Authority run for the public\u2019s benefit by the Internet Security Research Group.<\/p>\n The Let\u2019s Encrypt website.<\/em><\/p>\n Once you have an SSL Certificate, you either ask your web host to install it on your server for you, or set it up yourself.<\/p>\n In order to set it up yourself, you\u2019ll need to generate a Certificate Signing Request. Basically, this identifies the server and domains you\u2019ll use your certificate with.<\/p>\n The instructions for doing this will be different depending on your server, but generally, you\u2019ll need to:<\/p>\n You\u2019ll need to check with your web host for what will work with your server. As an example, here are the instructions for GoDaddy users.<\/a><\/p>\n The final step is to make sure WordPress know you\u2019re now using SSL and HTTPS.<\/p>\n Head to your WordPress dashboard and go to Settings > General<\/strong>. Scroll down to the \u201cWordPress Address (URL)\u201d and \u201cSite Address (URL)\u201d fields and replace \u201chttp:\/\/\u201d with \u201chttps:\/\/\u201d<\/p>\n Save your changes and you\u2019re done if you\u2019re setting up SSL for a new website.<\/p>\n If you\u2019re setting it up for an existing website, however, there are a couple more steps to go.<\/p>\n You need to tell WordPress to redirect from HTTP to the more secure HTTPS version of your site<\/a>. To do this, use FTP, cPanel or whatever other method your host provides and open the .htaccess file (or create one) in the root directory of your site.<\/p>\n Paste in the following code above anything that might already be in the file:<\/p>\n https:\/\/gist.github.com\/raewrites\/5760b23cb3000778d97ea8e7159f123a<\/a><\/p>\n Now, visit your site to make sure it works. If \u201chttps:\/\/\u201d appears in your URL with a green padlock next to it, then you\u2019re all good to go.<\/p>\n If you want to add HTTPS to your Multisite admin area or login pages, you\u2019ll need to also configure SSL in your wp-config.php file.<\/p>\n Add the following code above the \u201cThat\u2019s all, stop editing!\u201d line:<\/p>\n https:\/\/gist.github.com\/raewrites\/dc6a5c3dc162c3964dd7dec0e7bf378d<\/a><\/p>\nShould I Care About HTTPS Warnings?<\/h2>\n
Why Is Google Forcing HTTPS on Site Owners?<\/h2>\n
How Does Google Know HTTPS Works?<\/h2>\n
\n
![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/usage-chart.png\")
<\/p>\nQuick Guide: Securing Your Site with HTTPS<\/h2>\n
![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/https-example.png\")
<\/p>\n![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/http-abc-news.png\")
<\/p>\nDo I Need a Dedicated IP Address?<\/h3>\n
1. Buy a Certificate<\/h4>\n
![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/lets-encrypt.png\")
<\/p>\n2. Generate a Certificate Signing Request (CSR)<\/h4>\n
\n
3. Tell WordPress to use SSL and HTTPS<\/h4>\n
![\"\"](\"https:\/\/wp-rocket.me\/wp-content\/uploads\/1\/update-http.png\")
<\/p>\nExtra Steps for WordPress Multisite<\/h3>\n