And by secure, what we’re talking about is that little S in https://
It starts with obtaining what is called an SSL Certificate.
There are a few different kinds including “Domain Validated”, “Company Validated”, and “Wildcard” just to name a few.
HTTPS, SSL and making your site Secure
This FAQ on making your site “Secure” is going to walk you through the steps you’ll need to take.
The goal of this is to have your site URL show a little green padlock in the visitor’s browser window.
You are going to hear a few new words and acronyms like SSL, SECURE and https. Here’s a quick definition.
SSL CERTificate: This stands for Secure Sockets Layer. It’s simply a data file that ties in the necessary items to make encryption possible between the visitor’s browser, your host, and the files that create your website. We might say SSL or SSL Cert or SSL Certificate but we’re talking about the same thing.
https: This is the beginning of the url for a secure site. You might already know that the http stands for Hypertext Transfer Protocol and of course the added S would then stand for Secure.
SECURE: This is a general term that we are using to describe a site that has a valid SSL Cert combined with proper coding to continue what is called a daisy chain of security. If that chain is unbroken, we have encryption happening and have what is called a “SECURE” website.
So, no matter what words we’re using – the goal is going to be the same. That little green padlock.
I get it – we’re all skimmers.
If you don’t know what TL;DR means my guess is that you probably skipped that part of the internet. (see what I did there?)
So if this whole post and its embedded FAQ was too long for you and you didn’t read it, here’s the bullet point edition.
- You want your site to be SECURE today so that you show up in Google.
- There are free options out there but I suggest you pay a little (can you afford $200?).
That’s it. Every site out there needs to be Secure these days and if yours is not you’ll be left behind with ZERO traffic.
Three things, but I really could just say one…
Google has mandated that they want all sites to be secure. With that in mind, here’s three reasons why your site should be secure.
Google is using it as a ranking signal. That means that secure sites will be ranked higher than equivalent ones without https.
Since the Penguin update of 2012, Google has put in a great deal of effort to promote security and quality. Today, sites protected by SSL enjoy a higher priority in search engines. Experiment for yourself. Do a Google search concerning any topic. It’s safe to assume that most of the top 10 results are from sites with either an SSL certificate or have high domain authority.
- Authenticates Between the Site and Visitor
Using an SSL protects data to and from your website. It makes it more difficult for hackers to intercept or change information while in transit. For example, a hacker could change the images or even launch executable software within elements you view from an unprotected site. Think of adding SSL as creating a tunnel from your visitor directly to your website. The stronger you make that tunnel, the less chance someone can affect the visitor from the outside. The rain outside on the street doesn’t affect you if you’re in a subway system. This is a simplified example of what encrypting data with SSL does for your online guests.
You wouldn’t enter your credit card on a site that isn’t secure, right? That’s because there’s a level of trust that happens when you see that green padlock. That trust conveys to sites that aren’t accepting credit cards and to the content that is in them, even if it’s a blog full of facts and statistics. Seeing that deep green message that a site is secure in the address bar makes an impact. Premium SSL certificates come with Dynamic Site Seals, warranty and other benefits that instill further confidence. When you consider the massive amount of competition on the Internet, the last thing you want to do is send away potential customers. And a lack of an SSL will do just that for a lot of them.
Keep in mind that Google Chrome users make up nearly 60% of the online traffic worldwide. It’s safe to assume more than half of your visitors will see if your site is secure or not.
In the past, Google has made a few adjustments to how it handles secured websites. There was talk about showing alerts to users in 2017, and now Google is pushing/pushed that notification.
Whether you have an online store or are running a simple blog, the difference between HTTP vs HTTPS is huge. And I’m not talking simply about making a sale. In fact, how your site appears in Google Chrome will impact your overall success.
If your site is NOT Secure your visitors are going to get a red warning like this:
As Google focuses more on security, the search engine giant is pushing a new feature to its popular browser. This integrated ability will determine if your website is using a Secure Sockets Layer.
The URL of your site in the address bar is preceded by “Not secure” if no SSL is detected.
or even worse there’s a new red notification coming soon…
Ok, the first step in becoming “secure” is getting an SSL Certificate for your site/business.
SSL stands for Secure Sockets Layer and it’s simply a data file that binds or connects your domain name, server name, and/or host name to your website.
If you want to get deeper, it’s all about the crypto keys. These are incredibly long strings of random numbers. There’s two – a public key and a private key. Together, they create a very complicated math problem for the browser to solve if one of the two is missing. That, in the simplest terms, is how digital encryption works.
Back to obtaining an SSL Cert…
So, there are many places to get an SSL Cert. There are also a few different levels of SSL Certs. At the most basic level, the SSL Cert will verify that the domain name matches the domain files and the host. That’s important as there are scripts out there that’ll mask and reroute domain traffic to the sites of the bad guys.
At the higher levels of SSL Certification – the issuing company will verify ownership of the company, the physical address and other details as well.
Most of the sites I build don’t need that. Simple is usually just fine. In SSL terms this is called a Domain Validation SSL.
Let me first mention that some of this is not for the DIY type. There’s just too much involved that you as a site owner are not going to know (like filling out the details for what is called your Certificate Signing Request). That said, you can still do this, you just need the help of your hosting company.
So instead of me giving you a list of places to buy your SSL Cert I’ll just refer you to your hosting company. You’ll simply want to ask them for a Domain Validation SSL. They’ll probably give you a link in their system to order/buy the SSL Cert.
Once that order is placed and the SSL Cert is issued the hosting company will need to install it on your account. Once again, this is yet another reason you can’t DIY this.
I love free and yes there’s a free option of SSL out there too!
It’s called “Let’s Encrypt” and it’s pretty slick!
Chances are that your host even offers them.
So that’s good, right?
Yes and no. I recently had a client’s website go down for a handful of days. They were fully encrypted using an SSL Cert from Let’s Encrypt. Why? Because unlike normal SSL Certs – Let’s Encrypt Certs last only 90 days. At that point, or really before that point they need to be renewed. This renewal is done by your host and quite frankly some hosts just are not set up to stay on top of that. An expired SSL Cert doesn’t mean that your site doesn’t have the green padlock, it means there’s going to be a big ass warning for all to see – instead of your site.
I know exactly how it feels when your site is down. It’s happened to me. Every second it’s down I felt like the whole world was judging me. I was literally wringing my hands, pulling my hair. If your site is that important to you, I’d skip free – at least for now.
With a valid SSL Cert installed on your hosting account you’ll want to tell WordPress about your new domain name.
I have a new domain name?
Well, not exactly. Technically speaking you have a new URL. With your SSL Cert you can now direct people to your https:// address.
The domain name stays the same, the prefix is the obvious change.
In your WordPress dashboard there’s two fields that you’ll need to change.
That’s a start. We’re not done yet.
Next, we want to force all visitors to load the https version of our site. There’s a few ways to do that but if you are not familiar with .htaccess files you might use a plugin.
HINT: modifying your .htaccess file is better.
Starting a new site from scratch and going SECURE is the easiest. Most anything you add to the site, moving forward is going to be uploaded and ‘called’ from a secure host. That means when you insert an image into a post like this:
The html that does that will look like this:
See that little S? We now know that it’s pulling that picture file from a secure source, right?
Remember that as the page loads it’s going to pull in stuff from all sorts of places. Most, like this, are going to be from your own server but that’s not always the case. If anything is being pulled from a non-secure server (yours or someone else’s) the daisy chain of SSL Security is going to be broken and you won’t have a green padlock.
Unlike the new site, we’re going to have files, images and other content that we uploaded previously to a non secure server.
That means the html that is going to pull in that image thing might look like this instead.
There’s an S missing after the http – and as the page attempts to load in the visitor’s browser their browser is going to see that some of the elements (in this case the picture) are not coming from a secure place. Their browser is going to throw them up a warning.
This is called “Poisoning The Well” and it’s something we need to avoid doing at all costs when we are secure.
So the fix is that you now have to go back to each of your posts, each of your pages, each of your headers, footers and widgets. You need to check and change the url of every single thing that is being pulled in to build your site or page. This isn’t just images, this could be CSS, this could be scripts, this could be embed codes. It’s time consuming for sure and that’s why it’s easier to start with a new site.
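Checking every post by eye is where things get missed, so here is a small scanner for the problem described above, which browsers report as “mixed content”. It is an added example rather than code from this post; the sample HTML is constructed and the function and class names are made up for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch something into the page.
# <a href> is left out on purpose: a plain link to an http:// page loads
# nothing into the current page, so it does not cost you the padlock.
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
                  "audio": "src", "video": "src", "source": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load a file


class InsecureResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel="canonical" is only a reference
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url))


def find_insecure_resources(html: str):
    finder = InsecureResourceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample post content (example.com URLs are placeholders).
SAMPLE_POST = """\
<p>An older post</p>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="https://example.com/wp-content/uploads/logo.png">
<link rel="stylesheet" href="http://example.com/style.css">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="http://example.org/">an ordinary link</a>
<script src="HTTP://cdn.example.net/widget.js"></script>
"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_resources(SAMPLE_POST):
        print(f"line {line}: <{tag}> loads {url}")
```

Feed it the saved HTML of each page; anything it lists has to be switched to https before that page can show the padlock.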
Yes, you can. 🙂
How much is it going to cost?
Good question. Breaking it down into two fees, you’ll have the fee for your actual SSL Cert and the fee for my labor.
The labor of course is a one time fee while the SSL Cert is usually an annual fee.
I would budget $100 for the SSL Cert and I am currently charging $100 for the labor.
If that seems fair enough to you – let’s start the conversation!
They can cost anywhere from free to a hundred bucks or so a year.
The “SSL Cert” ties into your hosting account and your domain name and must be set up correctly for the viewer’s browser to work.
The next thing that needs to happen from a browser’s point of view is that everything, EVERY SINGLE THING, that needs to happen to create that page has to come from a secure server.
Think about that. Every single little image that makes up a site
It’s not just your stuff. If you have a YouTube video, that embed code needs to be pulling from the https of YouTube.
This page is a work in progress right now.
Let’s get you secured!