HTTPS & WordPress – Do You Really Need It?
The Internet isn’t a very safe place for confidential talk. There are thousands of prying eyes waiting to leech your personal information – your street address, your phone number, and your credit card information. That’s why most companies use the Secure HTTP (HTTPS) protocol when processing confidential tasks. Today we’re going to talk about HTTPS and debate on whether we actually need it in our sites.
Some Technical Tea
HTTP is a protocol used by web servers and clients (browsers) to communicate and transfer webpages and files. There are loads of other protocols like FTP, SSH and BitTorrent.
HTTPS is a secured version of the HTTP protocol which uses SSL (Secured Socket Layer) encryption. How SSL works in the background requires a bachelor’s degree in Computer Science and a solid understanding of cryptography. Thanks to the concept of abstraction, we need not worry about that. Just remember:
HTTP + SSL = HTTPS
In a nutshell, HTTPS uses a public and private key matching “handshake mechanism” prior to transferring data. Once the handshake is done, the connection is established and the secured session begins. When you visit an HTTPS site, all of this happens almost instantaneously before you see the green indicator in your browser’s address bar.
Four Reasons Why HTTPS Is Great
1. Top-notch Security: With SSL, your connection is encrypted. A virtual tunnel is created through which only the server and the browser can communicate. Nobody else can interpret that channel. Even if the attacker taps into that channel, he wouldn’t be able to make sense of the encrypted data. He would need the private key which is only known to the browser.
2. Scrutiny: HTTPS requires and SSL certificate and acquiring the latter for a business is a serious process. It requires official documents to be submitted which are verified by the Certificate Authorizer (CA). Only when the documents pass the validation tests, the SSL certificate is issued.
3. Legitimizes Businesses: When you visit a SSL secured site, you can be certain of the site’s credibility. You can always obtain the necessary contact details of the owner from the site’s SSL certificate.
4. Data Integrity: Data integrity refers to the consistency of the data requested and the actual data received. Consider this example: Someone visits your site for a particular post on XYZ server setup instructions. At the end of the post, you leave an affiliate link. On an unsecured site, an attacker could easily tap into the connection and send your visitor the compromised data. In all probability, he’ll replace your affiliate link with a phishing link. Thus there’s a monumental difference in the data requested and the data actually received – the integrity of the data is destroyed. With SSL, none of this is possible!
Here’s The Catch:
Establishing a secure connection requires substantial computation power both by the server and the client. This results is a slower transfer rate when compared to HTTP. That’s why most sites don’t use HTTPS all the time. They wait till the moment you try to login or make a purchase. E-commerce sites like Amazon and Newegg follow this rule. This way the browsing is blazing fast and purchases are secure.
Do I Really Need HTTPS In My WordPress Site?
Good question, but it’s not a simple yes or no answer. So let’s et’s discuss this at length.
Search Engines prefer HTTPS Sites (yes)
Here’s a quote from a recent post at the Google Webmaster Central blog.
…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms.
This does not mean that if you don’t have HTTPS in your site, your SERP rank will fall. For now. Vigilant people will take this as an early indicator of what the future holds. A lot of people are complaining and questioning Google’s decision. Why on earth would you use HTTPS on your static blog? To prevent hackers from reading your visitors’ comments? Heck, even the Google Webmaster Blog isn’t using SSL!
Scenarios Where Sites Should Use HTTPS
There are plenty of situations where HTTPS should be used as an added layer of security. Here are some examples where it should be applied:
1. E-commerce Stores
If you’re running a WordPress store using WooCommerce or iThemes Exchange, it would be most wise to use HTTPS in the transaction pages of the site. As you already know, HTTPS is slower than HTTP and hence it carries an impact on the user’s browsing experience. However, when it comes to someone’s confidential information like home address, phone number or the credit card details – sacrificing speed over security is a necessity. You should always use HTTPS in the following scenarios:
- A new user registers or logs in
- A user is about to make a payment
2. Donation Pages
Some sites display a small donate button in their sidebar and almost all of them don’t use HTTPS. Here’s what can go wrong. Since the site isn’t secured, the attacker can easily manipulate the site’s data to show fraudulent information – such as replacing the PayPal donate button with some phishing site. When a visitor (rather donor) clicks on that fraudulent link, his account is at risk of being compromised. So, if you’re using a donate button on your site, try to incorporate SSL.
3. Membership Sites
A lot of Internet entrepreneurs run private forums and membership sites using WordPress. Such sites carry private data – data you don’t want the public to see. If SSL is used in such cases, it would eliminate data integrity threats and create a secure environment for your members to interact. It’s like hitting two birds with one stone:
- Better security
- Boost customer confidence and trust
4. Sites Hacked In The Past
If your site is a victim of a targeted attack or was recently hacked, then you should seriously consider switching to an SSL encrypted site. Recovering from a hacked site can be done using personal expertise and/or with the help WordPress security experts (such as Sucuri).
To shield yourself from future attacks and add an extra layer of security, force use HTTPS on your entire site. However, since SSL consumes a lot of server resources, your site might become quite slow depending on your server configuration. You don’t want that. Thus, you could also selectively use SSL only during login pages and while working in the WordPress administrator dashboard.
Setting Up SSL In WordPress
Setting up SSL is a complicated and tedious process. It requires technical expertise, substantial time and there’s a lot of room for error. I would strongly recommend talking to your hosting manager to help you get set up with SSL (checkout GoDaddy, with our link you can save 25% on an SSL certificate). If you’re determined to switch to an HTTPS site, then it is a safe bet to assume that your budget can incorporate the cost of a managed WordPress hosting company.
We at WPExplorer use WPEngine and our site is protected from hackers, malware and DDoS attacks. Plus it’s really fast. Companies like WPEngine give you the option of buying an integrated SSL certificate. The cost varies from 49 to 199 USD a year. You can also use third party SSL and they’ll help you setup and configure HTTPS in your site.
Conclusion
Over to you – what are your thoughts on this particular topic? Yay or nay on HTTPS? Have you used SSL in your site before? Do share your thoughts with us!
How does the boost in seo from having encryption compare to the presumed decrease in seo from having a slower site?
I honestly think the https increase for SEO is not significant enough to really stress about it. A fast site on the other hand, even if it doesn’t affect SEO too much is better for usability. Think about your visitors #1 and SEO second.
If your site is slower you should consider using better server software like nginx and enabling HTTP/2 to boost your performance. The slowdown of HTTPS is minimal on modern servers and clients.
I agree! If you have good hosting you shouldn’t even notice the HTTPS difference in speed.
SSL a doesn’t have any significant impact on site performance. Other than that error, great article.
SSL with SPDY protocol is actually faster then a non secured site and i did see a 10-15% increase in rankings for a local business site.
Nice!
HTTPS has been a ranking signal for a while now, see http://googlewebmastercentral.blogspot.co.uk/2014/08/https-as-ranking-signal.html for Matt Cutts comments on the value for SEO purposes. While it’s not an essential for all sites and their are arguments over the need to switch a non HTTPS site to HTTPS, it makes sense to set up new sites as https in preference.
wpexplorer does not use SSL 🙂 A deliberate choice?
We’re working on it. It’s a bit more of a challenge with a larger, established website. For new sites we 100% recommend using SSL from the get go – for older sites we highly recommend taking your time and consulting professionals (or possibly investing in some help).
Well written article! I strongly agree that HTTPS is mandatory for each and every website since major browsers started flagging HTTP sites as non-secure. Also, if any WordPress users are struggling to generate free SSL certificate in 2021 – WP Encryption WordPress plugin is my fav tool
Manually installing an SSL certificate on your WordPress website especially if you don’t have cPanel is very hard. That’s why I created the ssl zen plugin that will help you generate a free SSL certificate by Let’s Encrypt. Our plugin is used by more than 50,000 websites globally and we have a very active community.