The Internet isn’t a very safe place for confidential talk. There are thousands of prying eyes waiting to leech your personal information – your street address, your phone number, and your credit card information. That’s why most companies use the Secure HTTP (HTTPS) protocol when processing confidential tasks. Today we’re going to talk about HTTPS and debate on whether we actually need it in our sites.
Some Technical Tea
HTTP is a protocol used by web servers and clients (browsers) to communicate and transfer webpages and files. There are loads of other protocols like FTP, SSH and BitTorrent.
HTTPS is a secured version of the HTTP protocol which uses SSL (Secure Sockets Layer) encryption. How SSL works in the background requires a bachelor’s degree in Computer Science and a solid understanding of cryptography. Thanks to the concept of abstraction, we need not worry about that. Just remember:
HTTP + SSL = HTTPS
In a nutshell, HTTPS performs a public/private key “handshake” before any data is transferred. Once the handshake is done, the connection is established and the secured session begins. When you visit an HTTPS site, all of this happens almost instantaneously, before you see the green indicator in your browser’s address bar.
Four Reasons Why HTTPS Is Great
1. Top-notch Security: With SSL, your connection is encrypted. A virtual tunnel is created through which only the server and the browser can communicate. Nobody else can interpret that channel. Even if the attacker taps into that channel, he wouldn’t be able to make sense of the encrypted data. He would need the private key which is only known to the browser.
2. Scrutiny: HTTPS requires an SSL certificate, and acquiring one for a business is a serious process. It requires official documents to be submitted, which are verified by the Certificate Authority (CA). The SSL certificate is issued only when the documents pass validation.
3. Legitimizes Businesses: When you visit an SSL-secured site, you can be certain of the site’s credibility. You can always obtain the necessary contact details of the owner from the site’s SSL certificate.
4. Data Integrity: Data integrity refers to the consistency between the data requested and the data actually received. Consider this example: someone visits your site for a particular post on XYZ server setup instructions. At the end of the post, you leave an affiliate link. On an unsecured site, an attacker could easily tap into the connection and send your visitor tampered data. In all probability, he’ll replace your affiliate link with a phishing link. Thus there’s a monumental difference between the data requested and the data actually received – the integrity of the data is destroyed. With SSL, none of this is possible!
Here’s The Catch:
Establishing a secure connection requires substantial computation power from both the server and the client. This results in a slower transfer rate when compared to HTTP. That’s why most sites don’t use HTTPS all the time. They wait till the moment you try to log in or make a purchase. E-commerce sites like Amazon and Newegg follow this rule. This way the browsing is blazing fast and purchases are secure.
Do I Really Need HTTPS In My WordPress Site?
Good question, but it’s not a simple yes or no answer. So let’s discuss this at length.
Search Engines prefer HTTPS Sites (yes)
Here’s a quote from a recent post at the Google Webmaster Central blog.
…over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms.
This does not mean that your SERP rank will fall if your site doesn’t have HTTPS. For now, at least. Vigilant people will take this as an early indicator of what the future holds. A lot of people are complaining and questioning Google’s decision. Why on earth would you use HTTPS on your static blog? To prevent hackers from reading your visitors’ comments? Heck, even the Google Webmaster Blog isn’t using SSL!
Scenarios Where Sites Should Use HTTPS
There are plenty of situations where HTTPS should be used as an added layer of security. Here are some examples where it should be applied:
1. E-commerce Stores
If you’re running a WordPress store using WooCommerce or iThemes Exchange, it would be most wise to use HTTPS on the transaction pages of the site. As you already know, HTTPS is slower than HTTP, which affects the user’s browsing experience. However, when it comes to someone’s confidential information like home address, phone number or credit card details, sacrificing speed for security is a necessity. You should always use HTTPS in the following scenarios:
- A new user registers or logs in
- A user is about to make a payment
2. Donation Pages
Some sites display a small donate button in their sidebar, and almost all of them don’t use HTTPS. Here’s what can go wrong. Since the site isn’t secured, an attacker can easily manipulate the site’s data to show fraudulent information, such as replacing the PayPal donate button with a link to a phishing site. When a visitor (or rather, donor) clicks on that fraudulent link, his account is at risk of being compromised. So, if you’re using a donate button on your site, try to incorporate SSL.
3. Membership Sites
A lot of Internet entrepreneurs run private forums and membership sites using WordPress. Such sites carry private data – data you don’t want the public to see. Using SSL in such cases would eliminate data integrity threats and create a secure environment for your members to interact. It’s like killing two birds with one stone:
- Better security
- Boost customer confidence and trust
4. Sites Hacked In The Past
If your site is a victim of a targeted attack or was recently hacked, then you should seriously consider switching to an SSL-encrypted site. Recovering from a hacked site can be done using personal expertise and/or with the help of WordPress security experts (such as Sucuri).
To shield yourself from future attacks and add an extra layer of security, force HTTPS on your entire site. However, since SSL consumes a lot of server resources, your site might become quite slow depending on your server configuration. You don’t want that. Thus, you could also use SSL selectively, only on the login pages and while working in the WordPress administrator dashboard.
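The two options above (HTTPS on the whole site, or only for login and the dashboard) correspond to settings in WordPress’s wp-config.php. The following is an added example, not code from the original post; it assumes a site at example.com that is served either directly over TLS or behind a TLS-terminating reverse proxy that sets the X-Forwarded-Proto header.

```php
<?php
// wp-config.php fragment (added example; replace example.com with your own hostname).

// If a load balancer or CDN terminates TLS and talks plain HTTP to WordPress,
// PHP never sees HTTPS in $_SERVER, so is_ssl() returns false. Trusting the
// proxy's header fixes that; otherwise WordPress would redirect in a loop or
// emit http:// asset links (mixed content) on an https:// page.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Option A: selective SSL. WordPress serves wp-login.php and everything under
// /wp-admin/ over HTTPS and redirects plain-HTTP requests for them, so passwords
// and the admin cookie are never sent in the clear. Public pages stay on HTTP,
// which is the "login pages and dashboard" compromise described above.
define( 'FORCE_SSL_ADMIN', true );

// Option B: HTTPS on the entire site. Setting the home and site URLs to https://
// makes WordPress generate https links everywhere (menus, scripts, stylesheets,
// canonical URLs), so visitors are not bounced between schemes and no mixed
// content is produced. Pair this with a permanent http:// -> https:// redirect
// at the web server so old links and bookmarks still land on the secure version.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Note: WordPress marks its authentication cookie Secure only when the login
// request itself arrived over HTTPS (is_ssl() is true). That is why the proxy
// block at the top matters: without it, a site that is actually HTTPS would still
// issue cookies that a browser is willing to send over plain HTTP.
```

Keep Option A if you only want logins and the dashboard protected; add Option B once the whole site is served over HTTPS, since https:// URLs on a site that cannot serve them will simply fail to load.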
Setting Up SSL In WordPress
Setting up SSL is a complicated and tedious process. It requires technical expertise and substantial time, and there’s a lot of room for error. I would strongly recommend talking to your hosting manager to help you get set up with SSL (check out GoDaddy; with our link you can save 25% on an SSL certificate). If you’re determined to switch to an HTTPS site, then it is a safe bet to assume that your budget can incorporate the cost of a managed WordPress hosting company.
We at WPExplorer use WPEngine, and our site is protected from hackers, malware and DDoS attacks. Plus it’s really fast. Companies like WPEngine give you the option of buying an integrated SSL certificate. The cost varies from 49 to 199 USD a year. You can also use a third-party SSL certificate, and they’ll help you set up and configure HTTPS on your site.
Over to you – what are your thoughts on this particular topic? Yay or nay on HTTPS? Have you used SSL in your site before? Do share your thoughts with us!