Anything that hurts the credibility of a website is bad business. The “not secure” warning sign displayed in modern web browsers such as Firefox and Chrome is disturbing to users. If your website starts showing up as not secure, you better fix it fast (especially if your site is earning money!)
Back in 2017, the Google warned everyone about a coming update that it would start giving preferential treatment to websites which used https instead of http (think of the “s” as standing for security).
On July 2018, Google began to mark domains that didn't use HTTPS as “not secure”. Fast-forward to today and websites that use HTTPS get a boost on the SERPs, demonstrated by the fact that almost every site with a page 1 ranking has this security feature.
So let's dig in and figure out why your website is showing as not secure!
Answer: You Haven't Installed A Security Certificate (HTTPS)
What is HTTPS And Why Should You Care?
HTTPS stands for Hypertext Transfer Protocol Secure and is an extension of HTTP (Hypertext Transfer Protocol). It’s a system used for securely transmitting information over computer networks.
All communications are encrypted using Transport Layer Security (TLS) or SSL (Secure Socket Layer), its predecessor. Both are implemented for the same purpose and that’s to transmit info securely.
Implications to Consider
Cybersecurity is a mess right now. They’ve been too many breaches in recent years and that’s why strong security is a must for any company, including a plain old website like you have.
HTTPS basically secures communications between your server and the client’s browser or computing device. Your web servers default security system isn’t powerful enough to protect user data without HTTPS.
Sensitive information such as banking passwords, credit card numbers or any PII (Personally Identifiable Information) can be intercepted by anyone on your network. Even stuff like email addresses and surnames can be a security problem for some people! Imagine looking for ways to make money online and your boss finds out you're looking for an exit strategy. Personal data security is important!
The difference is quite simple. Regular HTTP transmits data in plain text while HTTPS encrypts it. With the former, all someone with malicious intent has to do is break into the communications between your site and web browsers. At which point, they can see everything that’s being transmitted.
From a business standpoint, a visitor wouldn’t trust your site if they saw the ‘not secure’ alert. This will affect your sales or conversions and negatively impact any ongoing online marketing activities.
Even a simple warning like “Your Connection Is Not Private” Can scare away people. Plus, you need to actually click “Advanced” then “Proceed” to access the http website. Traffic & conversions will drop off a cliff
Reasons to Secure Your Website At a Glance
- Encrypted Communications – Provide your users with peace of mind, knowing that anything they do on your site won’t be easily tracked and stolen. Encryption protects all communications from prying eyes.
- Data Integrity – The possibility of receiving corrupted data is slimmer. This is especially useful for companies that offer SaaS (Software as a Service) products such as cloud storage. Plus it benefits both users and provider since communication is two-way.
- Required Authentication – This ensures your visitors are on the right website and authorized to transmit info.
How to Secure Your Website If You Do Not Have HTTPS Yet
Contact your web hosting provider by phone or chat and tell them you wish to purchase or add HTTPS to your site. SSL or TSL certificates are offered by many hosting companies and domain registrars. How yours will be set up will depend on how you built your site.
The process can range from a simple flick of a switch, to a multi-step, multi-hour-long process.
While Namecheap was my registrar, I had to purchase an SSL certificate from them, then connect it manually via my VPS at Knownhost. It was a pain. While I hosted at WebSynthesis, I had to email them privately to generate the security certificate.
Working with Kinsta was magnificent. I just clicked a button and my free SSL certificate was generated and implemented. There's a reason they can charge $200/month for hosting and thousand of people pay for it!
How to Get SSL for FREE
I highly recommend that you purchase your own. However, there are several ways to get one for free. The only company that I trust if you want to go this route is Cloudflare. They’re a US-based company that provides CDN (Content Delivery Network), security and domain name services.
Don’t worry. It’s not a very technical process and you won’t have to install any code to get a free SSL certificate from Cloudflare. All you have to do is go signup for a free CDN.
A CDN sits between all incoming traffic, your server, and website. Essentially, it serves as an intermediary between transmissions to filter out malicious intent or illegitimate web traffic.
Also, your website won’t slow down but actually, becomes faster since Cloudflare has over 150 servers located all over the globe. Every time someone visits your site, Cloudflare will transmit or deliver data using the closest server to them. For example, if a user from New York (NY) want X, the CDN system picks the closest server to NY and sends the requested package.
Sign up for an account and use the following instructions to set up HTTPS. Keep in mind, this is a “shared SSL” certificate, so may not provide the best security if you're accepting credit card payments or other highly sensitive data.
Why is it free? They're doing the “freemium” model thing, where you get some features for free in the hopes that you'll really like their service and upgrade later as you become more aware of specific features you want like increased speed and uptime guarantees.
If you're running an affiliate business (the topic of my website here), I recommend just getting SSL through your host or registrar, or flat out paying for the CDN rather than going on the free tier. Cloudfare PRO will only cost you $20/month, or my recommended host Kinsta provides a CDN for free.
Getting The Most Out of HTTPS for SEO
Verify the following details after switching to HTTPS as an additional measure. This will ensure that your website remains SEO-friendly.
- 301 redirect all HTTP-based incoming traffic to the HTTPS version of your domain.
- Update all your internal links to HTTPS variations. This helps you avoid any unnecessary URL redirects when users and bots try to follow links.
- Add/verify the HTTPS variations of your domain name in GSC (Google Search Console) and Bing Webmaster Tools. Make sure to do this for www and non-www versions.
- Update or regenerate applicable sitemaps with HTTPS URL variants and resubmit to search engines.
- Keep monitoring your website for 404 errors so that you can redirect any missed pages accordingly.
What If Only Some Pages Are “Not Secure” (No Padlock)?
Installing your security certificate may not be the end of your troubles! Most websites these days will be built from the start using security certificates, but some older sites that convert from HTTP to HTTPS could have individual pages which are still reading as not secure.
This is because there are some elements on the page which are still using the old HTTP links. For example, your blog post could be https://mywebsite.com/blog-post, but an image URL on the page is http://mywebiste.com/my-image-url. This is known as having “mixed content”.
Fixing these errors requires a few more step I outline in the video below (starts at 6:55). Earlier parts of the video show a certificate installation, so you can watch that too if you want.
WordPress Insecure Content Fixer is also a great plugin to use if you're having mixed content issues.
Security Should be Top-of-mind
Search engines take security seriously and so do your customers or visitors. That’s why web browsers show the ‘not secure’ alert. Securing your domain should be a top priority if you want to run a successful business or website. For more website security, check out my top picks for WordPress security plugins.