Misconceptions and old rumors abound about converting your site to HTTPS including, why you should do it, why an SSL certificate and plugin are not enough, loss of backlinks, why a green padlock could be misleading, plus site security and performance issues.
Clear up those myths and see how to avoid headaches with the conversion process.
Myth 1: I don’t sell anything so I don’t need HTTPS
Just because you don’t take payments on your site doesn’t mean you don’t need to convert to HTTPS.
Encrypting your site’s data, both to and from the visitor’s browser makes surfing the web safer for everyone.
And visitors are definitely starting to be more savvy about looking for that little green padlock in the URL bar now too.
That’s mainly because browsers are starting to warn them about it in any fields they fill in on your site.
Want folks to sign up for your newsletter?
UPDATED 8/20/17 – This is a reality now. Google Chrome will show a NOT SECURE warning on any non-https sites collecting any type of data. Details here
You may start losing some of those when a browser warns them that their email address is being sent on an unsecured connection.
For more, read Why do I need HTTPS if I don’t sell anything on my site?
Myth 2: No Loss of Backlinks or Ranking
Two parts to this myth:
- backlinks from other sites
- links from Pinterest
You could be losing valuable backlinks to your site and lowering your ranking with Google if your site is not HTTPS.
Here’s a real world example that I’ve seen with my clients.
- Site A features a link to Site B.
- Site A converts to HTTPS and discovers a mixed media warning on the link to Site B.
- There is no HTTPS version of the link from Site B because they have not converted yet.
- Site A removes the link to Site B.
A mixed media warning would knock Site A out of HTTPS encrypted delivery.
And that warning is visible to visitors, so it’s a big no-no.
Site B is just going to lose that valuable backlink until they convert their site to HTTPS.
Here’s another real world example.
- Site A is in a blogging carnival.
- Common images are shared from Site B with multiple other sites, including Site A.
- Site A is HTTPS and Site B is not.
- All of the image links from Site B cause mixed media warnings on Site A.
The choices for the Site A owner are:
- Not to participate in the blogging carnival
- Or upload all of the images to her own site
Neither of those choices is ideal.
So it behooves every site owner involved to convert their sites to HTTPS asap or they stand a chance of being shunned as a source of images in blogging carnivals as more and more participants make the switch.
If you get a real HTTPS conversion, you will not suffer any redirect issues of your Pinterest links.
HTTPS is a protocol.
If converted properly, all traffic is forced to simply connect to a different, secured port on the server from your HTTP link.
If converted improperly, it could set up a redirect chain from hell. And I doubt Pinterest will be very happy with that!!
You will need to update the link to your Pinterest profile to https as well. But you won’t need to reverify your site. (Same with all other social platforms.)
Myth 3: All I need is an SSL Certificate.
Two parts to this myth:
- Host issued SSL
- Cloudflare issued SSL
“My host issued a free SSL certificate for my site. Why isn’t HTTPS working right yet?”
I see this question posted in site owner forums and groups a LOT.
An SSL certificate is only one element in the process. It certifies the encryption level of the secure connection through the HTTPS port at the host.
All of the links on the site must also be converted to HTTPS too, meaning that they must connect through the secure HTTPS port at the host, not the unsecured HTTP port.
The free way of making this change simply redirects the links from one port to the other. The links are not actually HTTPS. Read on for more about this.
If you use CloudFlare, or another CDN, your site data has two legs in the journey.
- The path from you host to Cloudflare
- The path from Cloudflare to the visitor’s browser
If an SSL is not at both sources, the host and Cloudflare, you’re only encrypting the data for half the journey.
Cloudflare issues its own SSL certificate from Comodo, which is THE most trusted issuer in the world. So, that part of the journey is taken care of.
Most hosts use the free Let’s Encrypt SSL certificate, which is fine if you don’t take payments directly on your site.
But, if your site is not properly converted to make use of the secure HTTPS port, that opens you up to man-in-the-middle peeping Toms and hacks.
In other words, you don’t have end-to-end encryption.
Plus, if you ever need to put Cloudflare in Development mode, or delete your site from Cloudflare for troubleshooting, poof goes your HTTPS.
Myth 4: My host can do it for free or with a plugin.
Were it that simple!!!!
This is the duct tape / chicken wire way.
Your site is not actually converted to HTTPS!
Many hosts are trying their best to make it easy for site owners to DIY an HTTPS conversion.
- pre-issuing free SSL certificates
- changing a couple of links
- Providing or recommending a plugin to redirect all links from HTTP to HTTPS.
Read that again – the plugin only redirects all links.
That includes all page/post permalinks, plus all of the internal links on those pages/posts.
Not only is that a performance issue, it’s a security issue.
Those links are all over the place, in places like:
- WordPress itself
- The database
- All of your page/post content
- Theme files
- XML sitemap links
The links in the theme files can be especially problematic for calling in things like your site logo image and favicon.
Ask yourself this – do you really want your header logo image file to be redirected on every page load?
And then there are the redirects you intentionally create. They can be all over the place too, like in redirect plugins, .htaccess, cPanel, etc. The plugins just aren’t going to cover all those. And the ones they do cover are now going to have multiple redirects.
Plus, you need to force all versions of your site URLs to use the new HTTPS canonical.
Have fun figuring out which regex code to put in your .htaccess file.
I’ve tested 14 of them, including the ones leading hosts recommend, and the ones added by plugins.
So far, all but 2 give undesirable redirects and neither of them are recommended by hosts or used by plugins.
Some of these codes redirect 3 times before landing on the proper link.
That will cause a performance issue and may even lead to a warning for too many redirects.
Worse, some of those regex codes give 302 redirects instead of 301, which drops coveted “link juice” with Google.
So, while a plugin may seem like a good way to go for ease, look at how it actually works. It’s awful for your site.
And you’re stuck with that plugin for the entire time you own your site too.
It’s WAY better to actually get the site converted properly and not rely on something that could break or may not be around in a year or two.
Myth 5: I have a green padlock so I’m all done.
That green padlock may be displaying because non HTTPS elements of your site are so egregious that they are being blocked by the browser.
Beyond that, the visitor’s browser is checking the SSL certificate score and for additional security headers. Those headers have to be added manually.
The main security header you need, according to Google and other security entities, is HSTS so the browser will see this as a safe, truly encrypted site and preload it.
There is even a Chrome HSTS preload safe list that you have to submit your site to. And other browsers are making use of that list now too (with Google’s blessing).
If you are getting anything less than an A score, you’re missing things you need.
Myth 6: HTTPS will make my site more secure.
Yes and no.
HTTPS will make the data traveling to and from your site more secure, in that it is encrypted. That means hacker Peeping Toms can’t see it as it travels across the internet because it’s like having a brown paper wrapper around it that can’t be poked through or torn off.
But HTTPS will do nothing to secure your site from other hack attacks that come mainly through open doors to your site, like
- plugins and themes that are out of date
- brute force attacks
- lack of security at the root
You still need to secure your site from the root up. And it’s a good idea to get on a paid WAF (Web Application Firewall) now too.
Forget those behemoth security plugins getting the job done. In fact, most of them are just resource hogs and aren’t fully protecting your site.
Don’t be fooled into thinking your site is more secure because of HTTPS. Get a full site audit. I find an average of 26 security holes and performance drags that no plugin can find.
Myth 7: HTTPS will slow my site down.
Now we have the HTTP/2 protocol and all major browsers have adopted it. And the HTTP/3 protocol is right around the corner with even more speed.
With HTTP/1, all data to and from a site had to travel in a serial fashion, meaning one bit after the other.
With HTTP/2, multiple data streams can travel in parallel, radically increasing the speed.
Browser adoption of the HTTP/2 protocol is one of the main reasons why we now have such a push to move forward with HTTPS encryption.
Want help with your HTTPS conversion?
All of my clients can tell you how much cheaper it is to hire a pro than to try to DIY this kind of project because it’s so invasive and involves so many site elements. I provide a pre-conversion checklist so we catch all those gotchas and address them prior to the conversion. Makes the whole process smoother.
And I don’t clean up botched conversions either. They are just too invasive to every element on your site to try to undo.
This is one project you definitely want to get help with and KNOW that it’s right.
Want to learn how to do HTTPS conversions for your clients?
Designers – this training is made with you in mind.
I‘ve spent over 100 hours researching and testing all conversion methods on the web, including the ones many leading hosts make available. And I’ve put the easiest and best method together for you.
In just one afternoon with the Webmaster Training course you can go step-by-step through the process and learn how to do it the right way the first time.
And the best part – one conversion job will pay for the training. You’ll be taking business you couldn’t get before too.
Webmasters also enjoy support from me and other webmasters in our private Facebook group and live meetings. That alone is a pot of gold resource!! Read testimonials on the home page and see for yourself.