You may be wondering why it’s worth getting pro help to convert your site to HTTPS when your host has ways to do it for free.
Well, I’ll give you 10 good reasons why.
Not Equivalent Services
Before we get into the top 10 reasons, let’s be clear on this.
When you’re comparing the cost of getting pro help with your HTTPS conversion to doing it the free way at your host, you are not comparing apples to apples.
You’re not even comparing apples to oranges.
It’s more like apples to rocks.
They are not even close to the same service.
Here’s what you don’t get for free and 10 reasons not to go that route.
The #1 Reason Not to Convert to HTTPS for Free
If the free way worked well, I would have done it for my own sites.
Like you, I don’t have all the time and money in the world to put into my sites.
And I’m ALWAYS looking for ways to help site owners DIY everything they can. That’s why I’m primarily in the business of education.
If quick HTTPS tactics worked, I would have taken that route too, and then made tutorials to show you how to do it.
Instead, I had to invest over 100 hours of research and testing to find what did work well.
Now I help my DIY site owner clients fully convert their sites and save designers all that research and headache too by teaching how to do it in the Webmaster Training courses.
Note I said help my clients convert. It’s a partnership and there are elements they can DIY in it, saving them money.
Your site is not actually converted to HTTPS.
Nope. Your links are not actually converted to HTTPS.
All of your HTTP links are simply redirected.
Let that sink in.
It’s not just the links to your pages and posts.
Every link on your site is redirected.
- Header logo image
- Every link called in by your theme
- Linked images in widgets, like the sidebar and footer
- Links in your content
All those redirects happen every time a post or page is requested on your site.
That’s both a performance and a security issue.
A plugin is used to redirect all of your links.
All of these SSL/HTTPS plugins are not created equally either.
They have various ways of doing their jobs, and some don’t catch everything.
Have fun manually finding and fixing what they miss and not setting up more conflicts or multiple redirects.
You’re stuck with a plugin forever to keep HTTPS status.
I want you to think about all of the plugins you’ve ever used.
Ever had a plugin:
- cause glitches after an update?
- stop being supported?
At some point, browsers will start issuing in-your-face warnings anytime you visit a non HTTPS site.
Can you afford for that to unexpectedly happen just because a plugin is having a bad day?
We’re talking about every post and page on your site giving a warning, not just some plugin function you can work around.
You’re stuck with your host to keep HTTPS status.
Every host that offers free HTTPS conversion has their own duct tape / chicken wire way of doing it.
The minute you move to a new host – POOF!
There goes your HTTPS status.
Ever had to:
- move your site in a hurry?
- restore your site to a new host from a backup?
NONE of your site links were actually converted to HTTPS.
Your backup is all HTTP.
Have fun with that migration copy not breaking in the new host environment, or them knowing what to strip out from the old host.
If your site were actually converted to HTTPS, you could change hosts anytime and in any way.
You are left to mop up all of the mixed media issues.
If there are any HTTP links the plugins don’t catch, you’ll get a Mixed Media warning on that page/post.
Have fun manually finding and fixing them yourself.
Once I had to chase down a 1×1 pixel that kept folks from right-click saving an image. It’s not even something you can see.
And don’t expect any help from your host. They don’t support WordPress at that level.
FYI, the Why No Padlock tester is the least accurate mixed media tester on the web. Have fun figuring out what’s real or not with that.
Also, be super careful with any Content Security Policy suggested by ad networks to block HTTP sources and ads. More details here
You may get a green padlock due to browser blocks.
Getting a green padlock denoting that all elements are being delivered via HTTPS is the goal.
But you may only be getting it, instead of mixed media warnings, because non HTTPS elements are being blocked by the browser.
I’ve seen folks lose money with ad scripts and such being blocked.
And you’ll never know that it’s not working because you still see the ad image.
Too many redirects.
The regex redirect code used by hosts to force HTTPS can cause up to 4 redirects before landing on the actual page.
I know. I’ve tested 14 of them, including those recommended by the host.
In fact, I’ve had to go to Tier 3 support and system admins to get answers about some of them. Turns out, what works best is entirely dependent on how your server is set up. Even at the same host, what should be equivalent servers are set up differently. They’ll argue that’s not so, but deeper checks revealed it.
Yet hosts continue to suggest one blanket set of regex code for all.
That is both a performance and security issue.
What’s even worse, some of those use 302 redirects, which dump all the Google link juice.
You can kiss your SEO goodbye.
Got any redirects in your .htaccess or cPanel or redirect plugins?
Yep, those get redirected a more than once too.
Missing security headers.
To submit your site to Chrome’s Safe Preload list, you need a minimum of the HSTS security header.
All other browsers copy that list with Google’s blessing.
To date, there are 6 security headers, 4 of which are best practices to ensure that every browser can verify your HTTPS secure site status.
With new phishing site tactics to impersonate safe sites on the rise, it’s likely more than the HSTS security header will be required.
Check your site security header score if you’ve already gone the free route.
On Qualsys Labs you should get a minimum of an A+.
On SecurityHeaders.io you should get a minimum of a D and most sites should get a B.
(I don’t recommend trying to get an A on this score at this time, as 2 of the headers are not standardized for all browsers yet.)
No host will even tell you about this, much less help you do any of it.
Your Google Analytics and Search Console accounts are not properly updated.
Yeah, that’s one of those 3rd party update things the instructions from the host don’t even mention most of the time.
You’ll need to verify all 4 versions of your site with Search Console and know how to deal with the old and new XML sitemaps.
You’ll also need to set the new preferred canonical.
That’s important because so many of my clients decide to drop the www during the conversion process as well.
You most certainly don’t want to confuse the beegeebees out of Google with which URL version to index.
Plus, you’ll want your Analytics tracking to keep going without interruption as well.
There are several other common 3rd party accounts that require site URL verification that will need to be updated as well.
Even though site owners can DIY that task, they appreciate having help making the list of accounts that can be affected.
Site elements can break.
You want to know about and take measures with those BEFORE you convert your site.
That’s where hiring experienced help really pays off.
It’s also why I provide an in-depth pre-conversion checklist.
It’s also why I do the conversions the way I do.
We have a checkpoint midway into the process where one line of code can be changed to revert back to the original site links if we run into anything catastrophic or unexpected. I haven’t had to do that yet, but the fail safe is there.
You have zero fail safe when going the free route.
Why Hosts Offer Free Conversion Methods
Two reasons – demand and overhead.
Demand – there are millions of site owners who will want to convert to HTTPS this year. Any host that offers a free and easy way for clients to DIY it is going to get more sales and retain more existing clients.
Overhead – host support departments are being chewed alive in overhead by requests to issue free SSL certificates and to convert sites. So now they are simply proactively issuing SSL certificates to all sites and making 1-click methods for clients to do the conversion themselves.
It’s the same reason hosts offer 1-click, free WordPress setup.
And that’s not fully secured or set up either.
But hey, it’s free and easy, right?
Ask any site owner who has been hacked how much free costs. Heck, they don’t even have to be hacked for it to cost. I saved one of my site audit clients $2400/yr in hosting due to bots running wild on her site from a lack of basic security.
Going the free route with HTTPS is the same thing!
You miss a lot.
Get Experienced Help
Ready to get your site actually converted to HTTPS and have peace of mind that it has been done properly and you’re not missing anything?
I’m here to help.
Plus, you know I’ll be staying on top of this and if things do change down the road, you’ll be kept ahead of the curve too.