If you don’t want the Chrome browser scaring your visitors away, here’s what you need to know…
Pages with any kind of form field on them should start with https:// instead of http://.
The “s” stands for secure: any data submitted through your website’s forms is encrypted on its way to the server.
If you aren’t using encryption on those pages, starting in October 2017, Google Chrome users visiting your website will see an intimidating “NOT SECURE” message.
Yes, that means your email opt-in forms will trigger this warning too. That’s what makes this relevant to so many site owners.
If your page is encrypted, Chrome will display a padlock and the word “Secure” next to your website URL in the address bar.
Don’t Be Afraid to Ask for Help
Let me start by saying this.
If all this techy stuff makes you nervous, please call your host and ask for help. They may have even better suggestions than I do.
I’ll be mentioning that a lot in this post, so please take my advice if you feel uncomfortable with any of these steps.
I’m doing a lot of disclaiming here because this post is more about a heads-up than a tutorial. Where you host your site will largely determine your steps.
Did You Receive This Email?
If you have a Google Webmaster account and your site is not yet secure, you might have received an email like this…
It lists all the pages that will show a “NOT SECURE” warning in October. The page you see listed above has an email opt-in form on it.
Most of you do not need this to encrypt credit card purchases on your domain. You’re probably using a 3rd party that has encryption already.
You are doing this to prevent annoying Chrome warnings on opt-in and form pages.
That’s why this announcement impacts so many people. I mean, who doesn’t have at least one page on their site with some kind of form?
How to Get Free Encryption
I have dedicated hosting for my most profitable websites through LiquidWeb (affiliate link).
Many hosting plans (especially high-end plans like VPS and dedicated) offer free AutoSSL. See if your host has this.
It took all of 3 minutes for the tech guy to set it up on my server.
Next, I installed the Really Simple SSL WordPress plugin to instantly redirect all my pages from http:// to https://.
If you’d rather not use a plugin for redirects, you can manually set this up with your .htaccess file. Call your host and have them set it up.
To verify that SSL is working, I went here to validate it.
Also, I’m not by any means saying this is the best way. It’s just the way I chose to do it, and it also seems to be a very popular and fast option for WordPress users.
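One way to check the http to https redirect yourself is to record the responses your site returns for an http:// address and audit them. The Python below is an added example, not part of the original post or of any plugin; the function name, the sample chains and the example.com host are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}


def audit_redirect_chain(hops):
    """Audit one recorded http -> https redirect chain.

    hops: list of (url, status, location) tuples in request order, where
    location is the Location header or None. Returns a list of findings;
    an empty list means the chain looks right.
    """
    if not hops:
        return ["no responses recorded"]
    findings = []
    first = urlsplit(hops[0][0])
    if first.scheme != "http":
        findings.append("chain does not start at an http:// URL")

    seen_https = False
    for i, (url, status, location) in enumerate(hops):
        is_last = i == len(hops) - 1
        if urlsplit(url).scheme == "https":
            seen_https = True
        elif seen_https:
            findings.append(f"hop {i}: downgrade from https back to {url}")
        if status in REDIRECTS:
            if status not in PERMANENT:
                findings.append(f"hop {i}: {status} is temporary, expected 301")
            if not location:
                findings.append(f"hop {i}: redirect without a Location header")
            if is_last:
                findings.append(f"hop {i}: chain ends on a redirect")
        elif not is_last:
            findings.append(f"hop {i}: status {status} before the end of the chain")

    final_url, final_status, _ = hops[-1]
    final = urlsplit(final_url)
    if final.scheme != "https":
        findings.append("final URL is not https")
    if final_status != 200 and final_status not in REDIRECTS:
        findings.append(f"final status is {final_status}, expected 200")
    # Only the scheme should change: same host, path and query string.
    before = (first.hostname, first.path or "/", first.query)
    after = (final.hostname, final.path or "/", final.query)
    if before != after:
        findings.append(f"URL changed besides the scheme: {before} -> {after}")
    return findings


# Constructed sample chains (example.com is a placeholder host).
CLEAN = [
    ("http://example.com/contact/", 301, "https://example.com/contact/"),
    ("https://example.com/contact/", 200, None),
]
TEMPORARY_TO_HOME = [
    ("http://example.com/contact/", 302, "https://example.com/"),
    ("https://example.com/", 200, None),
]
DOWNGRADE = [
    ("http://example.com/", 301, "https://example.com/"),
    ("https://example.com/", 301, "http://www.example.com/"),
    ("http://www.example.com/", 200, None),
]

if __name__ == "__main__":
    for name, chain in [("clean", CLEAN), ("temporary", TEMPORARY_TO_HOME),
                        ("downgrade", DOWNGRADE)]:
        print(name, audit_redirect_chain(chain) or "OK")
```

The hop tuples can be filled in by hand from the response headers your browser's developer tools show for each request in the chain.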
If Your Host Doesn’t Have AutoSSL Yet…
I don’t think most of you need to switch hosts or upgrade your plans — especially if you only have a few pages with opt-in boxes and other simple forms.
The video below also shows another FREE way of encrypting your website without buying an SSL certificate.
It’s called Let’s Encrypt, and here are the hosts that support it.
Don’t forget to PLEASE back up your site and database before making any of these changes.
To those of you using Website Palace (GoDaddy), I did call support yesterday because I also have a few sites hosted there on my reseller store as well. We can use Let’s Encrypt (above) but it’s a manual install. The bottom line is, call support and have them walk you through if you choose to install it. I may not even bother since mine are smaller, less significant sites.
Why Doesn’t Everyone Support Let’s Encrypt?
Honestly, hosting companies want you to buy an SSL certificate. So it comes down to money at the end of the day. But I don’t think most of you need to do this.
Thankfully AutoSSL and Let’s Encrypt are slowly rolling out to more and more hosts.
Free AutoSSL vs. Paid SSL Certificate
I won’t even pretend to fully understand all the technical differences between the free AutoSSL and a paid SSL certificate that you purchase from your host.
So anyone who is a pro at this techy stuff, feel free to fill me in.
As long as the web browser shows my site is secure and it validates, then I see no need to buy a traditional SSL certificate.
My web host agreed.
Plus, I’m not taking orders from any of my websites directly. I’m using 3rd party sites, and they already have SSL.
Again, I’m mainly doing this to prevent those Chrome warnings on form (opt-in) pages.
Do You Really Need Encryption?
Yes and no.
If you are taking payments directly from your domain then YES!
If you are not taking payments or collecting sensitive data directly from your domain, you don’t need it from a customer data protection perspective.
But…
That’s not going to stop Chrome from displaying the “NOT SECURE” message on opt-in pages and any other pages that include form fields.
Also, in 2014 Google introduced SSL as a “weak ranking signal.” Well, now it’s a stronger signal. See this article.
So if your site’s reputation with Google is something that concerns you, that’s another reason to look into this.
What About Notifying Google of The Change?
Did you register your website with Google Webmaster Tools?
Hope so!
This is where you verify all the sites you own with Google.
In a Q&A last year, John Mueller of Google confirmed that the engine is smart enough to figure out the change from http to https (provided nothing else changes in your URL).
However, he said you should still add the https version of your site as a new “property” in your Google Webmaster Tools account since it is seen as a separate site.
Also, I use the Google XML Sitemap plugin, and thankfully all my canonical URLs in my post/page headers and sitemap automatically updated to https.
If all this tech talk confuses you, once again, I recommend calling your host. This switch to https has been a VERY standard procedure lately so they should be able to guide you.
Let’s Sum Up Your Options (For WordPress)…
- If you collect sensitive data directly on your domain (credit cards, addresses, etc.) then you should definitely encrypt your pages. You can use AutoSSL or the Let’s Encrypt option in this video.
- If you still need to redirect your pages from http to https, use the Really Simple SSL WordPress plugin. Easy breezy!
- If you do not collect sensitive data, then you can wait for your host to get AutoSSL or Let’s Encrypt, or do nothing. Just remember, Chrome will warn your visitors on your pages with form fields.
- If you take orders via a 3rd party site instead of your domain, just ensure the order page starts with https:// or customers will be warned. Most 3rd party sites have taken care of this already.
- You should only consider buying an SSL certificate if none of the free options work and you collect orders directly from your domain.
- After your site has been encrypted with AutoSSL or Let’s Encrypt, validate your site here.
How Important Is This Really?
This is definitely something you should not ignore, but don’t lose sleep over it either.
Google warned us that using https would become a stronger ranking factor over time. Does that mean they will just drop all sites that don’t?
I doubt it, but you might move down a few spots for certain keywords — especially on pages with forms.
It’s really hard to know, and I’d be lying if I said I knew for sure. I just don’t keep up with SEO the way I used to.
If you are one of those people who follows everything Google says to the letter and you are very concerned about your rankings, then you should act on this sooner rather than later.
I’m actually more concerned about the Chrome warnings scaring people away.
Just remember, if you have opt-in boxes on every page, that means they will all trigger a “NOT SECURE” message in Chrome starting in October.
Not a good look.
Suggestions Are Welcomed and Encouraged
If anyone would like to offer additional suggestions and advice on SSL/encryption, please feel free to leave comments below.
I have not used Let’s Encrypt yet (the option in the video), so if anyone wants to share their experience with this, feel free to do so.
If your host offers AutoSSL or Let’s Encrypt, feel free to share the name of the company below.
Just remember, you have until October when Chrome will start warning your visitors that your form field pages are not secure.
Fady Soliman says
Hi Lisa, this is such a great and useful post helping webmasters to secure their sites with SSL certificates but I also noticed that there are several types of paid SSL certificates. Like high assurance certificates and low assurance ones. Does it matter to get an expensive high assurance SSL for SEO? or both would just work the same? Thanks again for this nice article.
Marc Trace says
Hello Lisa,
Which kind of redirect does the Really-Simple-SSL-WordPress-plugin create? Is it a 301-redirect, so that the contents are not considered as duplicate?
Thanks for this great post! Have a nice day
Ankur Naskar says
I have a very small site with shared hosting. I got a message from Google Webmasters that my site is not secure. One of my friends told me to go for Cloudflare’s free SSL. Is this free SSL helpful?
Shantanu Sinha says
Hey Lisa,
It is an overall good move because security and safety of the end users should be the main priority of the site owners and even Google’s!
The email opt-in part is the main issue here as most of us have these on almost all pages, sometimes even in multiple instances like at the bottom of the page, sidebars etc.
So far, your tutorial is the easiest that I have read and I guess it will be fairly straightforward to set it all up – and like you said, it is all for the Chrome warnings, otherwise we aren’t really asking anything much from the readers except perhaps their email ids!
Thanks,
– Shantanu
Kris says
Hi all,
Hoping someone can help me here. I just downloaded the Really Simple SSL plugin but it’s asking me for an ssl certificate? Thanks.
Moshe Chayon says
That’s what I like about WordPress.com: they automatically change my URL to https without adding any charges. Yes they are more expensive but I think it’s worth it.
Paris Forlidas says
Simple and very helpful article. Your recommendation of the Really Simple SSL WordPress plugin makes our lives even easier. I had no idea it was so simple to make an SSL installation.
Thanks Lisa.
Collins Agbonghama says
I use the Really Simple SSL plugin for all my sites and couldn’t be more happy with it. It’s literally a one-click setup of HTTPS/SSL.
Great post Lisa.
Solowayne says
This is a good example of aggressive marketing. Google just wants to compel the eCommerce website owners and the affiliate marketers to purchase SSL certificates. It should be noted that the SSL certificate is the most neglected hosting addon in every hosting company. Most people don’t purchase SSL certificates because it’s verrrrry expensive and irrelevant. Nowadays most small eCommerce website owners accept payment for their products and services via PayPal and other secure third party payment services which makes SSL certificates irrelevant.
The bloggers and the internet marketers don’t need SSL certificates because they only refer potential customers to the secure ecommerce websites. The bloggers who collect their web visitors’ email often use Aweber which already has SSL. SSL certificates simply encrypt sensitive information in transit to prevent it from being intercepted and read by a hacker. So websites like blogs which don’t accept credit card payments, directly collect email or offer user accounts, don’t need it. Another reason why an SSL certificate is irrelevant is because only 5% of the web visitors of most websites often check the secure lock icon on the address bar. In my own opinion, Google should create a platform where website owners can clearly state the objective/purpose of their website so that they can determine whether the secure or the dreadful insecure icon should be displayed alongside the URL of a website or blog. Umm this is my own humble contribution. Lisa, thanks for reading.
Franc says
It’s been more than a year since Let’s Encrypt left beta; it’s time for all website owners, hosts, agencies, and service providers to make the jump. There is increasing evidence that the longer you wait, the more risk you have of becoming blacklisted or labeled as “Not Secure”.
Bhawna Kaushik says
Hello Lisa
Thank you for this interesting and informative post. I have recently started blogging and am learning new things every day. I haven’t included SSL on my site yet. How much would it affect my rankings if I do not include it on my website?
Shimmer Technologies says
Hello Lisa, I am glad I found this blog post today. I have been meaning to change my site over and reading this post gave me another reason to do it, so it’s done. That plugin worked great and I ended up using Cloudflare’s free SSL certificate. Some additional things I did were changing my Google Analytics website over to HTTPS and my sitemap URL in my robots.txt file. Thanks for this great post!
DNN says
It’s a good thing I think that Google sent out a warning to bloggers and website owners that they have to have their sites updated by October. I agree with Google and here’s why. No one wants to do business with a blog or website who’s unsecured. The same goes for me. My site was showing as a threat in the Google Chrome browser a couple of months ago before I enabled SSL protection and installed my SSL certificate. After installing the SSL certificate and propagating my URL address to https, I noticed not only my search engine rankings improving, but my traffic improved and I am now on track for making more money. And my revenue has increased. That’s one thing I’m very happy about.
Dan B says
Hey Lisa!
Great article and information here…
This was actually floating around more than a year ago, but now Google has made it official by the looks of things!
and if you follow any major seo blog, they all say it helps with ranking! NICE
Great post have a great day
Lisa Irby says
Yep!! They actually warned us like three years ago but I ignored it. LOL! It all seemed too techy at the time. Glad it’s a lot easier now thanks to add ons and plugins.
Pete says
Hey lisa, great article and awareness of this upcoming issue! I personally had a real headache with one of my ecom sites changing to HTTPS… but got it figured out!! Thanks so much for the awesome information!
toefl madrid says
So hard to keep up nowadays with so many changes.
Lisa, Thanks so much for this kind of information. So valuable!!
I love your blog.
Alex says
I have known about this issue will occur one day, that’s why I have already bought SSL certificate and applied to my website. It really helped me a lot.
Amit says
Will it affect SEO?
Is there any way to get it done at no cost?
Ali Salman says
We know that from an SEO perspective it’s a huge advantage that you go to https. It will help your rankings and that should be a good enough reason to transfer. Great info Lisa
Crystal Santoría says
I wish I would have known about this a month ago. It’s fixed now. I have to restart with getting SEO back up and ranked again. I was ous for a month and a half because I didn’t want my site hacked. Thank God it’s secure again.
Techhiss says
Thanks for sharing this important and useful information. Can I get free SSL? as my website, http://www.techhiss.com is not secured.
Avant Hyatt says
Not too bother since we’re only offer free content on the blog and not to really ask for any persons to buy.
Mitch Mitchell says
I’ve been thinking about this and I’ve decided I’m not going to worry about any of it. I got the free upgrade for my main business site without knowing they wouldn’t cover all my sites and right now that’s good enough for me. Anything I sell off my site takes people to Paypal and it comes with that verified sticker; not that anyone’s buying anything off my sites anyway. lol
I do hate the scare tactic thing from Google but I figure I haven’t listened to anything else Google’s told me to do that I didn’t want to do, so why start now.
Lisa Irby says
Yeah Google is good at the scare tactics aren’t they? I..agree ..since you’re using PayPal, it’s really not that big a deal in your case. Most people will only check (if they EVEN check) once they are ordering and since PayPal has an SSL, I doubt you’ll be scaring people off. People who have checkout forms directly on their site without SSL are the ones that REALLY should be concerned. Always good to hear from you, Mitch!
Bob Stacey says
With all of Google’s vast resources and rules why don’t they offer the website encryption and be done with all the bs
Lisa Irby says
Or at least offer more detailed instructions for non-techies. Since they aren’t really into the web hosting biz, I can understand why they wouldn’t get into the SSL game, but the lack of info and scare tactics gets annoying.
DNN says
The https:// are officially in the bag. It was a tid bit embarrassing to see the Google Chrome browser a few months ago say that DNN site was “unsecured.” Has to fix that. Installed the SSL certificate on the server & A+ ok now!
AJ says
Your privacy policy link in the footer is still unsecured, just saying.
DNN says
Thanks for letting me know. Forgot to add the (s) at the end and update that page. Good looking out, friend!
Charlie says
Help Lisa, I use a blogger Blog, does that need SSL too as there’s no “plugin” for blogger blogs?
Lisa Irby says
Google will no doubt take care of that since it’s a Google product. So I wouldn’t worry.
C.A.R. says
This was total news to me. No one can say they didn’t have time to get their SSL before the issue becomes a problem. Chrome usership is growing by leaps and bounds.
Dave says
Thank you very much for this article, Lisa. It makes a lot of sense (talk security).
Um.. sorry to bug you Lisa, but it seems your site is not yet encrypted.
Though, bearing the “https”, I almost couldn’t visit it had I not added it to an exception list on my chrome, and BBq10.
And that did not remove the red warning tag presently on my screen.
.
Once again, thank you for your timeless articles and more power to your typing hands.
*Keep up the good work*
Lisa Irby says
Hmmmm…. interesting. OK thanks for letting me know. Will look into this! So odd. I’ve checked on several different PCs, browser and even my Macs and they all come back secure. Weird.
Brian says
Thanks so much for this post, Lisa!
Quick question…you said you contacted your host and they made the switch to https. Then, you said you used a plug in to redirect all URL/articles from http to https. But later, you said the URL’s were updated automatically through Google XML Site maps anyway.
Did I miss something? Meaning, if XML Sitemaps updated the URL’s automatically, why was the redirect plugin necessary?
Thanks!!
Lisa Irby says
Great question. I should have explained that better.
When your hosts turn on AutoSSL, nothing happens in the browser. Your URLS are still http.
The Simple SSL plugin is what forces the browser to use https if someone types your site in the browser or visits from a search engine.
The Sitemap is an XML file that lists every link/URL on your site. It’s what the search engines use to see a listing of every URL in your domain. It lives in your site’s root directory.
Those URLs should also be updated from http to https. Google will probably figure this out once you do the Webmaster Tools update I mentioned in the post, but it doesn’t hurt to make sure your sitemap is updated too.
Make sense?
Brian says
Hi Lisa,
Thanks so much–that definitely made sense.
One more quick thing–what do you do to protect your websites? Do you use any kind of firewall?
I’m specifically asking because it relates to me getting an SSL Certificate. Long story short, I use Sucuri’s firewall to protect my websites, but my web host says I cannot install the SSL Certificate because my domain is pointing to their firewall, rather than the hosting provider’s server. They say this is also a problem whenever the SSL has to renew every 90 days.
So, to solve the problem, I can of course just permanently stop using the Sucuri firewall–but then my sites are more vulnerable.
So, I was just wondering if you use any kind of website protection or firewall? And if so, did it make installing and renewing your SSL Certificate more difficult? And if you don’t use any protection/firewall, has that caused concern for you when it comes to online attacks or so forth?
I’m trying to figure out a good solution in regards to this slight dilemma, cause it’s literally the only thing stopping me from getting a SSL Certificate.
Thanks,
Brian
Lisa Irby says
Great question! I am actually using my host firewall instead of Sucuri’s but I do use Sucuri for scanning and cleaning. There haven’t been issues with the renewal. Does your host offer a firewall option? Most provide something for free.
Brian says
Oh they do? I honestly am not even sure I knew that before! I have a few websites, so I use InMotion and SiteGround. I guess I’ll have to research it!
Thanks for the tip.
How have you found you’ve fared with the host’s firewall over the years? Any problems, or fairly smooth sailing?
Lisa Irby says
I have had malware issues over the years but my problems have pretty much disappeared since getting Sucuri in 2016. Best investment ever! Fortunately though I’ve never had major issues. I’m also on dedicated hosting which is more secure than shared. It’s great you use Siteground. They are one of the best!
Trish says
Hi Lisa! Thanks for the heads-up! I use TMD Hosting, largely because they provide free Let’s Encrypt certificates! It’s not as manual of a process as you might think – I go into my cPanel and issue a Let’s Encrypt SSL certificate. For the first few, I was creating help tickets asking for them to be signed, but then I realized if I just wait, it happens automatically and I don’t have to ask for intervention. From there I change my WordPress general settings to display the https://www. version of my site by default and make sure that it’s registered in Search Console.
Lisa Irby says
HI Trish! Yep, I believe it’s only more manual for GoDaddy customers because of their backend so that’s what I meant.
But the video I posted here makes Let’s Encrypt look pretty easy so that’s great you confirmed it! Sweet!
Small Biz Geek says
To anyone reading this…
I found a video showing how GoDaddy customers using shared Linux hosting can install Let’s Encrypt on their site.
https://www.youtube.com/watch?v=GPcznB74GPs
The only drawback is that these certificates do not auto renew every 90 days because Let’s Encrypt is not officially supported by GoDaddy.
Apparently, it IS possible to set up an auto renew instruction using a cronjob (a Linux command) which I believe involves using SSH (command line interface) as opposed to the normal way of logging into and accessing a server via the webhost’s website.
Renewing the certificate is mentioned here in the FAQ of Zero SSL (which is demoed in the video) – https://zerossl.com/ssl-faq.html
You can renew it any time within the 90 day window. I’ve added a certificate for my site. All I gotta do now is change my WordPress URLs using a database search and replace. Lots of plugins do this.
I’ve also been using Let’s Encrypt with Dreamhost because they officially support LE, meaning the certificate is automatically renewed. I don’t need to do anything.
Lisa Irby says
Thanks Darren
Kevin Ross says
Hi Lisa…
How are you?
Long time no hear. Unassumingly… we both are (or have been) pretty busy in both LIFE and business.
Anyway…
Thank you for the head’s up on Google’s HTTPS update, effective October 2017.
However, I’ve been using the “HTTPS” protocol for a few years now, in spite, my challenges figuring out what would be best for a website nearing a decade-old now.
I also like (and agree) wholeheartedly on the advice shared in the above article. By the way… it is a phenomenal read.
Until next time…
Take care, and I’ll be watching for your next update.
LOL
Lisa Irby says
Hey Kevin,
Good for you for being ahead of the game! Way to go!
AJ says
Out of interest, how were you able to retain your social media share count after switching to https?
Lisa Irby says
Don’t quote me on this, but it seems I remember reading that the networks are actually now able to follow links when you create 301 redirects — which is what I created when I moved to https. So that’s a good thing!
AJ says
Weird, I switched my sites over to https a few months ago, coded a 301 in the htaccess file, but the social media share counts were back to zero. Maybe it depends on the share tool you’re using, not sure. It doesn’t matter much though, but still, it would have been nice to retain those counts. Lucky you haha.
Lisa Irby says
I did wonder that too. Might have been the Social Warfare plugin. If so they need to market that!! lol That’s a nice benefit!
Mitchell Allen says
Hi Lisa,
Thanks for this information. I’m Evernoting it until I can take action.
Cheers,
Mitch
Cathy says
Lisa, your site is coming up for me as not secure in chrome and firefox I had the same problem after encrypting and had to hire a tech guy to find the issue and fix it.
Lisa Irby says
Are you seeing this on the comments or on the homepage? I noticed the homepage is fine, but the comment boxes here are still showing that but the homepage is. Yes, my host is working with me on the rest of the areas. This is soooo much fun! Not!! lol And thank you. I will probably have an admin make sure it’s all done. This is waaaay over my head.
Cathy says
The home page is fine but your posts are where I’m seeing it. Not the comments necessarily but the post itself.
Lisa Irby says
Ahhh yes, I see it now. Yes, it’s probably my search forms that still need to use https. My host is going to fix me up, thank you!
Small Biz Geek says
You have a mixed content warning.
The following image is being served over http:
https://blog.2createawebsite.com/wp-content/themes/daily-dish-pro/images/bg.png
Your style.css is causing the issue at line 985. Take a look:
.enews {
    background-color: #ddd;
    background-image: url('https://blog.2createawebsite.com/wp-content/themes/daily-dish-pro/images/bg.png');
    padding: 2px;
    margin: auto;
    width: 100%;
}
Just change the http to https. Easy!
Lisa Irby says
Yep! I was on the phone with my host trying to figure it out and I was fixing this as you were typing this! LOL Thanks Darren.
Small Biz Geek says
You can always use relative URLS to link resources. If you use absolute URLS, the http will always produce the mixed content warning. This issue is def to do with your stylesheet. Best thing is to do a find and replace on your absolute URL to swap out http for https.
Lisa Irby says
Yes I know it was the image link. It was fixed Monday. Are you still seeing mixed? If you are still showing mixed it might be cached. That’s what happened to me after changing. It was still showing mixed till I opened Incognito Window. It’s showing secure for me on all pages now. Will def change that link to relative. Thank you, Darren!
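The mixed content problem discussed in the comments above (an absolute http:// image URL inside a stylesheet) can be found before visitors see a warning by scanning theme files for insecure references. The Python below is an added example, not code from the post or its commenters; the function names and the sample markup on example.com are constructed. It reports line numbers and skips relative and protocol-relative URLs as well as ordinary `<a href>` links, which are navigation rather than mixed content.

```python
import re
from html.parser import HTMLParser

# Absolute http:// references inside CSS: url(...) and @import "..."
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)
CSS_IMPORT = re.compile(r"""@import\s+['"](http://[^'"]+)""", re.IGNORECASE)

# Attributes that make the browser load a subresource or submit a form.
LOADING_ATTRS = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "embed": ["src"],
    "audio": ["src"], "video": ["src", "poster"], "source": ["src"],
    "object": ["data"], "form": ["action"],
}


def scan_css(css_text, first_line=1):
    """Return (line, kind, url) for every insecure reference in CSS text."""
    hits = []
    for offset, line in enumerate(css_text.splitlines()):
        for pattern in (CSS_URL, CSS_IMPORT):
            for match in pattern.finditer(line):
                hits.append((first_line + offset, "css", match.group(1)))
    return hits


class _MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        names = list(LOADING_ATTRS.get(tag, []))
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            names.append("href")
        for name in names:
            value = (attrs.get(name) or "").strip()
            if value.lower().startswith("http://"):
                self.hits.append((line, f"{tag}[{name}]", value))
        if attrs.get("style"):  # inline style="background: url(...)"
            self.hits += scan_css(attrs["style"], line)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # contents of a <style> block
            self.hits += scan_css(data, self.getpos()[0])


def scan_html(html_text):
    """Return (line, kind, url) for insecure subresources and form targets."""
    parser = _MixedContentParser()
    parser.feed(html_text)
    parser.close()
    return parser.hits


# Constructed sample inputs (example.com is a placeholder host).
SAMPLE_CSS = """.enews {
  background-color: #ddd;
  background-image: url('http://example.com/theme/images/bg.png');
}"""
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/theme/style.css">
<style>
.enews { background-image: url('http://example.com/theme/images/bg.png'); }
</style>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="/images/logo.png">
<script src="//cdn.example.com/app.js"></script>
<form action="http://example.com/subscribe" method="post"><input name="email"></form>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_css(SAMPLE_CSS) + scan_html(SAMPLE_HTML):
        print(hit)
```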
Ricardo says
Seriously Lisa I don’t know what I would do without your regular updates. I am usually up to date with the latest technology but can never seem to get these shifts and changes Google is making all the time (you have changed that).
Google is at it policing the internet again. Wish they were not so strict, a simple form can trigger such a response. I see the need for this update but they should at least make the warning less ominous. People will definitely take such a simple warning in some cases as being a major red flag for a website. Again thanks for the update Lisa, don’t know what I would do without you being Google’s official spokesperson (lol).
Lisa Irby says
Awww thank you Ricardo!! And LOL @ Google’s spokesperson!!! Ha ha ha!
Yes, Google has a way of intimidating people with their updates. This one is definitely important, but they could do a better job of breaking things down as most people with websites are not server admins (including me!) and it can make people freak out if they don’t understand what’s going on.