About a year ago, Google announced that it had started using HTTPS as a factor in deciding where to rank a website in search results. Since then, HTTPS has been a very lightweight ranking signal that affects only about 1% of global search queries and carries less weight than other ranking factors such as mobile-friendly design and high-quality content.
Although HTTPS-powered websites get only a minor boost in search ranking, that small boost matters when the competition in your niche or industry is fierce. Security has always been one of Google's top priorities, and it may strengthen the HTTPS signal in the near future to make the web more secure. So, to be on the safe side, you should switch your WordPress site to HTTPS now.
HTTPS: What Is It?
HTTPS, which stands for Hypertext Transfer Protocol Secure, is the secure version of the standard HTTP scheme used by the World Wide Web for data communication. Unlike HTTP, it runs the HTTP exchange over a security protocol, SSL (Secure Sockets Layer) and its modern successor TLS (Transport Layer Security), to establish a "secure connection" between a web server and a client (the user's browser). This secure connection ensures that data transmitted between the server and the client stays confidential and cannot be altered undetected by anyone sitting on the network path between them. The name "SSL" has stuck in hosting panels and certificate shops, but every current deployment actually uses TLS; the old SSL protocol versions are deprecated and should be disabled on the server.
As of now, HTTPS is not only the industry standard for protecting transactions online but is also used by a number of reputable websites, including Yahoo, Facebook and now Wikipedia. You can spot an HTTPS connection by the green padlock icon displayed right before a website's name in the browser's address bar. In a nutshell, HTTPS gives your website a solid layer of transport security.
How Does It Work?
To pass information securely over the connection, HTTPS-enabled pages use the SSL/TLS protocol, which provides the following three key protections:
- Encryption: Data exchanged between the server and the client is encrypted, so that it cannot be read by an unauthorized party. This means that while a user is browsing the site, someone else on the same network (a public Wi-Fi hotspot, an ISP, a compromised router) cannot read the pages, form submissions or cookies that pass by. The domain name and IP address being contacted are still visible to an observer; the contents are not.
- Data Integrity: Data going from the server to the client and vice versa cannot be changed or edited in transit by an external entity without the change being detected; a tampered record fails its integrity check and the browser rejects it.
- Authentication: The server presents a certificate, issued by a certificate authority, that binds its public key to the site's domain name, which proves to the browser that it is talking to the genuine site. This is what defends against MITM (man-in-the-middle) attacks, where an attacker intercepts and alters the communication between the client and the server; without authentication, encryption alone would just be encrypting traffic to the attacker.
Difference between HTTP and HTTPS
Below are the criteria that differentiate HTTPS from HTTP:
URL Scheme: HTTP URLs begin with "http://", whereas HTTPS URLs begin with "https://".
Default Port: HTTP uses port 80 by default, whereas HTTPS uses port 443 by default.
Security: HTTP is insecure because everything it carries, including passwords and session cookies, crosses the network in clear text and can be read or modified by anyone on the path, which is what makes man-in-the-middle attacks trivial. HTTPS is designed to withstand such attacks and is therefore considered more secure than HTTP. Neither protocol stops phishing by itself: a phishing site can obtain a certificate too, so the padlock vouches for the connection, not for the honesty of the site.
Network Layer: Both HTTP and HTTPS operate at the application layer, the topmost layer of the TCP/IP model. The difference is that HTTPS inserts the SSL/TLS layer between the application layer and the transport layer (TCP): HTTP messages are encrypted before they are handed to TCP, so TLS sits above TCP and below HTTP.
Encryption & Certification: HTTPS requires your website to have a certificate for its domain, issued by a certificate authority that browsers trust, and it encrypts the entire communication between the client and the server, including URLs, headers, cookies and form data. HTTP requires neither encryption nor a certificate.
Benefits of Using HTTPS over HTTP
Security: HTTPS creates an encrypted tunnel between the client and the server for data communication. This ensures nobody else can eavesdrop on, modify or corrupt data during the transfer. Even an attacker who can capture or inject traffic on the path sees only ciphertext and cannot decrypt it without the session keys.
SEO: As I mentioned in the intro of this post, Google gives a small ranking boost to websites that use an HTTPS connection. While it is not a major ranking factor for now, Google stated that it wants to give webmasters enough time to switch their websites to HTTPS, which suggests the signal will be strengthened in a future search algorithm update. So, if Google loves HTTPS, why shouldn't you?
Trust: Many users refuse to share personal information with a website that does not use an HTTPS connection. The green padlock before your website's name tells users that you take security seriously and that what they type cannot be read in transit, which makes them more comfortable sharing private information. Keep the limits of that signal in mind: the padlock means the connection is encrypted and the certificate matches the domain, not that the site behind it is honest or well maintained.
Situations When a WordPress Site Should Use HTTPS
There are many scenarios in which a WordPress site needs the extra layer of security that HTTPS provides. Below are some of them:
E-commerce Site: If you are running an eCommerce store on WordPress, you absolutely need an HTTPS connection, since you are collecting users' confidential information such as credit/debit card details, contact numbers and addresses. HTTPS adds a small handshake and CPU cost, but that is a trade worth making. At a minimum, the sign-up/login and payment pages must be served over HTTPS; better still is the whole store, because a session cookie set on an HTTPS page is sent in the clear again on every HTTP page unless it carries the Secure flag, and an attacker who captures it can act as the logged-in customer.
Donation Pages: If you have a donation page on your WordPress site, it should be served over HTTPS. Without it, the page can be rewritten in transit by anyone between the visitor and your server, for example on a public Wi-Fi network: an attacker can swap the link behind your donate button for a phishing page of their own and collect the donor's card details and personal information. HTTPS prevents that rewrite because the browser rejects a page whose contents were altered on the way.
Membership Site: If you are running a WordPress-powered membership site or private forum, you should switch it to HTTPS. Such sites hold a large amount of users' private data, and members' passwords and session cookies cross the network on every login and page view. HTTPS keeps that data from being read or altered in transit and gives members a safe channel for communicating.
Booking/Reservation Site: If you have integrated a booking/reservation system into your WordPress site or blog through which you accept payments, you must use an HTTPS connection. Even if you do not accept payments online, a booking form collects names, contact details and often an account login, so the same reasoning applies and HTTPS is still the right choice.
If the Site Was Ever Hacked in the Past: Yes, you read that right. If your site has been compromised before, deploy HTTPS across the entire site so that the admin password and login session can no longer be sniffed on the wire, which is one common way an attacker gets in. HTTPS does not fix whatever vulnerability was exploited the first time (an outdated plugin or theme, a weak password), so clean and patch the site as well. If you are worried that site-wide HTTPS will slow things down, you could at least enforce it on the important pages such as login, dashboard and payment, though site-wide HTTPS is the cleaner option.
Using HTTPS with WordPress
Moving a WordPress site from HTTP to HTTPS is a fairly straightforward process. Just follow the steps below:
Obtain an SSL Certificate: The first thing you need to implement HTTPS on your website is an SSL/TLS certificate, which you can purchase from a commercial certificate authority (CA) or obtain free of charge from a CA such as Let's Encrypt. Decide what kind of certificate you need (single domain, multi-domain or wildcard), generate a private key and a CSR (Certificate Signing Request) on your server and submit the CSR to the CA. You will get an email with instructions for validating that you control the domain. Once domain validation is complete, the certificate will be sent to your email address. Keep the private key on the server and never send it to anyone; the CA only ever needs the CSR.
Install It on Your Server: After receiving your certificate, upload and install it on your web server, together with the private key you generated and any intermediate certificate the CA supplied; on most shared hosts this can be done from cPanel. Before touching the server, back up your entire site (files and database) so you can restore everything if something goes wrong.
Configure WordPress to Use SSL/HTTPS:
To move your WordPress site from HTTP to HTTPS, change its URL from http to https. Go to Settings >> General in your Dashboard, add "s" after http in the WordPress Address (URL) and Site Address (URL) fields and click Save Changes. Do this only after the certificate is installed and the https:// address of your site loads in a browser, because WordPress starts redirecting to the new address immediately and a broken certificate will lock you out of the dashboard. Note that absolute http:// URLs already stored in posts, widgets and theme options are not changed by this setting; until they are updated too, those pages will show mixed-content warnings.
To enforce administration over SSL, set the constant FORCE_SSL_ADMIN to true in your wp-config.php file, as follows:
define('FORCE_SSL_ADMIN', true);
Make sure to place this line above the "That's all, stop editing! Happy blogging." line in your wp-config.php file. It forces HTTPS for both the admin area and the login page, so the admin password and the authentication cookie are never sent in the clear. If your host terminates TLS on a load balancer or reverse proxy in front of WordPress, WordPress may not detect that the connection is already HTTPS and will redirect in a loop; the WordPress documentation on administration over SSL covers the extra wp-config.php setting for that case.
Once you have done that, you just need to do two more things:
- Set up a 301 permanent redirect: To redirect every plain-HTTP request to its HTTPS equivalent, add the following code at the beginning of your .htaccess file, above the block WordPress manages between the "# BEGIN WordPress" and "# END WordPress" markers:
<IfModule mod_rewrite.c>
RewriteEngine On
# Only requests that did not arrive over TLS are rewritten
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent; a bare [R] would send a temporary 302
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]
</IfModule>
Remark: Replace yourdomain.com with your site address.
- Inform Google of the URL change: Now visit your site. If "https" with a green padlock appears before your site URL, re-add your WordPress site with the https:// address in Google Webmaster Tools and follow Google's site-move guidance to let it know about the URL change. If the padlock is missing or shows a warning, the page is almost certainly still loading some images, scripts or stylesheets over http:// (mixed content); fix those references before telling Google anything.
Alternatively, if for some reason you only want HTTPS on particular pages of your site, you can use the WordPress HTTPS (SSL) plug-in.
Finally, run your site through the Qualys SSL Labs test to check the certificate chain and the protocol and cipher configuration of the server; it flags deprecated SSL versions and weak ciphers that a valid certificate alone does not fix.
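The check that SSL Labs does not do for you is the one that most often costs the padlock after a WordPress move: post content, widgets and theme options still hold absolute http:// URLs, and a page served over HTTPS that loads a script or stylesheet over http:// is blocked by the browser, while an http:// image at least removes the padlock. The following Python script is an added example, not code from this article or from WordPress; it lists the mixed content on a rendered page, rewrites the http:// URLs that point at the site's own host (the search-and-replace you would run against the database), and reports what still needs a manual decision. The host names www.yourdomain.com / yourdomain.com and the sample page are constructed for the example.

```python
"""Post-migration check for a WordPress site that has just moved to HTTPS.

Added example, not code from the article or from WordPress. Two steps a
migration needs once the Site Address has been switched to https://:

  1. find_mixed_content(): list sub-resources a page still loads over
     http://. "Active" content (scripts, frames, stylesheets, plugins) is
     blocked outright by modern browsers; "passive" content (images, media)
     at least costs you the padlock.
  2. rewrite_internal_urls(): rewrite absolute http:// URLs that point at
     the site's own host(s) to https://, which is what has to happen to the
     post content, widgets and options stored in the database.

The host names and the sample page below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# (tag, attribute) pairs whose URL the browser fetches as part of the page.
CHECKS = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",      # only when rel="stylesheet", see below
    ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentParser(HTMLParser):
    """Collects (severity, tag, attribute, url) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <link rel="canonical"> and friends are metadata, not loaded resources.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        for (t, attr), severity in CHECKS.items():
            if t != tag:
                continue
            url = (a.get(attr) or "").strip()
            # Scheme-relative "//host/x" and https:// URLs are fine; only a
            # literal http:// scheme is mixed content on an https:// page.
            if urlsplit(url).scheme.lower() == "http":
                self.findings.append((severity, tag, attr, url))


def find_mixed_content(html):
    """Return the list of http:// sub-resources found in an HTML document."""
    parser = MixedContentParser()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_internal_urls(html, hosts):
    """Rewrite http://<host>... to https://<host>... for each of our own hosts.

    Third-party http:// URLs are deliberately left alone: forcing https:// on
    a host that does not serve it only breaks the resource, so those need a
    manual decision (an https-capable CDN, a local copy, or dropping them).
    """
    out = html
    for host in hosts:
        # The lookahead stops "http://yourdomain.com" from also matching
        # "http://yourdomain.com.evil.example".
        pattern = re.compile(r"http://" + re.escape(host) + r"(?![\w.-])",
                             re.IGNORECASE)
        out = pattern.sub("https://" + host, out)
    return out


def migration_report(html, hosts):
    """Rewrite our own URLs, then return (fixed_html, remaining_mixed_content)."""
    fixed = rewrite_internal_urls(html, hosts)
    return fixed, find_mixed_content(fixed)


# Constructed sample: a page as WordPress might render it right after the
# Site Address was switched, with leftover absolute http:// references.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="canonical" href="http://www.yourdomain.com/post/">
<link rel="stylesheet" href="http://www.yourdomain.com/wp-content/themes/x/style.css">
<script src="https://www.yourdomain.com/wp-includes/js/jquery.js"></script>
<script src="http://ajax.example.net/lib.js"></script>
</head><body>
<img src="http://www.yourdomain.com/wp-content/uploads/logo.png">
<img src="//cdn.example.net/banner.png">
<iframe src="https://player.example.org/embed/abc"></iframe>
<a href="http://www.yourdomain.com/about/">About</a>
</body></html>
"""

OUR_HOSTS = ["www.yourdomain.com", "yourdomain.com"]

if __name__ == "__main__":
    for severity, tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{severity:8} <{tag} {attr}> {url}")
    fixed, remaining = migration_report(SAMPLE_PAGE, OUR_HOSTS)
    print("still mixed after rewriting our own URLs:")
    for item in remaining:
        print("  ", item)
```

On the sample page the scanner reports the theme stylesheet and the logo (both on your own host, so the rewrite fixes them) plus a third-party script that stays on http:// and needs a human decision; after the rewrite only that script remains. Run the rewrite against the wp_posts and wp_options content rather than against rendered pages when you do it for real, and be aware that WordPress stores some options as PHP-serialized strings whose length fields must match, so use a serialization-aware search-and-replace tool for those rather than a raw SQL REPLACE.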
That’s all!
About Author
Ajeet is a senior web developer at WordPressIntegration – Best PSD to WordPress Service, where he is responsible for writing custom JavaScript code during the conversion process. In his spare time, he writes on different topics related to JavaScript, WordPress, and HTML5 to share his work experience with others.