Yes, you need HTTPS
First, let’s get this question out of the way. Why do you need HTTPS for your WordPress site?
- WordPress is moving toward requiring HTTPS, and has said that some new features will only be enabled for sites that use it.
- Google likes HTTPS, so it helps your ranking. Google announced HTTPS as a ranking signal back in 2014, so sites that use it have been getting an SEO boost for years.
- If any information moves between the browser and the server, it needs to be encrypted. Without HTTPS, when you log in, your username and password cross the network in plain text, readable by anyone on the path (the coffee-shop Wi-Fi, a compromised router, your ISP). One stolen password and your entire site is compromised. And failing to protect customer or user data in transit can lead to all sorts of legal trouble.
- It can make your website MUCH faster. Many people don’t realize it, but the current standard for web traffic is HTTP/2, which sends many requests over a single connection and is considerably faster than the old HTTP/1.1. Browsers only speak HTTP/2 over TLS, so without HTTPS you can’t use it. Ask your host if they have HTTP/2 enabled on their servers. (If not, you should really be with a different hosting company… like us!)
There is a lot of misinformation out there (like “it’s easy, all you need to do is use X or do Y.”) and there are a lot of horror stories too (like “I hired a ‘developer’ to do this and my site crashed.”) However, HTTPS is here to stay and it will only become more and more necessary. Hopefully this will give you the information to make an informed decision about what’s best for your business.
Get a Certificate
The first step is to have an SSL/TLS certificate installed for your site. Often your host can help with this. Certificate prices vary and the installation can be done yourself or for a fee. You could be looking at $20 to $110+ for the certificate and install. However, many modern hosting companies (like Sprout Studio) offer this service for free, usually with a Let’s Encrypt certificate that renews automatically.
Configure Your Site
Second, you need to configure your WordPress website to use HTTPS. This is where most people have problems. There is a lot of misinformation and many horror stories out there. Often, people just set up a redirect to send old links from HTTP to HTTPS. However, this is not enough. There are typically two culprits: mixed content and a confused WordPress site.
Why WordPress gets confused
If you have been using your website for any period of time, the site is used to serving content over HTTP. This is as simple as having http://yoursite.com instead of https://yoursite.com anywhere files or posts are referenced in your site. This appears in a number of locations, but the most important is Settings > General, where you tell WP what the URL for your site is (the WordPress Address and Site Address fields, stored in the database as the siteurl and home options). In addition, there are a lot of other links to posts, and especially to images, that point to HTTP.
What Is Mixed Content?
As a result, when a browser receives a page over HTTPS, some of the links and images on it point to https:// and others still point to http://. Browsers treat that as a problem: if the page itself came over an encrypted connection, every resource it loads is expected to come over one too. What the browser does about it depends on the type of resource. Active content (scripts, stylesheets, iframes, fonts) is blocked outright, usually with nothing more than a console message you will never see unless you open the developer tools. Passive content such as images may be shown with a warning, upgraded to https:// automatically, or blocked, depending on the browser version. So images disappear, or worse, blocked scripts and CSS leave your website looking strange or not working at all.
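A quick way to find this before and after the switch, added here as an example that is not from the original post: a small POSIX shell function that scans HTML for subresources loaded over plain http:// and labels each one active or passive. The sample markup and the example.com domain are constructed for the example; in practice you would pipe in the output of `curl -s https://yoursite.com/` for each page template you care about.

```shell
#!/bin/sh
# Find mixed content in an HTML document read from stdin.
# The markup below is constructed for this example (example.com is a placeholder).
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="http://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="https://example.com/wp-content/uploads/ok.png">
<img src="http://example.com/wp-content/uploads/old.png">
<a href="http://other.example/">external link: navigation, not mixed content</a>
</body></html>'

# Tags whose URL attributes the browser fetches as subresources. Anchors are
# deliberately excluded: following a link is navigation, not mixed content.
tag_re="<(script|link|iframe|img|source|video|audio|object|embed|form)[^>]*(src|href|srcset|action|data)=[\"']http://[^\"']*"

# Print one line per http:// subresource: KIND<tab>tag<tab>url
# Active content (scripts, styles, frames, form posts) is blocked outright by
# browsers; passive content (images, media) may be warned about or upgraded.
find_mixed_content() {
    tr '\n' ' ' |
    grep -oE "$tag_re" |
    while IFS= read -r tag; do
        name=$(printf '%s' "$tag" | sed -E 's/^<([a-z]+).*/\1/')
        url=$(printf '%s' "$tag" | sed -E "s/.*(src|href|srcset|action|data)=[\"']//")
        case "$name" in
            script|link|iframe|object|embed|form) kind=ACTIVE ;;
            *) kind=PASSIVE ;;
        esac
        printf '%s\t%s\t%s\n' "$kind" "$name" "$url"
    done
}

# Number of http:// subresources found on stdin (0 means the page is clean).
count_mixed_content() {
    find_mixed_content | wc -l | tr -d ' '
}

printf '%s' "$SAMPLE_HTML" | find_mixed_content
```

On the sample above it reports the stylesheet and jQuery as ACTIVE and old.png as PASSIVE, and ignores the https:// image and the external anchor. Anything listed as ACTIVE is what breaks a page silently after the switch, so fix those first.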
An Easy Fix
The easiest solution is to just install a plugin like Really Simple SSL, however this does NOT fix the problem. Instead it just masks it. Each time a page is served, the plugin buffers the generated HTML, scans it for http:// references and rewrites them to https:// on the fly. If you don’t have caching configured correctly, that work happens on every request and can really slow down your site. Don’t get me wrong, it’s a well coded plugin and often “just works.” And many times, this is what you need: something easy that just works. In many cases though, I have seen that if someone doesn’t know how the plugin works to begin with, they don’t know enough to set up caching correctly either (and usually have cheap shared hosting).
How To Do It Right
This is not meant as a tutorial, because this process really should not be attempted by a DIYer or someone who does not know the ins and outs of these systems. There really are a dozen things that can go wrong.
It is meant to inform bloggers and website owners of what the correct process is and combat the misinformation out there. Anyone can claim to be a “developer” and have lots of “experience”, but that doesn’t mean they actually know what they are talking about. If you do get help, make sure they are going to follow a similar process.
- Change the WordPress Address and Site Address in Settings > General (the siteurl and home options) so your site knows its URL has changed.
- Set up .htaccess (or the equivalent in your server configuration) so every old http:// link is redirected to https:// with a permanent (301) redirect.
- Check wp-config.php for anything that fights the change: a hard-coded WP_HOME or WP_SITEURL still pointing at http:// (it overrides the settings you just changed), a COOKIE_DOMAIN that no longer matches, and whether FORCE_SSL_ADMIN is set so the login cookie stays on HTTPS. If a proxy or CDN terminates TLS in front of the site, WordPress also has to be told the request was HTTPS, or it will keep emitting http:// URLs and redirect in a loop.
- Update all references in the database from http://yourdomain.com to https://yourdomain.com. This step is very dangerous and should not be attempted by someone who does not understand the WP database, serialized data, or good backup/restore strategies. Much of WordPress’s data (widgets, theme options, plugin settings) is stored as PHP serialized strings that record the length of each value, so a plain SQL REPLACE() that turns “http://” into “https://” silently corrupts them; use a tool that unserializes and reserializes (WP-CLI’s search-replace does). Also, replace only the exact http://yourdomain.com prefix, not every “http”, since that would also rewrite external links.
- Enable HTTP Strict Transport Security and a Content Security Policy (specifically the src directives and upgrade-insecure-requests). Be careful with HSTS: once a browser has seen the header it refuses plain HTTP for your domain for max-age seconds, so confirm the whole site works over HTTPS first and start with a short max-age.
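The five steps above as one script, added here as a worked example and not code from the original post. It assumes a self-hosted site at example.com with WP-CLI (`wp`) on the PATH, Apache with mod_rewrite and mod_headers honouring .htaccess, and no TLS-terminating proxy in front of the server (the wp-config snippet covers that case). The domain, the backup file name, the `SITE` and `WP` variables and the function names are all assumptions of the example.

```shell
#!/bin/sh
# HTTPS cut-over for a self-hosted WordPress site with WP-CLI and Apache.
# Assumptions (example, not the post's own procedure): site is example.com,
# `wp` is on PATH, .htaccess is honoured, TLS is terminated by Apache itself.
set -eu

SITE="${SITE:-example.com}"   # assumed domain
WP="${WP:-wp}"                # WP-CLI binary

# Steps 1 and 4: backup, then switch the site URL options and rewrite the
# database. Only the exact scheme+host is replaced, so external http:// links
# survive. guid is skipped on purpose: changing it makes feed readers treat
# every post as new. wp search-replace unserializes/reserializes PHP data, so
# widget and plugin settings keep valid length prefixes. Pass --dry-run first.
migrate_db() {
    "$WP" db export "pre-https-$(date +%Y%m%d-%H%M%S).sql"
    "$WP" option update home "https://$SITE"
    "$WP" option update siteurl "https://$SITE"
    "$WP" search-replace "http://$SITE" "https://$SITE" \
        --all-tables --skip-columns=guid --report-changed-only ${1:-}
}

# Step 3: surface wp-config.php constants that override the options above or
# affect cookies, and make sure the login cookie is only ever sent over HTTPS.
check_wp_config() {
    "$WP" config list --fields=name,value |
        grep -E 'WP_HOME|WP_SITEURL|COOKIE_DOMAIN|FORCE_SSL' || true
    "$WP" config set FORCE_SSL_ADMIN true --raw
}

# Steps 2 and 5: the .htaccess block to place above the WordPress rules.
htaccess_rules() {
    cat <<'EOF'
# Force HTTPS. If a CDN or load balancer terminates TLS, %{HTTPS} is never "on"
# and this rule loops: test %{HTTP:X-Forwarded-Proto} !=https instead.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<IfModule mod_headers.c>
  # HSTS: start with a short max-age; raise it to 31536000 (and only then think
  # about preload) once every included subdomain serves valid HTTPS.
  Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
  # Browser-side upgrade of any http:// reference the database replace missed.
  # A safety net, not a substitute for fixing the content.
  Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>
EOF
}

# Only for sites behind a TLS-terminating proxy/CDN: paste above the
# "stop editing" line in wp-config.php. Trust X-Forwarded-Proto only if the
# proxy overwrites it on every request; otherwise a client can spoof it.
wp_config_snippet() {
    cat <<'EOF'
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
define('FORCE_SSL_ADMIN', true);
EOF
}

case "${1:-}" in
    dry-run)   migrate_db --dry-run ;;
    migrate)   migrate_db && check_wp_config ;;
    htaccess)  htaccess_rules ;;
    wp-config) wp_config_snippet ;;
    *) echo "usage: $0 {dry-run|migrate|htaccess|wp-config}" >&2 ;;
esac
```

Run `dry-run` first and read the per-table report; only then run `migrate`. Put the output of `htaccess` at the top of .htaccess, before the `# BEGIN WordPress` block, and use `wp-config` only if a proxy sits in front of the server. Roll out the CSP src directives in Content-Security-Policy-Report-Only first: with the inline scripts and third-party assets most WordPress plugins emit, a strict policy breaks things fast, and the report-only header tells you exactly what it would have blocked.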
Making The Best Business Decision
At the end of the day, it is a business decision: do it right or do it cheap/free. There are a dozen different areas of your business that are clamoring for your time and money. There is no wrong answer, as long as you make an informed decision. However, when speaking to online business owners, I always recommend they not skimp on the following areas: hosting, updates, security, & backups. The rest can always improve with time, but if your site is not solid, you are building on a house of cards and just waiting for trouble.
If you don’t have an experienced developer to help you transition your site to HTTPS, feel free to let us know: firstname.lastname@example.org