Many of you may have already read about this. Google announced last August (2014) that using HTTPS encryption will positively influence your ranking on the web.  Last June Chrome announced it would show warnings for CMS or ecommerce sites without SSL certificates where logging in forms are involved come January 2017. Let’s discuss the reasons behind SSL Certificates SEO as well as security wise and how to get your site using it.

What is HTTPS / SSL

HTTPS is a secure way of communicating information over the web. SSL is a form of encryption used for online security (TLS is another). Its certificates are used to authenticate a secure connection and to make sure the source is genuine. We use SSL or SSL Certificates for websites to basically have a website server that can make secure connections to your computer. This so you can visit the website, interact with it without others being able to eavesdrop on you.

This is vital when you enter private data on forms. It is also important that when you or your customer enters payment details that others cannot gain access to it. In insecure environments such as internet cafes and airports using unsecured wifi connections the risk of others eavesdropping and getting your privacy data or payment details is huge.

Note Good Comodo article on https and SSL here.

To check whether a site is secure you need to click on the icon before the address in the browser address bar. When there is a padlock you can click on it to see how the security is setup. The location where the link or site address is shown. For example:

When there is none it is NOT secure. In Chrome you will then see an i icon in a circle. When you click on it it will tell you the connection is not private:

If the site uses an SSL certificate, but part of the loaded content is not secure you will see a warning in the browser address bar:

Chrome will show a red warning sign.

This could put people off as people do not like warnings that sites are insecure.  Gray padlocks in Firefox mean that people can eavesdrop on you

See a great Firefox article on it here and one by Chrome here.

SEO Benefits of Secure Hosting

Google has been promoting the use of encryption of your website data with HTTPS for quite some time. HTTPS stands for HTTP over SSL or Secure HTTP. HTTP is the protocol that makes the web run. Basically it makes sure that the data sent from the server to you and vice versa is encrypted and that it cannot be eavesdropped upon. And that is good for security and to promote that Google has decided to promote it by counting it as part of a sites’ ranking. Three, as mentioned in the intro, Chrome will show your website is not secure when you use a CMS or ecommerce site come January 2017. Another very good reason to upgrade from http to https Chrome being the dominant browser on the web.Warnings will increase non visits and or bounce rate and reduce traffic in general causing ranking to decrease as well.

So, the main SEO reasons to get an SSL certificate are:

• Google Ranking Brownie points
• Chrome not not giving of warnings where payment details are asked insecurely come January 2017
• Chrome not giving of warnings in the future where there are privacy concerns
• Privacy through security – Not directly SEO related, but important all the same

Commercial SSL Certificate

To get an SSL Certificate and encrypted site traffic you need to get an SSL certificate. Most hosters offer indoors solutions. Imagewize is on a VPS with Dreamhost and they offer Comodo Certificates and have an easy mechanism to install these. They write about site security and certificates here. Ask your hoster if they offer SSL certificates. In 99.99% of the cases they do and otherwise there are plenty of parties out there that do. Had good experience with DigiCert, but Commodo offers deals that are good too. Advantage of these commercial guys is that service is good and that they offer all types of certificates including OV and EV ones.

Let’s Encrypt Free SSL Certificate

Let’s Encrypt is a wonderful free SSL option. Let’s Encrypt is a certificate authority that allows you to have a free certificate to have an encrypted website. It is a non profit foundation supported by the likes of the Mozilla Foundation and the Internet Research Security Group. It is active since April this year (2016) and I am using it for all my client sites unless an extended or organization license is needed. See their FAQ here.

To quote them:

Let’s Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

So how do you get one? Well either you are a server man or woman (DevOps) and you take care of it, have a hoster that has automated the process for you like Dreamhost or use Trellis to set it all up on a Digital Ocean Droplet.  Let’s Encrypt does have great documentation to help you out when you want to take care of it yourself. If not, ask your hoster.

Unique IP

In the past you needed a unique ip address to run an SSL Certificate, but nowadays you can use SNI and run the certificate despite the fact that you are on a shared ip and a lot of clients use shared clients with a shared ip so that is good news. It is today very common to use SNI to run multiple certificates for different sites using only one ip. And it is saving us all quite some money as unique ip addresses don’t come cheap.

Caveat: Windows XP does not do SNI

There is one caveat. If you do not use a unique ip there will be some older operating systems that will not deal with your certificate well.  Windows XP does not have the tools to deal with it so any user still on XP will not load your site properly. Same goes for Windows Server 2003, but that OS is less relevant. But as most users are on Vista, Windows 7, 8 or soon on 10 I would not worry about it too much.

CDN and SSL

One more thing. Do remember you will need a subdomain with SSL on top if you want to serve content from a Content Delivery Network such as MaxCDN. Otherwise you will get mixed content and browsers will then give visitors warnings there is mixed content and that is…. bad PR.

NB Do not forget that content – ie forms – loaded from external sites should be loaded using https or // ! Otherwise browsers like Chrome will block the content.

HTTPS and WordPress

Do not forget that you need to adjust the .htaccess file after moving from http to https to send all traffic to https or a secure connection. Add the following to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://domain.com/$1 [R,L]
</IfModule>

Or

<IfModule mod_rewrite.c>
# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>

To enforce a secure Dashboard add this to your wp-config.php. Do not forget to adjust the url and use your own domain name there.

 define('FORCE_SSL_ADMIN', true);

Other than that do not forget to adjust the home and site url at  appearance > general. See more on this here at the WordPress Codex. If you moved all and did not adjust the urls before you moved and can no longer access the Dashboard properly You can add this to your functions.php of your theme to regain access and fix the issue:

update_option( 'siteurl', 'https://site.nl' );
update_option( 'home', 'https://site.nl' );

With this code snippet the urls will be adjusted after the fact. Do make sure you add your urls there and not these dummy ones!

Bonus – Test suite

To test your SSL certificate for its setup and strength use the checker at Qualys SSL Labs. It is a Google recommended site to check certificates. All Let’s Encrypt Certificates setups with Trellis get a beautiful A+

Featured Image Credits:  Yuriy Samollov

Updated

This blog post was originally published in February 2015, but has been completely updated in October 2016