Having a secure website not only gives your visitors a sense of security as they browse your content, it can also help in search results, since Google has stated it will use site security as a ranking signal. There has been no clarity on how big the impact is. We expect it to grow as a signal as the web continues to evolve, but based on what we see with our own websites and clients, we do not think it is a huge impact right now.
In the past, only e-commerce websites or websites that took credit cards or required personal information needed to be secure. But with the advances in technology, and of course the increase in hacking and exploits, this is quickly changing. Google specifically is leading the way with its requirements for a secure and safe web experience for its users.
Personally speaking we did not jump on the “secure your website” bandwagon that was taking place many months ago, but we will be adapting all of our personal websites as well as clients hosting with us to be “secure websites” because we are now convinced it is required.
WHAT ARE THE ADVANTAGES OF A SECURE WEBSITE
- SEO – Google has mentioned it is a ranking factor – and even if it is only a small factor, it may just be enough to give you an edge over a competitor.
- TRUST – When visitors, many of whom have little technical knowledge, see a “NOT SECURE” warning, it may cause them to run – fast. By showing a “Secure” signal you become a trusted website in their eyes, and they will not be concerned about leaving comments, filling out forms or doing any other activity on your website.
- CHROME – With the upcoming changes and the large usage of this browser – not having a secure website will be a trigger for insecure warnings.
WHAT EXACTLY IS HTTP/HTTPS
This is a very technical thing to talk about – but in an effort to make it simple:
HTTP (Hyper Text Transfer Protocol) – this is just the basic reference to how information is shared on the internet in its original form, basically as plain text. This allows anyone to view that information who gains access.
HTTPS (Hyper Text Transfer Protocol Secure) – this is the same as HTTP but the difference is that the information gets “scrambled” into character strings via an SSL certificate. Only the receiving and sending computers can then see that information. Others may be able to access it – but they will never be able to “read” it because it is so scrambled.
SO WHY SHOULD WE CARE ABOUT THIS? WELL, BECAUSE CHROME IS MAKING BIG CHANGES IN 2017
The Chrome browser is the first (and we are sure not the last) that will be taking a big step forward with security and is making some changes in January 2017 that every web owner should be aware of. And with Chrome averaging almost 50% of all browser usage – you need to make sure you are compliant with their changes to make sure your visitors feel safe on your website!
Chrome currently shows if a site is secure or not with a small icon that is located to the left of the URL in the browser bar. If you look at this page in the browser bar you will see right now we are not a secure website because there is a small gray circle with a little i in it.
Come January 2017 when the new release of Chrome comes out (Chrome 56) – not only will that icon remain but now there will also be added text stating “Not Secure”.
This is a big deal because most average site visitors may not even realize what that little gray icon is or what it means – and because it is not an e-commerce website they probably do not even think about security.
But now we will have this clear message that says “Not Secure” – in theory that could scare people off. It would even make me think twice these days with all the internet theft and hacking going on.
So for the first launch of this new functionality, the browser bar for websites that are not secure will begin to look like this:
But it gets worse.
In future releases of Chrome there are plans to label all HTTP pages as non-secure. So even if you do not have private information or e-commerce, your website will still be marked as non-secure. But what makes it worse is that future updates may reflect that Non Secure message in red as opposed to gray.
Below is how the URL is expected to be shown for the different security levels in the future.
MAKING THE SWITCH
If you are ready to make the change – there are some things you need to consider when getting ready to migrate to HTTPS.
- You will need to get an SSL certificate
- You will need some time and patience to make the migration. Unfortunately, this is not a “push a button” and it is done type of project. The bigger the website the more time consuming it will be.
- You have to be aware that you may lose your sharing counts because your shares were based off your HTTP version of the website. (There is a plugin that supposedly will allow you to retain these counts, but it is a pay to play plugin called Social Warfare – we are not familiar with this plugin so we are not recommending it, but just sharing it as a resource).
- This change may affect your current rankings. Google will need to fully reindex your website with the new URL structures. But in time you should bounce back to your pre-move rank.
ABOUT SSL CERTIFICATES
There are basically 2 options for most website owners:
A) Self-signed SSL certificate which will usually require you to have a dedicated IP (these do not typically work with shared hosting since they cannot use your domain name as verification). There is also an annual fee that goes with these SSL certificates – you should review and research the best option for your budget.
- You can purchase an SSL certificate – we refer most to GoDaddy just because they are cheap and are good enough for what you need. But there are other places you can purchase them like Comodo, GeoTrust, RapidSSL and more.
- You need to make sure you purchase a 2048 bit key certificate or higher for best security.
- Once you purchase your SSL certificate it goes through a verification process and once that is done you will need to then install the certificate you receive on your host account.
If you want to get a self-signed SSL you should reach out to your hosting company to determine what your options are! Every host is a bit different in their requirements.
B) Let’s Encrypt is a new way everyone can get SSL certificates for free. Many hosts have this already integrated but you can also install it manually.
The downside to this option is that it has to be renewed every 90 days, so if you cannot get a cron job set up or stay on top of keeping it active, your site will become insecure and throw the message and warning we are trying to avoid.
We suggest looking in your host account to see if you see a “Let’s Encrypt” icon in the control panel area. Below is a screenshot of our Squidix Account control panel – they are a host that does offer Let’s Encrypt. If you do see this, you can go to the next section to see how to install it!
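A renewal check that a cron job could run, as an added example (not part of the original post): it reads the expiry date of the certificate a site presents and reports when renewal is due. The function names and the 30-day threshold are assumptions, and the test dates are constructed.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30  # assumption: act once fewer than 30 days remain


def fetch_certificate(host, port=443, timeout=10):
    """Return the certificate the server presents, as a dict.

    The handshake validates the chain, so a certificate that has already
    expired raises ssl.SSLCertVerificationError here instead of returning.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if past)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def renewal_status(cert, now=None):
    days = days_remaining(cert, now)
    if days < 0:
        return "EXPIRED"
    if days < RENEW_BEFORE_DAYS:
        return "RENEW NOW"
    return "OK"


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py yourdomain.example
    cert = fetch_certificate(sys.argv[1])
    print(sys.argv[1], days_remaining(cert), "days left:", renewal_status(cert))
```

Run it daily from cron and alert on anything other than "OK"; a handshake error from `fetch_certificate` means visitors are already seeing the warning.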
IF YOU DO SEE LET’S ENCRYPT AS AN OPTION HERE IS A VERY BASIC TUTORIAL
We are going to walk through a general overview of how to install Let’s Encrypt on a website that you have.
The screenshots may vary based on your host controls and layout – but the general steps should be similar.
1. Click the Let’s Encrypt SSL icon. You may see something like Issue, Add To Domain or Add to Hosting, or something similar that indicates you should go ahead and install the certificate. This is the way it looks in Squidix hosting.
2. Once the Let’s Encrypt SSL has been installed you will need to then go back to your website and make sure all of your content is able to be delivered in a secure environment. This includes things like your images and files. Although there is a manual way of doing all of this, we will suggest a plugin that seems to simplify the process called Really Simple SSL.
We have never personally used that plugin but it sounds simple to use and seems to take care of a lot of what needs to be done to ensure your website is secure.
3. Then you should go into your Google Analytics account and make sure you change the default URL to the HTTPS version!
4. Then you should head on over to your Bing and Google Webmaster tools and resubmit your sitemaps because now you need to let them know your URLs are all HTTPS! (Yes, they will eventually find out – but submitting the sitemap can speed up the process.)
5. Once all of the above is complete you should thoroughly review your website. Click through all the pages and make sure the green SECURE icon is appearing on all of your pages.
FINAL IMPORTANT NOTES
This post is meant to be informational to help you understand SSL and why you will need it in the future. Because this is such a technical issue – some of the information here may not be applicable to your unique situation. It is important to reach out to your host or an expert who can assist you with this process.
Incorrectly installing SSL can harm your website in the long run – so use caution if attempting to do it on your own.
If you have questions or concerns, contact us today. We’re happy to help.