Google and other tech titans are pushing for SSL/TLS to be the default connection protocol used by websites. Google already ranks sites higher when they use HTTPS over those sites that do not use HTTPS. 2017 is the year all web masters will be pushed to use HTTPS.
- Google Chrome and other web browsers will show prominent warnings to visitors of non-SSL pages
- WordPress will move to use ‘SSL by default’ for some admin features of self hosted sites
- WordPress will cease to promote hosts that do not offer SSL certificates as a standard part of host packages
- Web surfers will be encouraged to use HTTPS everywhere and to recognize HTTPS addresses in response to increased government intrusion into their online activities.
In 2017, if your websites do not use SSL by default for all visitor traffic, visitors will be frightened away from your sites by strong browser warnings. Sites that do use HTTPS by default will be better placed in search results to get the traffic that you lose by your own inaction.
How much does SSL cost?
Free if you want it to be
Services like Let’s Encrypt came into the world in 2016 to provide free SSL certificates. Some hosts make available to their customers the cPanel app that connects with the Let’s Encrypt API to automatically create and install SSL certificates, and to renew certificates before they expire. Let’s Encrypt certs live for 3 months or less depending on installer preference.
What to do if your host disables Let’s Encrypt in cPanel
Cloudflare provides free SSL certificates and has done for many years. The caveat is that a site needs to use the Cloudflare DNS servers. Cloudflare is easy to set up and DNS is easily configured, mostly automatically configured when a site is added to Cloudflare.
Additionally, a server needs to be SNI capable in order for Cloudflare free SSL certificates to work properly. What’s SNI? Server Name Indication. SNI makes it possible for many sites on one server to use a shared IP address and still have their own individual SSL/TLS certificate. Most modern servers are SNI capable so this is not usually a worry.
A basic Cloudflare plan is free and comes with basic CDN features so Cloudflare is my recommendation.
When not to use a free cert
Free certificates are great for general use but whenever payments (or other regulated activities) are processed on-server the server must be PCI compliant, which normally means the site needs a specific type of SSL certificate. If payments are processed off-server, e.g. via PayPal, then a free certificate is suitable.
Internet Explorer 7 on Windows XP is incompatible with SSL certificates installed on shared IP addresses due to IE7’s lack of SNI support. IE is less widely used than other browsers so this is a negligible worry nowadays.
Example sites that use Cloudflare certs
All my own sites use Cloudflare certs. Many of my clients who use SSL use Cloudflare certificates without any issues. Some example sites include
How to convert to SSL
There are fewer steps involved than you might expect but experience is required.
- Install an SSL certificate on the server
- Convert internal domain links from HTTP to HTTPS
- Redirect requests for HTTP to HTTPS
- Check for 3rd party scripts and iframes that use HTTP and switch them to HTTPS
- Switch the Google Analytics property for the site from HTTP to HTTPS
- Create a new Search Console (Webmaster Tools) property for the HTTPS site (remember to resubmit your sitemap).
Let’s go through those steps in more detail.
2) Use the Search Replace DB Script to convert, for example, http://example.com to https://example.com. Create a database backup first.
3) Add the following directive to the site’s .htaccess file (change journalxtra.com to your own site’s domain name):
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://journalxtra.com/$1 [R=301,L]
4) The tricky part of conversion from HTTP to HTTPS is that there is sometimes 3rd party content brought into pages by iframes and ad scripts. Not all remote content will use the HTTPS protocol. You will need to track down and edit iframes and scripts manually to ensure they use HTTPS source URLs otherwise visitors will see mixed-content security warnings.
5) Google Analytics needs the domain protocol to be changed from HTTP to HTTPS. This takes 5 minutes and involves a simple flick of a switch. Go to Google Analytics, select the website property then click the Admin link and change the Default URL.
6) Webmaster Tools (previously called Search Console) requires a new property be added for the HTTPS site. Currently there is no way to flick a switch to convert the existing property config from HTTP to HTTPS. You gotta create a new property whether you like it or not.
There is no need to send requests to web masters to ask them to edit backlinks to your site. The protocol redirect set up in .htaccess will ensure visitors use HTTPS instead of HTTP. HTTP backlinks will still count toward SEO.
All told, installing a cert and configuring a site to use the certificate takes about an hour, not counting unforeseen issues like 3rd party scripts that need their protocols to be updated.
Keep an eye on browser ‘mixed content’ warnings. These warnings show whether you have missed any URLs that need to be updated within page content.
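An added example (not from the original post) for step 4 and the mixed-content check above: a small Python scanner that lists sub-resources a page still loads over http://, separating active content (scripts, iframes, stylesheets) from passive media. The sample page and its host names are constructed placeholders, and the class and function names are this example's own.

```python
from html.parser import HTMLParser

# Executed or framed content: browsers block it on an HTTPS page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"),
          ("object", "data"), ("link", "href")}
# Displayed media: browsers warn about it or silently upgrade it.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}
KIND = {**dict.fromkeys(ACTIVE, "active"), **dict.fromkeys(PASSIVE, "passive")}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url, line) for each http:// sub-resource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # <link> is only counted for stylesheets; rel=canonical is a reference.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            kind = KIND.get((tag, name))
            # https://, //host/ and relative URLs pass; so do <a href> links.
            if kind and value.strip().lower().startswith("http://"):
                self.findings.append((kind, tag, value.strip(), self.getpos()[0]))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<link rel="canonical" href="http://example.com/post">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<a href="http://example.org/">plain link, not mixed content</a>
<img src="http://img.example.net/banner.png">
<iframe src="http://ads.example.net/slot"></iframe>
<script src="//cdn.example.net/widget.js"></script>
</body></html>"""
if __name__ == "__main__":
    for severity, tag, url, line in scan(SAMPLE):
        print(f"line {line}: {severity:7} <{tag}> {url}")
```

Run it over saved page source or theme templates after the search-and-replace in step 2; whatever it still reports is third-party content that has to be edited by hand.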