SSL in 2017: a new Google mandate

Secure Web https and ssl

So what’s the buzz about Google issuing penalties for sites that don’t employ SSL?  Well, it’s true, and in the next month, I’ll certainly be busy converting over websites to use HTTPS and not just HTTP pages.

What is SSL?

Secure Socket Layer (SSL) is a security protocol that offers a degree of insurance and protection against hacks and malicious intrusion. Technically, SSL provides encryption of customer data.   Browsers see the SSL Certificate and secure URL structure to interpret that a website is “safe” and provide a degree of comfort to site visitors.  SSL is especially beneficial for first-time visits to an unknown site.  Site visitors can have a degree of confidence that in linking to a site, they will be no exposure to malware or other malicious content.  It also protects the data stream during a session, such as when on is entering credit card information.

How can I tell I am visiting a site with SSL?

First of all, you can tell by your browser.  It will display the site URL as https://www.sitedomain.com.  Secondly, there is usually an icon or symbol in place (often in color green) such as a padlock that provides a safety signal.  Often, clicking on that icon will reveal information about the type of SSL that in place for further verification.  If you happen upon a site that is not entirely encrypted (partially protected content), then you might see a lower case “i” in a bubble instead of a padlock.  Again, clicking on the “i” will provide further information usually with a warning that your connection is NOT secure.

To make matters worse, starting in January 2017, Google will make a much bigger deal about those sites without SSL or partial SSL. A red caution warning “Not Secure” will display next to the URL in Google Chrome browsers. Regardless of browser, Google plans to penalize page rankings for sites that include a login of any type, form, or any application that collects data to include ecommerce.

How much does SSL cost?  Is it necessary to purchase an expensive SSL certificate?

Costs for SSL can vary from free to quite expensive, and there is the potential for hidden expenses that can make the migration a hit on the budget.

Unfortunately, what can be done is largely dependent upon the host and type of plan in many cases.  As I’ve been migrating many sites to SSL the past two months especially, I’ve encountered a gamut of variances.

Multiple WordPress Websites on a Bluehost Shared Plus Hosting Plan

Bluehost says that with shared hosting plans, to have an SSL Certificate one must have a dedicated IP address.  But the issue is that one cPanel can only have one dedicated IP and one domain’s SSL.  So, what does one do with the rest of the domain/websites on that single shared hosting plan?  Well, a decision must be made that will be driven largely by budget and anticipated traffic.  Options include:

  1. Purchase additional Shared Plus Hosting Plans – one for each domain with its own dedicated IP and SSL – these can be positioned under a single sign-on so one central login will provide access to multiple cPanels
  2. Upgrade to VPS or Dedicated Hosting where multiple dedicated IPs can be configured.  This can be expensive and require a lot of maintenance and server admin expertise
  3. Upgrade to WordPress Optimized Hosting.  Bluehost now has the environment that enables multiple domains to share a single Dedicated IP

 

Standard websites can likely get away with using a free Let’s Encrypt SSL Certificate now being supported by many major hosts.  However, anyone with an online store will benefit from purchasing a standalone SSL certificate.

I’ve installed Comodo SSL certificates for WooCommerce websites, and those vary in cost from around $80/year on up for those that include WildCard SSL (a requirement for WordPress multisite or where multiple domains are protected on one hosting account.  Typically, one purchases an SSL certificate per domain.

Do all hosts provide free SSL?

Not necessarily, but in establishing new hosting plans, it is imperative to inquire. One cannot generalize.  However, as this Google mandate is quite serious, most popular hosts are making an effort to provide access.

Is there any fine print from Google?

Yes. Having SSL alone is not sufficient.  The entire website must be fully encrypted, so it’s not something that one can deploy on the part of a site – for example, on a WooCommerce store, it has been common in the past to secure just the checkout and account pages and return to HTTP for all other pages.  No longer will that be an acceptable practice.

But I only have a simple WordPress website; why do I now need SSL?

Even if you have no functionality on your WordPress website that involves collecting customer data (forms or an online store, as examples), you do have a login form.  That login screen is how the backend (admin) of the website is accessed and is where those who subscribe manage their user profiles, too.  You now need SSL.

Are there any problems is switching from HTTP to HTTPS?

Well, given that there is a complete URL change, yes, to a point.

Additional reading

From the Google Security Blog:   Moving towards a more secure web

From Matt Mullenweg, Father of WordPress (Given at WordCamp 2016) Moving Towards SSL

Facebook Share Icon
Twitter Share Icon
Google Plus Share Icon
LinkedIn Share Icon
Mail Share Icon