A couple of years ago, Google announced that they want everything on the internet to start using strong security by default, and, to encourage this, said that they’ll give a boost in the search result rankings to sites that do. We have now reached “critical mass” where all sites will need to be SSL in the very near future. There are immediate benefits to switching now, and it will better position your site in the future as SSL becomes the norm.
A quick primer: SSL stands for “Secure Sockets Layer” and, when properly implemented, means that the data sent to and from your website is encrypted and therefore “secure.” Secure website addresses start with https:// instead of http://. Technically, the newer protocols are actually called “Transport Security Layer,” or TLS, but the name SSL has pretty much stuck.
Here’s why it’s time to switch to SSL:
1. You will indeed get a bump in your search rankings. It’s not a huge lift, but every little bit helps.
2. It’s cheaper. It used to be expensive to purchase an SSL certificate, with prices ranging from $10/year to over $300/year. Now, Let’s Encrypt offers free certificates!
3. It’s faster. The new HTTP/2 protocol, which is possible only with SSL, enables more files to be downloaded simultaneously, which makes your site load faster.
4. It’s much, much safer. Encrypting traffic as it goes to and from your server means it can’t be “sniffed” or spied upon. That may not seem like it matters too much when, say, viewing a recipe for roasted brussels sprouts, but it matters a heck of a lot when you’re entering your password to log in to your site. Especially if you’re on a public wifi network.
5. It’s easier. Many hosting companies now integrate Let’s Encrypt’s free certificates directly into their control panels – so you may be able to install an SSL certificate with just a few clicks. No intimidating tech-knowledge necessary.
6. Most ad networks have finally caught up, so it won’t kill your ad revenue if you go all-SSL. Here’s Mediavine’s post about it.
7. It’s becoming more obvious which sites are secure, and which aren’t. Recently, Google changed the Chrome browser so they’ll actually show the word “Secure” next to the URL, instead of just a tiny little green padlock icon. More importantly, they’ll now also show “Not Secure” when a site isn’t secure and there are password or credit card form fields on the page. I anticipate that very soon they’ll say “Not Secure” on all insecure pages….and other browsers will follow.
8. It’s better for the world. If only sensitive data is encrypted, then it’s a lot easier for hackers and (evil) governments to know which data to go after. It’s like a target on your data’s back. But if it’s all encrypted? Then the critical stuff gets mixed in with everything else, and as a result we’re all more secure. (Think: journalists reporting from war-torn countries, uprisings overthrowing dictators, banking information, your car’s internet connection…)
But beware of these potential “gotchas” when switching to all-SSL…
First, you’ll need to be sure that all the content on your pages is also requested securely, else you’ll get a “mixed content” warning. That includes your own content (like images), but also any off-site requests, like ad network tags. (Why No Padlock? is helpful for troubleshooting this.)
Second, you should change all your internal links to the new https versions. You can do a Search & Replace in your database to replace all instances of http://www.yoursite.com with https://www.yoursite.com. (Make a backup first, please!)
Third, you’ll need to set up 301 redirects to force SSL connections (redirecting all http requests to https). Without that, people will still be able to browse your site without SSL. And since Google sees http and https URLs as separate sites, you could end up with duplicate content issues.
Fourth, it’s a good idea to add the SSL version of your site as a new “Property” in Google Search Console.
Finally, the social media share counters (“social proof”) displayed on your site will reset to zero, since you’ll be changing URLs. I highly recommend the Social Warfare plugin and its “Share Count Recovery” tool to get those numbers back.
Bottom line? SSL is here to stay, and the sooner you switch your site over, the better.