Over the past few years, Google has increasingly stressed the importance of HTTPS encryption for websites, going as far as to mark certain HTTP pages as “not secure” if they contain data fields for things such as passwords or credit card information.
Non-HTTPS status can also affect a website’s search ranking, and earlier this year Google announced that, with the release of Google Chrome 68 in July, all HTTP pages will be marked as “not secure” in an effort to phase out the older, less secure web protocol.
While this will help make the internet a safer place, it will also create some issues for site owners who have yet to make the switch. Google Chrome handles the vast majority of worldwide browser traffic, and sites that show up as “not secure” face a potentially massive dip in traffic.
CHECK YOUR ENCRYPTION STATUS
To check if your site is already HTTPS-encrypted, visit your domain using “https://” in the URL. If you see a green padlock next to the “https://”, your site is encrypting its traffic and you are good to go.
If you see something else, you’ll need to take action before Chrome 68 is released in order to avoid some of the negative outcomes mentioned above. The good news is, securing your site with HTTPS is a relatively painless process. HTTPS encryption is acquired through something called an SSL certificate, which helps authenticate websites and ensures that hackers cannot see or intercept data your users share on your site.
To add an SSL certificate to a WordPress site, site owners will either need to purchase an SSL certificate or use a free option—the type of certificate that’s right for you depends on the site it will be applied to. Once the certificate has been acquired, it will need to be installed on your server and set up for your site or multiple sites.
Let’s Encrypt certificates provide the same level of security as paid certificates and offer the same HTTPS protection. Because these certificates are fully automated, WP Engine will also automatically renew them for you after you set them up.
Setting up a Let’s Encrypt SSL certificate is easy. Once you’ve logged into your User Portal, simply select the domains for which you would like to add an SSL certificate, ensure you’ve read and agreed to the Terms and Conditions, and then click “Request SSL Certificate” to get the process started.
Your SSL order will take about 15 minutes to process, and then it will appear on the SSL page in your User Portal where you will be able to configure your SSL settings.
RAPIDSSL WILDCARD CERTIFICATES
Other options for SSL certification at WP Engine include certificates from RapidSSL, which you will need if you’re covering your root domain and all subdomains with a single certificate.
RapidSSL wildcard certificates cost $199 and will cover all subdomains. However, if you only use a few subdomains, the free Let’s Encrypt certificates above are still a viable option.
To install RapidSSL, select the domain(s) for which you would like to add a certificate, enter your contact information, and make sure you’ve read and agreed to the Terms and Conditions. Finally, click the “Purchase SSL Certificate” button. Ensure the contact information is current, in case RapidSSL needs to verify your information to complete the purchase.
Just like the Let’s Encrypt process above, your SSL order will take about 15 minutes to process. Once it appears on the SSL page, you will be able to configure your SSL settings (it’s recommended to click “Secure all URLs” to ensure your entire website loads over HTTPS).
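The padlock check from “Check your encryption status” and the question of which hostnames a certificate covers can also be scripted. The following is an added example, not WP Engine code; `example.com`, the sample certificate and the function names are constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Sep 30 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate over a fully verified TLS connection.

    Raises ssl.SSLCertVerificationError when the chain is untrusted, the
    certificate has expired, or it does not match `host`.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_covers(pattern, host):
    """Match one certificate DNS name; a leading '*.' spans exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def summarize(cert, hosts, now=None):
    """Return days until expiry and, per hostname, whether the cert covers it."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "days_left": (expires - now).days,
        "covered": {h: any(name_covers(n, h) for n in names) for h in hosts},
    }

if __name__ == "__main__":
    # With a hostname argument, check the live site; otherwise use the sample.
    hosts = sys.argv[1:] or ["example.com", "www.example.com", "a.b.example.com"]
    cert = fetch_cert(hosts[0]) if sys.argv[1:] else SAMPLE_CERT
    print(summarize(cert, hosts))
```

A wildcard name matches a single label only, so `a.b.example.com` is reported as not covered, and the bare domain is covered only because the sample certificate lists it as a separate name.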
IMPORTING NEW OR EXISTING CERTIFICATES
Another option for adding HTTPS encryption to your site is to import a new or existing third-party SSL certificate through your WP Engine account. It’s important to note that this option is only available for Growth/Professional plans and higher.
Importing a third-party SSL certificate is ideal if you already have a valid certificate you want to use, or if you need to use an Extended Validation (EV) or Multi-Domain certificate (SAN). Otherwise, the Let’s Encrypt or RapidSSL options above are likely the best ways to secure your WordPress site.
HTTPS DOESN’T EQUAL 100% SECURE
It’s important to note that SSL certification is just one of the many components WP Engine uses to keep its customers’ sites safe and secure. While adding HTTPS encryption to your site is highly recommended and will benefit you and your users/customers, it is not a singular security solution.
Every site is unique and requires different layers and levels of security—HTTPS encryption is just one part of that. However, adding this layer of security will go a long way towards keeping bad actors away from your site and the data your users/customers entrust you with.
Security is a shared responsibility and Google’s push for the wider adoption of HTTPS encryption is an effort to make the web safe for everyone. By helping users understand that HTTP is not secure, and that information transmitted over HTTP connections can be intercepted by bad actors, Google is also raising awareness of the risks that exist in today’s evolving world of cybersecurity.
By acquiring SSL certification and switching over to HTTPS encryption, site owners will not only be protecting themselves and their users/customers from potentially disastrous data breaches, but will also be joining a growing majority of web users who are making this level of encryption and security the norm when it comes to securing their sites.
Still have questions about HTTPS encryption and SSL certification? Leave a comment below or contact WP Engine for help finding the best fit for your website.