Today’s tutorial shows you how to easily set up HTTPS and SSL for WordPress for free! HTTPS is no longer an optional nice-to-have. It’s critical for the security of your website, for your users’ security and for your search engine rankings. We’ll get your WordPress site running over HTTPS in just a few minutes – and all for free!
What is https and why do I need it?
What most casual web users don’t realize is that the conventional “http” method for serving you content is fundamentally insecure. A crude but useful analogy is that running a website is a bit like sending someone a postcard in the mail. Anyone can read the contents of your postcard as it weaves its way through the mail system.
In addition, it’s possible for someone to intercept your postcard and change the contents of it quite easily. In fact, it’s entirely possible for someone to pretend to be someone they’re not and send you a postcard with misleading information on it.
A website running over http is pretty much the same as this. For a long time this wasn’t a huge concern – especially when websites were pretty much brochureware. As websites have become much more interactive, two-way communications and commerce platforms, security has become way more important. Combine more transaction-based websites with increasingly sophisticated security threats and you’ve got a clear need to protect users from all sorts of nasty attacks.
https pretty much transforms the way your website content reaches users from delivery via a postcard to delivery via an armored car.
Simply put, you and I see https as the little lock next to the name of the website you are visiting. Like this.
Underneath the hood, the contents of your website travel through the internet using highly secure protocols that are encrypted from the user’s browsing device directly to the web server. HTTPS is not new. It’s been around since pretty much the inception of the web.
If that’s the case, then why hasn’t it become the de facto means of serving websites long before now?
The main reasons are cost, performance and complexity. Thankfully, some of the smartest people on the planet have been attacking all 3 points of pain for much of the past 15 years and we’ve finally reached a point where there are very few good reasons not to run a website over https in 2016.
The importance of https for Search Engine Optimization
Google has made no secret of its preference for giving websites running over https a ranking boost. Anything you can do to give yourself a ranking boost, no matter how small, deserves your attention.
Problems traditionally associated with setting up https
Configuring SSL certificates has long been an absolute pain in the ass to do correctly – for lots of reasons.
SSL certificates (the primary component needed to run a website over https) can be very expensive. If we continue to think of https like delivering your content via an armored car, the analogy can be extended to the make and model of the car. How many locks are on the security doors? Are they time-locked? Who is the manufacturer? Similarly, with SSL certificates there are different types of certificates with different levels of encryption and authentication information, issued by different certificate authorities, all of which directly affect how much they cost – sometimes running into thousands of dollars per year at the high end. Thankfully, due to an alliance of some of the biggest names in tech, a new certificate authority called Let’s Encrypt has made it possible for the first time to get an SSL certificate for free!
Running part or all of your website over https has traditionally come with a significant performance overhead on your web server. The additional layers of security would also slow down response times, which could be detrimental to conversion rates on ecommerce websites. For this reason it was (and still is) common to see ecommerce websites only run their checkouts and account area over https. Thankfully, due to significant improvements in performance with the arrival of HTTP/2, this really is no longer as big a problem as it has been.
Without doubt, the biggest reason most websites didn’t run over https was – and still is – how complex it can be to set up https just right. The process for setting up https for most websites usually involves something like the following:
- Generate a Certificate Signing Request and a Private encryption key
- Purchase an SSL Certificate
- Validate and prove your identity
- Complete SSL Certificate order
- Download certificates
- Install (and perhaps bundle) certificates
- Configure your web server to use the certificate
- Update your website (in this case WordPress) to run over https
- Fix any https errors (yes there’s always errors – probably mixed mode errors where some ‘stuff’ still references http rather than https)
- Update content to reference https instead of http
- Add 301 redirects for all old http links that might be indexed in search engines and from external links.
Whew! Man that’s a long list! And that’s when everything goes smoothly! For many, this is still the only way to do things. But thankfully if you’re hosted with Siteground – there’s a much much quicker and painless way of doing things.
How to set up https for free in just 2 minutes
Step 1 – Get a hosting account with Siteground
Step 2 – Log in to cPanel and open Let’s Encrypt
Once you log in to your Siteground cPanel dashboard, scroll down until you see this
Step 3 – Install Let’s Encrypt
Select your domain from the Domain dropdown, enter your Email address and click Install.
This triggers a series of events in the background where Siteground generates and issues the necessary certificate details via the Let’s Encrypt partner API.
This. Is. Huge.
https just becomes a one-click task! Given the long and tech-heavy task list above, this is nothing short of revolutionary, as it dramatically lowers the barrier to setting up https on your website.
Step 4 – Install the Really Simple SSL plugin
So you’ve got most of the hard work boiled down to a single click in cPanel – not bad eh? There’s one more thing you need to do. Install the Really Simple SSL plugin for WordPress. This little fella will solve most of your potential post-https-installation problems in one go.
- 301 redirects for old http links? Check.
- Rewrite http paths to https paths? Check.
- Fix mixed mode insecure links on the fly without changing the contents of your database? Check.
And you are done.
While this might not seem like the most exciting topic in the world, it’s pretty awesome how simple the Let’s Encrypt and Siteground folks have made it to enable everyone to run their website over https. Given this tech is only a few months old it’s only now starting to get noticed but I think one of the big changes we’re going to see in the next 12 months is the mass adoption of https for a big chunk of the web who previously couldn’t do it for the reasons we examined earlier.