SSL & HTTPS for WordPress – Is it really necessary?
In the course of 2017 large-scale unrest arose about SSL certificates. You really had to have an SSL certificate as a website owner, otherwise your WordPress website would become unsafe. And Google would block your site. And more Indian stories.
How is that really? To get straight to the door: there is definitely something going on and yes, it is better to provide your website with such an SSL certificate. In this article I will go deeper into it.
HTTPS or SSL?
These terms are often used interchangeably. That is not illogical by the way. It is actually pretty simple:
- A website with an SSL certificate can be reached under https: // domain name
- A website without SSL certificate can be reached under http: // domain name
In other words, you need an SSL certificate to ensure that your website is accessible under https.
A website that runs under https ensures a secure connection between the website and the visitor. In other words, sensitive information such as passwords can not be intercepted by malicious parties. This is much easier on a website that runs on http.
If you collect information from visitors such as name, e-mail address etc. then it is for that reason quickly better to run your website on https. For web shops this is absolutely a must, although the really critical (payment) information is often handled via a payment provider and that connection is by definition already https.
If you have a simple informative blog where you do not collect any data from your visitors, then that is no reason to immediately install an SSL certificate.
Websites that do collect data from customers and that do not have https are marked as unsafe by Google. That looks like this and you can imagine everything that you want to prevent this!
Types of SSL certificates
Once you immerse yourself in the matter, you will discover that different types of SSL certificates are available. So there is a distinction between:
- SSL Domain Validation
- SSL Organization validation
- SSL Extended validation
The domain validation is the easiest. You can easily obtain such a certificate as a domain owner. The visitor will then see a green lock, but not the company name. Like on this website. Such a certificate is sufficient for a small site or shop and is also the cheapest variant. This certificate is also available free of charge via Letsencrypt, but not all providers support it.
The more extensive and more expensive variants are accompanied by more checks. You will have to provide the necessary information before you qualify for such a certificate. As a visitor you will also see the company name in the address bar with such a certificate, as in the example below.
HTTPS and SEO
Even if you do not need such an SSL certificate for the aforementioned reason, it may still be wise to consider one. Google has indicated that https websites are preferred over websites without a certificate. Often this is equated with “without https you drop in the search results”, but it is not that drastic. You have to interpret Google’s statements as follows: if two pages from different websites are eligible for – let’s say – position three in Google, then a https website will be preferred to a website without https.
In other words: you have a small advantage over your competitor if your WordPress site has an SSL certificate and your competitor’s is not. SSL, however, begins to become so common, that it is the other way around: your WordPress website without https is lagging behind. However, many more factors affect the Google rankings that have a greater impact than https. So yes, https affects SEO, but it is not your highest priority. One that you can easily fix, so why would you leave it?
HTTPS for WordPress
So is that with https under WordPress? If you use an account on WordPress.com, you are automatically already provided with a certificate and you do not have to do anything else.
You have an existing WordPress website based on the WordPress.org software? In that case you can almost always purchase an SSL certificate from your provider. Some providers also help you with installation and activation. In other cases you have to do that yourself. There are also some changes in your WordPress database needed, to ensure that everything references neatly go to https. If this does not work well then the SSL certificate is active, but the connection is still not secure. In the browser, it looks like this:
In this situation you can do two things:
1. Install a plugin within WordPress that ensures that all references are adjusted to https. This plugin does that for you for example: Really Simple SSL. In many cases that is sufficient
2. Enlist someone who can help you with this. Of course you can also contact us with such a question.
HTTPS and Security
You sometimes hear that a https secured website is safer. This is only partly true, because https ensures a secure connection between the website and the visitor. However, an SSL certificate will not in itself ensure that your website is no longer vulnerable to attackers. A WordPress website with https that is not well maintained will therefore still be hacked by hackers. Be aware of this. Https is no substitute for proper and regular maintenance of your WordPress website!
Conclusion: Is HTTPS for WordPress a must?
Actually this question is separate from WordPress. For every website it is wise to take an SSL certificate. You do not have to worry about that nowadays. And it gives your visitors a safer feeling anyway. Only that is already worth it. It is not always an absolute must. That depends on the purpose of your website. If you sell online, I would definitely choose to provide your website with SSL.