Should your blog be using https?
You may have seen various articles recommending you use https for your blog or website to keep things secure and safe and perhaps you’ve read that it’s also beneficial for SEO.
What is https and its benefits?
The main purpose of https is to provide extra protection for when sensitive private data is transmitted on a website. The information is sent encrypted (turned into code) so that it cannot be intercepted by someone other than the intended recipient.
The most obvious example is anything involving the transfer of money. Here, https is essential. When you use your bank’s website, Paypal or a store like Amazon you’ll see something like this:
Sometimes you’ll see the name of the company listed, or a lock symbol or simply https in the URL bar.
Google is encouraging all sites to be https to help make the web a safer place, and is incentivizing this by using it as a “lightweight [ranking] signal…” for less than 1% of global queries. In the future they “may decide to strengthen it”. The SEO benefits are currently minuscule, or non-existent.
To use https, you must purchase a SSL security certificate.
What are the disadvantages of https?
The only possibly sensitive information on standard WordPress sites would be your own WordPress login when you’re logging into the backend; there would be no real benefit to anyone actually visiting your site.
Potential downsides are:
- the additional cost of getting an SSL security certificate (as a ballpark allow $200/year)
- the complexity of setup – for the most part this isn’t something your web developer can do; an SSL security certificate needs to be chosen (there’s different kinds), purchased and installed through the host, and options available depend on the host
being used - a possible decrease in site speed (https used to be extremely slow; these days it is much improved)
- the need to be extremely careful to ensure your site never uses http content – a single inclusion of an unsecured element (linking to a non-https external image, including a script or iframe from a non-https site, any WordPress plugin that you install that doesn’t fully support https) will cause big security warnings for visitors, which will scare off visitors more than if https wasn’t used at all!
How to set https up with WordPress
Once the SSL security certificate is purchased and set up correctly through your web host, you need to change your domain name in the WordPress settings to https:
Then you need to make sure any scripts linked to in the theme code use https as well. Going through all your scripts (from plugins and third parties) requires time and care.
I recommend checking out Google’s helpful guide on https too.
Note that there is a WordPress https plugin, but this is only necessary if you want to protect some pages and not others (e.g. only your login page) which makes things more complex again and isn’t really worth doing.
PIN THIS FOR LATER!
What about the future?
I think that there’ll only be widespread adoption of https on blogs once it’s installed by default by their host. Hosts deal with a wide variety of technical issues behind the scenes for their clients which people running websites do not need to know anything about, https should be like this too!