WordPress founder, Matt Mullenweg, recently announced that the software will require all hosts to have HTTPS for certain WordPress features to function.
Don’t panic just yet. If you already have HTTPS, this shouldn’t affect you. But if you’re still using HTTP, you’ll need to upgrade soon. The good news is that the transition is not as difficult as you think it is and the benefits outweigh the assumed disadvantages.
This article will go over what the WordPress HTTPS mandate means for you as a site owner, the advantages of HTTPS, and how to upgrade if you haven’t already done so.
What is HTTPS?
HTTPS adds a security layer to HTTP (Hypertext Transfer Protocol). HTTPS essentially encrypts data (using SSL or TLS) that is communicated between servers and clients until it reaches the intended recipient.
This prevents cybercriminals from accessing sensitive user information and also reduces the risk of tapping and modification of sensitive data. Although HTTPS is not completely foolproof, it undoubtedly has major security advantages.
HTTPS sites can be easily identified, as they have a locked padlock icon located in the address bar in most common browsers.
Why is WordPress Pushing HTTPS?
There are mainly two reasons for this, so let's quickly dive into them.
Google Prefers It
It is no secret that greater encryption and cyber security have made the Internet a safer place for users. As usual, a Google update signaled the necessity of HTTPS for user experience, SEO and internet security.
In 2014, Google suggested that enabling HTTPS on your site could result in higher search rankings. Although it still isn’t the only important factor in raising your site rankings, you shouldn’t underestimate its value. For example, if two sites are equal in all ways, but one site has HTTPS, that site would get a boost in rankings.
In January of this year, Google released version 56 of Google Chrome. This new release brought about some changes, notably with how Google Chrome treats HTTPS vs. HTTP sites. The browser now clearly identifies sites that are not operating HTTPS on their systems. For example, a “Not Secure” message now appears on pages without HTTPS that try to collect passwords or sensitive information. You can expect that, eventually, all pages not using HTTPS will clearly be labeled as having insecure connections.
We can reasonably assume that Google’s preference for HTTPS has been a contributing factor for the changes implemented by WordPress.
Users Prefer HTTPS Too
A secure connection can make all the difference from a user's perspective. Users see HTTPS as a positive signal that you are taking your site security seriously, for their benefit. So, having HTTPS could mean more traffic and longer usage times on your site.
HTTPS is particularly important if you are operating an e-commerce site. Simply seeing the padlock icon could make users more comfortable in entering their payment details and other personal information. This is particularly true with the new Chrome update (mentioned earlier), which shows a “Not Secure” label on e-commerce sites or sites that require a user login or credit card information but don’t have HTTPS.
Both Google and user preference should be enough reason for you to upgrade your site to HTTPS. It is simply necessary to ensure watertight security for your users and to protect your online business reputation.
Remember when JavaScript was first introduced and quickly embraced by users and webmasters? Looking back, we can see now that JavaScript was essential for smoother and better user experience. HTTPS, similarly, presents a number of unique advantages for user experience and security that we should all quickly embrace.
We know that you may be overwhelmed switching from HTTP to HTTPS. After all, change does take time to get used to, but in this instance, you may need to quickly get on board. At this point, the advantages of HTTPS have greatly outnumbered the disadvantages. Plus, upgrading to HTTPS is no longer the costly, time-consuming, and difficult process that it once was. In fact, getting an SSL certificate in 2017 is fast, sometimes free, and quite easy to implement.
How to Get HTTPS
WordPress hosting partners should now provide an SSL certificate for all accounts. (It is required that they all do so as early as the first quarter of this year.)
Your hosting provider may already provide a free SSL certificate, so check with them first before you make any third-party purchase. If they do not offer a free one, you could ask them if they sell third-party SSL certificates. Once purchased, you can ask your provider to install the certificate for you on your server.
Another option is to explore the free alternatives, independent of your hosting provider. There are projects such as “Let’s Encrypt” which have now made it easy and quick to secure a free HTTPS certificate for your website.
Let’s Encrypt is an authorized open Certificate Authority with millions of active certificates in place. There are other comparable projects out there that can help by guiding you step-by-step through the installation process or who have been authorized to deliver certificates.
Remember that SSL certificates upgrade the website, but not the content itself. That means that the content on your page will also need to be updated so as to avoid 404 errors. Google may interpret the error as a mismatch in the security level of your site. The only way to avoid this is by encrypting the content of your website to match your SSL certificate.
To track and resolve any 404 errors on your site, you may want to use a specialised plugin such as Redirection.
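Updating the content means finding every URL in your posts and templates that still begins with http://. As an added example (not part of the original article), the Python script below lists those URLs in a page's HTML, separating active content from passive content, insecure form targets and plain links, and noting whether each one is on your own host. The sample markup and the hosts example.com and thirdparty.test are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL the browser fetches while rendering the page.
# Active content (scripts, frames, stylesheets) is what browsers block on an
# HTTPS page; passive content (images, media) usually loads but costs the padlock.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
           ("audio", "src"), ("video", "src"), ("video", "poster")}


def bare_host(host):
    """Lower-case a host name and drop a leading 'www.' so both forms compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


class InsecureUrlScanner(HTMLParser):
    """Collects every attribute value that still points at an http:// URL."""

    def __init__(self, site_host):
        super().__init__()
        self.site = bare_host(site_host)
        self.findings = []  # (line, category, tag, url, on_own_site)

    @staticmethod
    def classify(tag, name, attrs):
        if (tag, name) == ("link", "href"):
            rel = attrs.get("rel", "").lower().split()
            return "active" if "stylesheet" in rel else "passive" if "icon" in rel else "link"
        if (tag, name) in ACTIVE:
            return "active"
        if (tag, name) in PASSIVE:
            return "passive"
        if (tag, name) == ("form", "action"):
            return "form"   # data entered in the form would be submitted unencrypted
        if (tag, name) == ("a", "href"):
            return "link"   # not mixed content, but costs a redirect hop
        return None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        for name, value in attrs.items():
            category = self.classify(tag, name, attrs)
            if category is None:
                continue
            # srcset holds several "url descriptor" candidates separated by commas.
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                try:
                    parts = urlsplit(url)
                    host = parts.hostname
                except ValueError:
                    continue  # malformed URL: nothing reliable to report
                if parts.scheme.lower() != "http":
                    continue  # https://, protocol-relative and relative URLs are fine
                own = bare_host(host) == self.site
                self.findings.append((self.getpos()[0], category, tag, url, own))


def scan(html, site_host):
    scanner = InsecureUrlScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/2017/01/photo.jpg"
     srcset="http://www.example.com/a.jpg 1x, https://www.example.com/b.jpg 2x">
<iframe src="http://chat.thirdparty.test/room"></iframe>
<img src="//cdn.thirdparty.test/logo.png">
<a href="http://example.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, category, tag, url, own in scan(SAMPLE, "example.com"):
        where = "own site: rewrite to https" if own else "third party: confirm it serves https"
        print(f"line {line:>2} {category:<7} <{tag}> {url} ({where})")
```

Findings on your own host can be fixed by rewriting the stored URL; findings on a third-party host only go away if that host serves the same resource over HTTPS.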
What if You Just Don’t Want to Upgrade to HTTPS?
You could see a number of things happening to your site over time if you do not upgrade to HTTPS. The first may be facing the consequences set out by Google, i.e. lower rankings and having your users staring at a “Not Secure” warning when they try to access your site via Google Chrome.
The second is that you could struggle with WordPress updates and lose some or all functionality on specific WordPress plugins.
Third, your site may be an easier target for hacking.
Those are three consequences that require you to seriously reconsider if you really want to take the risk of not upgrading to HTTPS.
Wrapping Up
Let’s put it this way: you will simply have nothing to lose by adopting HTTPS. Yet, if you do not use HTTPS, you could risk leaving your site in the “dark ages” of the Internet.
But then again, if you’re a WordPress site owner, you have no choice. Take the plunge and let us know how it worked out for you!
We have to get ready to upgrade to HTTPS. Thanks for your article; I hope I can tell this to my hosting provider.
Any suggestions for those that are with Bluehost as it does not appear as a partner? I used to be with Siteground with a Moodle school site and went with an SSL certificate. As my site also includes youth and caters to youth I am very interested in securing but am gutted that I might have to pay my hosting service more… Having said that I will check Let’s Encrypt – anyone out there with experiences doing this that can offer top tips… as I prefer to spend time on site content? Thanks.
I use SiteGround hosting that allows Let’s Encrypt for free. It’s good, and SiteGround is improving this service constantly.
Does your host provide cPanel? If so, look for “SSL/TLS” or “SSL/TLS Manager” under Security. Then check for “Install and Manage SSL” or something like that. If an SSL installation option is not available, you’ll have to ask your host how to go about installing third-party SSL certificates.
If the install option is there, then you should be able to get your own Let’s Encrypt certificate and install it yourself without paying any extra $$$ to your host.
The best way is to generate your Private Key (2,048 bit is fine) and Certificate Signing Request (CSR) using the tools within the SSL/TLS manager under cPanel. For the CSR, make sure to enter both the www and non-www versions of your site’s domain in the Domains box. Then use your CSR to generate a Let’s Encrypt certificate via ZeroSSL (https://zerossl.com/free-ssl/#crt).
Read more at the ZeroSSL website (https://zerossl.com/free-ssl/#howtocrt). I don’t have time to write full, step-by-step instructions, but ZeroSSL will generate what you need to install a Let’s Encrypt SSL certificate on your site using the SSL installation tool in cPanel. Another helpful resource is the Let’s Encrypt forum (https://community.letsencrypt.org).
When you’ve finished generating your certificate, make sure to save the instructions provided by ZeroSSL. They will help with the installation, and you will need them to renew your certificate every 90 days. Also, make sure to download and save the Let’s Encrypt key that is generated for you during the first step after pasting your CSR code into ZeroSSL’s certificate wizard. You will also need that to renew your certificate each time.
One last thing… to use ZeroSSL, you must have FTP access to your website. This is necessary to create the directories and upload the files necessary for ZeroSSL to verify your ownership of your site.
Great comment, Jill. Thank you for helping out the community!
Bluehost is a partner and offers it for FREE! They will send you a bill for zero amount every 3 months though! LOL Give them a call and they’ll walk you through it.
I have changed my websites to use HTTPS two times now just to see if I got everything working and in my case using HTTPS is corrupting my link cloaking & tracking software which runs directly on my website and I also can’t get rid of all the mixed content errors.
If my link cloaking & tracking software doesn’t work, at least half of all my marketing campaigns will be gone so if anyone has the same kind of issues I highly recommend you to keep using HTTP and don’t worry about your rankings too much…
Google will keep your website URLs indexed and you can use Google Webmaster Tools (Now Google Console) to select your preferred site link, just make sure you have both HTTP and HTTPS sites verified with the Google Console and you’ll be sure that you don’t lose your rankings.
This is terrible. I spent hours on several days doing all kinds of things to makeover a site into https – sometimes with WP it fails and locks you out.. people are going to crash sites.
My main site that I tried converting to https has three major problems that made me revert to, and force non-https – the chat programs we use will NOT work with https – we have been trying to move to newer systems – but none of the newer chat programs have all the features our users know and love.
Without our chat we can not keep the site going, without wordpress however, we can do just fine. Certainly we can export our pages and posts to a different platform, or even use one of the static html generators to simply convert all of our WP stuff to static html and never have to worry about WP updates again.
One section of our site does depend on wp and buddypress.. so I may try to find a way to add an exception in our https that would revert all of our site to non-https – and then in the sub-wp+bp section go to https.. but wait, that will break two of our three chat room systems.. one of the systems depends on wp/bp for its integrated user auth / profiles / registration.
I can move one of the embedded chats to a different non wp section of the site and do a 301 redirect… however the one chat system will break with https turned on. This is a major problem. I can’t move that system to ssl unless we blow two grand on the premium wowza license.
Funny you mention that google prefers https – however we found that having google index both ssl enabled and non https pages gets even worse results – so having the option for people to get some pages as ssl and other not can be a bigger problem.
Also learned that browsers will default to https if your home page is set that way.. so after trying to make the home page ssl, and the wp login pages ssl, and our chat rooms page forced to non-ssl with some craftier if statements in the htaccess file – well it won’t work since browsers default this way.
If the things in this post are true – we are truly screwed. fml.
This article is confusing. I have free SSL for my website from my web hosting provider, but my URL still does not say HTTPS and Google Chrome says the site is still insecure. What do I have to do to convert to an HTTPS URL? Does the plugin Redirection make this happen?
First off, if you haven’t done so already, make sure your secure connection is working properly by manually typing the https:// version of your site’s URL into the browser’s address bar. If your site loads properly with no errors, and the padlock icon appears, then you should be all set. Otherwise, you’ll need to seek help from your host to get your SSL configuration working properly.
Just having SSL won’t automatically send all your HTTP traffic to HTTPS. If you are on a Linux host and have FTP access, you can modify your existing .htaccess file by adding the following to it:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www\.)?yourdomain\.com$ [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,NC,L]
Replace yourdomain.com with your site’s URL. On the last line, omit the www. portion if that is your preference.
If you don’t have access to your .htaccess file, then you’ll have to find a WordPress plugin that automatically redirects all your HTTP traffic to HTTPS. A couple of possibilities are: https://wordpress.org/plugins/really-simple-ssl/ and https://wordpress.org/plugins/https-redirection/.
Nice article, now I go to upgrade my web to HTTPS. Thx
Will CloudFlare’s free/flexible SSL fulfill these requirements?
As a web-based scribe for more than a dozen years with WordPress running my two sites now for “10” years this is going to be an arduous implementation. I have thousands and thousands of posts online and tens of thousands of images loaded up which are all going to need fixing in the code somewhere or generate endless “404” pages.
They need to offer some sort of find/replace editorial function in Jetpack to allow easier fixing operations or a plug-in that will locate and swap the http for https for us. I also don’t have a hosting that feels the WordPress user base is sufficient enough for them to offer this https for free so will only be making the switch when it’s an urgent item to address and if I notice statistical rankings dropping. I just don’t have the time to do all the editing in a piece by piece fashion. We are a text and photographic magazine with nothing being sold or need for vital user information stocked and stored. Good luck to all in this, I will be watching this topic going forward.
Two things I found when switching to HTTPS:
1. You have to log in once more to the HTTPS version of your website.
2. The plug-in “Easy HTTPS (SSL) Redirection” was very useful, and helped force-change all HTTP requests to HTTPS.
It would also help that if WordPress is forcing HTTPS, that they provide a utility to change all hard-wired URLs to either (a) the HTTPS version; or (b) make URLs relative.
SSL is easy to implement. Like most things, it just seems hard the first time.
To avoid mixed content warnings and to update all your https urls in one click use this. Just make sure you back up first (updraft plugin to dropbox).
https://wordpress.org/plugins/better-search-replace/
Also, make sure you don’t lose your Social Share Counts when you move the site to HTTPS! Shareaholic plugin just released a new feature that addresses this.
Thank YOU! The Shareaholic plugin saved us a bunch of time and was able to recover our Share Counts after moving to SSL.
We have three sites up and put SSL on two of them. It took us about 2 hours on the first site and about 20 minutes on the second site using CPanel. We paid $9 a year for each SSL. Tracking down insecure content is a PITA, but the easiest method on Chrome is to use the F12 key.
Great, the cost of WordPress sites just went up $60 bucks a year. That is not a decision WordPress should force on the admins who use it.
There are plenty of free SSL certificate providers to choose from.
Great news!
Looking forward to have major hosting providers providing free SSL for all WordPress installations.
It’s a great thing both for internet users and developers.
I think you can also get a free SSL certificate from CloudFlare.
Nice article!
Cloudflare is a good option to get HTTPS set up for free. I’ve noticed a few web hosts saying that they’ll set it up for your WordPress site for under $20 as well.
I have already upgraded to SSL, thanks to Cloudflare.
Nice Article Arnaud!
I’ve implemented https:// on several websites and with the plugins ‘easy https redirection’ and ‘insecure content fixer’ it wasn’t more than an hours work. The latter is very useful when you get a mixed content warning in your browser window. This happens, for instance, when you host an image on your page that’s from a http website.
If you still can’t find the culprit when you get mixed content warnings, try the free tool ‘whynopadlock’ (just google it :)). This tool helped me out with a larger site.
Use a DB search-replace tool to find potential mixed content sources. Just type any ‘http’ query in the search box and see what comes up. Then fix it.
Hope this helps for anyone who feels challenged.
Hi Mike
I used CloudFlare with a client site whose host provider does not provide a free SSL certificate, and it worked great.
The article you referenced says, “2017 is going to be the year that we’re going to see features in WordPress which require hosts to have HTTPS available.” You make it sound like we have to have SSL to have WordPress. Fake News
Nobody said anything about SSL being required to run WordPress, we simply linked to a post written by Matt Mullenweg, founder and release lead for WordPress, in which he said that certain features will require SSL to work.
He gives examples: “Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.”
I’ve edited the post to be more clear.
You don’t need to have it. Not if you are not selling anything on your site or are not storing user data. There is absolutely no need for it, regardless whether “Google likes it” or not.
I have no intention of adding it to any of my sites. They are article sites where the reader does nothing but read and leave. We do not store any of their data, so https is nothing but an added level of security that is simply not needed.
As for Google preferring it, Google is not god. And as more and more people are moving to other search engines (I now use Duck Duck Go exclusively) they will have less and less power.
Thank you! I’ve been saying this ever since this SSL push started. SSL is only needed if you’re storing or passing sensitive data or payment information. For the majority of blogs out there, like this one, it is completely useless. I’m glad to see someone else preaching common sense.
Unfortunately this is not always that simple. I tried Let’s Encrypt’s SSL through a site called SSL for Free and I got my SSL certificate. However when I uploaded to my cPanel in ByetHost and switched to https, I got an error message that my certificate is configured incorrectly. I did some research and I found out that this is due to the fact that my server doesn’t have the intermediary certificate of the certificate signer uploaded and therefore cannot trace my certificate back to a trusted certificate. And the free host plan doesn’t include resolving this issue. So the free certificate only works if you get premium hosting and the Let’s Encrypt SSL is part of your control panel.
BULLSHIT
There are no excuses to force someone to use HTTPS. If you want to warn bloggers of the benefit of using it, just do!
But forcing everybody to adopt a new technology by removing the compatibility with the legacy is AGAINST ALL SOFTWARE ENGINEERING PRINCIPLES!!!! And the only reasonable explanation is that WordPress is making a profit off the extra fee all the hosts charge the customers for providing SSL certificate.
If HTTPS is so important and you are so concerned about it why not provide an SSL certificate for free for all users? Stop lying to people!
WordPress is community-developed software, it isn’t an entity that makes a profit.
Also, most decent hosts are providing SSL for free.
I just changed my website to https. I am not sure it was worth it for this reason alone.
All my social media including on two Facebooks and Pinterest have links to pages on my website that do not link. Yes, they do link to the home page but not to a direct page, nor do any of bitly links work. I am talking of thousands of posts. Just so you know. I am heartbroken. Now fewer people will be going to my website. I am not now sure it was worth going to https. Sure I am more secure, but, well see above.
Well, my clever webmaster fixed all the links on social media and they now all work everywhere. But it is something to check so I will leave the original post.
HTTPS makes our site trusted by users; it can also make your site more valuable for advertisers. So, I think every blogger must have “https” in their site.
My experience with HTTPS.
I have updated my eCommerce site last year and although everything was set up right including all htaccess redirects my rankings dropped and now after 5 months still have not come back.
There are many articles out there that warn not to jump too fast on the HTTPS train and wait. I think that a site that does not ask for any information like a review site does not need a HTTPS right now.
Ed
I use A2 Hosting. They’ve made it a breeze to set up Let’s Encrypt. However, if you’re lazy, they will do it for you gratis. After it is implemented on the server, you will need the free plugin “Really Simple SSL”. This plugin changes your site/links to https and redirects all http traffic to your new https.
Thank you for the article. It was very informative.
But I do wonder about one thing. When we set up a free SSL certificate on our hosts, for example by using Let’s Encrypt, which option do we need to use for SSL on Cloudflare?
I’m assuming it should be “Full SSL” and not “Flexible SSL”. Is this correct and is “Full SSL” available on Free Plan?
That would be a question for Cloudflare support.
Thanks for your article. We already moved to https://. Of course, after moving to https://, our SERP results also improved. I’m not sure, but I’m thinking that Google just gives little boosts to websites that have a secure connection.
Thanks for this article. I have already done https://. Also, after this my site is so responsive and secure.
Really fed up of Google making all the rules. I suffer from MS so managing my site is difficult at times, and I’m forever having to change something or other. But what bugs me the most is I use Paypal for checkout so the only place anybody entering any sensitive information (or any information of any kind for that matter) would be at checkout. Paypal’s checkout is obviously secure so what’s all the fuss about.
Anyway I’ve got myself an SSL certificate, then had to work out how to generate an .htaccess file, done that, added the necessary text etc, added the SSL info in Cpanel, changed the URL to https and I STILL get the “Not secure” warning in Google Chrome.
Seems to me instead of being a simple tweak everything I need to do seems to be a new learning curve, something else to try to work out and another half-day down the pan with no benefit at the end of it.
Sorry about the moan but just so frustrated with it all.
Thanks for the article. SSL certificate is important.
I installed my SSL certificate on my VPS with certbot (letsencrypt). Quite fast and easy. Thank you!
Nice article. Thanks for the update. I’ve got to start working on upgrading my blog. Thanks again.
I will buy SSL.
Thank you for this article. Months ago I attempted to get an SSL on my web site which is hosted by Host Gator. I purchased the SSL and tried to get it installed. I was online and on the phone with the company I purchased it from as well as Host Gator, and never could get it installed. I am at a loss as to what to do. Any suggestions as to someone who could help me with this?
Our site does not ask for any info but there is a subsidiary page that is password protected. If I protect the home page with SSL, does that protect the subsidiary page as well? or do I have to ensure protection at each level?
I added my sites to Cloudflare and received a free SSL certificate. Now I am happy as my sites all show a green padlock in browsers.
Don’t change your .htaccess file; it’s unneeded. Also no support in Nginx. You may do so using a plugin – https://wordpress.org/plugins/force-https-littlebizzy/
@Kamir (or anyone interested)
It is still free on GitHub:
https://github.com/littlebizzy/force-https
https://packagist.org/packages/littlebizzy/force-https
“For certain features to function.” This is very vague. When I set up a staging site as a subdomain, it is not https, even if the main site is. HOW, pray tell, will it affect WHICH EXACT FEATURES. This article is useless without this information. Matt’s article you linked to does not point out exact features either. Please clarify, or reword your fear mongering!
Awesome article. Thank you so much, it helps me a lot!
Great comment. Thank you for helping out the community!
First of all I would like to say awesome blog! I had a quick question that I’d like to ask if you don’t mind. I was curious to know how you center yourself and clear your mind prior to writing. I have had a difficult time clearing my thoughts in getting my thoughts out there. I do enjoy writing however it just seems like the first 10 to 15 minutes are wasted just trying to figure out how to begin. Any recommendations or tips?
Thanks!
We spend a good amount of time planning what we’re going to write about, what the subject of the post will be and what points we want to write about and what the conclusion and goal of the post will be. Once we’ve done that, it’s much easier to sit and write the post. Success is really all in the planning.
I hope this helps.