SSL Certificates & Your Website
Google has formally announced a firm date (January 2017) for all new versions of the Chrome browser to mark sites that use a password without an SSL Certificate as insecure. Since every website that uses a Content Management System (like WordPress) uses passwords for users to log in, this would include your WordPress website.
Starting with version 62 of Chrome (release date of October 2017), a NOT SECURE warning will be shown when users enter text in a form on a non-secure page. This is all part of Google’s long-term plan to mark all pages served via HTTP as not secure.
Although Google Chrome is just one of many browsers used by the public, it is used by approximately 60% of users as of July 2017 and represents the single biggest platform for visitors on your site. Other companies such as Microsoft (Internet Explorer & Edge – 21%), Mozilla (Firefox – 13%), and Apple (Safari – 4%) are also following suit in an effort to protect internet traffic.
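To see which pages on a site fall under the two Chrome rules described above, the following added example (not part of the original article, and a simplified approximation rather than Chrome's actual logic) scans a page's HTML for password and text-entry fields and reports the rule that applies when the page is served over HTTP. The function names, the list of input types and the `example.test` URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Input types a visitor can type into (assumption: a simplified list).
TEXT_TYPES = {"text", "email", "search", "tel", "url", "number", "password"}

class FieldScanner(HTMLParser):
    """Records whether a page contains password or other text-entry fields."""
    def __init__(self):
        super().__init__()
        self.has_password = False
        self.has_text_entry = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "textarea":
            self.has_text_entry = True
        elif tag == "input":
            # An <input> with no type attribute defaults to a text field.
            kind = (attrs.get("type") or "text").strip().lower()
            self.has_password |= kind == "password"
            self.has_text_entry |= kind in TEXT_TYPES

def audit_page(url, html):
    """Return the warnings the article describes for this page, if any."""
    if urlsplit(url).scheme.lower() == "https":
        return []  # served with a certificate: neither rule applies
    scanner = FieldScanner()
    scanner.feed(html)
    findings = []
    if scanner.has_password:
        findings.append("password field on HTTP (January 2017 rule)")
    if scanner.has_text_entry:
        findings.append("text entry on HTTP (Chrome 62 rule)")
    return findings

# Constructed sample pages (not taken from any real site).
LOGIN = ('<form action="/wp-login.php"><input type="text" name="log">'
         '<input type="password" name="pwd"></form>')
CONTACT = '<form><input name="email"><textarea name="msg"></textarea></form>'
STATIC = "<p>Opening hours and directions</p>"

if __name__ == "__main__":
    for url, html in [("http://example.test/wp-login.php", LOGIN),
                      ("http://example.test/contact", CONTACT),
                      ("https://example.test/wp-login.php", LOGIN)]:
        print(url, audit_page(url, html))
```
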
What is an SSL Certificate?
An SSL (Secure Sockets Layer) Certificate is used to protect traffic to and from a website on the internet. Most people are familiar with this as the type of technology used by banks to securely provide online banking services or e-commerce stores such as Amazon to safely take your payment information. This protection stops third parties from intercepting the information and potentially stealing or editing your valuable data.
What does this mean for my website?
Starting in 2017, Google will potentially rank your SSL-less site lower than competing sites which have an SSL. Additionally, all current versions of modern browsers will begin warning visitors that your SSL-less site is now less secure (see above). For security-conscious individuals unaware of the change this will be a very large warning sign; many other users may not even notice the Not secure warning.
The next step for Google is to switch from marking sites without an SSL as being Not secure in a benign, light grey icon and text to something much more alarming to the average internet user.
These changes are being slowly rolled out and are now inevitable. It is not a case of if they will happen but when they will happen.
What do I need to do to fix this?
First of all, nothing is broken; this is a change in how Google (and soon, other companies) will treat content on the internet. This isn’t a matter of fixing your site so much as upgrading its security to meet the new standard. The fix is relatively simple – we just need to add an SSL to your website.
The catch is that if you are using the most affordable type of hosting for your website, called Shared Hosting, you will also need something called a Dedicated IP Address. A Dedicated IP Address gives your specific website an exact address inside your shared hosting account that doesn’t change over time. Without a Dedicated IP Address, the SSL does not know exactly which site on the server that holds your Shared Hosting account should be protected.
Both an SSL and the necessary Dedicated IP Address are available from all hosting companies for a fee.
You will need to install an SSL Certificate and a Dedicated IP Address.
Since these changes were first announced two years ago, we have been keeping an eye on the situation and have been monitoring the continued drop in the pricing for Dedicated IP Addresses and SSL Certificates. What was once a luxury feature for e-commerce sites has become a more standard offering at a lower price point.
If you are currently not accepting financial information (online payments for e-commerce) or are not collecting sensitive private information (information for credit checks) then you likely do not have an SSL Certificate.
All of the hosting companies that we have recommended to our clients currently offer SSL Certificates and Dedicated IP Addresses, either separately or as a bundled service. Fees for a Dedicated IP vary but generally range from three to five dollars per month on an annual plan. Fees for an SSL are often in a similar price range of three to five dollars per month on an annual plan. Bundled services will typically be priced between $76 and $99 per year.
If you are not sure what your current host charges, feel free to contact us.
Here are some of the most common questions we have been receiving about this topic.
What if I am already accepting e-commerce payments?
If you are currently a client of Simply Ducky Designs and you are accepting payments without an SSL Certificate, it is because you are using a third-party service such as PayPal to safely process payment elsewhere. You should still add an SSL Certificate to your website for the same reasons as listed above.
If you are not currently a client of Simply Ducky Designs and would like to now install an SSL Certificate, please contact us.
If you knew about this upcoming change for two years, why wait so long?
Although the change in how the Google Search Engine would rank non-SSL pages and how Google Chrome would display non-SSL URLs was announced some time ago, the reaction of many hosting companies that offer shared hosting was not known.
Rather than set our clients up with a Dedicated IP Address and SSL Certificate at a time when they were seen as premium options on many shared hosting accounts, Simply Ducky Designs opted to wait until pricing and policies at many hosting companies adapted. For example, hosting companies offering shared hosting have reduced pricing on a Dedicated IP by over 60%; still others now bundle both an SSL and Dedicated IP together; and most encouragingly – some are looking at enabling the latest update to cPanel which allows for the AutoSSL plugin to automatically request and issue an SSL for your domain.