I wrote, a few months back, about the importance of having an SSL certificate on your website even if you don’t offer online shopping.
In a nutshell, Google has been really trying to move us towards a safer web for all by encouraging the use of SSL certificates on all websites, not just those that might ask for sensitive information like credit card numbers.
You see, an SSL certificate acts like a secret envelope for passing information between your website and the person viewing your website so that nefarious entities can’t intercept the traffic that flows between you and possibly do bad things with it. Just like at the Oscars where the accountants hand off a sealed envelope to the presenters and ensure that no one can see who won until the presenter opens it on stage.
Well, Google is getting ready to up the stakes on that again.
Last month, they announced that starting in July of 2018, the Chrome browser will show ALL non-SSL sites as insecure. <insert big, dramatic ♫ dunt-dunt-duhhhhn!! ♫ here>
And with somewhere in the vicinity of 55-60% of people using Chrome as their web browser, as a responsible website owner, this isn’t something you’ll be able to ignore.
So given the looming critical nature of having an SSL certificate on your site, I wanted to share a rundown of what all you need to take into consideration when you’re setting one up (because unfortunately, it’s not just a slap-it-on-and-go situation).
Here are the 7 steps you need to be sure you cover when installing and configuring the SSL certificate on your website:
- Procure your certificate
Either purchase one or take advantage of a free option if you can. Many web hosts these days offer a free SSL certificate that is going to be more than adequate for your needs here, even if you’re running eCommerce on your site. If your web host doesn’t offer the free version, an SSL certificate will typically run you about $60/year. But either way, working through your web host for this step will be the easiest route to take.
- Install the certificate on your hosting package
If your web host does offer the free SSL certificate, chances are, they’ve given you a way, via your cPanel (or whatever hosting admin application they provide you) for installing the certificate. If you have to purchase your certificate, typically they’ll install it for you.
- Get a good, full backup of your website before proceeding any further.
If something goes awry, you want to be able to easily get back to where you started. A full backup is the best way to do that. Don’t rely on your web host for this step.
- Make sure your theme files don’t have any non-secure links embedded in them.
This one may be a little tricky and might require some bravery on your part to pore through a dozen or so files’ worth of code. But basically, you want to make sure none of your theme files have an “http://” reference hard-coded within them, which will cause a page to appear as “Not Secure” when that particular theme file gets used.
- Make sure none of your content has hard coded http:// links in it.
This one isn’t super easy to track down. Places to check for this are: in the body of your blog posts and pages, in your menu, and the big gotcha is the images you use. More often than not, the images are where I find the hidden little buggers that are causing a page to show as Not Secure.
- Flip the switch to SSL and verify.
Once you’ve done all of the above, this step is really pretty straightforward. It’s just a matter of telling WordPress that it should display all your web pages and posts as https://. You want to do this in your WordPress dashboard under SETTINGS / GENERAL by changing your Site Address (URL) to be https://mysitename.com.
Ensure that your old non-ssl pages get automatically redirected to the new SSL pages (because Google does view these as 2 different pages). This could involve an extra plugin to help you manage that if you’ve got a lot of content.
And then be sure you browse through all of your web pages to make sure that glorious little green icon is showing in the address bar for you.
- Fix your Google Analytics account.
The last step is to make sure you update your Google Analytics account so that it is appropriately collecting and tracking data from your site as https:// and not http:// (and yes this matters).
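For steps 4 and 5 above, one way to hunt down hard-coded http:// references is to scan a page's HTML for them. This is an added example, not part of the original post; the function names and the example.com sample markup are constructed for illustration, and it flags only references the browser loads as part of the page (images, scripts, stylesheets, inline CSS backgrounds).

```python
import re
from html.parser import HTMLParser

# Attributes that fetch a file as part of the page; <a href> is navigation only.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> kinds that load a file
HTTP_URL = re.compile(r"http://[^\s,\"')]+", re.IGNORECASE)
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each insecure reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        names = FETCH_ATTRS.get(tag, ())
        rels = set(attrs.get("rel", "").lower().split())
        if tag == "link" and rels & LINK_RELS:
            names = ("href",)
        line = self.getpos()[0]
        for name in names:
            for url in HTTP_URL.findall(attrs.get(name, "")):
                self.findings.append((line, tag, name, url))
        # Inline CSS, e.g. style="background: url(http://...)"
        for url in CSS_URL.findall(attrs.get("style", "")):
            self.findings.append((line, tag, "style", url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup; example.com is a placeholder domain.
SAMPLE = """<a href="http://example.com/about">About</a>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<link rel="stylesheet" href="http://example.com/theme/style.css">
<link rel="canonical" href="http://example.com/">
<div style="background: url('http://example.com/bg.jpg')"></div>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Run it against the saved source of a page (View Source in the browser); each finding gives the line, tag and attribute to change to https://.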
So that’s it. Not exactly point and click but not horribly pain-inducing either.
You don’t want Google to be waving a big red flag in front of your site visitors come Summer, so it’s a great time to jump on this particular bandwagon.
If you’d like some help getting an SSL certificate set up for your website ahead of the July deadline, please feel free to reach out to me. 🙂