HTTPS is a hot topic right now — with Chrome penalising sites that don’t have it, and Google rewarding those that do, more and more websites are making the move.

As a Managed WordPress Hosting company, our support desk receives all sorts of questions about WordPress, website tech, and the meaning of life. (Okay, that last one not so much.)

We’ve certainly received a lot of questions about HTTPS, which we’ve answered both as emails and as articles in our support Knowledge Base — which we’ve now compiled into this handy blog post.

1. Why should I move to HTTPS?

If you have a website, we strongly recommend you upgrade it to HTTPS. If you don’t do it now, chances are you’ll want (or need) to do it in the next year or so anyway. It’s better to be ahead of the game than play catch up down the track. Check out this article on Google’s Developers page for more about why it’s so important.

HTTP stands for “Hyper Text Transfer Protocol” and is the protocol that sends data between your browser and the website you’re reading. HTTPS is “Hyper Text Transfer Protocol Secure”, and is the secure version of this protocol — instead of being sent as-is, the data is encrypted before making its journey. This is particularly important when sensitive data is being shared, such as on online shopping and bank websites.

Until recently, sites running financial transactions were the main users of HTTP; but that’s changing. Now, every respectable website should have at least the basic level of SSL certificate, which is the tool used to encrypt the data.

So, why move to https?
HTTPS:

  • Is the future of the internet.
  • Protects your site from intruders.
  • Keeps your users’ data safe.
  • Speeds up your site (due to http/2, which is only available for HTTPS sites).
  • Gives you slightly better SEO.
  • Allows many new web platform features to work.
  • Is required if you don’t want a big “not secure” label on Chrome.
Example.com is not secure.
Example.com is not secure.

2. What is an SSL Certificate?

SSL is what makes https domains work.

SSL stands for Secure Sockets Layer. This technology creates an encrypted connection between the server hosting your website and the web browser your visitors are using. This allows private information to be transmitted securely, for example credit card details for online purchases.

You will usually see a padlock icon in your address bar if a site is using SSL, or alternatively the address bar could be green. Plus, the website address will begin with HTTPS rather than the standard HTTP (without the s on the end). If you want to use HTTPS on your website, you need an SSL certificate.

3. What are the different types of SSL certificate?

There are three different types of SSL certificates available. All three of the certificates will encrypt information, the difference is in the level of information that is verified about the owner of the website.

1. Domain Validation (DV)

A Domain Validated SSL certificate is the most basic of the certificates, and is designed to prove that the owner of the URL has the right to use that domain name. The CA will send an email to the domain owner, and once the owner responds, the certificate is issued. The certificate does not show a validated company name as this will not have been checked during the validation process.

2. Organizational Validation (OV)

The next level of SSL certification is the Organizational Validation (OV) certificate. This is the minimum level of certification recommended for ecommerce transactions, as it contains an acceptable level of information about the company running the transaction. In this case, the CA will validate the company name and the domain name (and possibly other information related to the domain) by using public databases. The certificate will include the company name and the domain name that the certificate was issued for.

3. Extended Validation (EV)

EV Certificates are the most authenticated of the three options, as more information about the company running the website is validated. The CA will validate the company name, the domain name, the company’s address (place of business), the registration entity and registration number, and any other pertinent information about the company.

Secure
The idea is to keep your site secure.

4. Will moving to HTTPS affect my share counts?

Upgrading to HTTPS is a finicky process, and the forums are full of conversations of upgrades gone wrong. One of the most common issues is the loss of social share counts when an SSL certificate is installed. For example, before the upgrade perhaps your social share bar shows that an article has been shared 20 times on Facebook, 24 times on Twitter, and 16 times on Pinterest. After the upgrade, one or more of these numbers may be reset to zero.

Example of a social shares bar
Example of a social shares bar

This is because social sites see the HTTP and HTTPS versions of websites as two completely different sites.

Some social share plugins do a good job of maintaining social shares after the change. Generally, they do this by storing the shares from the HTTP version of the site in their system, then adding on the new, HTTPS shares to give a total. We’ve found that the Social Warfare premium plugin does a good job of this:

So if you have that plugin, it is very likely that your social shares won’t be affected.

If you don’t have Social Warfare, or if you have one and find that your social share counts are affected after moving to HTTPS, purchasing Social Warfare after the upgrade is an option. It can gather the shares from the HTTP URL even after the site has been moved to HTTPS.

Important note:
Please be aware that these plugins rely on the social media networks making the old share counts available. If Facebook or another social media network changes their system to make it harder to access the old share counts, there’s not a lot the plugin can do about that.

We’ve been speaking to the Social Warfare developers about this, and they commented:


“We’ve noticed recently that many social networks (including Facebook) are changing their APIs to make recovery more difficult. From their point of view, maintaining old count numbers creates unnecessary workload for the API and it’s much easier to only calculate shares for current/accessible URLs. Obviously this is very distressing for us since recovery is a large part of our plugin’s appeal.

Right now LinkedIn and Pinterest are still 100% recoverable, but the other networks are hit or miss. Our development team is working to find a way around the API changes, but it doesn’t look good at this moment.”

This increased risk of lost social shares isn’t great. However, we still recommend you go ahead with the upgrade — it’s better to get on to HTTPS sooner, to start building new social shares on the new URL.

We have an HTTPS upgrade service that is available for our hosting clients. If you’re a hosting client who is considering moving to HTTPS (which we highly recommend), you can purchase that here. We have been seeing some great results for the sites that have signed up for this: I looked into two sites in detail and both saw an 8% increase in traffic comparing the week before the upgrade and the week after. An excellent improvement.

If you’re not a hosting client, sign up here.

Want your site to be more secure?
Want your site to be more secure?

5. Why do you charge for an HTTPS upgrade?

Some people have asked why they would pay for this service, when some hosts offer an HTTPS upgrade for free. That’s a great question!

We initially hoped to offer the HTTPS upgrade for free for all of our hosting clients, but when we looked into what it takes to do it well, we realised that it actually takes us four to five hours when we take into account all the extra updates and troubleshooting we do. This means that the price we’re charging really is a deal — it’s a fraction of the price we would charge on an hourly rate.

We believe that HTTPS is the future of the web and want to give all our clients that competitive advantage as easily as possible, hence the low rate.

Other service providers that do the install for free are mostly offering an automated install, with no troubleshooting, no updates to Google Analytics or Google Search Console, no testing for mixed content errors or broken links. Basically they’re offering a ten-minute service in comparison with our four-hour one. We want to make sure everything’s working well, so we really do need to devote a fair bit of time to each site.

Remember, an HTTPS upgrade isn’t just for sites that take payments or record personal details — it can give even the most basic site a competitive advantage. Read more about the service, and sign up, on our HTTPS page.

Note: This article contains affiliate links.