Take a look at the URL of your small business website in your browser. Does it show a little padlock icon (that has more than a passing resemblance to a handbag) next to the URL of the website?
That little padlock shows that you have an SSL or Secure Socket Layer Certificate installed. If you see it next to your website URL, you can congratulate yourself on your spectacular life choices in hiring a good web designer.
For a fun thing to do on a dull afternoon, you can click on the padlock to show you some intensely fascinating information about your connection with the website.
Keep clicking the arrows, and you will eventually be able to find out how many times you have visited the site (or how many visits since your last full clear of your history and cookies in your browser).
But What If There’s No Padlock?
Lately, we are seeing more and more new web design clients whose existing websites don’t have padlocks or SSLs.
Does your site look like one of these examples? Then, this article is for you.
Why do you need a padlock (… and what the heck is an SSL)?
Having a padlock next to the URL of your website in your browser means that your website has an SSL certificate installed.
What does an SSL do?
An SSL Certificate (or Secure Socket Layer Certificate) ensures that all visitor’s personal data sent to or from your site is scrambled by 2048 encryption. This means that all communications between visitors to your website and your website are encrypted and safe.
While SSL doesn’t stop hackers from getting into your site, it protects your visitor’s private information and stops man in the middle attacks, eavesdropping and data tampering for your clients.
SSLs are all about your client’s safety and security and are a crucial way to build trust in your website.
In the past, not having a padlock on your website was not a barrier to doing business. However, more and more website visitors will either not enter any personal data of any kind on a website (including simple contact forms) or will simply leave your site without even looking around without the padlock being in place.
Not having a padlock on your website is a bit like leaving prawn shells in your wheelie bin during summer for more than a couple of days. Not having a padlock is a bit on the nose and turns people off.
Then Google Got Involved
Google wants to make the web safer for users, so back in 2014, it started to reward websites that had SSL with a ranking boost in search returns.
This worked well for a while and many businesses moved to add SSLs, but Google wanted full adoption across the web.
In January 2017, it started to display a Not Secure warning in Chrome if a page required you to enter a password or credit card details.
From October 2017, it started to show a Not Secure warning on any page where people enter their details onto a form, and from July 2018, any website without an SSL was slapped with the warning.
In other words, since 2018, Google has considered your website as a bit “suss” if you don’t have an SSL installed, which has probably cost you rankings and clients.
If you want people to see your business as trustworthy and safe, you need to upgrade your website and install an SSL.
Which SSL Should You Get?
There are five main types of SSL Security Certificates.
Domain Validation (DV) SSLs – These are the most common SSLs and verify the domain name of the website. These are ideal for general information sites common to most small businesses.
Organisation Validation (OV) SSLs – These are the next level SSLs and demonstrate a higher level of vetting of an organisation’s physical and legal presence. OV SSLs deliver a higher level of trust and are ideal for sites offering e-commerce options.
Extended Validation (EV) SSLs – Offer the highest level of SSL security as they require extensive vetting of an organisation’s business details. These are commonly used by government organisations, corporations or businesses with larger e-commerce stores.
Multiple Domain (SAL) SSLs – Subject Alternative Name SSLs (also known as Multi-domain or Unified Communication Certificate (UCC) SSLs) are for businesses with several domain names, and who want to simplify their server configurations. (e.g. https://yourdomain1.com.au, https://yourdomain2.com.au)
Wildcard SSLs – Wildcard SSLs let you protect any number of subdomains with a single SSL certificate. (e.g. https://training.yourdomain.com.au, https://memberships.yourdomain.com.au)
Good web hosting includes free Domain Validation SSLs from places like Lets Encrypt as part of their hosting package.
Higher level SSLs can usually be purchased through your host, domain name registrar or CDN such as Cloudflare.
In the majority of small business websites, a free DV SSL is all that you need, and you don’t need higher level SSLs. If you are not sure what level you need, talk with your web designer who can walk you through the options to suit your business.
One thing to remember, if your web hosting package does not include a free SSL, then move hosts! This should be standard across all good web hosts.
How Do You Convert Your Site To SSL?
There are 7 main steps to converting your site to SSL:
- Install an SSL at your hosting.
- Update your WordPress General Settings to https://.
- Change all URLs across your site (including all images and attachments) to the https version of your URL.
- Debug any mixed content.
- Add in an http to https redirect in your .htaccess file.
- Adjust your robots.txt file if it hardcodes in a link to your XML sitemap.
- Update your Google Analytics and Search Console to reflect the https version of your site.
Why An SSL Plugin Is Not Enough
Unfortunately, the proper conversion of your site to SSL is not as simple as getting a certificate installed on your host and shoving in a plugin like Really Simple SSL (no matter what so-called experts try to tell you).
The problem is every page URL, logo, image, favicon, and every link on your website has been coded to your current URL: http://www.mywebsite.com.au.
Adding an SSL is as if you have moved to a new address, so all your mail needs to be changed to your new address https://www.mywebsite.com.au.
Whacking in a plugin to handle the redirection is the same as putting in a mail redirection at your local post office. Your mail goes to your old address where your local postal sorting worker then remembers you have moved, gets out a sticker with your new address on it, sticks it on the envelope before putting the letter back into the mail system to be reprocessed before finally being delivered to your new address.
SSL redirects via a plugin adds load time to your website and have many potential breakdown points. It also fails if you turn off your plugin at any point.
Given website speed is a critical SEO factor, you don’t want to do anything that slows down your site.
You also need your Google Analytics and Search Console to be updated to minimise any problems with Google not-knowing that you have changed your address and insisting on trying to send potential clients to your old address.
If you are not tech-savvy, then you need to budget for a web designer to correctly do the migration for you (… and if they suggest just adding in a plugin, then find another web designer who will do it properly).
Fixing SSL Errors
When you get an SSL certificate installed and move to https, you should have someone to recode your site to ensure every URL across your site has been updated, and your site renders correctly without any warnings or problems, before finally putting in code to ensure that anyone who follows old links will find the new ones.
Correctly migrating to an SSL takes a bit of detective work to track down all the hidden parts of your theme and plugins where old URL paths are lurking. Miss just one of them, and the padlock in your browser gets a line through it, and you get a warning that parts of the site are not secure.
If you have not correctly migrated your site to an SSL you may see what is known as a mixed content warning such as, “Your connection to this site is not fully secure.” This tells you that there are one or more URLs in your website still pointing to the old http version of your site and not the https version.
One way to find the problem is through running your page through a site such as “Why No Padlock” to help identify the problem areas.
Given that Google has been flagging sites without SSLs as being insecure since 2018 if your site still does not have a padlock, then it’s time you added migrating your site to SSL to your “To Do’ list.
In many cases, it’s also an excellent time to reconsider a redesign of your website.
We build all our new small business websites with an SSL certificate correctly installed as standard (if you use decent hosting). That means there’s one less thing for you to worry about and added peace of mind for your clients!