If you don’t want the Chrome browser scaring your visitors away, here’s what you need to know…
Pages with any kind of form field on them should start with https:// instead of http://.
The “s” stands for secure and encrypts any data submitted through your website’s forms.
If you aren’t using encryption on those pages, starting in October 2017, Google Chrome users visiting your website will see an intimidating “NOT SECURE” message.
Yes, that means your email opt-in forms will trigger this warning too. That’s what makes this relevant to so many site owners.
If your page is encrypted, Chrome will display a padlock and the word “Secure” next to your website URL in the address bar.
Don’t Be Afraid to Ask for Help
Let me start by saying this.
If all this techy stuff makes you nervous, please call your host and ask for help. They may have even better suggestions than I do.
I’ll be mentioning that a lot in this post, so please take my advice if you feel uncomfortable with any of these steps.
I’m doing a lot of disclaiming here because this post is more about a heads-up than a tutorial. Where you host your site will largely determine your steps.
Did You Receive This Email?
If you have a Google Webmaster account and your site is not yet secure, you might have received an email like this…
It lists all the pages that will show a “NOT SECURE” warning in October. The page you see listed above has an email opt-in form on it.
Most of you do not need this to encrypt credit card purchases on your domain. You’re probably using a 3rd party that has encryption already.
You are doing this to prevent annoying Chrome warnings on opt-in and form pages.
That’s why this announcement impacts so many people. I mean, who doesn’t have at least one page on their site with some kind of form?
How to Get Free Encryption
I have dedicated hosting for my most profitable websites through LiquidWeb (affiliate link).
Many hosting plans (especially high-end plans like VPS and dedicated) offer free AutoSSL. See if your host has this.
It took all of 3 minutes for the tech guy to set it up on my server.
Next, I installed the Real Simple SSL WordPress plugin to instantly redirect all my pages from http:// to https.
If you’d rather not use a plugin for redirects, you can manually set this up with your .htaccess file. Call your host and have them set it up.
To verify that SSL is working, I went here to validate it.
Also, I’m not by any means saying this is the best way. It’s just the way I chose to do it, and it also seems to be a very popular and fast option for WordPress users.
If Your Host Doesn’t Have AutoSSL Yet…
I don’t think most of you need to switch hosts or upgrade your plans — especially if you only have a few pages with opt-in boxes and other simple forms.
The video below also shows another FREE way of encrypting your website without buying an SSL certificate.
It’s called Let’s Encrypt, and here are the hosts that support it.
Don’t forget to PLEASE backup your site and database before making any of these changes.
To those of you using Website Palace (GoDaddy), I did call support yesterday because I also have a few sites hosted there on my reseller store as well. We can use Let’s Encrypt (above) but it’s a manual install. The bottom line is, call support and have them walk you through if you choose to install it. I may not even bother since mine are smaller, less significant sites.
Why Doesn’t Everyone Support Let’s Encrypt?
Honestly, hosting companies want you to buy an SSL certificate. So it comes down to money at the end of the day. But I don’t think most of you need to do this.
Thankfully AutoSSL and Let’s Encrypt are slowly rolling out to more and more hosts.
Free AutoSSL vs. Paid SSL Certificate
I won’t even pretend to fully understand all the technical differences between the free AutoSSL and a paid SSL certificate that you purchase from your host.
So anyone who is a pro at this techy stuff, feel free to fill me in.
As long as the web browser shows my site is secure and it validates, then I see no need to buy a traditional SSL certificate.
My web host agreed.
Plus, I’m not taking orders from any of my websites directly. I’m using 3rd party sites, and they already have SSL.
Again, I’m mainly doing this to prevent those Chrome warnings on form (opt-in) pages.
Do You Really Need Encryption?
Yes and no.
If you are taking payments directly from your domain then YES!
If you are not taking payments or collecting sensitive data directly from your domain, you don’t need it from a customer data protection perspective.
That’s not going to stop Chrome from displaying the “NOT SECURE” message on opt-in pages and any other pages that include form fields.
Also, in 2014 Google introduced SSL as a “weak ranking signal.” Well, now it’s a stronger signal. See this article.
So if your site’s reputation with Google is something that concerns you, that’s another reason to look into this.
What About Notifying Google of The Change?
Did you register your website with Google Webmaster Tools?
This is where you verify all the sites you own with Google.
In a Q&A last year, John Mueller of Google confirmed that the engine is smart enough to figure out the change from http to https (provided nothing else changes in your URL).
However, he said you should still add the https version of your site as a new “property” in your Google Webmaster Tools account since it is seen as a separate site.
Also, I use the Google XML Sitemap plugin, and thankfully all my canonical URLs in my post/page headers and sitemap automatically updated to https.
If all this tech talk confuses you, once again, I recommend calling your host. This switch to https has been a VERY standard procedure lately so they should be able to guide you.
Let’s Sum Up Your Options (For WordPress)…
- If you collect sensitive data directly on your domain (credit cards, addresses, etc.) then you should definitely encrypt your pages. You can use AutoSSL or the Let’s Encrypt option in this video.
- If you still need to redirect your pages from http to https, use the Really Simple SSL WordPress plugin to redirect your pages from http to https. Easy breezy!
- If you do not collect sensitive data, then you can wait for your host to get AutoSSL, Let’s Encrypt or do nothing. Just remember, Chrome will warn your visitors on your pages with form fields.
- If you take orders via a 3rd party site instead of your domain, just ensure the order page starts with https:// or customers will be warned. Most 3rd party sites have taken care of this already.
- You should only consider buying an SSL certificate if none of the free options work and you collect orders directly from your domain.
- After your site has been encrypted with AutoSSL or Let’s Encrypt, validate your site here.
How Important Is This Really?
This is definitely something you should not ignore, but don’t lose sleep over it either.
Google warned us that using https would become a stronger ranking factor over time. Does that mean they will just drop all sites that don’t?
I doubt it, but you might move down a few spots for certain keywords — especially on pages with forms.
It’s really hard to know, and I’d be lying if I said I knew for sure. I just don’t keep up with SEO the way I used to.
If you are one of those people who follows everything Google says to the letter and you are very concerned about your rankings, then you should act on this sooner than later.
I’m actually more concerned about the Chrome warnings scaring people away.
Just remember, if you have opt-in boxes on every page, that means they will all will trigger a “NOT SECURE” message in Chrome starting in October.
Not a good look.
Suggestions Are Welcomed and Encouraged
If anyone would like to offer additional suggestions and advice on SSL/encryption, please feel free to leave comments below.
I have not used Let’s Encrypt yet (the option in the video), so if anyone wants to share their experience with this, feel free to do so.
If your host offers AutoSSL or Let’s Encrypt, feel free to share the name of the company below.
Just remember, you have until October when Chrome will start warning your visitors that your form field pages are not secure.
If you could do me a big favor and tweet about this blog post using the link below, I’d appreciate it.
[clickToTweet tweet=”On 10/1, Chrome will label your website ‘Not Secure.’ Here’s the scoop!” quote=”On 10/1, Chrome will label your website ‘Not Secure.’ Here’s the scoop!”]