As we all know by now, Google is giving a small rankings boost to sites using SSL. In the past month, I’ve seen a huge increase in the number of people asking me whether they should implement SSL on their sites to benefit from this supposed increase in rankings.
As someone who has recently switched to sitewide SSL after years of using it only for certain pages, my (probably infuriating) answer is, “It depends.”
SSL – Is it necessary?
If you sell products? Probably. If you’re taking credit card payments directly on your website, you definitely need SSL in place to encrypt your customers’ credit card information. However, that doesn’t necessarily mean you need it on your entire site; you might decide to use SSL only on store or checkout pages, for instance. If you use PayPal exclusively to accept payments, you don’t need SSL since customers aren’t paying you directly.
If you offer memberships? Maybe. If you run a membership site, free or paid, SSL might be a good idea. After all, your members are giving you their email addresses, names, and passwords, all of which they likely use on other sites. Do you really want to risk being responsible for a security breach that results in your members’ information being spread across the whole internet?
If your visitors submit sensitive information via forms? Maybe. If your site’s visitors are submitting any personal information, documents, photos, etc. via forms on the site, you might consider SSL to keep that information safe. I won’t even talk about HIPAA compliance as that’s a whole separate issue (and in my opinion, the answer there is not using WordPress at all), but you might be surprised how much information you collect about your visitors even if you don’t sell products or offer memberships or subscriptions.
If your site is only a blog? Probably not. If you have a blog with no products, no memberships, no nothing except blog posts and maybe a contact form, SSL would be a waste of time, effort, and money. Any possible benefit from Google would be too miniscule to count.
Things You Should Know About Sitewide SSL
I mentioned that I recently changed this site to use SSL globally. Here were my reasons for doing so:
- Trust. When I visit a site where I intend to make a purchase or pay an invoice, I’m looking for that green padlock whether I’m on the checkout page or not. Since quite a bit of money passes through my site, I want partners and clients to know their information is safe.
- Experimentation. Just how painful is the transition to full SSL? Will I really see any increase in search traffic? I wanted to find out.
- Future-proofing. In the next year, I’ll be launching a number of new projects, products, and services that will require SSL across a few subdomains. I figured it was better to figure that out now than to wait until the week before launch.
All that said, the process of moving my site toward universal SSL was not an easy one, and I absolutely recommend against it unless you have a real reason for doing so. (In case you’re wondering, “Because Google said so” isn’t a real reason.)
Here are just a few of the challenges I encountered:
Social shares: Change all the permalinks on your site to use https, and guess what? Now all your social proof is gone! I lost all the Google+ comments on my posts as well as all my social share counts. It still hurts my feelings just thinking about it. Luckily I use the Social Rocket plugin and was able to get my share counts back.
Speaking of social…. Most social share plugins use non-https URLs for the various social network popup boxes. This can result in (1) social icons that don’t display at all, (2) that ugly non-green padlock in the browser bar, and (3) mixed content errors and/or warnings. I was “lucky” enough to experience all of the above while transitioning my site, and it required quite a bit of work to get my buttons working again.
Internal links: I’m still in the process of hunting down and replacing my internal links. While I do have a 301 redirect in place, I prefer to keep everything uniform across the site and to create links that don’t require the redirect (future-proofing yet again).
Random plugin problems: You haven’t seen plugin problems until you try to use SSL on your entire website. I couldn’t believe how many of my plugins were completely unequipped for that kind of transition, causing error after error that had to be resolved by either contacting the developer and begging for a patch or changing plugins altogether.
Webmaster Tools: The online consensus seems to be that you should remove and re-add your site in Google’s Webmaster Tools (or at least do a change of address) and submit a new sitemap to force re-indexing of your site using https. I did this and noticed an abrupt and immediate drop in my search traffic. Will it recover? Most likely. But I’ll have to wait and see, since it’s still too early to tell.
Load times: The “handshake” required to load a website over SSL leads to longer load times. Using SPDY at the server level (among other tweaks) can help with this, but there’s still a bit of latency that is driving me crazy.
SSL – Is it worth it?
This site has been all-SSL for about a month as of this writing. Benefits I’ve noticed are (1) a lower bounce rate (higher trust?), (2) fewer questions or concerns from people making payments on the site, and (3) the learning experience of a changeover where everything possible went wrong.
I buy my SSL certificates from Namecheap Disclosure: If you click this link and make a purchase, we earn a commission. This doesn't cost you anything extra. , which is also where I register all my domains. The process is very simple, and their support was great in helping me get everything set up on my server.
If you’re worried that you might miss out on a teeny boost from Google because your site isn’t using SSL, I vote that you stop right now and find something else to do. I haven’t personally experienced any improvements in search rankings since making the switch, though that could change. Even so, the headaches it took to get here probably aren’t worth any benefits Google might give me, especially since Google could take those same benefits away just as quickly as it gave them. (Authorship, anyone?)
Update January 2018: Over three years after the switch, I’ve had a noticeable increase in search traffic here on the site. However, since my traffic wasn’t terribly impressive in the first place, I’m not sure how much stock I put in sitewide SSL as a guarantee of improved rankings. I’ve also made a number of other changes that could account for the higher numbers. My verdict? SSL can’t hurt (if it’s implemented properly), but content will always be king.
For me, sitewide SSL has been worth the effort because of my future plans for my business, as well as the current pages on my site using forms to collect information from visitors. That said, SSL is not the answer for everyone, nor should it be.
All Nuts and Bolts projects are built on the Genesis Framework because we believe it's the most stable and well-supported framework available. Our partners love it and so do we - once you try it, you'll never use another WordPress theme!
Comments are now closed for this article.
Thanks Andrea! I’ve worked with SSL certificates for enterprise (Windows servers, ugh), web services but haven’t thought of it yet on a WordPress site with all the pieces and parts.
FYI - I just got the email today about a new post on your blog, I wonder why it took so long to alert me? Maybe you were SSL-ing 😉
Hi Ginger,
Thanks for dropping in! I think I had an issue with my feed caching… Been experimenting with some changes on the server and I might have broken something. Hopefully the next one will opt to go out on time!
It’s definitely a pain for a WordPress site, but once it’s there, you really don’t have to think about it anymore. So at least there’s that. 😀
Very helpful Andrea! Thanks for writing up your experiences. Since it’s been another month, do you have any updates to offer, either in terms of site ranking and/or performance? Also, we’d be very interested to know about plugins that you had to swap out for the SSL thing, if you’re able to share (not looking to bash any specific plugins, just trying to be aware of potential landmines that we could be facing). This post was super timely for us so THANKS AGAIN!
My rankings seem to be slowly bouncing back. Traffic is back up to where it was prior to the switch - maybe a smidge higher, but not a dramatic increase. The worst offenders I dealt with as far as plugins were my social sharing plugin (LOTS of changes needed to work with SSL) and Genesis eNews Extended. I ended up changing my opt-ins to use Gravity Forms instead since it was already SSL-ready.
The biggest problem you’ll have is plugins that use http URLs, which will cause mixed content errors on your blog posts. My pages were fine, but blog posts were a disaster. Seemed like everything on the screen was insecure and loading over http instead of https. Definitely make sure your host’s technical support team is up to the task so they can help with troubleshooting!
Glad to know your traffic and rankings are back - that must’ve been disconcerting to say the least! The additional info on plugins and posts is really helpful. Thanks for the follow-up and also for your always-useful content here.
Hey Andrea, I’m going to be switching my site over to all-SSL later this week. I am bummed that I will be losing my social counts… Wanted to ask a few follow up questions:
How did you resolve the internal links with regards to future-proofing. Did you change them to ‘https://’ or just ‘//’?
Did your search traffic pick up again?
Thanks!
I used Search Regex and changed all internal links to https - I probably should have left them as // but I don’t plan to EVER undo all the work I did, so it’ll be fine. 😀
My search traffic is back with a vengeance! It took about 6-7 weeks, but right now I’m hovering around a 30% increase from where I was prior to the change. That is probably not totally related to the SSL switch, but I’ll take it. It’s still depressing to look at all my lost G+ comments and lost social counts (G+ counts came back once the site was reindexed, but the comments themselves didn’t), but overall I’m glad I made the change. I’ve got some major site changes coming up - not a redesign, I swear - and it will make things a lot easier.
Switching to TLS/SSL is the halfway to activate SPDY and get an improvement in connection speed (specially with mobile devices). And the added plus of traffic encryption
Did it for some customers of mine and they noticed a speed improvement along the added security (they insist on log in to their websites thru questionable networks - Starbucks wi-fi et al.) So their password is not available to eavesdropping.
Is a lot of work for an existing website, but easy peasy for a newborn one.
Very true! SPDY made a huge difference in my site speed after the switch. From now on, any sites that I plan to monetize will have SSL out of the gate - you are 100% correct that it’s super easy for a brand new site. I wish I would have done it from the beginning.
Andrea,
Interesting post. I recently put SSL on my website (as I got one certificate free with my hosting) and noticed the yellow triangle effect. I read here as well as elsewhere that this is pretty normal for a wordpress site. I use genesis as well but my site is a blog and not a store. Sounds like time fixing the yellow triangles on some of my pages may not be worth it. I think I’ll leave up the certificate and ignore any of the kinks. Thoughts?
Hi Brandon,
It’s actually pretty easy to take care of the mixed content errors - I looked at a few of your blog posts and it’s the images that aren’t loading securely. You can ask your host to put in a 301 redirect so that everything on the site loads over SSL, which should take care of internal images. External ones may have to be updated manually, which is a pain, but you could use something like Search Regex to find and replace all the URLs.
Hi Andrea,
Thanks a lot for your ideas about ssl.
I am setting up a rather big city guide/directory in WordPress, wich will contain around 2000 listings. The listings are fee, but within a year, I will give people the opportunity to claim their listing and put extra data (video, opening hours, photo galleries, tickets etc..), for which I would charge a small amount. So it should become a small shop.
Ans when the first city guide works fine, I paln to create guides for the other cities in Belgium aswell..
In this case, then I will probably need ssl…?
Thanks for your expert advice!
Leen
Belgium
What would you recommend?
If people are submitting personal information and making payment directly on the site, you’ll need SSL. If, though, you use an outside payment processor, you may not need SSL. It really depends on whether you want people to pay directly on the site via credit card, or whether you plan to take them offsite to pay via other means.
Hi Andrea,
Sure appreciate all the information. I host and admin a couple of sites, mostly for non profit’s involved in Puppy Mill Awareness and dog rescue. One of them has an Amazon Shop page using a free Woo Commerce theme and checkout is handled on Amazon. I also have an Amazon shop, again Woo Commerce. Neither of them really generate any money, I don’t know if they are worth keeping up or if they help with credibility in any way.
I do however wonder do I need or should I have SSL for the one site specifically, I have an online dog adoption form that collects a lot of private information. I am really just doing these sites to help them, I don’t profit and I am more or less just doing this as a hobby, I am disabled currently so it gives me something to do and feel useful.
Should I be seriously considering SSL for in particular that site with the application form?
My host provides a wildcard certificate or a standard, they state the following:
“The Standard Alpha SSL certificate will work without a security warning for the domain chosen but will display a security warning for any subdomain of this domain. You can choose the Alpha WildCard SSL if you would like to have no warnings on subdomains.”
Should I be seriously trying to set something up? and if so Wildcard or Standard.
The sites are all WordPress and hosted through SiteGround.
Many Thanks
Hi Greg,
Thanks for stopping by! Personally, I would err on the side of caution and would probably use SSL on the site where you’re collecting personal info. I’d hate to have to explain to people that their names, addresses, etc. were exposed if the site ever got hacked. SSL won’t prevent hacks or malware, but it does ensure that the information is submitted securely and is less likely to be vulnerable.
If you only need SSL for the one site and it doesn’t have any subdomains where you’d need it (like members.domain.com or apply.domain.com), the standard SSL certificate should be fine. I don’t know what Siteground charges, but I have SSL certificates for several of my sites that were only like $15 for 3 years - I purchase mine through Cheap SSL Security.
Once you have the certificate, you’ll need to decide whether to switch the whole site over to SSL or only the page with the adoption form. It’s probably easiest to only enable it on the page with the form, but that’s entirely up to you. There are several plugins available that will help you control it on a page by page basis. I hope that helps!
Hello Andrea,
Great info. Did you use a WildCard SSL?
Hi David,
I originally used a wildcard SSL certificate since I have several subdomains that also needed to be protected. However, I recently switched to an extended validation certificate, which gives the company name w/ green bar in the address bar (vs. just the green padlock). You can’t get a wildcard EV certificate, so I had to buy what’s called a multi-domain EV cert instead. It’s basically the same thing but there is a limit on how many domains you can secure. If you ever needed something like that, I’d highly recommend calling Namecheap - their support team went over everything with me so I’d understand the differences between the types of SSL certificates and let me know what I needed to purchase based on what I needed to do.
We don’t sell products online, but do offer an upload of the file they would like an estimate or print from. I figured SSL not necessary, but now I get this error about it may not be safe? Would it quit the notification if I removed the upload form?
It looks like your site is using https, which requires an SSL certificate. If you don’t plan to use one, the URL should use http instead. That’s why you’re seeing the privacy error when you visit the site.
Hello, Thank you for this blog. This is June 2017, but this is still soooo relevant.
Question:
Do you know if it protects external affiliate links from being hacked or redirected?
If not, will it do nothing but look good in google for a basic blogger? Does it protect my website from any hackers?
Your experience has really helped, The hassle is a bit worse that I had hoped.
I may not need an ssl, but I guess I have to comply, to keep up with internet changes. Plus, WordPress has said that eventually, their updates may not work on http.
Thank you for preparing me for the hassles.
The aftermath was great for you, so I will just have to have, fun with them! Thanks Mary
I don’t think SSL will protect your site from being hacked - you’ll still need a security protocol for that. It’s far easier now that Let’s Encrypt is available from most web hosts, though, because it’s quick and free to implement. Many WordPress plugins have been updated to accommodate SSL as well.