Understanding Google’s HTTPS Changes – Are You Ready?

In October Google is making changes to the Chrome browser and how secure browsing is handles. This change will impact millions of websites as Google pushes for a more secure web more aggressively than ever before. The Google Chrome browser will start marking any text input as “Not Secure” starting in October of this year. Any day now!

Starting in January websites using HTTP were marked as insecure if they had credit card or password fields. This wasn’t a concern for most website owners because don’t have a public-facing member login, and use PayPal or another offsite payment processor to accept payments.

The WordPress admin login page was marked as insecure, but results from one of our customer surveys showed site owners weren’t worried because only they’d be able to see the “Not Secure” login pages.

Fast forward to April and Google announced they’re be ramping up secure browsing efforts even more to include protection of all data customers and users enter into a website.

In their own words:

Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.

So what exactly does that mean?

Don’t let your email marketing fail

The graphic Google uses in their own blog post shows a search field displaying the “Not Secure” message, so we know that search fields will certainly be impacted by this October update. Let’s look at a few other common types.

Putting a cursor in either of these fields will display a “Not Secure” message in the browser bar.

This update is going to cause a huge disturbance in the lead capture world. If you’re doing lead capture or email marketing on your website, move your site to https immediately. The alternative is to watch your conversion rates plummet, because they most certainly will.

If you’re using a service like MailChimp, Emma, Drip, or Convertkit, they’re certainly using secured connections throughout. However, it’s your job (or ours! Hey ?, get in touch here) to secure the form where the capture happens.

This change is coming in October! Meaning, any day now.

Can your customers connect with confidence?

Lead capture is an important part of any business, but what about the simple ability for people to contact your business? What if that suddenly went away?

Putting a cursor in any of these fields will result in a “Not Secure” browser message.

Contact forms are going to display the “Not Secure” message when served on an http page. This is the equivalent of a background nag on a phone call whispering “sorry for the interruption, a hacker is probably listening to your call”. People are going to turn away immediately and look to a competitor who has that comforting green lock.

Doesn’t this lock just make you feel good?

Here are some other types of form fields that you can expect to trigger the “Not Secure” warning in Chrome:

• Order Forms
• Comment forms
• Event Registration Forms
• Search fields
• Surveys
• Online calculators (mortgage calculators, etc)

WordPress plugins we trust to handle HTTPS

You can find many of these on our Best WordPress Plugins article. We’ve tested these plugins and know they’ll work seamlessly over HTTPS for you. If you’re using any of these plugins it also means that you’re collecting data, so the move to HTTPS is more important than ever.

Forms Plugins

• Gravity Forms (our favorite!)
• Caldera Forms
• Ninja Forms
• Contact Form 7

Search Plugins

• SearchWP (our favorite!)
• Relevanssi

Event Registration Forms

• Event Espresso 
• The Events Calendar

I know my website needs HTTPS. Now what?

If you’re not using HTTPS on your website yet, you have three primary options:

Perform a DIY HTTPS conversion

If you’re able and have confidence to do this on your own, go for it! This isn’t a project for the faint-of-heart due to a plethora of moving pieces, but we love it when people take the learn-by-doing approach to web projects.

The one warning I’ll add here is that you should start on a website where it doesn’t matter if things go sideways. Don’t make your business your guinea pig. Start small and work your way up to more challenging and complex problems.

Kinsta has a great in-depth guide for making the move to HTTPS if you want to try this route.

Contact your web host and ask for HTTPS

This is a fine option depending on who your web host is. We’ve seen some horribly botched HTTPS implementations, and we’ve seen some great ones as well. In fact, I’d even go as far as to say that the specific technician assigned to implementing HTTPS  by your web host could make or break the success of the move.

We’ve put together a comprehensive breakdown of each web host’s SSL/TLS product offering, including how easy or difficult it is to setup which you can check out below. If you don’t see your host in the list, leave a comment and we’ll update the table.

If you have your host handle the move to HTTPS, there are two major things to check for once the change is done.

1. Do you see any errors on your website? Obviously if you have issues with content loading or strange redirects happening, something went wrong with the HTTPS change. We notice these issues most commonly with ad networks and incorrect CDN setup.
2. Does all of your traffic seamlessly flow from http to https? Use a tool like HTTP Status to make sure you only have one 301 Permanently Moved redirect happening. You want to avoid multiple redirects, or any response codes other than 301. Your results should look something like this.

Sidenote: There are dozens of other things to check too, but these are the most important.

Have WP Site Care do the heavy lifting

Our team handles dozens of HTTP to HTTPS conversions every month and we do it across all sorts of hosting companies and strange server environments. I like to think when it comes to http to https conversion, we’ve seen some things.

When we move a customer’s website to https, it isn’t just about changing URLs or installing certificates, we go through a thorough checklist to make sure everything is done to the highest standard. We love to do work we can be proud of.

The details of our http to https service

Here’s what’s included in a typical http to https WordPress conversion from WP Site Care:

• Installation and setup of SSL/TLS Certificate – We setup your certificate using your web host’s product, Lets Encrypt, or another third party certificate from an authority like Digicert.
• Google Search Console Registration – We create a new entry for your website within Google Search Console to indicate to Google that an https version of your website will soon be available
• Update WordPress URLs – We update all of your domain URLs to use the new https protocol using a search and replace tool like WP-CLI
• Implement 301 Redirects – We ensure all old non HTTP URLs auto-redirect to the new corresponding HTTPS URL. We handle this for non-www and www subdomains to ensure all traffic is landing on the proper page without more than one redirect
• Regenerate Sitemap and Submit to Google Search Console – Google will need to know where to find your new sitemap, so we generate your new sitemap and submit it to them to crawl and review.
• Mixed Content Error Validation – We make sure that none of your site assets are being served over HTTP URLs and causing display or other types of issues
• SSL/TLS Validation Through SSL Labs – We verify the quality of the SSL/TLS implementation with SSL Labs server test.
• Google Analytics Property Update – We update your property in Google Analytics to track https traffic so you have the most accurate traffic data.

Special circumstances we can help with

Some more advanced services we’ve been asked for in the past and that are available for additional fees are

• Setup and configuration of HTTPS for Content Delivery Networks
• Validation of Third-Party Ad Networks for HTTPS Readiness
• Pre and post migration tracking for changes in search rankings
• Audit of HTTPS conversion performed by a web host or another vendor

Of course the greatest benefit of having our team handle it is that you don’t have to worry about it and it just gets done.

Don’t delay, HTTPS is here to stay (HA, it rhymes)!

We fully support Google’s push toward a more secure web, and at the same time we don’t want small businesses to suffer because of this change. That’s why we’re offering our HTTPS service to everyone, even if you don’t have one of our monthly plans. It’s very rare that we do this. Pricing starts at $400 and we can provide a same day quote for pretty much any website. Reach out to our team and we’ll help get your website fully ready for https and a more secure web!