Understanding Google’s HTTPS Changes – Are You Ready?
In October, Google is making some important changes to the Chrome browser and how it functions. Here's how you can make sure you're ready for them.
by Ryan Sullivan
WordPress | WordPress Security
In October our team is offering our http to https migration service to anyone, even if you don’t have one of our monthly protection plans. This is pretty rare for us, but we want to see a more secure web, so we’ve made an exception. Pricing starts at $400 and you can review the details of our service here. When you’re ready to move ahead, get in touch with our team and we’ll make plans help you be part of a more secure web!
In October Google is making changes to the Chrome browser and how secure browsing is handles. This change will impact millions of websites as Google pushes for a more secure web more aggressively than ever before. The Google Chrome browser will start marking any text input as “Not Secure” starting in October of this year. Any day now!
Starting in January websites using HTTP were marked as insecure if they had credit card or password fields. This wasn’t a concern for most website owners because don’t have a public-facing member login, and use PayPal or another offsite payment processor to accept payments.
The WordPress admin login page was marked as insecure, but results from one of our customer surveys showed site owners weren’t worried because only they’d be able to see the “Not Secure” login pages.
Fast forward to April and Google announced they’re be ramping up secure browsing efforts even more to include protection of all data customers and users enter into a website.
In their own words:
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites.
So what exactly does that mean?
Don’t let your email marketing fail
The graphic Google uses in their own blog post shows a search field displaying the “Not Secure” message, so we know that search fields will certainly be impacted by this October update. Let’s look at a few other common types.
This update is going to cause a huge disturbance in the lead capture world. If you’re doing lead capture or email marketing on your website, move your site to https immediately. The alternative is to watch your conversion rates plummet, because they most certainly will.
If you’re using a service like MailChimp, Emma, Drip, or Convertkit, they’re certainly using secured connections throughout. However, it’s your job (or ours! Hey ?, get in touch here) to secure the form where the capture happens.
This change is coming in October! Meaning, any day now.
Can your customers connect with confidence?
Lead capture is an important part of any business, but what about the simple ability for people to contact your business? What if that suddenly went away?
Contact forms are going to display the “Not Secure” message when served on an http page. This is the equivalent of a background nag on a phone call whispering “sorry for the interruption, a hacker is probably listening to your call”. People are going to turn away immediately and look to a competitor who has that comforting green lock.
Here are some other types of form fields that you can expect to trigger the “Not Secure” warning in Chrome:
- Order Forms
- Comment forms
- Event Registration Forms
- Search fields
- Online calculators (mortgage calculators, etc)
WordPress plugins we trust to handle HTTPS
You can find many of these on our Best WordPress Plugins article. We’ve tested these plugins and know they’ll work seamlessly over HTTPS for you. If you’re using any of these plugins it also means that you’re collecting data, so the move to HTTPS is more important than ever.
- Gravity Forms (our favorite!)
- Caldera Forms
- Ninja Forms
- Contact Form 7
- SearchWP (our favorite!)
Event Registration Forms
I know my website needs HTTPS. Now what?
If you’re not using HTTPS on your website yet, you have three primary options:
Perform a DIY HTTPS conversion
If you’re able and have confidence to do this on your own, go for it! This isn’t a project for the faint-of-heart due to a plethora of moving pieces, but we love it when people take the learn-by-doing approach to web projects.
The one warning I’ll add here is that you should start on a website where it doesn’t matter if things go sideways. Don’t make your business your guinea pig. Start small and work your way up to more challenging and complex problems.
Kinsta has a great in-depth guide for making the move to HTTPS if you want to try this route.
Contact your web host and ask for HTTPS
This is a fine option depending on who your web host is. We’ve seen some horribly botched HTTPS implementations, and we’ve seen some great ones as well. In fact, I’d even go as far as to say that the specific technician assigned to implementing HTTPS by your web host could make or break the success of the move.
We’ve put together a comprehensive breakdown of each web host’s SSL/TLS product offering, including how easy or difficult it is to setup which you can check out below. If you don’t see your host in the list, leave a comment and we’ll update the table.
If you have your host handle the move to HTTPS, there are two major things to check for once the change is done.
- Do you see any errors on your website? Obviously if you have issues with content loading or strange redirects happening, something went wrong with the HTTPS change. We notice these issues most commonly with ad networks and incorrect CDN setup.
- Does all of your traffic seamlessly flow from http to https? Use a tool like HTTP Status to make sure you only have one 301 Permanently Moved redirect happening. You want to avoid multiple redirects, or any response codes other than 301. Your results should look something like this.
Sidenote: There are dozens of other things to check too, but these are the most important.
Have WP Site Care do the heavy lifting
Our team handles dozens of HTTP to HTTPS conversions every month and we do it across all sorts of hosting companies and strange server environments. I like to think when it comes to http to https conversion, we’ve seen some things.
When we move a customer’s website to https, it isn’t just about changing URLs or installing certificates, we go through a thorough checklist to make sure everything is done to the highest standard. We love to do work we can be proud of.
The details of our http to https service
Here’s what’s included in a typical http to https WordPress conversion from WP Site Care:
- Installation and setup of SSL/TLS Certificate – We setup your certificate using your web host’s product, Lets Encrypt, or another third party certificate from an authority like Digicert.
- Google Search Console Registration – We create a new entry for your website within Google Search Console to indicate to Google that an https version of your website will soon be available
- Update WordPress URLs – We update all of your domain URLs to use the new https protocol using a search and replace tool like WP-CLI
- Implement 301 Redirects – We ensure all old non HTTP URLs auto-redirect to the new corresponding HTTPS URL. We handle this for non-www and www subdomains to ensure all traffic is landing on the proper page without more than one redirect
- Regenerate Sitemap and Submit to Google Search Console – Google will need to know where to find your new sitemap, so we generate your new sitemap and submit it to them to crawl and review.
- Mixed Content Error Validation – We make sure that none of your site assets are being served over HTTP URLs and causing display or other types of issues
- SSL/TLS Validation Through SSL Labs – We verify the quality of the SSL/TLS implementation with SSL Labs server test.
- Google Analytics Property Update – We update your property in Google Analytics to track https traffic so you have the most accurate traffic data.
Special circumstances we can help with
Some more advanced services we’ve been asked for in the past and that are available for additional fees are
- Setup and configuration of HTTPS for Content Delivery Networks
- Validation of Third-Party Ad Networks for HTTPS Readiness
- Pre and post migration tracking for changes in search rankings
- Audit of HTTPS conversion performed by a web host or another vendor
Of course the greatest benefit of having our team handle it is that you don’t have to worry about it and it just gets done.
Don’t delay, HTTPS is here to stay (HA, it rhymes)!
We fully support Google’s push toward a more secure web, and at the same time we don’t want small businesses to suffer because of this change. That’s why we’re offering our HTTPS service to everyone, even if you don’t have one of our monthly plans. It’s very rare that we do this. Pricing starts at $400 and we can provide a same day quote for pretty much any website. Reach out to our team and we’ll help get your website fully ready for https and a more secure web!
Can you please add Lunarpages to your list of web hosts’ SSL/TLS product offerings? Thank you.
Hey there! The table has been updated to include LunarPages as well. Thanks for the suggestion!
I wish you made a roundup post featuring Black Friday/Cyber Monday deals regarding SSL products. 🙂
Hi, title of the article and text don’t match. Title tells that Google is going to make some change in HTTPS protocol, but article tell about UI-related changes in Chrome.
I appreciate the attention to detail but I think most people understood what was being communicated. Also, Google can’t make changes to the HTTPS protocol since it’s a web standard. We’re definitely not trying to be misleading. Just trying to speak the same language as most of our readers!
Thanks for the share Ryan, very informative article!
How bad can these https changes affect a website?
Thanks Ryan Sullivan for beautiful information, such a good article related HTTPS topic. I am a website developer at 360 Website Design Sydney and know the importance of SSL certificate.
Ryan, release appears to be pushed to November, according to chromereleases.googleblog dot com. There’s also an animation on blog.chromium dot org that shows what it will look like. It appears to be a subtle notice that appears only if you start entering information (Incognito mode shows it all the time). A good solid nudge for web admins without overly alarming users.
To solve this problem can we redirect http://www.example.com to https://www.example.com
through webmaster tool in the case if we have both urls.
Hey Jordan, you will need to registered the https version of your website in webmaster tools, but you’d do the redirect at your web host or with your domain registrar. Let us know if you have any additional questions!
HTTPS has become a scare and money making tactic for many hosting providers. Many of them aren’t offering free SSL’s and scaring clients that their website is unsucure, will drop in Google etc, which leeds them to upselling their certificates. Personally I haven’t seen a big shake in SERPs and http only websites still ranking high.