Your WordPress site is going to be more secure this year – Or Else …

HTTPS, or “secure” HTTP, is a technical protocol that’s getting a lot of buzz right now. You’ve probably heard techies recommending it because it is more private, more secure, and all around better for a website’s visitors – and it doesn’t hurt that Google gives you a small SEO boost if you use it.

Now Automattic, the main developer of WordPress, has said that it is going to limit certain features so that they will only work with WordPress sites that use HTTPS. Automattic founder Matt Mullenweg laid out the roadmap in a blog post:

First, early in 2017, we will only promote hosting partners that provide an SSL certificate by default in their accounts. Later we will begin to assess which features, such as API authentication, would benefit the most from SSL and make them only enabled when SSL is there.

FYI: an SSL certificate is one of the requirements for adding HTTPS to a site, but it’s just one of many steps (I’ll explain more later).

Mullenweg’s announcement matters because Automattic makes Jetpack, an immensely popular plugin that adds a couple dozen useful features like a contact form, visitor stats, and upgraded comments, to self-hosted Wordpress sites.

Some of those Jetpack features are going to stop working if a site doesn’t have HTTPS.  We don’t know which features yet, but logic suggests the most likely possibilities include features where privacy is paramount – features like a contact form, visitor stats, and comments.

So if you use Jetpack, or one of the other WordPress plugins developed by Automattic, you should be concerned.

If you have not upgraded to HTTPS, now would be a good time to start the process.

Step One will be to ask your hosting company how to go about it. They will probably send you a link to instructions. Those instructions will be incomplete, but they will be a good start.

Go ahead and read those instructions, but before you follow them you should also read about the fifty-eleven problems you might face.

  • Edit: Many hosting companies won’t tell you anything more than that you need to get an SSL certificate. That’s where to start, but that’s not the only step.
  • Almost no one thinks to mention this, but if you use Google Search Console then you will need to set up a new entry in your GSC account for the HTTPS version of your site. This may sound strange but Google sees the HTTPS site as separate from the older HTTP version.
  • If you use Google Analytics, you will need to enable the setting that tells GA that the correct version of your site is HTTPS, not HTTP.
  • You should also look at cleaning up any broken links, badly formed pages, manual actions, or any other problems that might affect your SEO. If Google thinks you are running away from problems by switching to HTTPS then they might penalize you.
  • If you rely on social sharing to establish your credibility/popularity, you should be aware that your share counts will vanish when you switch to HTTPS.  Sharing plugins like Social Warfare Pro or AddtoAny can help you get your numbers back up.
  • Be prepared for HTTPS to cause conflicts with plugins, or for it to break important features on your site in unexpected ways.
  • Also, don’t be surprised if it doesn’t work right away. I have added HTTPS to a dozen existing sites, and each site required the software equivalent of hitting the equipment with a large wrench. It’s not always a clean process but we did get it to work eventually.

In all honesty, I think HTTPS causes enough pain for the average blogger that the frustration exceeds the benefits.

But it is also the wave of the future, so unless you want to be left behind, your site needs HTTPS.

And I can help. If you get stuck, send me an email and I’ll help you figure out the next step.

image by photobyleigh

About Nate Hoffelder 33 Articles
After six plus years of running The Digital Reader, Nate is a veteran web publisher with experience in design, maintenance, recovery, and troubleshooting. What little he doesn't know, he can learn.

6 Comments

  1. Excellent article. I just switched to HTTPS but wasn’t aware of the possible side-effects. Will be checking this out. Cheers!

  2. This is terrible news. I just signed a contract with HostGator, which charges for HTTPS certificates. I may have to start by moving to another hosting site that makes it part of the setup.

    • Almost all hosting companies charge for HTTPS. How much does Hostgator want?

      To be honest I wouldn’t be too worried about this today, or even this year. It’s not a critical issue yet.

      But everyone is pushing in this direction, so in the long run everyone is going to need to add HTTPS to their site.

  3. Funny, I had discovered this about two months ago (when I learned that Chrome will be showing warnings in October). My webhost greengeeks provided next to no information, pointing to CloudFlare (which I am trying to figure out).

    I realize that Automatic and others are helping users to solve this problem, but setting up https is nontrivial; it may also entail extra costs to purchase your own certificates. I have a feeling it will become an annual cash cow for hosting services and domain providers. Several free solutions currently exist, but they are not user-friendly. I am looking to implement a free certificate this weekend — wish me luck! Thanks tons for that tip about Google Search Console.

Leave a Reply

Your email address will not be published.


*