Your SSL Installation May Not Be Right

Your SSL Installation May Not Be Right - Please Check!

Published: Wed, 11/01/17

I've been working on this email for more than a week now and was planning on a detailed, accompanying post with pictures to help but this is such an issue that I just need to get this message out there fast so here goes!

If you've been keeping up with SEO news you already know that your site should have an SSL certificate in order to achieve its best ranking potential.

An SSL certificate is what allows your site's URL to change from http to https. The certificate adds a layer of protection to the way data is transmitted between the site and a visitor's browser.

Google announced in 2014 that they were starting to use https as a ranking factor in their algorithm. It was only a lightweight factor at the time and may still be so BUT changes are coming that will warn visitors that a site is not secure if it does not have an SSL certificate in place.

Read this article on how eventually ALL pages that do not have https will show a warning to visitors:

https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html.

This could cause you to lose traffic even if your site does not collect any private data from visitors. When a visitor sees a big warning label on a post on your site, they're most likely going to leave.

Most hosting companies offer customers the option to purchase an SSL certificate and some even offer a free SSL certificate. Bluehost's Shared hosting plan - my affiliate link - for example, allows for a free SSL for each domain.

I start all of my sites out on Bluehost's shared hosting and then switch them to my Managed WordPress hosting once I have enough traffic. I saved a fortune in getting free SSL for each of those newer sites.

But buying the SSL certificate and having your hosting company put it on your server (because that's what has to happen first) is NOT enough.

At the very least there's one other thing you have to do and for older sites there are probably a few other steps to complete.

Do You Have SSL?

In some cases, you may have an SSL certificate available for your site and not even know it. Some hosting companies provide one for free and they're not all very good at telling you what to do next.

If you have one and don't know it, you likely haven't taken the steps to complete the installation of that SSL certificate and this could mean you have two versions of your site's URL that could be indexed in Google (http and https). Not only will your Google reports be incorrect but that could mess up your rankings in Google.

To check, bring up your website in your browser by using http at the beginning of the URL and then by using https at the beginning.

If you can see your site content under both versions of the URL (even if the content looks funny under one version of the URL or the other) then you have an SSL certificate for your site but the installation is not complete. You need to redirect your http version to the https version of your site's URL. See the section below on Redirecting Your URLs.

If you see a message saying your site is insecure or not private when you try to access it through https then there is no certificate in place on your site. If you think there should be one in place, contact your hosting company for support.

If you get the insecure or not private message and you know you don't have an SSL certificate then you're fine - you simply haven't done anything with SSL yet.

Redirect Your URLs

If you have an SSL certificate, you don't want the http version of your URL to be indexed in Google or accessible to site visitors. You want that version to redirect automatically to the https version of your URL.

If you're an htaccess file whiz you can do that yourself with some code in that file. For most, though, using a plugin like this is far easier: https://wordpress.org/plugins/really-simple-ssl/.

Install and activate the plugin. Upon activation, you should see a message that explains whether or not the plugin has detected the SSL certificate for your site. If it has, then go ahead and click the final button to let the plugin complete the setup. (See the plugins page on WordPress.org for detailed instructions regarding additional setting changes you can use to speed up redirection response times.)

If you see a message saying the SSL certificate can't be detected and you believe you have a certificate, contact your hosting company for support.

Google Webmaster Tools and Analytics

You're not done yet! Google Webmaster Tools treats the http and https versions of a site as two different entities. You need to set your https URL up in Google Webmaster Tools as a new property if you want to have access to the right data regarding your website.

You also need to change the Property and View Settings in Google Analytics to show that your site's URL starts with https.

See this post for help in completing these steps: https://really-simple-ssl.com/knowledge-base/how-to-setup-google-analytics-and-google-search-consolewebmaster-tools/

Search and Replace

If your site already had content on it when you set up SSL you may have posts that include links to the http version of your site's files instead of to the https version. You need to find and replace those links in order for each post to show as being secure.

You can use the WordPress Better Search and Replace plugin (https://wordpress.org/plugins/better-search-replace/) to do this for you.

Do a search for http://yourdomain and replace it with https://yourdomain. (If you use the www in front of your site's URL then remember to add that into both the search and replace strings!)

Test with Developer Tools

All of the above might still not be enough to complete your SSL installation - particularly on an already developed site.

If you're using SiteLock or a CDN, you might find that the certificate isn't getting picked up when you visit your site.

I struggled with one site because I use paid SiteLock on that site. I had to download the certificate from Bluehost and upload it to my SiteLock dashboard before it would work.

The Developers Tools feature of Google Chrome can help you identify any issues. Bring your site up in Google Chrome, go to More Tools and choose Developer Tools. Click on the Security tab in Developer Tools and look for any errors regarding the security of your site's home page. If you see a green check mark in the Security tab, then that URL is good. Click around to various other URLs of your site (your posts and pages) and make sure they're all green, too.

If you don't see a green check mark, then you should see a description of the error causing the problem. It might tell you, for example, that there's an image embedded in that URL that is not using the https version of your URL. You can then take steps to fix the image in that post.

I can't outline all of the possible errors you may run into but it's worth taking the time to research each one to get them fixed.