At one time, you only needed to think about security and serving your website on a secure server (via HTTPS) if you were accepting credit card numbers or doing some other kind of ecommerce on the site.
Wow! Has that changed!
In early 2017, Google announced that their Chrome browser would soon show website pages that are not secured by SSL by showing "Not Secure" in the address bar. At first this will appear on pages that ask for passwords or credit card numbers, but soon it will apply to all pages.
The catch is that this will present a negative impression to your website guests.
But that's not all. Google also gives preference in search listings to pages served through SSL-secured HTTPS.
So it's clear that -- if your website isn't already secured -- it needs to be!
"But isn't that expensive?"
Well, it used to be, but it doesn't have to be anymore. Sure, you can still spend a hundred bucks a year or more on a secure certificate, but you can also use a free certificate issued by a trusted Certificate Authority, and this is especially easy if your website hosting company offers these free SSL certificates.
If they don't, you can install it yourself, but that's rather difficult and it would be easier to change hosts.
By the way, there's also such a thing as a "self-signed" certificate, and while this effectively does the same job, your guests will not see it that way because Chrome (and other browsers) will pop up a bold warning to the effect "This Site's Security Certificate is Not Trusted!" If your host offers you one of these, even for a few days while your SSL certificate gets processed by a trusted Certificate Authority, don't accept it! Your guests will be alarmed.
Some hosts will tell you that you need to have a unique IP address for each domain that you want to secure with SSL, but that's really no longer true. (There may be a few users out there still using Internet Explorer on Windows XP, but you shouldn't worry about them.)
At this point, most of the legitimate free SSL certificates are offered by Let's Encrypt or by cPanel-Comodo. They are usually issued for only three months, but a participating host should be set up to renew them automatically.
The Let's Encrypt organization is part of the non-profit Internet Security Research Group (ISRG). Major sponsors include the Ford Foundation, Google Chrome, Automattic (the people who write WordPress), Mozilla, Cisco, Facebook, and more.
The cPanel-Comodo certificate is offered to some (but not all) cPanel clients. (cPanel is the net's most used control panel for controlling hosting.) The cPanel method is to automatically install an SSL certificate for each domain on a qualified cPanel controlled account.
In addition, some hosting companies who use cPanel have set up Let's Encrypt as an easy set up button inside cPanel.
So you'll have to ask your hosting company.
"How do I set that up?"
There are three things you need to do to get this going for your WordPress website.
Step 1. Get the SSL Certificate installed using whatever process is required by your hosting company. For the free certificates we're talking about here, this should not cost you anything.
Some hosting services do this automatically. Others require you to click an option in their control panel (cPanel). Still others may require a phone call to support.
Securing and installing the certificate may happen within 15 minutes, or it may take a day or two or longer. Once it's done, you should be able to load your WordPress website via HTTPS by adding the "s" to the URL, as in https://example.com.
You can test it in the Chrome browser by loading that page, then looking at the address bar. You may still get a "Not Secure" message. If you do, click the little "i" in a circle and you'll be able to see exactly what's not secure.
Often, until you do Step 2, many of the elements on a page (especially images) will not have the https address, so the page is only partially secure... and partially secure is not secure!
Step 2. Install and activate the free plugin, Really Simple SSL. Once activated, you will see a notice asking you to enable SSL.Click it and log in again. (If you're using a cache plugin, you should now clear the cache.) That's it!
With the one click the plugin will:
- Update both the WordPress URL and the Site URL to start with
- Redirect incoming requests to the http address to https.
- Fix your insecure content by replacing all http:// urls with https://, except hyperlinks to other domains. This is done dynamically, meaning no database changes are made except for the siteurl and homeurl.
This should change all the generated page addresses in your website, the references in the theme, in plugins, etc. if you still see a "Not Secure" message, it's probably because certain specific images or other references you have in your website, especially in header, footer, menu, theme, or certai plugin settigs, still do not resolve to an https address. You should edit these to include the s.
Special Case: If you have images or other code that loads on your webpage from another website, those other website addresses must be served by https, too. I've seen websites with Facebook badges that load directly from Facebook and the addresses started with http. I changed those to https and everything was fine.
Of course, that other website also has to have valid https service.