WordCamp US 2016 was epic

This was the second national conference for WordPress. I am always glad I attend after I am there and in the mix. So many takeaways! I'd like to focus this post on what I discovered related to what's new in 2017 for SSL.
HTTPS and Let's Encrypt

"I'm really worried," I told my husband. "Google announced that in 2017 sites that do not have HTTPS will be penalized. They will not rank as high in search engines and have a message indicating your site is not secure." While I knew SSL was the way to go, I had questions. A lot of them. Here are some:
- How could I afford an SSL for each client? Not to mention my personal sites? That can get pricey!
- Would I need to pass off this expense to my clients? Would they pay? Some already dislike paying hosting fees and annual registrar renewals as it is (something I hope to educate clients on more in the future).
- How will my clients respond to an extra expense, even though it is for their site's own good?
- Is a dedicated IP address required to have an SSL? Do dedicated IP addresses help a site rank higher?
- What are my options on Bluehost's WordPress Optimized plan since none of their WP OP permit more than one dedicated IP address per account? Or am I sadly out of luck?
- How does Google deal with sites using shared IP addresses? Most people starting out get shared hosting, not VPS, so if they are on a server with a thousand other sites that do not have SSL, what are the ramifications, if any?
"The question is, is Google going to make SSL more important. Yes, I think we all are. Because a lot of the stuff we want to do in websites requires SSL. Because we need secure connections to do specific things modern web apps will want to do. Fortunately you don't need a specific IP address anymore for SSL. There's a standard called server name indication that is about ten years old that every modern browser in the world supports and that allows you to have multiple HTTPS certificates on the server, on the same IP. So that's not true anymore, not really needed anymore. In fact, more and more hosts that offer Let's Encrypt is another way to get free SSL on your site, which is really really a big step forward. The good thing about getting SSL on your site is that it allows for a lot of other speed optimizations like HTTP2 and all these other things that technically I won't go into but they make your site a lot faster without you doing anything, and I think we should all strive for that. And this may be a slightly political statement, but in this day and age, I'm very happy if everyone goes to SSL and your browser history is your browser history and not someone else's."

I thanked him for taking the time to answer and sat down. But truthfully, there were some parts of his answer that I was processing and did not fully understand.
Turns out that my mind was trapped in a Bluehost paradigm.

Let me explain. I have been with Bluehost for several years now. After all, the official WordPress.org website recommends Bluehost (although that may soon change, read Matt's quote below). One of my favorite bloggers, Michael Hyatt, also recommends them. Michael has an ad for Bluehost in every single one of his blog posts. However, a couple years ago, Bluehost was bought out by EIG. There have been many issues and limitations in their hosting plans and options for WordPress shops (which I may detail in a separate post), and I assumed these limitations and issues were true of any host. Nope.
Connecting the dots that spell Find New Host and Fast

It was the portion of Matt's speech about SSL during the State of the Word address that confirmed what I knew deep down. I needed to ditch Bluehost. Fast.
Matt's remarks on SSL.
"Starting next year, WordPress is going to start to have progressive enhancement. So certain features will only be available if your site is encrypted. Last year I said (again this is a follow-up to last year) Let's Encrypt and PHP 7 are going to be pretty big. Turns out Let's Encrypt is huge. We are now tracking (and this is the first time we are reporting this number; I hope to report it going up every single year) 11.45% of active WordPress websites are now on HTTPS. Let's Encrypt is a free certificate authority. Before, certificates used to cost fifty, a hundred, three hundred dollars. They were pretty much a pain in the butt to get. They would want a phone number, they wanted to look you up in the yellow pages. It was really bizarre. Now you can get one programmatically issued instantly for free with Let's Encrypt, and many hosts are starting to include this. We said that starting next year, we are only going to recommend and point to hosts that give their customers, new customers, access to a new certificate by default. We want to bring more and more of the web to be secure, and as I said, this is especially important in a postmodern era I think the more and more encrypted traffic there can be on the web, the better."

Here are some real-time Twitter reactions to Matt's remarks on SSL, HTTPS, and Let's Encrypt:
What we learned at #wcus: HTTPS all the things! Google rewards secure websites with higher search rankings. Go get your SSL certificate!— Torx Media (@torx) December 5, 2016
WordCamp Session in 2015 on HTTPS

If you want to learn even more on this topic, here is a video I found from WordCamp US 2015. This is Paul Schreiber and his speaking topic is: "Meeting the New York Times Challenge – Delivering the news over HTTPS." He discusses the problems encountered moving to HTTPS (and how the problems were solved).
How to Install Let's Encrypt?

There are already plugins in the WordPress repository to help you get set up and running with Let's Encrypt.
There is a very nice post over at WPBeginner.com titled, "How to Add Free SSL in WordPress with Let's Encrypt" that shows you how. Thanks, Syed Balkhi.