If you woke up last Friday to a message in your inbox from Google Search Console warning that “Chrome will show security warnings on” your website, the first thing you need to know is don’t panic, but be ready to do some work.
We’ve received emails from our clients asking what this email is about and how it will affect them. Here’s what it all means.
What Does It Mean If a Website Is “Not Secure”?
Websites are served up over a protocol called HTTP, which stands for “hypertext transfer protocol”—this is a standard way your computer communicates with the website you’re viewing. A secure site uses a security certificate called SSL, which changes the URL to HTTPS. This added security basically protects your computer’s communications so that it’s harder for other people to listen in and figure out what you’re doing or get the information you’re sending online.
What Does “Chrome Will Show Security Warnings” Mean?
Here’s a screenshot of the email users received:
It gave the warning and then an example list of URLs on your site that would be affected by this change. Note that this change is set to occur in October 2017.
These “Not Secure” warnings are something Google has been telling users they would be moving toward for quite some time now. This next step in their process is focused on pages on which a user has to input information (e.g., forms pages).
Currently, Google shows an “information” button that must be clicked on for more details (which will tell the user they’re on a non-secure site):
Starting in Oct 2017 they plan to do something like this in the URL box:
Regular pages whose URLs begin with HTTP will be similar to the existing look (i.e., the simple “i” button), but any pages that have forms or require a user to input information will have the “Not Secure” message next to it. Additionally, all pages that are on HTTP will show the “Not Secure” message when viewed in incognito mode.
Eventually, Google plans to make a much more obvious warning that may look like this:
UPDATE: As of July 2018, with the release of Google Chrome 68, sites are now being shown with the “Not Secure” warning:
This Only Applies to Chrome Browsers
If a website visitor is using Firefox, Safari, or even Internet Explorer, they won’t see this exact message — other browsers display something similar to warn a user they’re on a non-secure site, but this update applies only to Chrome browsers.
Keep in mind that Google’s Chrome browser is the king of the hill—it crushes its competition for market share. According to Net Market Share, which tracks and reports on statistics for internet technologies, Chrome is the browser of choice being used by ~60% of people on the internet. No other browser even comes close to competing with Chrome for user share:
How The “Not Secure” Warning May Affect Your Site
One of the ways this “Not Secure” warning can affect your sites is by raising users’ concerns about the non-secure nature of your site or forms. Anyone concerned about protecting their privacy and information online would likely be leery to input information on your forms. Additionally, a “not secure” warning could lead users to believe your site is hacked or, rightfully, view your site as vulnerable. Either way, user experience will likely be affected. Another way your site could be impacted is in its rankings—Google wants site owners to have a secure certificate and views HTTPS as a ranking factor.
How to Address This and What You Need to Be Aware Of
The only way to solve this issue is to get a security certificate via your hosting service and migrate your site from HTTP to HTTPS. At the very least, you should ensure any page that has forms for users to input information is served over an HTTPS connection.
Ideally, you would migrate your entire site to HTTPS and not just specific pages. It would make more sense to have a secure certificate for the entire site—but that also brings its own issues.
Some of the most important things to be aware of when you decide to migrate to HTTPS are:
- There can be a cost associated with purchasing an SSL certificate. Although it’s usually fairly inexpensive, it is an additional cost added on to the hosting of your site. There are free options, primarily Let’s Encrypt, which offers free SSL certificates.
- When you change from HTTP to HTTPS you are making all new URLs. Google treats this as a site move. That means you could see traffic and rankings decline as Google crawls your site and reindexes the new pages.
- You could end up with a lot of broken links. Because HTTP to HTTPS is a completely new URL, any links (internal and external) need to be properly 301 redirected to their corresponding new HTTPS URLs. These 301 redirects should be put in place as server-side redirects.
- You may lose data from Google Search Console. If you don’t add the HTTPS property to your Search Console you will lose data. Search Console also treats HTTPS as a separate entity, and the data is not shared in Search Console.
Ultimately, it’s our opinion that it’s in your and your users’ best interest for your site to have a secure certificate and be served over HTTPS. And it’s better to be ready now and work through any potential issues rather than scrambling to get things fixed when Google rolls out its changes.
How to Add SSL Certificate and Fix Not Secure Warnings
Before you do anything, we recommend crawling your site and exporting your crawl — this is just a fail-safe in case you end up with broken links, etc. The easiest tool for this is Screaming Frog.
Most hosting providers offer some form of SSL certificate that you can add on to your site (at little to no cost).
One caveat to that is: GoDaddy does not appear to support a free SSL certificate. For GoDaddy hosted sites you will have to purchase a certificate that costs approximately $60 per site, per year — in addition to your hosting fees.
For sites hosted on WPEngine, BlueHost, Dreamhost, and others you can buy a certificate or add a free Let’s Encrypt SSL certificate. Once you add that to your site you’ll have to activate the certificate. Often your host provider will automatically activate the certificate or will walk you through a quick setup process — each host may be a little different though, so if you have any issues or concerns make sure you contact your host’s customer service and support.
Once you’ve activated your certificate, it is what is used to verify that your site is following security protocols, and it will encrypt a user’s data moving forward.
If you’re using WordPress we recommend installing the ReallySimpleSSL plugin — once it’s installed and activated, you run it and the plugin will automatically detect your settings and configure your site to run over HTTPS. It’s as simple as that.
If you’re not running WordPress you’ll have to do some file editing (or have your host assist you with this). If you’re not extremely technical you will likely be better off getting support and assistance from your host provider.
If you would like to try this yourself: once you have installed an SSL certificate and successfully migrated your site to its new HTTPS domain, you will create the server-side redirect. In your .htaccess file add the following code at the top (obviously replace ‘yoursite.com’ with your actual URL):
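RewriteEngine on
# Redirect only requests that arrived over plain HTTP; without this check the rule also matches HTTPS requests and redirects them to themselves in a loop
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^yoursite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.yoursite\.com [NC]
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [L,R=301,NC]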
An additional step we like to take is to install a “Search and Replace” plugin — you can use that tool to search your site for any instances of http://yoursite.com and replace it with https://yoursite.com — this will help with updating internal links and images that have been uploaded to your site.
Now, when you open your site in a browser you should see a green padlock and “Secure” message.
You’re not done yet though — visit WhyNoPadlock.com and put your URL in the search box there. This will crawl your site and look for any mixed media (meaning you have content, images, etc. on your site being served over http:). This tool allows you to find what needs to be updated and fixed.
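The same mixed-media check can be run locally against a page's HTML. This is an added example, not code from the original article or from WhyNoPadlock; the sample markup, its paths and the `scan` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads of these tags are "active" mixed content, which browsers block.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
# Per tag, the attribute that loads a subresource or names a form's submit target.
URL_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data",
             "link": "href", "img": "src", "audio": "src", "video": "src",
             "source": "src", "form": "action"}


class MixedContentScanner(HTMLParser):
    """Collect http:// subresources and form targets on a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as page content
        value = attrs.get(URL_ATTRS.get(tag))
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, value.strip())
        if urlsplit(url).scheme == "http":
            kind = ("insecure-form" if tag == "form"
                    else "active" if tag in ACTIVE_TAGS else "passive")
            self.findings.append((kind, tag, url))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the paths are made up for illustration.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://www.yoursite.com/theme/style.css">
<link rel="canonical" href="http://www.yoursite.com/contact/">
<script src="//cdn.example.net/lib.js"></script>
<a href="http://www.yoursite.com/about/">About</a>
<img src="http://www.yoursite.com/uploads/logo.png">
<img src="/uploads/hero.jpg">
<form action="http://www.yoursite.com/contact/send" method="post"></form>
"""

if __name__ == "__main__":
    print(*scan("https://www.yoursite.com/contact/", SAMPLE_HTML), sep="\n")
```

Ordinary `<a>` links and protocol-relative or relative URLs are not reported, because the browser does not load them over http: on an HTTPS page; a form that posts to an http: address is reported separately, since that is where user input would leave unencrypted.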
Once you have passed this and you have the green secure message:
Now you need to log into your Google Analytics and Google Search Console accounts and update your URLs to https://yoursite.com. In Analytics you’re going to do this in the Property and View settings — just add the https: protocol.
In Search Console you will want to add and verify ALL versions of your site:
- https://www.yoursite.com
- https://yoursite.com
- http://www.yoursite.com
- http://yoursite.com
Once you’ve added and verified the different versions you’ll want to set the preferred version by going to the gear icon and choosing “Site Settings” — here you will set the Preferred domain (either display URLs with www or non-www).
Once you’ve done that — recrawl your site in Screaming Frog (or your preferred crawling tool) and check to make sure your URLs have changed to https and check for broken links/404s on your site.
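The redirect part of that final check, for the four URL versions listed above, can be scripted as follows. This is an added example, not code from the original article; `audit_redirects`, its `fetch` hook and the response tables are hypothetical names with constructed data, and the hook would be wired to an HTTP client that does not follow redirects by itself.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: a longer chain is reported as broken


def audit_redirects(start_url, canonical_url, fetch):
    """Follow redirects from start_url and return a list of problems ([] = OK).

    fetch(url) -> (status, location_or_None) is a hypothetical hook; wire it to
    an HTTP client that does not follow redirects on its own.
    """
    problems, seen, url = [], set(), start_url
    for _ in range(MAX_HOPS + 1):
        if url in seen:
            return problems + [f"redirect loop at {url}"]
        seen.add(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            if status != 200:
                problems.append(f"{url} ends with status {status}")
            elif url != canonical_url:
                problems.append(f"chain ends at {url}, expected {canonical_url}")
            return problems
        if status != 301:
            problems.append(f"{url} answers {status}, not 301")
        if not location:
            return problems + [f"{url} redirects without a Location header"]
        target = urljoin(url, location)
        if urlsplit(target).scheme != "https":
            problems.append(f"{url} redirects to non-HTTPS {target}")
        url = target
    return problems + [f"more than {MAX_HOPS} redirects from {start_url}"]


# Constructed responses for illustration, keyed by requested URL.
GOOD = {
    "http://yoursite.com/": (301, "https://www.yoursite.com/"),
    "http://www.yoursite.com/": (301, "https://www.yoursite.com/"),
    "https://yoursite.com/": (301, "https://www.yoursite.com/"),
    "https://www.yoursite.com/": (200, None),
}
# A rule that never checks for HTTPS sends the secure URL back to itself.
LOOPING = {**GOOD, "https://www.yoursite.com/": (301, "https://www.yoursite.com/")}
# A temporary redirect that also hops through the plain-HTTP www host first.
TEMPORARY = {**GOOD, "http://yoursite.com/": (302, "http://www.yoursite.com/")}

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("looping", LOOPING), ("temporary", TEMPORARY)):
        print(name, audit_redirects("http://yoursite.com/", "https://www.yoursite.com/", table.get))
```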
Filip Zafirovski says
Nice piece Brian, loving it.
I want to ask you.
What do you think, how will this affect the franchise businesses that have been performing SEO?
Kind regards,
Filip
arlef says
My Https suddenly became not secure? I don’t know what happened. When I am checking the icon it says my certificate is valid. I am using blogger and my Https is provided by blogger.
Does transferring a domain affect https?
Chris Gregory says
Yes, your SSL certificate is domain specific. If you changed your domain recently you will need to get a new SSL certificate.