Thanks to the buzz around website hacking and personal data theft in recent years, most Internet users are aware that their sensitive information is at risk every time they surf the web.
And yet, although the personal data of their visitors and customers is at risk, many businesses still aren’t making website security a priority.
Enter Google.
The folks over at Google are known for paving the way for Internet behavior. Last month, they took a monumental step forward in helping protect people from getting their personal data hacked. The update they released to their popular Chrome browser now warns users if a website is not secure – right inside that user’s browser.
While this change is meant to help protect users’ personal data, it’s also a big kick in the pants for businesses to get moving on making their websites more secure.
Google’s Chrome update: What you need to know
On October 17, 2017, Google’s latest Chrome update (version 62) began flagging websites and webpages that contain a form but don’t have a basic security feature called SSL. SSL, which stands for “Secure Sockets Layer,” is the standard technology that ensures all the data that passes between a web server and a browser – passwords, credit card information, and other personal data – stays private and ensures protection against hackers.
In Chrome, sites lacking SSL are now marked with the warning “Not Secure” in eye-catching red, right inside the URL bar:
Google started doing this back in January 2017 for pages that asked for sensitive information, like credit cards. The update released in October expands the warning to all websites that have a form, even if it's just one field that asks for something like an email address.
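To see which of your own pages fall under each stage of the warning described above, here is an added example (not from the original article or from Google) that classifies pages by URL scheme and by the form fields in their HTML. The field heuristics, the verdict labels and the sample pages on `shop.example` are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <input> types the visitor does not type into; not counted as form fields here.
NON_TYPING = {"hidden", "submit", "button", "reset", "image",
              "checkbox", "radio", "file"}


class FieldCollector(HTMLParser):
    """Counts typed-in form fields and, separately, the sensitive ones."""

    def __init__(self):
        super().__init__()
        self.fields = 0
        self.sensitive = 0

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").lower() for name, value in attrs}
        if tag == "textarea":
            self.fields += 1
        elif tag == "input":
            kind = a.get("type", "text")
            if kind in NON_TYPING:
                return
            self.fields += 1
            # Assumption: "sensitive" means a password field or a field whose
            # autocomplete hint marks it as payment-card data (cc-number, ...).
            if kind == "password" or a.get("autocomplete", "").startswith("cc-"):
                self.sensitive += 1


def classify(url, html):
    """Return which stage of the "Not Secure" warning applies to a page."""
    if urlsplit(url).scheme == "https":
        return "https"                      # served securely, no warning
    collector = FieldCollector()
    collector.feed(html)
    collector.close()
    if collector.sensitive:
        return "flagged-since-jan-2017"     # asks for sensitive information
    if collector.fields:
        return "flagged-since-chrome-62"    # any form field at all
    return "http-no-form"                   # outside the warning described here


# Constructed sample pages (URL, HTML) standing in for a crawl of your own site.
PAGES = [
    ("https://shop.example/checkout",
     '<form><input name="card" autocomplete="cc-number"></form>'),
    ("http://shop.example/login",
     '<form><input name="user"><input type="password" name="pw"></form>'),
    ("http://shop.example/newsletter",
     '<form><input type="email" name="email"><input type="submit"></form>'),
    ("http://shop.example/about",
     '<p>About us</p><input type="hidden" name="token">'),
]


def audit(pages):
    """Map each page URL to its verdict."""
    return {url: classify(url, html) for url, html in pages}


if __name__ == "__main__":
    for url, verdict in audit(PAGES).items():
        print(f"{verdict:24} {url}")
```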
What’s the impact on businesses?
Because Chrome has 47% of market share, this change is likely noticed by millions of people using Chrome. And get this: 82% of respondents to a recent consumer survey said they would leave a site that is not secure, according to HubSpot Research.
In other words, if your business’ website isn’t secured with SSL, then more than 8 out of 10 Chrome users said they would leave your website.
Ouch.
What’s more, Google has publicly stated that SSL is now a ranking signal in Google’s search algorithm. This means that a website with SSL enabled may outrank another site without SSL.
That’s exactly why anyone who owns or operates a website should start taking the steps to secure their website with an SSL certificate, in addition to a few other security measures. Businesses that don’t take care to protect visitors’ information might see significant issues, garner unwanted attention, and dilute customer trust.
“In my opinion, I think security is undervalued by a lot of marketers,” says Jeffrey Vocell, my colleague at HubSpot and go-to website guru. “Almost daily, we hear news about a new hacking incident or about personal data that has been compromised. The saying ‘there’s no such thing as bad press’ clearly isn’t true here; or, at the very least, the marketer that believes it has never had to live with the fallout of a data breach.”
With Google’s Chrome update, those visitors will see a warning right inside their browsers – even before they’ve entered any information. This means businesses face the potential of losing website visitors’ trust, regardless of whether a cybersecurity incident has actually occurred.
If you’re ready to join the movement toward a more secure web, the first step is to see whether your website currently has an SSL certificate.
Do you know whether your site has SSL?
There are a few ways to tell whether your website (or any website) has SSL.
If you don’t use Google Chrome:
All you have to do is look at a website’s URL once you’ve entered it into the URL bar. Does it contain “https://” with that added “s,” or does it contain “http://” without an “s”? Websites that have SSL contain that extra “s.” You can also enter any URL into this SSL Checker from HubSpot and it’ll tell you whether it’s secure without having to actually visit that site.
If you do have Chrome:
It’s easy to see whether a website is secured with an SSL certificate, thanks to the recent update. After entering a URL into the URL bar, you’ll see the red “Not Secure” warning next to websites that aren’t certified with SSL:
For websites that are certified with SSL, you’ll see “Secure” in green, alongside a padlock icon:
You can click on the padlock to read more about the website and the company that provided the SSL certificate.
Using one of the methods above, go ahead and check to see if your business’ website is secure.
Yes, it does have SSL! Woohoo!
Your site visitors already feel better about browsing and entering sensitive information into your website. You’re not quite done, though – there’s still more you can do to make your website even more secure. We’ll get to that in a second.
Shoot, it doesn’t have SSL yet.
You’re not alone – even a few well-known sites, like IMDB and StarWars.com, weren't ready for Google's update. But it’s time to knock on your webmasters’ doors and have them follow the steps outlined below.
How to make your website more secure
Ready to protect your visitors from data theft and get rid of that big, red warning signal staring every Chrome user in the face in the process? Below, you’ll find instructions and resources to help you secure your website and reduce the chances of getting hacked.
Securing your site with SSL
The first step is to determine which type of certificate you need – and how many. You might need different SSL certificates if you host content on multiple platforms, such as separate domains or subdomains.
As for cost, an SSL certificate will cost you anywhere from nothing (Let’s Encrypt offers free SSL certificates) to a few hundred dollars per month. It usually averages around $50 per month per domain. Some CMS providers (like HubSpot) have SSL included, so check with them before making any moves.
(Read this post for more detailed instructions and considerations for SSL.)
Securing your site with additional measures
Even if you already have SSL, there are four other things you can do to make your website significantly more secure, according to Vocell.
1) Update any plugins or extensions/apps you use on your site.
Hackers look for security vulnerabilities in old versions of plugins, so it’s better to take on the challenges of keeping your plugins updated than make yourself an easy target.
2) Use a CDN (Content Delivery Network).
One trick hackers use to take down websites is a DDoS attack. A DDoS attack is when a hacker floods your server with traffic until it stops responding altogether, at which point the hacker can gain access to sensitive data stored in your CMS. A CDN will detect traffic increases and scale up to handle it, preventing a DDoS attack from debilitating your site.
3) Make sure your CDN has data centers in multiple locations.
That way, if something goes awry with one server, your website won’t stop working all of a sudden, leaving it vulnerable to attack.
4) Use a password manager.
One simple way of protecting against cyberattacks is by using a password manager – or, at the very least, using a secure password. A secure password contains upper and lowercase letters, special characters, and numbers.
Suffering a hack is a frustrating experience for users and businesses alike. I hope this article inspires you to double down on your website security. With SSL and the other security measures outlined in this post, you’ll help protect your visitors and your business, and make visitors feel safe browsing and entering information on your site.
Does your website have SSL enabled? What tips do you have for making your website more secure? Tell us about your experiences and ideas in the comments.
To see this on the main RSS feed for Moz is disturbing, because this is a horrible article. Let's break it down:
1) "How to make your website secure" is the title, but it should be "A brief and mostly useless summary of SSL and Chrome browser updates"
2) "A CDN will detect traffic increases and scale up to handle it, preventing a DDoS attack from debilitating your site." Not at all true. A Content Delivery Network is designed to put static resources like images, stylesheets, scripts, etc. into locations physically close to the visitor, allowing faster CONTENT DELIVERY. While there are services like Cloudflare that offer CDN and DDOS protection, the summary in this article is technically ignorant (at best) and misinformation (at worst).
3) The article suggests that it is most likely $50/MONTH for your SSL certificate which is just not true. Dreamhost, BlueHost, GoDaddy, if they don't have a free integration with Let's Encrypt, cost $50-$70/year. Granted, at least the article pointed out that additional certificates or different certificates are necessary when dealing with subdomains (subdomain.domain.com), but once again it was woefully misleading.
4) There was zero actual information regarding mixed content, specifically that just adding SSL doesn't make your site secure. 99/100 times the content of the site, specifically links to static content, need to be updated to use the new URL structure (if they specify https:// previously). If using Wordpress there are plugins that will help with this automatically, but each site is different and it's a consideration of TIME and ENERGY not mentioned.
So yeah. Horrible article.
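The mixed-content point raised in the comment above, as an added example that is not part of the original article or of any comment: a scan of one HTTPS page's HTML for references that still use plain `http://`. The finding labels, the `example.com` page and its markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}


class InsecureReferenceFinder(HTMLParser):
    """Collects http:// references left behind on a page served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag in SRC_TAGS and "src" in a:
            self._check("mixed-content", tag, a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self._check("mixed-content", tag, a.get("href", ""))
        elif tag == "form":
            self._check("insecure-form", tag, a.get("action", ""))
        elif tag == "a":
            # Only same-host links: these are the internal links to update.
            self._check("internal-http-link", tag, a.get("href", ""),
                        same_host_only=True)

    def _check(self, kind, tag, value, same_host_only=False):
        # Resolve relative and protocol-relative URLs against the page URL.
        target = urlsplit(urljoin(self.page_url, value.strip()))
        if target.scheme != "http":
            return
        if same_host_only and target.hostname != self.host:
            return
        self.findings.append((kind, tag, target.geturl()))


def find_insecure_references(page_url, html):
    """Return (kind, tag, url) tuples in document order."""
    finder = InsecureReferenceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, as it might look right after a certificate is installed.
PAGE_URL = "https://www.example.com/contact"
PAGE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/contact">
<script src="//cdn.example.net/lib.js"></script>
<img src="http://www.example.com/img/logo.png">
<iframe src="http://video.example.org/embed/1"></iframe>
<a href="http://www.example.com/pricing">Pricing</a>
<a href="http://partner.example.org/">Partner</a>
<form action="http://www.example.com/subscribe"><input name="email"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_insecure_references(PAGE_URL, PAGE_HTML):
        print(f"{kind:20} <{tag}> {url}")
```

Relative and protocol-relative references inherit the page's scheme, so only the four hard-coded `http://` references that matter are reported; the canonical link and the external partner link are left alone.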
Agreed - I think much of this could have been avoided with a better page title. This could be a decent resource to link to for end users or SEO clients about the importance of SSL.
Kudos ... I see that the title has been updated - that is better.
Being a newbie in this field, I wasn't aware of the importance of SSL. Good to learn that here, one "s" makes a big difference between http and https :)
Yeah, it is worth having an SSL certificate in the website URL. There are many other sites also providing free SSL certificates, like SiteGround, Namecheap.. Thanks for the article Mrs...
Yes. I usually use the Namecheap ones.
Hi Lindsay,
SSL sounds very techie for newbie users. I have always heard about SSL that it's very important for SEO, that Google gives weightage to SSL websites, so today I have learned about SSL certification, and how I can do that.
Thank you for sharing such a techie post.
This is really an ignorant article. The author is obsessed with 'SSL'... a completely obsolete protocol that should never be used anymore. You want TLS.
Just say 'HTTPS' if you don't understand the subject matter.
Agreed, SSL has always been an important element of any website from an SEO point of view. Now this update (of 17/OCT/2017) will make website owners more cautious so that they can survive the chances of losing website visitors’ trust.
Hi Jason, it's very correct what you say about it.
An SSL certificate serves to provide security to the visitor of a web page, it is a way to indicate to your clients or users that the site is authentic, real and that it offers enough confidence to enter personal data.
The SSL certificate is a security protocol that makes the data transmitted securely and encrypted between a server and a web user.
With the latest update Google will take this factor as one of the many that will affect the organic positioning (SEO) of a website.
Greetings, Manuel
Hey Lindsay!
Absolutely. Anyone who cares about his website and SEO needs to integrate an SSL.
I thought it was only necessary for ecommerce sites, but now it is definitely for any type of website.
Thank you
Mario
Hi Mario, SSL is really valuable for UX and conversions, but I'm not really sure about SEO... I know that Google's latest trends point to security as an SEO positive, but I've been discussing it with a lot of colleagues and none of them had seen any difference in SERPs after using SSL. What do you think about it?
I think that we have to listen to what Google says. Maybe there is no difference in SERPs now, but there will be in the near future. So better be ready now and not regret it later.
This article misses a lot of the key points of basic security, such as not using "admin" as user name or changing the default "www.examplesite.com/wp-admin" on WordPress sites. Unfortunately, following the points in this blog post will not ensure a secure website.
Yes, I missed the points you're talking about, too.
Yeah, we're currently working on convincing our clients to move to SSL! With October's last Chrome update, it felt like we needed to go fast with the migration to HTTPS.
Besides, I have never worked with a CDN. Any advice on how I should do that... good providers, tips on WordPress implementation, stuff to be careful with, etc.?
Hi Lindsay
There is a lot to do in this field.
In Spain, although the URL bar indicates that we are in front of a secure site, there are still many customers who have many doubts about leaving data.
Great tips. Security on a website cannot be ignored.
Thanks for your post, Lindsay!!
The fact alone that 82% would leave an unsafe site makes it worth installing https, but it's not just that. This way we avoid spam on our website or hackers that are introduced in our website redirecting our URLs to your site or stealing data from our customers.
Wow slow down on the trolling people. The big takeaways here are completely relevant. SSL's are important for both organic search and user experience, and the trend is continuing in the same direction. The demand has drastically decreased SSL cost in the last few years which I'm very happy about. Many hosts are rolling a free option right into their normal packages. I do commonly see sites that have an SSL, but have references to media on the https:// protocol, or iframes doing the same, that need to be changed. So make sure you don't miss that one webmasters.
Here in Canada, I cannot see the security warning on http pages with forms (I have Chrome 62 with updates). Is this roll out incomplete?
The article is misleading, Marc. You don't see the warning when the page loads. You see it as soon as you start typing INTO one of the form fields on the non-HTTPS page. (Unless the form is for passwords or credit card info, in which case it shows the warning on page load.)
Website security is about so much more than SSL. This is a poor article.
Code quality, auditing and updating third-party code, good password policies, a web application firewall, sensible server configs, third-party security scans....the list goes on.
If your website does not handle personal or sensitive data, adding SSL does no more for security than adding a GIF of a padlock to the footer.
If you look at the better-known WordPress vulnerabilities - Timthumb, TinyMCE etc. - SSL would have done nothing to protect from these. SSL is not security.
Lindsay,
Before implementing SSL, be aware that all internal links are not SSL and must be changed and all links coming into your website (link building efforts) may return a 404 error if not redirected. Changing to SSL is a great idea, but also a lot of work, with many things to consider. We recently completed our switch, along with adding encryption to our server. It's a BIG job.
KJr
Thanks for a well-written article with good arguments on how to convince clients to up their security!
There is one amendment I would suggest, and that is to differentiate between SSL and TLS.
The security aspect doesn't stop at DDoS attacks, it also applies to wifi signals. If you sit in a library, cafe or anywhere other people have access to the same network, then intercepting signals is an easy thing to do. With an SSL certificate you add a layer of encryption to the signals between client and server, but there are programs available that decrypt SSL signals so fast you can watch sessions live and pick whatever information you may find valuable.
But for TLS this isn't as easy since the encryption is way more complex. Sure with brute force decryption and solid hardware it can still be done if you capture every last datapackage, but the cost will almost always be higher than the return for this.
While I guess most business owners reading this article will just order their webmaster or website firm to sort this out (and they should know to implement TLS) - there might still be those few that opt for SSL (in its true form) and might think themselves and their customers to be truly secure, while they are still very much vulnerable to cyber-criminals stealing whatever information they input with very little effort.
Hello,
That we have to put the https we are sure, but do you have any proof that SEO positioning improves?
A greeting.
Thank you Lindsay for the post! I've been looking for a post like this a long time to improve the security of my website.
Keep it up ✌
Thanks for the useful article! Good to know the importance of SSL. Website security really is becoming more important every day.
Hi Lindsay,
Some people add a free SSL certificate through Cloudflare. How can we identify those sites? Is it possible for Google to identify and warn us against those tricky websites?
Hello Lindsay,
Thanks for the useful share.
From the year 2017, Google has made SSL (https) mandatory. So, it is required to install the SSL certification in every site. If you observe your site properly, you can see that the site is opening in https, but SSL is not properly installed, showing a connection error while opening the site (as per the browser).
Hey Lindsay,
Nice article. I've been postponing this SSL integration for a long time, but now it is time for me to make it urgent. I don't personally handle user information at all on my two websites, but still, it's important to have a secure website.
I only wish that my webhosting provided support for Let's Encrypt. While it can also be done manually, it seems too much of a drag and I have no idea how to do it.
If your hosting provides free SSL you can do it from the CP. In case you have many pictures and links that you made manually, then you should probably insert the "s" yourself. Otherwise the browser will show that part of your content is not safe.
Great ideas. The way you described it is really perfect. But there is a chance to have many questions from this blog.
If a website has enough traffic, should that website be made secure using SSL? But we heard that if we use SSL, it may add to the loading time of the page. Is that right?
I have noticed that Manuel pointed out here that without an SSL certificate on a website, Google may penalize SEO. We inform that it never happens.
To Lindsay: One of our suggestions is that you could include a few points on what measures a website without SSL certification should take, once they have decided to secure it using SSL, before the update, to avoid big mistakes and traffic loss.
However, it is very difficult to maintain all SEO requirements according to the Google Panda updates, because Google is informing that speed, page size, website security and mobile responsiveness should be very proportional and these are the main features to get high traffic in future. But it is very difficult to keep these features in equilibrium to get a great output from SEO.
Hey,
I'm curious... What's your point about what Manuel said about "Google may penalize SEO"?
Lindsay mentioned that SSL is now a ranking signal in Google’s search algorithm.
SSL is necessary in websites, but Google never informed that a website without SSL will be penalized.
Definitely we agree SSL is a ranking factor in Google’s search algorithm, but if we implement SSL in a website with good SEO, it may affect the loading time of web pages. So the SEO ranking may decrease from what it is now.
Ok. So if it makes the website slower I understand your point about this.
Thanks
Finally we secured our business website, http to https.
But as I had already informed, it will decrease the speed of the website, because to avoid SEO issues we have to write an html redirection in the htaccess file, which will decrease the website loading time.
Therefore I suggest to all: please try to secure your business website at the beginning stage itself.
Excellent, I have already implemented the SSL certificate on several of my websites.
Greetings.
This is a very nice article. Thank you for the information and all the work you did putting it together.
Hi,
I've checked the SSL warning being displayed on Chrome. I think that this is ok when you're on a website where you can make a "money" transaction. But when there's just a "contact" form? Does it make sense? I don't think so, they're forcing us to do something unnecessary in many cases.
Good article, by the way.
Great article. Security is very important if you don't want your website to be hacked.
Thanks for the useful share. SSL is important in terms of making a website secure. It helps to make the website secure and is also good for SEO.
Good article - I have been installing Let's Encrypt on sites this year (Google flagged up that SSL would become a ranking signal a while ago). Regarding site security - it is easy to neglect the importance of security until your website is hacked. Services I use are Wordfence and Sucuri to provide extra peace of mind. (Would recommend)
I agree, I miss the free alternatives. But I understand the fact they want to follow the paid version.
With the arrival of Let's Encrypt there is no excuse for not having an SSL certificate. It's the best thing that could have happened for our websites.
I use WP Engine for my WordPress hosting sites. You can choose Let's Encrypt for free SSL. It is mostly a one-step process with WP Engine.
Great article Lindsay, another important tip is to be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don't leak secrets present on your server.
The SSL is totally worthy. The numbers are amazing. And thought provoking
Great article. https websites for businesses trying to sell something either directly or indirectly is a must in my opinion. Who puts trust in a website that has a big "this site is not secure" sign in the web browser? I think it makes the webmaster look unprofessional and lazy too.
I used free SSL, and it works. Security is the most important thing for the website if you don't want your website stolen.
Great post! Being a secure site and trusted by your audience is a huge factor, especially for ecommerce sites.
Just this month while reviewing data, we noticed that certain older versions of Firefox were converting 25%-35% lower than Chrome or the latest few versions of Firefox, but they were being rendered the same way and nothing was appearing broken from a usability standpoint (tested via BrowserStack). When we finally looked away from the page itself and at the URL bar, we saw "Caution!" instead of the safe green "Secure Connection."
So even a "Caution" can make a huge impact on how people view your site. While we can't get all users to stay current, it's good to be aware of how they see you to help make sense of the data (and how important Secure is!)
Don't use a password generator tool because hackers can also use it and with the help of brute force, they can hack your site. So, always create a password in your own way of thinking and use symbols, numbers and lower & upper case characters.
Informative article...!!!!
Honestly, this article is probably ok for beginners but I find it not in depth enough. I'm a bit disappointed in Moz's technical SEO articles lately. I would hardly even call this technical SEO.
I would like to change into https but I'm not sure of implications with the plugins I'm using (bbPress for forums and Woocommerce for shop) and with Adsense. I read a lot and I think it is not so easy....
You have to change it from your hosting control panel; in principle all links and images should be converted to https automatically, except the links and photos that you yourself have inserted into your content. If you have many additional images and links, it is better to run a test by duplicating the site in another folder on the hosting (if you have space) and see how it turns out. In that case you should set up the duplicated site so that it is not indexed in Google and you do not receive SEO penalties for duplicate content.
I don't know, Google really playing around with everyone just to keep their business around. It's like follow the monkey. Do this or that or else!
Definitely. I think so too.
On last Oct 18, 2017 Google informed that Google Has Started The Mobile First Indexing
On November 9, 2017 Google: Sites Not Ready For Mobile First Indexing Not Being Moved Yet
Hello Lindsay,
Very good advice, because the user must be told that the website is a safe place.
The secure https protocol is essential today in any website that wants to generate trust, otherwise Google may penalize SEO.
Greetings and many thanks for your useful contribution