Blog Post - SSL Certs & Website Security

Server Security

SSL Certificates

Get Them In Place Says Google


Note, late to the game after sending my clients an update last year, I have now decided to write a blog post about it.

If you haven’t seen it already, beginning July 2018, Google will start displaying a warning in the Chrome browser bar for websites that do not have an SSL certificate and are therefore deemed “un-secure” to Google (additional information on the subject can be found here and here). Displaying such a warning can have a negative affect on the website visitor and as such, Google may not wish to show the unsecure website in search results resulting in a slump in search rankings.

If you’re unsure what an SSL certificate is, it’s a feature that makes your website more secure and less susceptible to being hacked (think of the secure websites used by banks or websites that ask for payment information). Websites addresses that have an SSL certificate are displayed as https://www.yourwebsite.com (vs http://www.yourwebsite.com, which doesn’t have an “s” after the http).

SSL Certificates can be quite spendy if purchased from hosting companies and are sometimes difficult to implement so a website operates correctly. Fortunately, I have found a resource for a FREE SSL certificate - CloudFlare. Not only is it easier to implement and manage, but it also aids in proper website operation without any visitor confusion or loss of SEO. IE – automatic redirect from http to https is possible without a change to the htaccess file.

While the SSL certificate with CloudFlare is free, it does take time to properly set it up, incorporate it into the website via change of on-page seo code, change the DNS settings on the hosting side, and update related websites like Google Analytics & Google Webmaster Tools to ensure proper indexing of your website. To accomplish this, your webmaster needs the following:

(1) Access to your hosting account to change DNS settings.
(2) If you receive any verification emails, be sure to forward it to me.
(3) If I don’t have it already, they’ll need your Google account info so they can go in and update Google Analytics and Webmaster Tools to ensure the new website address is indexed properly.

Even though free is nice, paid is always better. If you would prefer to purchase an SSL certificate from your host (or already have), this is possible. It does however mean changes to the htaccess file is necessary for an additional level of redirects.

Finally, if you don’t have it already, you may want to also incorporate the services of SiteLock prevention, scan and removal (or similar service). SiteLock is an automatic monitoring service of your website to ensure there are no breaches or injection of malware files into your site. Should something be found, it’s taken care of quickly and without harm to your reputation with Google. Ask your host if they have such a service.

On a side note, if you have a WordPress site, and have a security plugin like Wordfence in place, you might want to consider disabling it and enabling security via the host (SiteLock) but outside of WordPress as sometimes plugins and the CMS database do not agree. Or at least this is my own personal experience – see my blog post “why I hate WordPress”.

Rob Shurtleff
The Website Guy