Many are stating that starting 2017, HTTPS will be mandatory for all websites, including WordPress powered websites. But do you really need to… (the internet now begins to both groan and scream “yes” and “no”). You see, HTTPS Encryption for WordPress seems only necessary for sites that pass data from user to website via the browser. According to Google, this is all of them.
Interesting point: Cookies retain data about you when you visit a site to read, purchase or interact with a website. HTTPS encrypt that data.
HTTPS is not just about Encryption.
HTTPS offers many more features than just data encryption. Here are a few:
- Authentication – makes sure servers are who they claim to be. Like for a bank
- Data integrity – It’s not modified in transit to you and the site
- Encryption – protects from ease droppers.
- TLS (transparent layer security) – e.g. Gmail delivery
User privacy
The goal of HTTPS is privacy. The job is to keep your internet traffic secure and private. However, there is an interesting fact. Google. Yep, Google has MASSIVE data on everyone already. This includes things like what sites you’ve been to, where you are surfing from, when you visited a link and so on. For them to be worried about your privacy is a little hypocritical. Still, their validation is in protecting user’s sensitive data in the face of statistics like every second there is a new site hacked.
It’s not cheap
The cost of HTTPS is not cheap and has layers. If you’re not protecting your websites (like we do) an attacker can trick your users into thinking that they (your users) are on your site, but they’re actually on the attackers clone website. Now they can steal passwords or anything that your users enter in on the attackers website.
A SSL certificate can be expensive depending on it’s use, and your need. A free certificate can come from certain host providers and online website services (like WordPress.com), but you need to look at the need of your site. At Element 502, a single host certificate (the cheapest one) we provide is about $70 annually. A multiple domain certificate is more expensive (about $149), for multiple domains, and a wildcard is over $150 – for ALL domains.
HTTPS guarantees that your users are on the correct site, and no one is stealing.
But what about users responsibility? HTTPS doesn’t escape, or excuse, lazy passwords, cheap hosting and not having external security (like Sucuri) on your WordPress site.
T-I-M-E and $$$
It seems like that Google is pushing like a school yard bully, but the web has become more dangerous and requires more resources from host providers and site owners. Site owners are not aware of the exact details for the cost of going about this. There is the developers time, the certificate cost, and host providers time to implement. Translation is OVERHEAD.
What should absolutely be encrypted?
- Online Stores collecting payments in the website.
- Any website with a login and subscribers – like Membership sites.
- Commercial websites.
Non-profits will suffer the most from this as cost of a website is often a struggle. Then, the realization that there is more costs like hosting, subscription of the domains, and emails. To add to expenses now 1 more thing, SSL certificates for all their domains.
The other party here that will have massive headaches because of this push is developers. Now Webmaster Tools has to have all variants of a website verified (both https and http).
Example:
- https://www.example.com
- https://example.com
- http://www.example.com
- http://example.com
Yay! More stuff to worry about and do. Unfortunately, website customers won’t care or understand the costs of their webmaster’s retainer. Inevitably, prices will go up. It’s a natural response in order to cover time and cost of owning and maintaining a website. We know that security is expensive, but business owners will all say sarcastically, “Thanks Google!”
To encrypt, or not encrypt, that is the question.
I’m not saying don’t encrypt. I’m just not easily accepting of this HTTPS business. Mostly because if you think about who’s making money from this. But no matter, everyone has been jumping on the HTTPS wagon since Google in 2014. No matter our opinions, we all have to move to more secured domains using HTTPS, even if your website isn’t collecting data, or payments. Google’s bots see HTTPS and that directly effects SEO. So, YAY AGAIN!
What do you think? Is the HTTPS a must for ALL websites?
Resources:
https://security.googleblog.com/2014/08/https-as-ranking-signal_6.html
