SSL – Is it necessary?
If you sell products? Probably. If you’re taking credit card payments directly on your website, you definitely need SSL in place to encrypt your customers’ credit card information. However, that doesn’t necessarily mean you need it on your entire site; you might decide to use SSL only on store or checkout pages, for instance. If you use PayPal exclusively to accept payments, you don’t need SSL since customers aren’t paying you directly.
If you offer memberships? Maybe. If you run a membership site, free or paid, SSL might be a good idea. After all, your members are giving you their email addresses, names, and passwords, all of which they likely use on other sites. Do you really want to risk being responsible for a security breach that results in your members’ information being spread across the whole internet?
If your visitors submit sensitive information via forms? Maybe. If your site’s visitors are submitting any personal information, documents, photos, etc. via forms on the site, you might consider SSL to keep that information safe. I won’t even talk about HIPAA compliance as that’s a whole separate issue (and in my opinion, the answer there is not using WordPress at all), but you might be surprised how much information you collect about your visitors even if you don’t sell products or offer memberships or subscriptions.
If your site is only a blog? Probably not. If you have a blog with no products, no memberships, no nothing except blog posts and maybe a contact form, SSL would be a waste of time, effort, and money. Any possible benefit from Google would be too minuscule to count.
Things You Should Know About Sitewide SSL
I mentioned that I recently changed this site to use SSL globally. Here were my reasons for doing so:
- Trust. When I visit a site where I intend to make a purchase or pay an invoice, I’m looking for that green padlock whether I’m on the checkout page or not. Since quite a bit of money passes through my site, I want partners and clients to know their information is safe.
- Experimentation. Just how painful is the transition to full SSL? Will I really see any increase in search traffic? I wanted to find out.
- Future-proofing. In the next year, I’ll be launching a number of new projects, products, and services that will require SSL across a few subdomains. I figured it was better to figure that out now than to wait until the week before launch.
All that said, the process of moving my site toward universal SSL was not an easy one, and I absolutely recommend against it unless you have a real reason for doing so. (In case you’re wondering, “Because Google said so” isn’t a real reason.)
Here are just a few of the challenges I encountered:
Social shares: Change all the permalinks on your site to use https, and guess what? Now all your social proof is gone! I lost all the Google+ comments on my posts as well as all my social share counts. It still hurts my feelings just thinking about it.
Edit August 2015: Social Warfare to the rescue! The Social Warfare plugin (which I currently use for sharing) just introduced a “share recovery” feature and I was able to get all my counts back. You can read about why I started using Social Warfare here: Read review.
Speaking of social…. Most social share plugins use non-https URLs for the various social network popup boxes. This can result in (1) social icons that don’t display at all, (2) that ugly non-green padlock in the browser bar, and (3) mixed content errors and/or warnings. I was “lucky” enough to experience all of the above while transitioning my site, and it required quite a bit of work to get my buttons working again.
Internal links: I’m still in the process of hunting down and replacing my internal links. While I do have a 301 redirect in place, I prefer to keep everything uniform across the site and to create links that don’t require the redirect (future-proofing yet again).
Random plugin problems: You haven’t seen plugin problems until you try to use SSL on your entire website. I couldn’t believe how many of my plugins were completely unequipped for that kind of transition, causing error after error that had to be resolved by either contacting the developer and begging for a patch or changing plugins altogether.
Webmaster Tools: The online consensus seems to be that you should remove and re-add your site in Google’s Webmaster Tools (or at least do a change of address) and submit a new sitemap to force re-indexing of your site using https. I did this and noticed an abrupt and immediate drop in my search traffic. Will it recover? Most likely. But I’ll have to wait and see, since it’s still too early to tell.
Load times: The “handshake” required to load a website over SSL leads to longer load times. Using SPDY at the server level (among other tweaks) can help with this, but there’s still a bit of latency that is driving me crazy.
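The mixed content warnings and leftover internal links described above can be found mechanically before visitors see a broken padlock. The following is an added example, not code from the original post: it scans one page's HTML for `http://` subresources and same-site `http://` links. The host `example.com`, the sample page, and the names `InsecureRefScanner` and `scan` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute fetches a subresource (mixed content if http://).
SUBRESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                     "video": "src", "embed": "src", "link": "href"}

class InsecureRefScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        attr = SUBRESOURCE_ATTRS.get(tag)
        # <link> only loads a subresource for stylesheets (not rel=canonical).
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            attr = None
        if attr and self._is_http(attrs.get(attr)):
            self.findings.append(("mixed-content", tag, attrs[attr], line))
        elif tag == "a" and self._is_http(attrs.get("href")):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host in (self.site_host, "www." + self.site_host):
                self.findings.append(("internal-link", tag, attrs["href"], line))

    @staticmethod
    def _is_http(url):
        return bool(url) and url.strip().lower().startswith("http://")

def scan(html, site_host):
    scanner = InsecureRefScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; example.com stands in for the site's own host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/style.css">
<link rel="canonical" href="http://example.com/">
</head><body>
<a href="http://example.com/blog/post-1/">old internal link</a>
<a href="http://other.example.org/">external link</a>
<img src="http://share.example.net/icon.png">
<script src="https://cdn.example.net/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE, "example.com"), sep="\n")
```

Entries reported as `mixed-content` are the ones that break the padlock; `internal-link` entries still work through the 301 redirect but cost an extra plain-HTTP request each time they are followed.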
SSL – Is it worth it?
This site has been all-SSL for about a month as of this writing. Benefits I’ve noticed are (1) a lower bounce rate (higher trust?), (2) fewer questions or concerns from people making payments on the site, and (3) the learning experience of a changeover where everything possible went wrong.
I buy my SSL certificates from Namecheap, which is also where I register all my domains. The process is very simple, and when I recently upgraded to an EV certificate (see my pretty green bar at the top of the screen?) their support was great in helping me get everything set up on my server.
If you’re worried that you might miss out on a teeny boost from Google because your site isn’t using SSL, I vote that you stop right now and find something else to do. I haven’t personally experienced any improvements in search rankings since making the switch, though that could change. Even so, the headaches it took to get here probably aren’t worth any benefits Google might give me, especially since Google could take those same benefits away just as quickly as it gave them. (Authorship, anyone?)