My website is not secure, what does that mean? What should I do?
Without getting too technical, if your website is labeled as not secure, it means that some items on your site might be accessible to the world with little or no restriction.
If your website has been around for a while, the site probably has not had some settings updated to meet newer standards.
When you visit a website, information is sent back and forth in digital form.
For example, if you fill out a form on the site, or make a purchase, private information is sent to the site, and possibly from there to another site.
You really want that information to be hidden.
When a site is “not secure,” that means it doesn’t have security settings in place to prevent bad guys from seeing, or grabbing, your data.
And it means your site is more open to hacking, too.
There’s a standard, accepted way to hide your data, and all modern browsers will analyze sites to see if the site has correctly protected its data. The technical terms include SSL (for “Secure Sockets Layer”) and HTTPS (“hypertext transfer protocol secure”).
A website that is not secure does not have SSL, or has not set up SSL completely. And no SSL means no HTTPS, which results in the warning message you see.
When a browser (e.g. Chrome, Firefox, Safari, Edge) detects a lack of SSL, it will display some sort of indicator, either words or a lock with a strikethrough. Secure sites will show the lock.
A rough analogy
You’ve seen cars with darkened windows, right? So as an analogy, people in cars with clear windows are “not secure” because you can see them easily.
If the car has partially darkened windows, the people are still not quite secure, but if the windows were completely dark, you couldn’t tell who or what was in the car… the people would be “secure.”
Is it important to have a “secure website”?
Does it really make a difference, since people can see my content anyway?
The short answer is yes.
1. You have an obligation to protect the visitors to your site, protecting their privacy and limiting the ways your site could be hacked.
2a. That warning message will be a turn-off for some of the visitors to your site. It’s a question of trust… why should they stay on your site, which may not be safe, when they can simply visit a competitor?
2b. When people leave your site quickly (this is called a “bounce”), Google notices. Sites with a lower bounce rate get an edge in ranking.
How to fix a “not secure” WordPress website
To set up SSL and HTTPS the first thing to do is get and enable an “SSL Certificate.”
Check with your web host to find out what they offer (you can also buy a certificate from a third party, but that’s more involved and probably not necessary).
You might be able to get an SSL Certificate for free.
SiteGround, one of the hosts we recommend, offers the free Let’s Encrypt SSL Certificate. We use that on our site, and have applied it for many of our customers.
After applying the certificate, you’ll have to change some things in WordPress.
The easiest way is via a plugin, Really Simple SSL. There is a free version available, but you’ll want the paid version for the “mixed content” feature.
If you’d rather not use (or pay for) another plugin, there are several steps to take manually, including changing URLs in the database and adding code to force HTTP requests to use HTTPS instead.
Either way, if you’d like help moving your site to SSL and HTTPS, just get in touch.