I’ve seen a lot of sites that don’t use HTTPS by default. I’ve heard the argument, “We don’t need it. We’re not e-commerce.” This is absurd thinking:
- You are probably using some sort of CMS product, possibly a popular one like WordPress, Magento, Joomla, etc.
- There is a good chance that you are not keeping them as updated as you should, but for argument's sake, let's assume that you are (or pretend to be).
- All of these products have default administrative login paths. If you monitor your logs, you will notice that bots from all over the world are hitting this default path constantly.
Step 1: Change your default admin path!
If you are on WordPress, there are several options for doing this. I personally like iThemes Security Pro, but it is not free (though it contains a lot of value-added features). There are free solutions to change the path.
As an example, a simple WordPress web site that was launched as little more than a business card was being hammered hundreds of times per week. By changing the /wp-admin path, this went to zero.
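To see the pattern described above in your own logs, here is an added example (not the post's own code) that counts requests against the default admin paths of the CMSes named earlier in an Apache/nginx combined-format access log. The path list is an assumption based on those CMSes, and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Added example, not from the post. Default admin/login paths for the CMSes the
# post names; the list is an assumption, so extend it for your own stack.
DEFAULT_ADMIN_PATHS = ("/wp-login.php", "/wp-admin/", "/administrator/", "/admin/", "/xmlrpc.php")

# Apache/nginx "combined" format: ip - - [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_admin_probe(path):
    """True if the path (query string ignored) targets one of the default admin paths."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p) for p in DEFAULT_ADMIN_PATHS)

def admin_probes(lines):
    """Return (per-IP Counter, total probes, POST probes) for requests to admin paths.
    POSTs are the subset worth alerting on: they are login attempts, not just recon."""
    per_ip, total, posts = Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_probe(m.group("path")):
            continue  # unparseable line or an ordinary page view
        per_ip[m.group("ip")] += 1
        total += 1
        if m.group("method") == "POST":
            posts += 1
    return per_ip, total, posts

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:10:00:05 +0000] "GET /administrator/index.php HTTP/1.1" 404 512 "-" "curl/7.47"
192.0.2.9 - - [10/Mar/2016:10:01:00 +0000] "GET /about/?utm=x HTTP/1.1" 200 8765 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:01:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    per_ip, total, posts = admin_probes(SAMPLE_LOG.splitlines())
    print(f"{total} probes against default admin paths, {posts} of them POSTs (login attempts)")
    for ip, n in per_ip.most_common():
        print(f"  {ip}: {n}")
```

Run it against a real access log with `admin_probes(open("access.log"))`; after the admin path is moved, the count against the defaults should drop to zero, as in the post's example.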
Step 2: Implement TLS
This is a matter of opinion and debate, but I don’t really see a reason not to enforce HTTPS on your web site anymore. Reasons:
- It makes some users more comfortable even if they are not using something that should be secure.
- There is debate that TLS improves SEO ranking (some say it is worth it, some say that it is insignificant).
- Why mix content when you don't have to? You know that some poor developers forget to use and test relative URLs versus absolute, and every CMS and framework is different. Enforce HTTPS, and you're less likely to encounter a problem.[1]
- Even if your site doesn't need to be PCI compliant (for example, you have a blog and there are no user logins), you and your authors are still logging in. If you are at least using HTTPS for the admin pages, I commend you. I have seen many sites that do not.
- It is (de facto) required by HTTP/2.
- It’s free or cheap! (see below for explanation).
[1] For the record, you should rarely, if ever, have the protocol (http, https, etc.) specified at the beginning of your URLs.
In the bad example, if you are switching between secure and insecure, at least remove the http: portion as such:
By doing so, the browser will choose the transport method that is currently being used and you will avoid mixed-content errors. There are sometimes benefits to hosting your libraries locally, but that is outside the scope of this article.
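As an added example of the footnote's advice (not code from the post), here is a small Python scanner that finds absolute http: sub-resource references in a page, which become mixed content once the page is served over HTTPS, and rewrites them to the protocol-relative form the footnote recommends. The sample HTML and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not from the post. Only attributes that load a sub-resource are
# checked: src on any tag and href on <link>; an <a href> is navigation, not mixed content.
class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every absolute http: sub-resource reference."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            loads_resource = name == "src" or (name == "href" and tag == "link")
            if loads_resource and value and urlsplit(value).scheme == "http":
                self.findings.append((tag, name, value))

def find_mixed_content(html):
    """Return the list of absolute http: sub-resource references in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def to_protocol_relative(url):
    """Drop an explicit http:/https: scheme so the browser reuses the page's own scheme.
    Relative and already protocol-relative URLs are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url[len(parts.scheme) + 1:]  # "http://host/x" -> "//host/x"
    return url

def rewrite_mixed_content(html):
    """Rewrite each flagged http: sub-resource URL to its protocol-relative form."""
    for _tag, _attr, url in find_mixed_content(html):
        html = html.replace(url, to_protocol_relative(url))
    return html

# Constructed sample page: two absolute http: sub-resources, one protocol-relative,
# one site-relative, one http: link (navigation only) and one https: form target.
SAMPLE_HTML = """<html><head>
<script src="http://code.jquery.com/jquery.min.js"></script>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<link rel="stylesheet" href="/css/local.css">
</head><body>
<img src="http://img.example.com/logo.png">
<a href="http://example.com/terms">Terms</a>
<form action="https://example.com/login" method="post"></form>
</body></html>"""
```

Once every page is served over HTTPS, an explicit https:// works just as well; the protocol-relative form only matters while both schemes are still in use.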
HTTPS/TLS is Usually Free or Cheap
Choose your scenario:
"Somebody takes care of my web site and I’m not sure what I have. What should I do?"
First of all, your browser will tell you which pages are secure with a green padlock. To see what it looks like in Chrome, Firefox and Internet Explorer, take a look at the photo on this page (scroll about 4/5ths of the way down).
If you're still confused or concerned, you can always ask your service provider (don't let them negotiate you down, though). Tell them that a couple of clients are concerned about the security of your web site and that you require all of your pages to be served over HTTPS/TLS (aka secure). They will probably make up reasons why it is not necessary, but be strong! Tell them that you may have to seek another provider if they are unable to do it. (It is REALLY easy for them to do it, so don't put up with their nonsense.)
Finally, if you think you are being scammed, I would be willing to take a quick look if you contact me. (no guarantees; no liability – I will just look to see if the pages are secure or not. I take a long time to respond to e-mails and if you are rude to me, I will automatically ignore you.)
"I run a small web site on a shared host."
All reputable hosts and most discount hosts offer HTTPS/TLS as an option. Some of them offer it for free, and some of them will charge you astronomically for it because they are looking for the upsell profit. They actually get it for next to nothing (if you don’t believe me, see this section below).
If you ask them, they will most likely give you complete HTTPS for a fee. If, for some reason, they do not support it or require that you get your own certificate, you are kind of on your own. You have three options:
- You could consider using a Universal SSL™ solution like CloudFlare's Flexible SSL™ (this portion of their service is free[2]), but in this scenario, the traffic would be encrypted between CloudFlare and your user, but not between CloudFlare and your server. There are a lot of benefits to this, but the drawback is that sensitive data between your host and CloudFlare is not secured.[2]
- If your host supports getting a certificate from a third-party, this is acceptable. However, you will need to be either:
- Technically savvy enough to figure this out[3], or:
- Have a provider that will help you through the process
- Find a different provider. Below are some options that I would possibly recommend, in no particular order:
…and many others. All of these hosts (as of the writing of this article) will assist you in migrating your site.
[2] They also offer encryption both ways for free (called Full SSL, under their Crypto settings), but you have to have your own certificate. See the next section for more info.
[3] There are several inexpensive resellers that will provide you with support. Some examples are: SSLs.com and CheapSSLSecurity.
"I run a web site with a fair amount of traffic on a shared provider."
My advice would be almost exactly the same as the above situation. Some modifications:
- I still think CloudFlare may be a good solution depending on your needs, but would recommend having their Full SSL (which is free), rather than Flexible SSL. They have other benefits for you beyond a poor-man's "Flexible SSL," as they call it.
- If your host does not support getting a cheap or free TLS (SSL) certificate from them, I would definitely consider moving on to another host. The web hosting providers listed above are excellent.
- However, if you need top-tier quality, security, and support, you might consider WP Engine. They are rather expensive, but you get what you pay for if you do not know how to “roll your own.” They also offer limited git support (if you are a regular git user, you may find it frustrating and wish to consider the solution below this one). It is worth repeating, though, that they have a keen eye on security – but you will pay for it!
"I run several web sites on a cloud provider/VM."
The phrase “cloud provider” takes on many different and sometimes inaccurate forms. For the sake of argument, I’m going to assume that you know what you are talking about and are running something like Amazon AWS, DigitalOcean, Vultr, and/or all of the other similar services.
There are usually a few options for you. Excitingly, they are free or very cheap!
- ServerPilot – This is the one that is not free. It is $10/server/month for unlimited provisions on that server. So, if you have multiple web sites, you may provision an SSL/TLS certificate for each with the click of a button and without extra costs. This may sound expensive on the surface, but they also offer oodles of extra features, which I believe to be worth it.
- If you run your own VM, there are two choices that I am aware of:
- Let’s Encrypt – Everyone’s favorite TLS authority.
- Pros: It’s free and easy (especially for Ubuntu users – they have a script that makes it simple)
- Cons: Let's Encrypt certificates are valid for only 90 days. However, they allow you to auto-renew them via a cron job, so they stay free for the life of the service. This is what I use on my web sites.
- StartCom – I have not tried them, but they claim to offer free DV certificates for one year.
"I run my web site(s) on dedicated servers."
If you need basic HTTPS, I would recommend Let’s Encrypt.
I would not recommend Symantec because I tried to get a brand new server with nothing on it removed from their blacklist (likely due to a previous owner of the IP) and they refused to work with me. I had to pay for a new IP because they wouldn’t work with me.