Recently in Google Chrome you may have seen a warning that your WordPress site is "Not Secure". This is quite alarming, but there's nothing to be afraid of.
Your site is being explicitly flagged as not secure, and this happens quite a lot, mainly in Google Chrome.
What Has Happened?
Since Google Chrome 56, Chrome has explicitly warned users when a site served over plain HTTP contains fields which Chrome thinks could house sensitive data (such as password fields or credit card fields). This has been a recent change, but a substantial one as the web moves more towards HTTPS. An example of what you would see is similar to the below.
You can see it practically takes over the address field. This is subtle but just enough of a warning.
Why are you being told Your WordPress is Not Secure in Google Chrome?
Well, first off, it is not a WordPress issue. WordPress is secure, but it still works on non-secure servers. WordPress itself recommends HTTPS support. WordPress is only affected out of the box because you have to use a password to log into it, so whilst no warning will appear on the front end of the site, the second you enter the admin area you will get a warning.
Of course, it’s your decision if you decide to log in insecurely, but my suggestion would be to switch your site to HTTPS.
How Do I Fix It?
Luckily, it’s getting easier to fix these issues, thanks to the introduction of Let's Encrypt. Let's Encrypt is a free, automated certificate authority that will allow you to get a free SSL certificate for your site. There has been huge growth in this area in the past 12 months, and now many hosts support it.
Any Problems with Let's Encrypt?
The only problem I’ve found with Let's Encrypt is that iTunes podcast feeds don’t support Let's Encrypt SSL certificates. This was 6 months ago, so it may have changed. If you have a podcast, you may want to get a paid SSL certificate, which are under £10.
What about SEO?
Well, people I know seem to have had issues switching from HTTP to HTTPS, but I cannot say I had many issues. I simply logged into WordPress after having the SSL certificate added to the site, changed the URLs in the Settings from HTTP to HTTPS and was done with it. The three things to be aware of are the following:
- Make sure you canonicalise your URLs. What this means is that Google will recognise one of the URLs as being the definitive one, and rank that URL. This is easily done using Yoast SEO. This is done to avoid duplicate content.
- Make sure your HTTP redirects to HTTPS. If you have two versions of the same site, it can lead to some problems for things such as checkouts or any form of interaction. You can fix this with this guide on forcing SSL.
- Make sure you have the new URL of the site listed in Google Search Console and Google Analytics.
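A small post-migration check for the first two items above, plus the password-field trigger that causes the Chrome warning, as an added example that is not part of the original post. The function name `audit`, the header dictionary shape and the sample responses are constructed for illustration, and accepting only 301/308 as a valid redirect is an assumption made here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _PageScan(HTMLParser):
    """Collects the canonical URL and counts password inputs on a page."""
    def __init__(self):
        super().__init__()
        self.canonical = None
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "canonical" in a.get("rel", "").lower().split():
            self.canonical = a.get("href")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_fields += 1


def audit(url, status, headers, body=""):
    """Return a list of findings for one fetched URL (empty list means OK)."""
    findings = []
    req = urlsplit(url)
    scan = _PageScan()
    scan.feed(body)
    if req.scheme == "http":
        loc = urlsplit(headers.get("Location", ""))
        # Assumption: only a permanent redirect (301/308) counts as migrated.
        if status not in (301, 308):
            findings.append("http URL does not permanently redirect (status %d)" % status)
        elif loc.scheme != "https" or loc.hostname != req.hostname:
            findings.append("redirect target is not https on the same host")
        if scan.password_fields:
            # This is the condition the Chrome warning is about.
            findings.append("password field served over http")
    elif scan.canonical is None:
        findings.append("no canonical link")
    elif urlsplit(scan.canonical).scheme != "https":
        findings.append("canonical link is not https")
    return findings


# Constructed sample responses (not captured from a real site).
LOGIN_HTML = '<form method="post"><input type="password" name="pwd"></form>'
POST_HTML = '<head><link rel="canonical" href="http://example.com/post/"></head>'

if __name__ == "__main__":
    print(audit("http://example.com/wp-login.php", 200, {}, LOGIN_HTML))
    print(audit("https://example.com/post/", 200, {}, POST_HTML))
```

Feed it the status code, headers and body from whatever HTTP client you already use, once for the `http://` URL and once for the `https://` URL of each key page.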
Aleyda Solis has a great HTTP to HTTPS SEO checklist of what she does during migration. My list is the basics but she has a more thorough list. Use that.
My Host Doesn’t Support SSL through Let's Encrypt? What Should You Do?
Move host. These warnings are going to get bigger and more substantial over time (Google has suggested that over time they will start showing the “not secure” warning for all sites), so it is in your best interest to put your site behind HTTPS. So here is a list of hosts I have verified have the ability to add Let's Encrypt to your site. If you can comment on your host having SSL please do so, and I’ll add it to the list.
| Host Name | Type of Host | Let's Encrypt? | Other SSL Certificates? | Price / Sites | Link |
|---|---|---|---|---|---|
| WP Engine | Managed WordPress | Yes | Yes | $29/month | Visit WP Engine |