You’ve seen it pop up while browsing or building a website. You know it enables some sort of security. It’s those “HTTPS” letters at the beginning of a webpage URL. But what does HTTPS do, exactly? 🤔
And more importantly, is HTTPS something that you should be using on your website?
💡 In this post, you’ll learn everything that you need to know, including the following:
What is HTTPS?
HTTPS, or Hyper Text Transfer Protocol Secure, serves as a secure protocol for all communications between a website’s server and a visitor’s browser. Or, in more general terms, for all communications between a server and a client.
ℹ️ A protocol gets utilized every time an internet user accesses a website, but that site dictates the type of protocol: HTTP or HTTPS.
What’s the difference between HTTP and HTTPS?
HTTP (Hyper Text Transfer Protocol), as you might already be able to tell, lacks the “Secure” part we see in HTTPS.
They’re both highly efficient communication protocols, but they work in different ways.
HTTP works like this:
- A user tries to access an HTTP website using a web browser
- The browser sends unencrypted login data, such as the server username and password, to the server, using hypertext format
- The server responds with the necessary site data, which the browser uses to display site content to the user
The important detail here is that the data is unencrypted with regular HTTP. This means that it’s possible for someone to sit in the “middle” and read all the data as it passes between your web browser and the server.
For example, if you’re connected to public Wi-Fi at your favorite coffee shop, someone else on that network could snoop on the data.
On the other hand, HTTPS works like this:
- A user tries to access an HTTPS website using a web browser
- The browser sends encrypted login data, so it’s the same hypertext format, with the same login credentials, but it’s codified with random characters to prevent intrusions
- The server decrypts the message, then responds with the necessary site data, which the browser uses to display the visual site content to the user
With HTTPS, people can no longer snoop on that data. While they could still see that some type of data was moving between your web browser and the server, they wouldn’t be able to view the data itself because it’s encrypted. For example, instead of seeing your password, they’d just see a bunch of random text and numbers with no meaning.
How to see if a website uses HTTP or HTTPS
It’s easy for any website visitor to check if a site is protected by HTTPS.
Many browsers clear out the HTTP or HTTPS part of a URL for a cleaner interface, so you may not immediately see it next to the URL. However, browsers have unique indicators, such as Lock icons, to mark sites as using HTTPS.
The following screenshot shows that Lock icon, telling us that the site is secure with HTTPS.
You can also click on that Lock icon to reveal a section that tells you the “Connection is secure.”
Finally, to actually see the “HTTPS” in front of the domain name, copy the URL and paste it into a new tab or in a document. This gives you a look at the raw URL, with its “https://“ tag included at the front.
If your site is unprotected, or you land on an HTTP website, most browsers present a “Not Secure” message with some sort of icon warning, like an exclamation point.
Click on that warning to receive information about the security of the website. For HTTP, browsers recommend:
- Not entering sensitive data on the site
- Or to avoid the site altogether
Again, it’s possible to see the “http://“ part of a URL by copying it into a new tab. This is yet another indicator that the website lacks HTTPS and could potentially allow hackers to steal information communicated over that site.
What does HTTPS do? The main benefits
When answering the question of “what does HTTPS do?” we must look at the primary benefits that arise after you switch from HTTP. 😎
Here’s what you gain:
- Transactional (and non-transactional) security
- User confidence
- SEO improvements (and avoidance of penalties)
- Overall encryption, verification, and validation
- Mobile advantages
1. Transactional (and non-transactional) security
Most people think of HTTPS when discussing eCommerce, seeing as how online stores want to ensure sensitive transactional data—like credit card information and addresses—don’t get leaked from their site.
However, the mood about HTTPS has changed drastically to include non-transactional websites as well.
Overall, using HTTPS on any website boosts security for all of its users. The most common threats are called MitM (man-in-the-middle) attacks, which extract private information from users regardless of whether a site accepts transactions. Phishing is also a prevalent danger for websites not utilizing the security that comes with HTTPS.
Therefore, blogs without stores, basic business websites, and robust eCommerce sites should all have HTTPS to lock out hackers and protect users.
For example, let’s say you have your own WordPress blog. Maybe you’re on a trip and you log in to the blog using the airport Wi-Fi. Without HTTPS, someone else could potentially steal your WordPress login credentials and use them to access your site.
2. User confidence
Since word continues to spread about the risks of visiting an HTTP website, and many browsers post blatant warnings about the dangers, HTTP sites have a stigma that pushes visitors away.
In short, even non-tech-savvy visitors can read the warnings and turn around to look for an alternative site.
You increase user confidence with HTTPS because:
- A “secure” icon and message appear in the browser, often shown as a Lock icon
- Users can click through the “secure” icon to view the SSL information like its validity, when it was implemented, and what types of encryption it uses
- Users can copy and paste the URL to actually view the “https://“ in front of the site’s domain name
3. SEO improvements (and avoidance of penalties)
Google uses “search ranking signals” to compile information about websites and determine their ranking worthiness. It’s a big deal if you have poor ranking signals on your site, since Google automatically pushes your site down in the search results.
In 2014, Google added HTTPS as a search ranking signal, meaning that any website (not just eCommerce stores) without HTTPS would incur ranking penalties if not switched over from HTTP .
So, as you can see, this is not just a suggestion by SEO experts, but rather a requirement by the biggest search engine in the world to ensure that your websites rank as high as possible, and it’s all in the name of security.
Avoiding more penalties
Along with search engines, the payment processing industry has standards and regulations for doing business with sites, ranging from PCI-compliance to HTTPS requirements.
In short, it’s not entirely illegal to stick to the old HTTP option, but payment gateways have no interest in doing business with you, so it becomes impossible to sell anything online if you’re not protected with HTTPS.
You’ll notice these standards in other industries as well, like how hosting companies tend to prevent you, or at least warn you, about setting up an online store without the protection from an SSL certificate and HTTPS.
4. Overall encryption, verification, and validation
The actual process, or protocol, that HTTPS uses to encrypt, verify, and validate data provides incredible benefits for site owners, since you’re at a significantly lower risk of experiencing a security breach.
Encryption cloaks sensitive data with randomized characters, and the true data is only accessible to two parties: the user and server.
Even if a hacker gets the encrypted data, it’s useless to them. And it works both ways, so site owners protect their own data just as much as they protect customer data.
Along with encryption, HTTPS provides:
- Verification: It verifies that the data gets sent to the right server, and back to the appropriate browser, giving further protection against bots and people who attempt to hijack those connections by sending them to malicious servers.
- Data validation: It goes through the process of quickly validating all sender and receiver data. If something isn’t validated, the operation gets abandoned and the end user receives an error.
- Data storage protection: HTTP sites store visitors’ data on the client system, making it accessible to hackers. HTTPS sites, on the other hand, send data without storing it on the client side, meaning there’s no public area on those sites for hackers to break into.
5. Mobile advantages
One unique benefit of using HTTPS for your site is how it works with Google’s Accelerated Mobile Pages, also known as AMP.
AMP is a product that optimizes websites and domains for faster loading on mobile devices.
Because of the incredible performance improvements, AMP has shown to improve SEO rankings for sites with the technology implemented.
However, HTTP sites are restricted from using AMP. Therefore, you must have HTTPS to speed up your site with AMP and gain those potential mobile SEO benefits.
How to get HTTPS on your website
If you want to enable HTTPS on your website, you’ll need an SSL / TLS certificate. While TLS is the modern version of the protocol, you’ll usually just see these referred to as “SSL certificates.”
An SSL is the digital certificate used to implement the HTTPS protocol necessary for encryption of all data passed between browser and server.
Without an SSL certificate, you can’t get HTTPS on your website. Luckily, SSL certificates are easily found for free by using a service like Let’s Encrypt. Many web hosting providers also offer free SSL certificates when you pay for their hosting services. As an alternative, developers and site owners can find premium SSL certificates for a yearly fee.
To properly move a WordPress site from HTTP to HTTPS, follow our in-depth guide.
👉 In that guide, you’ll walk through these steps:
- Install an SSL certificate
- Use the Really Simple SSL plugin to link the certificate to your WordPress site
- Verify the activation on the frontend of your site
- Update your site’s new URL in Google Analytics
- Make a new property in Google Search Console
- Update your CDN URL to reflect the new domain
- Change any incoming links—like from social media and online directories—to the new URL.
Get started with HTTPS today 🏁
In this article, we showed:
- The definition of HTTPS
- The differences between HTTPS and HTTP
- What the secure protocol does for your site (its overall benefits)
- How to switch away from HTTP
🌱 We encourage you to review those benefits, since it’s almost impossible to deny that HTTPS is the stronger technology. From transactional security to user confidence, and mobile advantages to SEO improvements, it’s not only a must-have, but often a requirement to conduct business online.
If you’re still asking, “what does HTTPS do?” or you’d like to share your thoughts on the topic, leave us a comment in the section below!
Don’t forget to join our crash course on speeding up your WordPress site. Learn more below: