Are HTTPS Websites Secure?

I saw an interesting discussion in a forum recently, during which it was asserted that once you move your website to HTTPS it becomes secure. But…

Just because a website is running on HTTPS that does not mean it is secure.

The only thing that an HTTPS website does is to protect the data that is transmitted from the site visitor to the website itself.

That does not make the website secure.

You should, of course, have your website running on HTTPS – and in some cases, for example with an online shop, it’s a requirement.

But HTTPS is only one (small) part of an overall security plan.

So let’s look at HTTPS – what it does and how to set it up.

In order to run your website on HTTPS you first need to install an SSL Security Certificate.

What is an SSL security certificate?

An SSL certificate confirms that the website with which you’re exchanging your data is owned by the person or company that claims to own it. It authenticates the identity of that website.

SSL stands for Secure Sockets Layer, which encrypts the data that you type into a form on a website so that no person other than the website owner can read it.

By ‘form on a website’ I mean the form into which you enter your details on Amazon when you’re buying something, a contact form on a website where you’re asking a question, a comment form on a blog, or a sign-up form where you’re subscribing to a newsletter.

A diagram of a Man in the Middle attackAny time you type your details into a website they are transmitted across the Internet to the website owner and, if they are not encrypted, they can be intercepted and stolen by a hacker.

Depending on what you’re doing, this can include your credit card details, your social security number, bank account details, your residential (delivery) address, your billing address, your date of birth, and so on.

Intercepting that data is easy for the hackers, if your site is not running on HTTPS, as I described here. (Scroll down to the section on Man in the Middle attacks).

If that data gets into the hands of the cyber criminals you have become exposed to all sorts of risks, from identity theft, to cyber-crime to physical burglary.

So an SSL certificate authenticates the identity of the site you’re browsing and indicates that the technology used to send your data across the internet to that site is secure.

This is indicated by the HTTPS prefix to the site’s internet address:

Screenshot showing the HTTPS prefix to the web address

How to set up HTTPS

Setting up HTTPS today is straight-forward, because most hosting providers (certainly the better ones) provide a free route to setting up the certificate.

The hosting provider I linked to above sets up HTTPS for all new sites by default.

However, if you’re operating a WordPress website that is still on HTTP, and you want to move it to HTTPS, then there are some additional things you need to do to ensure everything works properly.

If you’re not familiar with editing some code you should ask your hosting provider or a developer to undertake these steps for you.

But, for the adventurous, here’s the process for moving a WordPress website from HTTP to HTTPS:

  1. Set up the SSL certificate on your hosting provider (click the ‘LetsEncrypt’ icon in cPanel)
  2. In WordPress change http to https in the site fields in General Settings
  3. Using your File Manager or an FTP client, add this to the .HTACCESS file at the top:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  4. Add this to wp-config.php:
    define('FORCE_SSL_ADMIN', true);
  5. Update any links in the Robots.txt file – e.g. to the sitemap
  6. Check tracking code snippets to ensure they refer to your site as https, not http, and make the change if necessary
  7. Remove from, and re-add the site to Google Webmaster Tools
  8. Run BackupBuddy > Server tools > Database > Text change (or access your database via PHPMyAdmin) to change to (this changes the internal links throughout your site)
  9. Log out and log in again to make sure https in the site address fields in General Settings has been saved
  10. Check each page on the front of the site for consistent and full https (displaying a full green padlock in the address bar). If any pages are not rendering as full https (there’s a yellow warning triangle over the green padlock) view the page source code to find http links to your site and correct them (in the WordPress editor).

Yes, I know there’s some code fiddling in there and I apologise! This site is intended for non-technical people so by all means contact me if your hosting provider will not make these changes for you, and you have no access to a developer.

Why does that not make a website secure?

The SSL certificate and HTTPS protocol only protect the data travelling between the site visitor and the website.

They do not stop a hacker accessing the site illegally through a brute force attack, exploiting an out of date plugin or any other means.

In fact, if a hacker inserts malware on a site that’s running on HTTPS, the protocol ensures that the malware will reach the site visitor’s computer in pristine condition – so it helps them (the hacker, I mean) do their nasty stuff..!

That is why HTTPS on its own does not make a website secure. It has to be part of a wider security plan.

In closing

The fact is, though, that you should be running your site on HTTPS and using it as part of a wider security strategy.

It does protect the data of your site visitors when they give you their details for any reason and, assuming all other factors are equal, an HTTPS site will rank higher in the search results than one running on HTTP.

In a future article I’ll look at the main points of entry hackers can use to access and corrupt a WordPress website.

Have you moved your website onto HTTPS?

Let us know your experience in the comments below and please ask (in a comment) if I need to clarify anything.

Is your WordPress website as secure as it could be? Take a look at the WordPress security products I have reviewed (I use all of them):


Martin Malden

Martin Malden
Owner – WP Security Basics