Making Sure Your WordPress Site Complies with Google’s Security Guidelines
Way back in 2014, Google announced that HTTPS would count as a ranking signal and began pushing the web towards HTTPS (still widely called "SSL"). Since then we all know that we need to check for the little lock in the address bar before we enter personal information. Right? But what does it mean for your website?
Learn in this post how to make sure your WordPress site complies with Google Security Guidelines.
HTTPS stands for Hypertext Transfer Protocol Secure: ordinary HTTP carried inside an encrypted connection. SSL is an acronym for Secure Sockets Layer, the original protocol for that connection; it has long since been replaced by TLS (Transport Layer Security), but "SSL" and "SSL certificate" have stuck as everyday names. Together they ensure that traffic between the browser and the server is encrypted and cannot be read or altered in transit.
This is important for more than just securing your credit card details. Besides keeping all data private in transit, the certificate proves that the server you are talking to controls the domain shown in the address bar, so an attacker on the network cannot impersonate it. It does not vouch for the people behind that domain, only that you reached the real one.
- Check that the site is secure by clicking on the padlock in the address bar; the browser shows which domain the certificate covers and who issued it.
But besides the benefits of having a secure site, the padlock is important if you want to stay friends with Google. In August 2017, Google sent warnings to webmasters. The emails stated:
Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as `<input type="text">` or `<input type="email">`) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users' data. This list is not exhaustive.
What this means is that users are shown a 'Not Secure' warning as soon as they start typing into any form on an HTTP page, and on every HTTP page when they browse in Incognito mode.
Is this likely to deter visitors? That probably depends on the nature of your site. If you use forms to collect data, anything from a simple contact form to a marketing survey, it is likely to make visitors think twice.
What can you do about it on your WordPress site?
Firstly, a quick check:
- Does your site use any text input fields? These could be logins, contact forms, or search boxes.
- Is your site using HTTP:// in the address bar?
If so, you are likely to find ‘not secure’ adorning your site in the near future.
SSL Certificates
The first step is to get an SSL certificate for your domain. Until recently, this was an extra cost. A paid certificate does not give you stronger encryption; what it can add is organisation or extended validation (the issuer checks the company behind the domain), a warranty and vendor support. If you collect credit card details, you may still prefer a paid certificate for those reasons, but the connection is protected just the same either way.
But 2017 has seen many hosts implementing the free service from the open certificate authority Let's Encrypt. Its certificates are domain-validated, expire after 90 days and are renewed automatically by the host's tooling. Check with your host.
Once you have SSL enabled, the next step is to tell your WordPress site to deliver only HTTPS pages, by redirecting every HTTP request to its HTTPS equivalent. You can do this in the .htaccess file. Visit our Using .htaccess to Move Your Site to SSL tutorial to learn how to do it.
Moving your site to HTTPS
If you are starting a new site from scratch, it is usually a simple matter of updating the .htaccess file and changing the WordPress Address and Site Address under Settings > General to their https:// versions.
But if you have had a site running for any length of time, you are likely to run into problems with site elements such as images, JavaScript and CSS files and the way they are loaded.
WordPress is notorious for storing absolute URLs, in post content as well as in its settings. If a page served over HTTPS loads elements using http://, the padlock is replaced by a warning icon to tell visitors that the page is not fully secure. This is called 'mixed content'. The effect depends on the element: browsers merely warn about images loaded over http://, but they block scripts, stylesheets and iframes loaded over http:// outright, so those parts of the page simply stop working.
Whatever Google decides to do with these semi-secure pages, it is better to ensure that every element is loaded over https://.
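The .htaccess redirect moves visitors to HTTPS; WordPress itself still needs to be told to generate HTTPS links and to keep the dashboard on HTTPS. The following wp-config.php lines are an added example for this post, not code from the tutorial linked above. The host name example.com is hypothetical, and the reverse-proxy check at the end is an assumption about your hosting: it only applies if a CDN or load balancer terminates TLS in front of your server.

```php
<?php
// Added example: settings for wp-config.php (above "That's all, stop editing!").
// Assumption: the site is served at https://example.com (hypothetical host).

// Pin the WordPress Address and Site Address to HTTPS. Constants override the
// values in Settings > General, which then become read-only in the dashboard.
define('WP_HOME',    'https://example.com');
define('WP_SITEURL', 'https://example.com');

// Keep wp-login.php and the whole of /wp-admin/ on HTTPS, so the logged-in
// cookies are never sent in clear text.
define('FORCE_SSL_ADMIN', true);

// Caveat for sites behind a CDN or load balancer that terminates TLS
// (assumed setup, not part of the original post). The proxy usually talks
// plain HTTP to the origin, so PHP never sees $_SERVER['HTTPS'] and
// is_ssl() returns false. FORCE_SSL_ADMIN then redirects to HTTPS again
// and again: a redirect loop. Honour the proxy's X-Forwarded-Proto header,
// but only when the origin is reachable solely through that proxy;
// otherwise any client can send the header itself and claim to be on HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

With WP_HOME and WP_SITEURL defined, the two address fields under Settings > General are greyed out, which is a quick way to confirm the constants have taken effect.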
Fortunately, there is a really simple plugin called Really Simple SSL that takes most of the heavy lifting out of the process.
- Go to Plugins, search for 'Really Simple SSL'
- Install the plugin
- Activate it.
- Once activated, the plugin checks whether a certificate is installed, redirects visitors to HTTPS and fixes as much mixed content as it can.
The settings are fairly straightforward. You have an option to stop the plugin from rewriting the .htaccess file if you need to make other changes to that file yourself.
Usually, that's all folks. Your site is now served over HTTPS.
But. There's always a but. Occasionally, Really Simple SSL may not manage to fix all the insecure content buried away on your site. There may be an embedded video in an old blog post that is still called via http://, or images in an old slideshow plugin.
In that case, you may need to use a plugin called 'SSL Insecure Content Fixer'.
- Install and activate the plugin
- From the Tools menu, you will find SSL Tests. Click there to check that your SSL settings are correct.
- Under settings, you will now find an item called SSL Insecure Content. Here you can decide how big a cleanup you need.
- If you have warnings from images, iframes, embedded videos and audio files, or scripts and CSS that are hard-coded into HTML, you will probably need to pick a level higher than Simple.
- The Content fix level cleans up images, iframes, and embeds in your page content and in text widgets.
- The Widgets fix level does everything the Content fix level does, but it doesn’t restrict its widget fixes to text widgets.
- The Capture fix level captures the entire page and fixes scripts, stylesheets, images, iframes, and embedded content anywhere on the page. Be aware that this can use a lot of memory on long, heavy pages. This can impact your website performance. Try the lower levels first.
- The Capture All fix level does everything above and deals with AJAX requests.
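To make the fix levels above less of a black box, here is the mechanism behind the 'Capture' level in a minimal form. This is an added example, not code from SSL Insecure Content Fixer or Really Simple SSL; the function names prefixed example_ and the mu-plugins path are hypothetical. It assumes the site's address is already set to https:// (so home_url() reports the right host), buffers the whole front-end page, rewrites http:// references to the site's own host, and logs whatever third-party content is still insecure.

```php
<?php
/*
Plugin Name: Example own-host HTTPS rewriter
Description: Added example for this post; not code from either plugin named above.
*/

// Drop this file in wp-content/mu-plugins/ (hypothetical location; any
// must-use plugin directory works).

// Return the http:// subresource URLs in a page: src/data/poster attributes
// and <link href>. Plain <a href="http://..."> links are deliberately
// ignored, because navigating to another site is not mixed content.
function example_find_insecure_refs(string $html): array {
    $found = [];
    preg_match_all('#\b(?:src|data|poster)\s*=\s*["\'](http://[^"\']+)#i', $html, $m);
    $found = array_merge($found, $m[1]);
    preg_match_all('#<link\b[^>]*\bhref\s*=\s*["\'](http://[^"\']+)#i', $html, $m);
    $found = array_merge($found, $m[1]);
    return array_values(array_unique($found));
}

// Rewrite http://<our host> to https://<our host>. Nothing else is touched:
// a third-party host may not offer HTTPS at all, and rewriting it blindly
// would turn a warning into a broken image or a blocked script.
function example_rewrite_own_host(string $html, string $host): string {
    $pattern = '#\bhttp://' . preg_quote($host, '#') . '(?=[/"\'\s>?\#]|$)#i';
    return preg_replace($pattern, 'https://' . $host, $html);
}

function example_https_ob_callback(string $html): string {
    $host = wp_parse_url(home_url(), PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return $html;
    }
    $html = example_rewrite_own_host($html, $host);

    // What is left is third-party content the rewrite cannot fix: an old
    // http:// video embed, an image hot-linked from another site. Log it so
    // it can be corrected in the post itself.
    if (defined('WP_DEBUG') && WP_DEBUG) {
        foreach (example_find_insecure_refs($html) as $url) {
            error_log('Mixed content still present: ' . $url);
        }
    }
    return $html;
}

function example_https_start_buffer(): void {
    // Front-end HTML only; leave the dashboard, REST and AJAX responses alone.
    if (is_admin() || wp_doing_ajax() || (defined('REST_REQUEST') && REST_REQUEST)) {
        return;
    }
    // The whole page sits in memory until shutdown, which is why the plugin
    // warns that the Capture level can be expensive on long, heavy pages.
    ob_start('example_https_ob_callback');
}
add_action('template_redirect', 'example_https_start_buffer');
```

Rewriting output on every request is a patch, not a cure: the http:// URLs are still in the database. If you have shell access, WP-CLI's `wp search-replace 'http://example.com' 'https://example.com'` (with your own host) rewrites them in place, after which the buffer rewrite has nothing left to do and can be removed.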
Once you're happy that your site is secure, don't forget to update your details with Google Analytics (the property's default URL) and Google Search Console, formerly Google Webmaster Tools, where the https:// version of your site counts as a separate property and has to be added and verified.
Thanks Libby… this is a great resource! Should I expect the same results with a WordPress Multi-User site?