Happy HTTPS 2017 to you!
Last year we took a big step towards making SSL certificates more widely used. We financially backed the super cool open SSL project Let’s Encrypt and provided an easy cPanel interface from which all our users can issue free Let’s Encrypt certificates with a single click. This has resulted in more than 40 thousand new SSL installations on our servers. However, there is still a long way to go before we see the HTTPS protocol completely replace the insecure HTTP. Now, at the very beginning of 2017, we are happy to announce that we have taken the next big step in this direction: we have started to automatically issue Let’s Encrypt certificates for every domain that is hosted on our shared servers.
Every site should have an SSL
The web is clearly moving in the direction of making HTTPS the preferred, if not the compulsory, protocol. These are just a few of the reasons why this trend will continue to be massive in 2017:
- Google has officially announced that HTTPS will be a factor in search result rankings.
- The HTTP/2 protocol, which brings serious loading speed gains, is supported by browsers only over an encrypted connection.
- The Google Chrome browser will gradually start to mark non-HTTPS websites as insecure more obviously.
- Matt Mullenweg, the founder of WordPress, has announced that some of the new WordPress features released in 2017 will be available only for sites using HTTPS (go to minute 31:00 to hear it).
So, with so many influential entities openly supporting this trend, there is no way back to HTTP.
We make the move to HTTPS easy
To make the transition easier for our users we have taken one more big step: during the holidays we issued several hundred thousand certificates for all the domains that are already hosted on our shared servers. So our existing customers welcomed 2017 even more HTTPS-ready than before. We have also started to issue the Let’s Encrypt certificate and install it on the customer’s account automatically, just a short time after a new domain is registered by us or detected to be directed to our servers. This includes not only the primary account domains but also addon domains created by our users through the cPanel. All certificates will be renewed automatically by us too, as long as the domains they have been issued for are pointed to our servers.
All this does not mean that our users’ websites have started to work over HTTPS by default JUST YET. You still need to configure your site to use the issued certificate. (Here you can read more about how to configure a WordPress site to use HTTPS or how to do the trick by editing your .htaccess file.) If this seems like too much work for you, just wait for our next big SSL-related surprise, which will be announced soon!
Comments ( 89 )
Brian Hochstein
BRAVO! Good to see a host truly be security minded instead of lag behind the times with outdated approaches to things! :)
Joe
Good Job guys!
Daniel
Great job Siteground, I'll wait for the next big SSL surprise to update my Joomla! website.
Hristo Pandjarov Siteground Team
You can use the Joomla Toolkit in your cPanel to easily configure it to work with SSL: https://www.siteground.com/tutorials/joomla-wordpress-toolkit/configure-ssl.htm
Zoran Filipović
Excellent job! SiteGround is: The Joy of Web!
Justin Rains
No unique IP?
Justin Rains
Downtime?
Hristo Pandjarov Siteground Team
Not at all :)
Hristo Pandjarov Siteground Team
Since SNI is enabled on all servers we don't need to issue IPs per each certificate.
Dave
But for any domains we want to add SSL to we still need to go to Let's Encrypt in cPanel and kick things off right? So does this just slightly speed up that process of communication that takes place when doing this? Definitely appreciative, just want to understand expectations.
Hristo Pandjarov Siteground Team
Our system will try to issue a Let's Encrypt certificate once you purchase a new account or if you add an Addon domain to an existing account. However, sometimes the issuing of the certificate can take longer (due to domain propagation times) or can fail. That is why I would advise anyone to first check the Let’s Encrypt interface in the cPanel if the certificate for the domain is issued and if not, to issue it manually.
Jaswinder Kaur
Glad to know about this all. I am waiting for your next big SSL-related surprise!
Plinio IWEB
Great upgrade!! Perfect and smooth, I switched to https in 5 min!!
Pietro Montagna
Hello Hristo, using cloudflare (free plan) I can't use SSL Let’s Encrypt, right?
Hristo Pandjarov Siteground Team
We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.
Pietro Montagna
:( Thanks for your reply.
Olga
Great move- but what happens to the ones that have bought CloudFlare Plus plan? we paid for one year in advance (on January 8th 2017) - why do have to renew it then?
Hristo Pandjarov Siteground Team
The recent changes don't affect in any way the CloudFlare integrations we have. With the Plus plan, you can freely use the LE certificate.
Brian Prows
I think Hristo's answer should have been "...you can only use their shared certificate if you want to have an encrypted connection on the [paid] plan." This sucks. If you're going to headline your blog post "Https for Everyone," you've got to resolve the situation with CloudFlare. I have a GoGeek plan which, for the price, should include a paid CloudFlare plan. Right now, I have my main site on an upgraded CloudFlare plan, but others are on CloudFlare's free plan. It's interesting that if you sign up your domain first with CloudFlare, you can use CloudFlare's free plan with Https.
Hristo Pandjarov Siteground Team
We're discussing with CF all the possibilities to improve integrations and to allow our customers to use LE certificates with their free plan. Hopefully soon we will have more info on that matter.
Pino
"Every site should have an SSL" Every site, or only every public site? If you're testing your site on a local LAN before you deploy it to SiteGround hosting, it's hard to test features that require HTTPS because Let's Encrypt issues certs only for names on public TLDs. What's the typical solution for that?
Hristo Pandjarov Siteground Team
Soon, you will be able to use LE for almost every domain out there. Meanwhile, you can try using a self-signed SSL certificate on your local environment.
Davor
And what if we use Cloudflare CDN free plan (no support for SSL)?
Hristo Pandjarov Siteground Team
We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.
Anders
Is there an impact on say affiliate tracking etc if switching to HTTPS?
Hristo Pandjarov Siteground Team
No, all sales should be tracked correctly despite having a certificate or not.
William James
This is a great initiative. It will improve our non secured to secured sites on the internet. Do I need to configure it, or will it be automatically configured for my site?
Hristo Pandjarov Siteground Team
Yes, you will need to configure your application to work through SSL and if you want to make sure all the traffic is through https, you need to "force" this with an .htaccess rule: https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/
Brian Prows
This will not resolve Google Chrome's HTTPS insecure element check. If you're using WordPress, you either need to change all your internal links to HTTP or, more easily, use this plugin: https://wordpress.org/plugins/ssl-insecure-content-fixer/
Hristo Pandjarov Siteground Team
If the application and its extensions are configured properly, there shouldn't be any insecure content. However, yes, if such exists, the Insecure Content Fixer is one of the plugins we recommend for that job.
Rob
I am using https for a few sites now and this is so easy to setup. Thanks Siteground!! Rob
bawbag
Google chrome announced they are going to flag non ssl sites as "non secure" from version 56 in the browser so "the man" is going to be very happy about this.
Ric Raftis
I have been using Cloudflare's direct Flexible SSL now for some time because you the free account and admin interface wouldn't work with the Siteground usage. Would be interested in seeing a blog post on how this may have changed and is it better to run your SSL site from Siteground or Cloudflare. The Cloudflare page rules make it nice and easy and the Simbunch CDN extension for Joomla. Cheers,
Hristo Pandjarov Siteground Team
I really hope that soon you will be able to use your LE certificate with CloudFlare. We will surely post more information about this when it becomes reality!
Brian Prows
Flexible SSL only encrypts website user to CloudFlare but not to SiteGround. I've been through this exercise with SiteGround techs and CloudFlare. CloudFlare stated flatly it can't (won't) be done. I'm not sure if it's a technical or money issue. To my knowledge, the only way to establish full encryption is to upgrade your free SiteGround CloudFlare connection to paid, which is cheaper than setting up your domain's DNS with CloudFlare @$20 per month. With GoBig and GoGeek accounts, SiteGround should offer the paid CloudFlare upgrade in the hosting package.
Hristo Pandjarov Siteground Team
Hopefully, you will be able to use your LE certificate with the free CF package very soon :)
bonnie
Good news.
David Harper
As a site admin who doesn't have a tech's deep understanding of these things I must admit I remain intimidated by the prospect of making the switch. Your article makes it sound like simplicity itself, but the true picture seems far more complex, especially when considerations like SEO come into play, the need to create 301-redirects, the risk of negating inbound links and paths ... . Searchengineland provide a 29-point checklist for the transition procedure and they still identify any number of potential pitfalls. Until you can offer intimidated customers like me complete reassurance that there's no risk of messing up a client's site, or their Google visibility, then our reluctance to switch may continue. Again, I emphasise that I'm not saying I don't appreciate the case for switching, but fear the consequences of breaking something in the process.
Hristo Pandjarov Siteground Team
As said, we are working on a solution that will provide our customers with a very easy mechanism to have everything on-site working properly through https. Of course, 3rd party applications and services may require additional configuration. We will make it as easy as possible. In addition to that, you don't need to redirect each URL you have, just force https with a good 301 redirect (https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/). We've been very careful not to break things in that process and right now we're not forcing anything, just making it easier for our customers to configure their sites to work through encrypted connection.
Lars Rubeson
"how to configure a WordPress site to use HTTPS" when will you have the "how to configure a Joomla site to use HTTPS"? Seems clear why you always promote Wordpress in every circumstances for some reason I don't understand... Why?
Hristo Pandjarov Siteground Team
Here's a link to the article on how to configure your Joomla website: https://www.siteground.com/kb/configure-joomla-site-use-https/ I wouldn't say we promote WordPress, it's just the web application that our customers use most.
fawad
Great news for every site member, especially the ones like me, as I need this SSL.
Bharat
Hello, Does this mean that existing shared hosting plans such as those in Reseller hosting plans will have Let's Encrypt SSL certificates installed automatically if they are not installed manually and also renewed automatically whether or not they were installed automatically?
Hristo Pandjarov Siteground Team
Yes, all domains associated with those accounts will get free LE certificates that will be renewed automatically too. If you already have LE certificate installed, it's already being renewed automatically.
Kaj Jensen
I noticed that if you install a domain from Softaculous and choose SSL when installing using LE, it is considered more safe by, for example, the Chrome browser than if you convert your site to SSL by using plugins such as SSL Insecure Content Fixer and changing the URL in Wordpress from 'http://' to 'https://'. I also added the additional strength by using this guide, How to force SSL with .htaccess, from Siteground, but still the domain is considered less safe than the domain built and installed from scratch with LE SSL. You can check it from these two domains: www.fortalezarealestate.com.br (installed with LE SSL from scratch) and www.imoveisemceara.com.br (configured with the Siteground guide How to configure WordPress to use my own private SSL certificate). Hopefully it should be possible to get the full site secure label without having to re-install your website - am waiting for your next big SSL-related surprise :-)
Hristo Pandjarov Siteground Team
The difference you see is because you are loading insecure content on the site. If you want to use https, every resource has to be loaded securely in order for you to see the green padlock. That's straightforward for new sites, but existing ones require some reconfiguration, thus the difference. Check out this plugin, it will do the trick and your existing sites will look exactly the same as the new ones in your browser: https://wordpress.org/plugins/ssl-insecure-content-fixer/
Bob
How does this work with shared hosting? If I have three or four sites on say a WP Growbig account does each site get a certificate?
Hristo Pandjarov Siteground Team
Yes, each domain associated with your account will get a free LE certificate. We use the SNI technology to issue more than one certificate per IP address.
Peter
What if we don't want a Let's Encrypt certificate for a particular website?
Hristo Pandjarov Siteground Team
You can remove it with a single click from the Let's Encrypt tool in cPanel.
Todd E Jones
Are we automatically getting https or is there an upgrade charge? Glad to see how proactive you guys are!
Hristo Pandjarov Siteground Team
All Let's Encrypt certificates are free :)
MaAnna
This explains what I've been seeing in site audits. There are now two listings in AWStats for every domain - the SSL version and the original. What I'm also seeing is that the site is suddenly now available on https and does not redirect to http because there is nothing in .htaccess to force it to do so. I'm also seeing that bots are already hitting on the SSL version too. I understand your desire to issue certs to get ahead of this curve. But a few security and performance issues have been overlooked in the doing of it. Until the site is actually converted to https, and all routes to the site have come under whatever access and security measures have been put in place, no https access should be given. Can we request that the cert be removed and then reissued when the site is actually converted?
Hristo Pandjarov Siteground Team
You can remove the certificate at any time from the Let's Encrypt tool in cPanel and then install a new one at any time, when you're ready. As to your other question, if you're not linking to your site both through https and http there won't be any problem for your rankings and that's the case for most sites. Google are amongst the organisations that push web encryption hardest. As to the AW Stats, it's normal because they operate on server level and you can see stats for both versions. Note, that even if HTTPS is forced, you will get records for the non-encrypted version because hits are recorded before the redirect.
Gerrit de Jager
Thank you for this information. I understand the importance of https, but where can I find a simple step by step guide to convert my websites? I am not an expert in this matter....
Hristo Pandjarov Siteground Team
There are different configurations that must be made, depending on the software you're using. I would recommend posting a ticket in your Help Desk, my colleagues from the Support team will tell you how to proceed based on your particular app.
Lise King
Great job SiteGround! Can't wait for the next big SSL surprise update... Great service, Great Tech Support and keep up with technology... Thank you Guys
Peter
I switched to https at the end of the last year by simply using this protocol on my existing web page. I was surprised that it already worked without configuring anything in the c-panel. Some little changes to my application and all the work was done. Thanks, very good job!
Jerry Stevens
Let's Encrypt is universally available but on most hosts, it takes some work to install it. One of the reasons I was attracted to Siteground in the first place was that they make it easy. Once there I found other things to like about it.
Sergio
SiteGround supports HSTS (HTTP Strict Transport Security)?
Hristo Pandjarov Siteground Team
Having a properly working HSTS requires a header to be sent to the browser and your application to be well-written. So, yes - if your application is using it correctly, it will work fine on SiteGround accounts with a certificate for that domain.
Ovidiu Nicolae
Hi Hristo, I just installed Let's encrypt for my website running on WordPress, GoGeek plan. I remember reading somewhere else that HSTS is not enabled by default with Let's Encrypt (it requires a flag before installing it: ./letsencrypt-auto --hsts), meaning I can't simply add the header rule to the .htaccess file. Is that the case here? Thanks
Hristo Pandjarov Siteground Team
Defining the header rule in your .htaccess will enable the HSTS correctly and that can be verified either using curl or any online SSL checker :)
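The check described in this reply, together with the forced 301 redirect recommended earlier in the thread, can be scripted against saved `curl -sI` output. This is an added example, not SiteGround's own tooling; `example.test`, the four sample responses and the 180-day `min_age` threshold are assumptions made for the illustration.

```python
def parse_head(raw):
    """Parse one `curl -sI` response into (status_code, {lowercase-name: value})."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit(http_head, https_head, min_age=15552000):  # assumed threshold: 180 days
    """Return a list of problems; an empty list means redirect and HSTS look right."""
    problems = []
    status, headers = parse_head(http_head)
    if status != 301:
        problems.append(f"http:// answers {status}, expected a 301 redirect")
    elif not headers.get("location", "").lower().startswith("https://"):
        problems.append("301 does not point to an https:// URL")
    # Browsers honour HSTS only when it arrives over HTTPS, so check that response.
    status, headers = parse_head(https_head)
    sts = headers.get("strict-transport-security")
    if sts is None:
        problems.append("https:// response has no Strict-Transport-Security header")
    else:
        max_age = parse_hsts(sts)["max_age"]
        if max_age is None:
            problems.append("HSTS header has no valid max-age")
        elif max_age == 0:
            problems.append("max-age=0 tells browsers to forget the HSTS policy")
        elif max_age < min_age:
            problems.append(f"max-age {max_age} is below {min_age}")
    return problems


# Constructed samples of `curl -sI http://example.test/` and `curl -sI https://example.test/`.
HTTP_OK = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_OK = "HTTP/2 200\r\nstrict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n"
# A site served on both schemes with no redirect and no HSTS header.
HTTP_BAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
HTTPS_BAD = "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(audit(HTTP_OK, HTTPS_OK))
    print(audit(HTTP_BAD, HTTPS_BAD))
```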
Patrick
My Standard AlphaSSL auto renewed on Dec 15th, does that mean it is now obsolete or are those of us who have paid getting something over and above LE? What is the advantage of the Standard AlphaSSL offering?
Hristo Pandjarov Siteground Team
With your certificate, you've received a dedicated IP address while the new ones we issue use the SNI technology and share one IP. That's the major difference between the purchased and free certificates we offer. Once your certificate expires, you can either renew it and get a wildcard one on the same price, or cancel it and get a free Let's Encrypt one, depending on your needs.
myron bernard
You really are the best! Thank You!
Patty
Is it still necessary to follow the additional steps recommended by Wordpress if I have a Wordpress site?
Hristo Pandjarov Siteground Team
Yes, you still need to reconfigure your application to work over https.
Z
This is so rad. You guys just get better and better.
webmaster@ncmrc.org
What about Joomla sites?
Hristo Pandjarov Siteground Team
We've issued certificates for all domains no matter what application they are using. Joomla sites must be reconfigured to work through https too.
Tova
You guys are terrific!
Ja
When will we have auto HTTPS, so there really isn't a choice to go back? Plans this year or soon after to make this default?
Hristo Pandjarov Siteground Team
I am not really sure when we would make such a step. There are numerous things that can go wrong. We host all sorts of different sites and there are use cases in which a non-encrypted connection is necessary. This said, we will do our best to make https default and easily (one-click) configurable for the majority of our customers but can't really say when or if we will force it to everyone.
Dominic-K
But what about sites that have mixed content? I configured the LE certificate, only to discover that all of the videos that were embedded on my site disappeared, being blocked by the browser, and that neither YouTube nor Vimeo (I use both) supported https for embeds. I had to undo it and go back to http. This is frustrating. I have to use the video widgets on my site, but would very much like to have it via https because there are also forms on the site that I would like to be secured. Who's going to put pressure on Vimeo and YouTube to make this possible?
Hristo Pandjarov Siteground Team
They actually work without problem over https. Your website most probably has iframes included that load those videos through http. Depending on the application you're using, there are multiple ways to fix this manually and with extension. I would recommend researching the available "insecure content fixer" tools for your app.
Dominic-K
It's a site built with Adobe Muse. The videos are embedded with the native Adobe Muse widgets for YouTube and Vimeo (which does the iframes). The only "fix" I've been able to find via the Adobe help forums was to remove the https -- that it simply won't work. If you think it can, I'd love to hear how.
Hristo Pandjarov Siteground Team
Well, in that case I would recommend to try modifying the default widget to include the videos through https because that's working for sure, it's just a flaw in the app.
Dominic-K
Thanks -- it's working now! I figured out I have to not use the widgets but just embed the code directly. Now it's working perfectly. So glad to be able to have this! The advice I originally saw on the help forum was outdated.
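The insecure-content problem behind both the missing padlock discussed earlier and the blocked video iframes in this exchange can be found before switching by scanning a page's HTML for sub-resources that would still load over plain HTTP. This is an added example, not part of the original thread or of any plugin named in it; the sample page and the `example.test` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a sub-resource. Browsers block insecure
# "active" loads outright; insecure "passive" loads have typically been
# allowed, but with the padlock removed.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects sub-resources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def _check(self, kind, tag, value):
        if not value:
            return
        # Resolve relative and protocol-relative (//host/path) URLs the way
        # the browser would, against the HTTPS page URL.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are loaded; rel="canonical" is just metadata.
            if "stylesheet" in (attrs.get("rel") or "").lower().split():
                self._check("active", tag, attrs.get("href"))
        elif tag == "form":
            # Not a resource load, but the submitted data would travel unencrypted.
            self._check("form", tag, attrs.get("action"))
        else:
            for name, value in attrs.items():
                if (tag, name) in ACTIVE:
                    self._check("active", tag, value)
                elif (tag, name) in PASSIVE:
                    self._check("passive", tag, value)


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (example.test is a placeholder domain).
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://example.test/post">
<link rel="stylesheet" href="http://example.test/wp-content/themes/t/style.css">
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<a href="http://example.test/about">About</a>
<img src="http://example.test/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.png">
<iframe src="http://player.example.test/video/123"></iframe>
<iframe src="https://player.example.test/video/456"></iframe>
<form action="http://example.test/contact" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://example.test/post", SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Ordinary `<a href="http://...">` links and the canonical `<link>` are deliberately not reported, since following a link is a navigation rather than a resource load on the HTTPS page.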
Barb H.
Thanks for the reminder. Looking forward to seeing what you all do next...
Tamalita
Wow. Wow. thank you.
Ray
SiteGround just upped their cred ! I can't wait to hear what the next surprise is.
Anne Katzeff
Hi, I've got 2 situations: (1) My primary domain site is built with Bootstrap and has a WordPress blog. This primary domain also uses Cloudflare. (2) My subdomain site is WordPress, without Cloudflare. What are your recommendations for how I should transition to HTTPS on both the primary domain and on the subdomain? Should I force the HTTPS for the non-WordPress area via htaccess? After that, go through the steps you've outlined for WordPress sites using Cloudflare? thank you!
Hristo Pandjarov Siteground Team
Leave the subdomain without CF and simply force the HTTPS on it with the plugin. That should work right away. Then, check if the CF SSL option is set to Flexible in your CF panel, switch manually your non-WP application and test everything out. Once you make sure everything works, switch the SSL option to Full.
Anne Katzeff
OK, will give it a try. Do you have a link that leads to the instrux. for switching manually? thank you
Anne Katzeff
Is it this link? https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/
Hristo Pandjarov Siteground Team
Yes :)
Damian
Is it available for vps customers?
Hristo Pandjarov Siteground Team
Yes :)