There is a persistent misconception that HTTPS makes WordPress slow. In fact, exactly the opposite is true: thanks to HTTP/2, SSL-encrypted sites are in some cases accelerated dramatically. And thanks to free SSL certificates and integrated installations, it has never been easier to switch WordPress to HTTPS. And that's a good thing, because HTTP sites will soon have to put up with some disadvantages. We show what the changeover brings and how you can check at a glance whether your host uses HTTP/2.
Today, practically every client and end user knows the difference between encrypted and unencrypted sites, at least on a subjective level: the green lock simply gives a good feeling. Just as well known as the positive effect on the trust of site visitors, however, is the misconception that SSL, or TLS (the colleagues from CHIP.de, for example, explain the difference between the two), makes WordPress slow.
And yes, theoretically this is true: If a site is delivered via HTTPS (the secure variant of HTTP), the connection between the web server and browser takes a little longer due to the so-called SSL handshake. But we are only talking about a few milliseconds.
Nowadays, the claim that HTTPS slows WordPress down is just a rumour. Basically, an SSL certificate only brings your site advantages. And since Google will soon start to mark unencrypted sites with the words "not secure", it is high time to switch your own site to HTTPS now.
I'll show you today:
- Why now is the best time to switch WordPress to HTTPS
- How to switch WordPress to HTTPS
- Why HTTP/2 makes your WordPress sites faster
- What performance boost you can expect for a WordPress site under HTTPS
- A simple trick to see if your host is already using HTTP/2 (which it should be!)
Everything revolves around HTTPS, whether WordPress or not
As early as three years ago, at its developer conference Google I/O, Google proclaimed the motto "HTTPS everywhere". In short, the Google developers at the time, Pierre Far and Ilya Grigorik, took up the cudgels for the use of TLS (the successor protocol to SSL) and demonstrated in their session, among other things, ways to implement it.
Only a few weeks later, in August 2014, HTTPS was then included as an official ranking signal in the Google search rankings. So Google has been trying for years to get site operators to switch their websites to HTTPS by using arguments and creating facts.
The fact that Google Chrome will soon penalize HTTP sites with the note "not secure" is certainly to be seen as the next big step in Google's "HTTPS everywhere" offensive. In fact, this notice has already been shown since Chrome version 56 for sites that request credit card information, for example. With the new version 62 of the Google browser, however, this rule is applied to all sites that allow customer input, such as contact forms or search fields.
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the "Not secure" warning when users type data into HTTP sites.
- Emily Schechter, Chrome Security Team
Free SSL: Never before has it been so convenient to switch WordPress to HTTPS
Three years ago, when the two Google developers made their plea for TLS, you still had to buy SSL certificates and install them yourself. That has since changed dramatically, and for the better.
In 2016, the Let's Encrypt initiative launched its issuance of free SSL certificates. Thanks to sponsors such as Chrome, but also Facebook and companies from the WordPress universe, the Californians can now provide almost 40 million active free SSL certificates.
This development has had a massive impact on the hosting landscape: free SSL certificates are now standard and even setup is now possible for any user thanks to the integration of one-click installations.
In the past, HTTPS for WordPress was a real pain
Before the mass distribution of free SSL certificates a good two years ago, switching WordPress to HTTPS was a real pain, especially for owners of small sites or companies who only need domain-validated certificates.
Info: These types of SSL Certificates are available
- DV certificates: DV stands for Domain Validated. A DV certificate is used to check whether domain and web space "belong together". If everything is above board, you can assume that when you visit the domain, you really end up on the associated web space and not on a phishing site. The setup process is still quite simple here: The domain admin confirms that he has the appropriate rights over a domain and may then encrypt his site accordingly.
- OV Certificates: OV stands for Organization Validated. In addition to domain validation, a certificate of this type guarantees that the site you are visiting really belongs to the company whose offer you wanted to call up.
- EV Certificates: The so-called Extended Validated Certificates go one step further: Here the certification body checks the company documents intensively. Among other things, the legal form of the company is included in the certificate.
Even setting up a simple DV certificate used to be a real pain for WordPress sites and may not even have been feasible for non-technicians, because the process consisted of at least four steps:
- Buy a certificate: Here you had to look at the provider landscape and actively compare prices and terms even for simple DV certificates. This has also led to some providers inventing very creative features, such as insurance, to differentiate their products. With extended certificates, this is where the validation step comes in - proving that you, the domain owner, are also the business owner. Depending on the certificate, this process could take days or weeks.
- Set up certificate: The next step was to store the certificate information on the web server. Depending on the provider, this was more or less time-consuming. In the meantime, however, all hosting providers have actually created a more or less good workflow that guides you as a user through the setup process.
- Prepare WordPress for HTTPS: After the certificate itself was set up, the site had to be prepared for the switch from HTTP to HTTPS. For this, every database entry and every resource of the site had to be converted to HTTPS and the result then checked for mixed content errors.
- Configure Google: After the conversion of the site, the entities in Google Analytics and in Google Search Console (formerly Google Webmaster Tools) still had to be adjusted.
Due to the development initiated by Let's Encrypt towards free DV certificates, this process has been massively simplified. Many hosts now also offer a simplified installation, in which in the best case a certificate is activated and set up with one click and the site is automatically switched to HTTPS. And this is independent of whether it is a WordPress project or not.
TIP: Need to set up SSL without a one-click installation?
If you are unlucky, your host does not yet offer a simplified installation. In this case you have to make the WordPress settings for HTTPS yourself:
- Our colleague Jonas Tietgen, aka WP Ninjas, explains how it works.
- René Dasbeck, aka netzgänger, offers similar instructions.
- Our colleague Finn Hillebrandt from blogmojo has also dealt with the topic.
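The mixed content check from the preparation step above can be scripted. The following is an added example, not code from the original article or from WordPress: it scans a page's HTML for subresources that are still referenced over http://. The sample markup, the tag table and the "active"/"passive"/"form" labels are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource.
# <a href> is a navigation link, not a subresource, so it is not listed.
RESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src", "audio": "src",
    "video": "src", "source": "src", "embed": "src", "object": "data",
    "form": "action",
}
ACTIVE = {"script", "iframe", "link", "embed", "object"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets count; rel="canonical" etc. are never fetched.
            rel = (attrs.get("rel") or "").lower().split()
            url = attrs.get("href") if "stylesheet" in rel else None
        else:
            url = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if url and url.strip().lower().startswith("http://"):
            kind = "form" if tag == "form" else (
                "active" if tag in ACTIVE else "passive")
            self.findings.append((kind, tag, url.strip()))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings


# Constructed sample: markup a theme might still emit after the switch.
SAMPLE = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
<img src="http://example.com/wp-content/uploads/logo.png">
<a href="http://example.org/">external link</a>
<form action="http://example.com/wp-comments-post.php"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Findings labelled "active" (scripts, stylesheets, frames) are the ones browsers refuse to load on an HTTPS page, so they should be fixed first.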
No HTTP/2 without Google
I already mentioned it: Google has always been interested in running as many sites as possible with SSL certificates as part of its "HTTPS everywhere" offensive. This is probably also the reason why Chrome is an official sponsor of Let's Encrypt. The search engine giant was also significantly involved in the development of HTTP/2.
Because the predecessor protocol, SPDY, was initially developed by Google as an experiment to explore technical possibilities with which the almost antique HTTP/1 could be improved. That was in 2009. In 2015, the findings from the experimental SPDY project were then incorporated into the standardized HTTP/2 protocol.
That's why HTTP/2 makes your WordPress sites faster
HTTP/2 has been equipped with a wealth of new functions that enable data to be transferred many times faster:
- Multiplexing: With this feature, multiple different data streams can be loaded over one connection between the web server and the client (i.e. the browser of your site visitors). With HTTP/1, a separate connection must be opened for each data stream. And opening these connections takes time.
- Header Compression: Every HTTP request that a client makes to a web server contains meta-information so that the site can be built properly. This meta-information has grown in size over the years. HTTP/2 compresses this information and thus saves data volume.
- Server Push: Sometimes called cache push. The principle behind this feature is very simple: The vast majority of requests to a site are very similar. If your web server recognizes the typical call pattern, for example for your homepage, then the server sends all the information the browser needs to build the site without being asked. This way the browser has to send far fewer HTTP requests to the server. This makes the page load faster.
So, that all sounds quite nice in theory. But what does it mean in practice? The test page HTTPS vs. HTTP shows impressively how big the difference between the two protocol generations is.
Of course, what's most interesting is how these new features will affect the load time of your sites in the real world. To find out if your site is running on an HTTP/2-enabled server, you can simply ask your host (or find out yourself using this simple trick). Provided of course WordPress is running on HTTPS.
The acid test: WordPress is 45 percent faster with HTTPS in tests
Now let's get down to the nitty gritty: What kind of performance boost can you realistically expect from converting a WordPress site to HTTPS? After all, a finished site will not show the 914 percent just measured. We therefore tested the whole thing with our homepage, i.e. we tested raidboxes.de once with and once without HTTPS.
The test shows: A copy of our homepage becomes 45 percent faster with HTTPS in one fell swoop. Our detailed test with seven consecutive tests from German servers shows similar results.
Life hack for webmasters: How to tell at a glance if your host is using HTTP/2
And because HTTPS brings that convenient performance boost to your WordPress projects, it's even more important that you know if your host uses HTTP/2. Of course, you can just ask support, but there is also a way to tell at a glance if your site, or any other site you are testing, benefits from HTTP/2.
For this you only need one thing: a waterfall diagram of your site. You create this by measuring the load time with the tools Webpagetest, Pingdom or GTmetrix. Simply enter the URL to be tested and run the test. For this trick, by the way, it does not matter from where and with what specifications the test is performed.
In the finished waterfall diagram, you now only need to pay attention to whether individual requests are loaded simultaneously or exclusively chronologically. If they are loaded simultaneously, your site uses HTTP/2.
If you have HTTPS enabled on your WordPress projects and the requests are not loading in parallel, you should urgently contact your host 😉
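The same check can be run on the data behind a waterfall instead of the picture. The following is an added example, not part of the original article: it reads a HAR export (browser developer tools can save one) and reports connections on which requests overlap in time, which is the multiplexing described above, as opposed to requests that merely run side by side on separate connections. The sample entries, connection ids and protocol strings are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _interval(entry):
    # HAR 1.2: startedDateTime is ISO 8601, time is the total duration in ms.
    start = datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))
    return start, start + timedelta(milliseconds=entry["time"])


def multiplexed_connections(har):
    """Return ids of connections that carried overlapping requests."""
    by_conn = defaultdict(list)
    for entry in har["log"]["entries"]:
        conn = entry.get("connection")  # optional field in HAR
        if conn:
            by_conn[conn].append(_interval(entry))
    found = set()
    for conn, spans in by_conn.items():
        spans.sort()
        latest_end = spans[0][1]
        for start, end in spans[1:]:
            if start < latest_end:  # began before an earlier request finished
                found.add(conn)
            latest_end = max(latest_end, end)
    return found


def http_versions(har):
    """Protocol strings recorded for the responses, lower-cased."""
    return {e["response"]["httpVersion"].lower() for e in har["log"]["entries"]}


def _entry(conn, start_ms, dur_ms, version):
    # Builds one constructed HAR entry; the base timestamp is arbitrary.
    t = datetime(2017, 10, 1, 10, 0, 0) + timedelta(milliseconds=start_ms)
    return {"startedDateTime": t.isoformat(timespec="milliseconds") + "Z",
            "time": dur_ms, "connection": conn,
            "response": {"httpVersion": version}}


# Constructed samples: one multiplexed connection vs. two sequential ones.
HTTP2_HAR = {"log": {"entries": [
    _entry("101", 0, 120, "h2"), _entry("101", 5, 80, "h2"), _entry("101", 6, 200, "h2")]}}
HTTP1_HAR = {"log": {"entries": [
    _entry("201", 0, 100, "http/1.1"), _entry("202", 0, 90, "http/1.1"),
    _entry("201", 100, 50, "http/1.1"), _entry("202", 95, 60, "http/1.1")]}}

if __name__ == "__main__":
    print("HTTP/2 sample:", multiplexed_connections(HTTP2_HAR), http_versions(HTTP2_HAR))
    print("HTTP/1 sample:", multiplexed_connections(HTTP1_HAR), http_versions(HTTP1_HAR))
```

In the second sample the two connections run in parallel, yet each one handles its requests one after another, so no connection is reported.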
Conclusion: HTTPS as a chance for your WordPress projects
Recently, Google has begun to send the first warning emails to operators of HTTP sites. Because from version 62, the Chrome browser will label sites that allow user input with the note "not secure".
This means in principle that every HTTP site with a contact form or comment function is branded by Google. Fortunately, it has never been as easy as it is today to convert your own WordPress sites to HTTPS: SSL certificates are mostly free, and one-click installations save a bunch of work in setting them up and allow even less tech-savvy webmasters to make the switch. And our test shows: Even a less optimized WordPress site can benefit extremely from HTTPS and simply loads significantly faster.
In the best case it only takes one click. So if you are still using sites under HTTP, we can only strongly advise you to change.