The misconception that HTTPS is WordPress slow is persistent. In fact, exactly the opposite is true: Thanks to HTTP/2, SSL-encrypted sites data is sometimes extremely fast. And thanks to free SSL certificates and integrated installations, it has never been easier than today to switch WordPress to HTTPS. And that is a good thing, because HTTP-sites will soon have to accept some disadvantages. We show what the changeover brings and how you can check with just one look whether your hoster uses HTTP/2.
Today, every client and end user knows the difference between encrypted and unencrypted sites . At least on a subjective level: the green lock simply gives a good feeling. However, just as well known as the positive effect on the trust of the site visitors is the misconception of SSL, or TLS (the Explaining the difference z. e.g. the colleagues from CHIP.de) WordPress slow down.
And yes, theoretically this is also true: If one is delivered site via HTTPS (i.e. the secure variant of HTTP), the connection between web server and browser takes a little longer due to the so-called SSL handshake. But we are only talking about a few milliseconds.
Nowadays, it's a rumour that HTTPS WordPress is slowing down. Basically, an SSL certificate only brings you site advantages. And since Google will soon start to mark unencrypted sites ones with the words "not secure", it is high time to switch your own site to HTTPS now.
I'm going to show you today:
- Why now is the best time to switch WordPress to HTTPS
- How to switch WordPress to HTTPS
- Why HTTP/2 is your WordPress sites accelerates
- What kind of performance boost you need for a WordPress site you can expect under HTTPS
- A simple trick to detect if your hoster is already using HTTP/2 (which it should!)
Everything revolves around HTTPS, whether WordPress or not
Already three years ago Google called at its developer conference Google I/O the motto "HTTPS everywhere". In short, the then Google developers Pierre Far and Ilya Grigorik took up the cudgels for the use of TLS (the successor protocol to SSL) and demonstrated in their Session Among other things, it identifies ways to implement them.
Just a few weeks later, in August 2014. HTTPS then as official ranking signal included in the Google search ranking. So Google has been trying for years to get site operators to switch their websites to HTTPS by means of arguments and the creation of facts.
The fact that Google Chrome is about to punish HTTP-sites with the note "not secure" is surely to be seen as the next big step in Google's "HTTPS everywhere" offensive. In fact, this hint is already since Chrome version 56 for sites displayedthat retrieve credit card information, for example. With the new version 62 of the Google browser, however, this rule is applied to all sites those that allow customer input, such as contact forms or search fields.
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the "Not secure" warning when users type data into HTTP sites.
– Emily SchechterChrome Security Team.
Free SSL: Never before has it been so convenient to switch WordPress to HTTPS
Three years ago, when the two Google developers made their case for TLS, you had to buy SSL certificates and install them yourself. This has changed dramatically in the meantime; and for the better.
In 2016, the Let's Encrypt initiative started issuing free SSL Certificates. Thanks Sponsors like - no wonder - Chrome, but also Facebook and companies from the WordPress -universe, Californians today can provide almost 40 million active free SSL certificates.
This development has massively influenced the hosting landscape: Free SSL certificates are standard today and even the setup is now possible for every user thanks to the integration of one-click installations.
In the past, HTTPS was WordPress a real pain
Before the mass distribution of free SSL certificates a good two years ago, switching from WordPress HTTPS was a real pain. Especially for owners of small sites companies who only need domain-validated certificates.
Info: These types of SSL certificates are available
- IT certificates: DV stands here for Domain Validated. A DV-certificate serves to check if domain and webspace "belong together". If everything is correct, you can assume that you really end up on the corresponding web space when you access the domain and not on a phishingsite . The setup process is still quite simple: The domain admin confirms that he has the appropriate rights over a domain and is then allowed to encrypt his site domain accordingly.
- OV certificates: OV stands for Organization Validated. In addition to the domain validation, such a certificate guarantees that the accessed certificate site really belongs to the company whose offer you wanted to access.
- EV certificates: The so-called Extended Validated Certificates go one step further: Here the certification body intensively checks the company documents. Among other things, the legal form of the company is included in the certificate.
Even setting up a simple DV certificate was not enough for WordPress sites used to be a real pain and may not be feasible for non-technicians. Because the process consisted of at least four steps:
- Buy certificate: Here one had to deal with the provider landscape and actively compare prices and conditions even for simple IT certificates. This has also led some providers to invent very creative features, such as insurance, to differentiate their products. In the case of extended certificates, the validation step is added here, i.e. proof that the domain holder is also the company owner. Depending on the certificate, this process could take days or weeks.
- Set up certificate: The next step was to store the certificate information on the web server. Depending on the provider, this was more or less complex. In the meantime, however, all hosting providers have created a more or less good workflow that guides you as a user through the setup process.
- WordPress prepare for HTTPS: After the certificate itself was set up, the site certificate had to be prepared for the changeover from HTTP to HTTPS. For this purpose, every database entry and every resource had to be converted site to HTTPS and the result had to be checked for mixed content errors.
- Configure Google: After the changeover, the entities in Google Analytics and in the Google Search Console (formerly Google Webmaster Tools) had site to be adjusted.
The development initiated by Let's Encrypt towards free IT certificates has massively simplified this process. Many hosters now also offer a simplified installation, where in the best case Activate and set up a certificate with one click and which is site automatically switched to HTTPS. This is the case regardless of whether the project is a WordPress -project or not.
TIP: You need to set up SSL without a one-click installation?
If you are unlucky, your hoster does not yet offer a simplified installation. In this case you have to make the WordPress settings for HTTPS yourself:
- My colleague Jonas Tietgen, aka WP Ninjas, explains how to do it.
- Similarly Instructions by René Dasbeck, aka netzgänger
- And also the colleague Finn Hillebrandt from blogmojo has dealt with the topic
Without Google no HTTP/2
I already mentioned it: Google has always been interested in having as many sites people as possible running with SSL certificates as part of its "HTTPS everywhere" offensive. This might be the reason why Chrome is the official sponsor of Let's Encrypt. The search engine giant has also been instrumental in the development of HTTP/2.
Because the previous protocol, SPDYwas first developed as an experiment by Google to explore technical possibilities with which the almost ancient HTTP/1 could be improved. That was in 2009. In 2015, the findings from the experimental SPDY project were transferred to the Standardized HTTP/2 protocol via.
That's why HTTP/2 makes your WordPress sites faster
HTTP/2 has been equipped with a wealth of new functions that enable much faster data transfer:
- Multiplexing: With this feature, several different data streams can be loaded via a connection between web server and client (i.e. the browser of your site visitors). With HTTP/1 a separate connection must be opened for each data stream. And opening these connections takes time.
- Header compression: Every HTTP request that a client makes to a web server contains meta information so that it can be built site correctly. This meta information has grown over the years. HTTP/2 compresses this information and thus saves data volume.
- Server Push: Sometimes also called cache push. The principle behind this feature is very simple: the vast majority of requests to one site are very similar. If your web server recognizes the typical call pattern, for example for your homepage, then the server sends all information to the browser without being asked. site This way, the browser has to make considerably fewer HTTP requests to the server. This makes the page structure faster.
Well, that all sounds quite nice in theory. But what does that mean in practice? The test page HTTPS vs. HTTP shows impressively how big the difference between the two protocol generations is.
Of course, it's especially interesting to see how these new features affect the loading time of yours sites in the real world. If yours site runs on a HTTP/2-enabled server, you can simply ask your hoster (or find out for yourself using this simple trick). Provided, of courseWordPress , that it runs under HTTPS.
The acid test: HTTPS is 45 percent faster WordPress in tests
But now let's get down to business: Which performance boost can you realistically expect from a conversion of a WordPress site on HTTPS? Because a finished site one will not show the 914 percent just measured. Therefore we have tested the whole thing with our homepage. That means we tested raidboxes.de once with and once without HTTPS.
The test shows: A copy of our homepage is 45 percent faster with HTTPS in one fell swoop. Our extensive test with seven consecutive tests of German servers shows similar results.
Life-Hack for webmasters: This is how you can tell at a glance whether your hoster uses HTTP/2
And because HTTPS gives your WordPress -WordPress projects that convenient performance boost, it's even more important to know if your hoster uses HTTP/2. Of course, you can just ask the support, but there is also a method that lets you see at a glance if your, or any other site one you are testing, is benefiting from HTTP/2.
You only need one thing: A waterfall diagram of your site . You create this by measuring the loading time with the tools Webpagetest.org, Pingdom , GTmetrix. Simply enter the URL to be tested and run the test. For this trick, by the way, it does not matter from where and with which specifications the test is performed.
In the finished waterfall diagram you now only have to pay attention to whether individual requests are loaded simultaneously or exclusively chronologically. If they are loaded at the same time, yours site uses HTTP/2.
If you have activated HTTPS on your WordPress -WordPress projects and the requests are not loaded in parallel, you should urgently contact your hoster 😉
Conclusion: HTTPS as a chance for your WordPress projects
Recently, Google has started to send the first warning emails to operators of HTTP-sites . Because from version 62, the Chrome Browsersites , which allows user input, will be marked "not secure".
That means in principle that every HTTPsite with contact form or comment function is branded by Google. Fortunately, it has never been as easy as today to create your own WordPress sites to switch to HTTPS: SSL certificates are mostly free of charge and one-click installations save a lot of work during setup and allow even less technically experienced webmasters to make the switch. And our test shows: Even with a less optimized sites one can profit WordPress extremely from HTTPS and simply loads much faster.
In the best case, it only takes one click. So if you are still sites using HTTP, we strongly recommend you to switch.