For whatever reason, the persistent myth that HTTPS slows WordPress down refuses to die. When it comes to performance, the exact opposite is in fact true: SSL-encrypted sites can get a real turbo boost with HTTP/2. Thanks to free SSL certificates and integrated installations, it's never been easier to switch WordPress to HTTPS. And there's never been a better moment as HTTP sites now face a number of disadvantages. We show you what benefits the switch brings and how you can instantly check whether your host uses HTTP/2.
By now, you can assume that every client and end user knows the difference between encrypted and unencrypted sites. At least on a subjective level, the green lock in the address bar is simply reassuring. Just as well known as the positive effect in terms of visitor trust, however, is the myth that SSL, or TLS (CHIP.de explains the difference), slows WordPress down.
And yes, this is theoretically true. When a page is delivered via HTTPS (the secure variant of HTTP), the connection between the web server and browser takes a little longer due to the so-called SSL handshake. But we're only talking about a few milliseconds here.
Nowadays, the idea that HTTPS slows WordPress down is nothing more than a lingering rumor. In actual fact, an SSL certificate only offers advantages for your site. Google now marks unencrypted sites with the words "not secure" so it's high time to switch your own site to HTTPS.
We'll look at the following points in this article:
- Why now is the best time to switch WordPress to HTTPS
- How to switch WordPress to HTTPS
- Why HTTP/2 makes your WordPress sites faster
- What performance boost you can expect for a WordPress site under HTTPS
- A simple trick to see if your host is already using HTTP/2 (which it should be!)
Everything revolves around HTTPS – not just WordPress
Way back when, Google proclaimed the motto "HTTPS everywhere" at its developer conference Google I/O. In short, Google developers Pierre Far and Ilja Grigorik took up the cudgels for the use of TLS (the successor protocol to SSL) and demonstrated in their session, among other things, different ways of implementing it.
Only a few weeks later, in August 2014, HTTPS was then included as an official ranking signal in the Google search rankings. So you can see, Google has already been giving site operators arguments for and reasons to switch their websites to HTTPS for a number of years.
The fact that Google Chrome penalizes HTTP sites with the addition "not secure" is certainly to be seen as the next big step in Google's "HTTPS everywhere" offensive. In fact, this notice has already existed since Chrome version 56 for sites receiving credit card information, for example. With the new version 62 of the Google browser, however, this rule applied to all sites that allow customer input, including contact forms or search fields.
Passwords and credit cards are not the only types of data that should be private. Any type of data that users enter into websites should not be accessible to others on the network. Starting in version 62, Chrome will display the "not secure" warning when users type data into HTTP sites.
- Emily Schechter, Chrome Security Team
Free SSL: There's never been a better moment to switch WordPress to HTTPS
When the two Google developers made their plea for TLS, you still had to buy SSL certificates and install them yourself. The situation has changed dramatically since then – and for the better.
In 2016, the Let's Encrypt initiative launched offering free SSL certificates. Thanks to sponsors such as Chrome, Facebook and companies from the WordPress universe, the Californian initiative can now provide almost 40 million active free SSL certificates.
This development has had a massive impact on the hosting landscape: free SSL certificates are now standard and even setup is now possible for any user thanks to one-click installations.
HTTPS for WordPress used to be a real pain
Before the mass distribution of free SSL certificates, switching WordPress to HTTPS was a real pain, especially for owners of small sites who only needed domain-validated certificates.
There are three types of SSL certificates available:
- DV certificates: DV stands for Domain Validated. A DV certificate is used to check whether the domain and web space "belong together". If everything is above board, you can assume that when you visit the domain, you really end up on the associated web space and not on a phishing site. The setup process is quite simple here: the domain admin confirms they have appropriate rights over a domain and may then encrypt their site accordingly.
- OV Certificates: OV stands for Organization Validated. In addition to domain validation, a certificate of this type guarantees that the site you're visiting really belongs to the company whose offer you wanted to see.
- EV Certificates: The so-called Extended Validated Certificates go one step further. Here the certification body checks the company documents intensively. Among other things, the legal form of the company is included in the certificate.
Even setting up a simple DV certificate for WordPress sites used to be a real pain and sometimes not even feasible for non-technicians. The process consisted of at least four steps:
- Buy a certificate: You had to look at what different providers were offering and actively compare prices and terms even for simple DV certificates. This has also led to some providers inventing very creative features, e.g. insurance, to differentiate their products. With extended certificates, this is where the validation step comes in – proving that you, the domain owner, are also the business owner. Depending on the certificate, this process could take days or weeks.
- Set up the certificate: The next step was to store the certificate information on the web server. Depending on the provider, this was sometimes more and sometimes less time consuming. In the meantime, however, all hosting providers have actually created an adequate workflow to guide you as a user through the setup process.
- Prepare WordPress for HTTPS: After the certificate itself was set up, you needed to prepare your site for the switch from HTTP to HTTPS. For this, every database entry and every site resource had to be converted to HTTPS and the result then checked for mixed content errors.
- Configure Google: After the site was converted, the entities in Google Analytics and in Google Search Console (formerly Google Webmaster Tools) still had to be adjusted.
Thanks to the initiative towards free DV certificates pushed by Let's Encrypt, this process has been massively simplified. Many hosts now also offer a simple installation. Ideally, a certificate is activated and set up with one click and the site is automatically switched to HTTPS. Regardless of whether or not it's a WordPress project.
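The mixed content check from the "Prepare WordPress for HTTPS" step can be automated. The following is an added example, not part of the original article: a small scanner that lists subresources and form targets still referenced over plain `http://` in a rendered page. The hostnames, the sample markup and the selection of tags are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource or submit data.
# <a href> is deliberately left out: a plain link is navigation, not mixed content.
FETCH_ATTRS = {
    "script": ["src"], "img": ["src", "srcset"], "iframe": ["src"],
    "source": ["src", "srcset"], "video": ["src", "poster"], "audio": ["src"],
    "link": ["href"], "form": ["action"],  # form action: input would be sent in clear text
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as subresources here
        for name in FETCH_ATTRS.get(tag, []):
            value = attrs.get(name) or ""
            if name == "srcset":  # comma-separated "url descriptor" pairs
                urls = [part.split()[0] for part in value.split(",") if part.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    """Return every insecure subresource reference found in an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page (hypothetical blog.example site, not real output).
SAMPLE = """<html><head>
<link rel="canonical" href="http://blog.example/">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<script src="https://blog.example/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://other.example/">link</a>
<img src="/wp-content/uploads/a.jpg"
     srcset="http://blog.example/a-2x.jpg 2x, https://blog.example/a-3x.jpg 3x">
<form action="http://blog.example/wp-comments-post.php"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Run it against the HTML your site actually serves after the switch; the stylesheet, the `srcset` candidate and the comment form in the sample are flagged, while the canonical link and the ordinary hyperlink are not.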
Do you need to set up SSL without a one-click installation?
In some unlucky cases, your hosting provider may not yet offer easy installation and you need to change the HTTPS setting for WordPress by yourself. Here are some useful tips and guides (in German) to help you:
- Jonas Tietgen, aka WP Ninjas, explains how it works
- Another guide is provided by René Dasbeck, aka netzgänger
- Finn Hillebrandt from blogmojo has also covered the topic
No HTTP/2 without Google
As mentioned before, Google has always been interested in running as many sites as possible with SSL certificates as part of its "HTTPS everywhere" offensive. It's likely the reason why Chrome is an official sponsor of Let's Encrypt in the first place. The search engine giant was also significantly involved in the development of HTTP/2.
The predecessor protocol, SPDY, was initially developed by Google as an experiment to explore technical possibilities in improving the almost antique HTTP/1. That was back in 2009. In 2015, the findings from the experimental SPDY project were then incorporated into the standardized HTTP/2 protocol.
How HTTP/2 makes your WordPress sites faster
HTTP/2 has been equipped with a wealth of new functions that enable data to be transferred many times faster:
- Multiplexing: With this feature, multiple different data streams can be loaded over one connection between the web server and the client (i.e. your site visitor's browser). With HTTP/1, a separate connection must be opened for each data stream. And opening these connections takes time.
- Header compression: Every HTTP request that a client makes to a web server contains meta-information so the site can be built properly. This meta-information has grown in size over the years. HTTP/2 compresses this information and thus saves data volume.
- Server push: Sometimes called cache push. The principle behind this feature is really simple. The vast majority of requests to sites are very similar. If your web server recognizes the typical call pattern, e.g. for your homepage, then the server sends all the information it needs to build the page to the browser without being asked. This way the browser has to send far fewer HTTP requests to the server. This makes the page load faster.
That all sounds quite nice in theory, right? But what does it mean in practice? The test page HTTPS vs. HTTP shows just how striking the difference between the two protocol generations is.
Of course, what's most interesting is how these new features will affect the load time of your sites in the real world. To find out if your site is running on an HTTP/2-enabled server, you can simply ask your host – or find out directly using a simple trick. Obviously, this is provided WordPress is running under HTTPS too.
The acid test: WordPress is 45 percent faster with HTTPS in tests
Now let's get down to the nitty gritty. What kind of performance boost can you realistically expect after converting your WordPress site to HTTPS? A finished site will not show the 914 percent we measured above. So we tested the whole thing with our homepage – with and without HTTPS.
The test shows that the clone of our homepage with HTTPS is 45 percent faster in one fell swoop. Our detailed test with seven consecutive tests shows similar results.
Tip for webmasters: How to tell at a glance if your host is using HTTP/2
Because HTTPS brings such a decent performance boost to your WordPress projects, it's even more important to know whether your host uses HTTP/2. Of course, you could always ask support. But there's also a way to tell at a glance if your site – or any other – is benefiting from HTTP/2.
You only need one thing for this: a waterfall diagram of your site. You can create one by measuring the load time with the tools Webpagetest, Pingdom or GTmetrix. Simply enter the URL to be tested and run the test. By the way, for this trick it doesn't matter from where and with what specifications the test is performed.
In the finished waterfall diagram, you now only need to pay attention to whether individual requests are loaded simultaneously or exclusively chronologically. If they're loaded simultaneously, it means the site uses HTTP/2.
If you have HTTPS enabled on your WordPress project and the requests are not loading in parallel, you should contact your hosting provider urgently 😉
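The waterfall check can also be done on the data behind the diagram. The following is an added example, not part of the original article: it reads a HAR export (the format waterfall tools and browser dev tools can save) and reports, per connection, how many requests were in flight at once. Browsers open several parallel HTTP/1.1 connections per host, so a waterfall can look parallel without HTTP/2; overlap on a single connection is the sign of multiplexing. The sample entries are constructed, and the optional HAR `connection` field is assumed to be present.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def _entry(url, start_ms, dur_ms, conn, version):
    """Build one constructed HAR 1.2 entry (sample data, not a real measurement)."""
    t0 = datetime.fromisoformat("2024-01-01T12:00:00+00:00")
    return {"startedDateTime": (t0 + timedelta(milliseconds=start_ms)).isoformat(),
            "time": dur_ms, "connection": conn,
            "request": {"url": url}, "response": {"httpVersion": version}}

# Constructed sample: one h2 connection carrying three overlapping requests,
# and two HTTP/1.1 connections that overlap each other but not internally.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("https://h2.example/", 0, 100, "101", "h2"),
    _entry("https://h2.example/a.css", 10, 100, "101", "h2"),
    _entry("https://h2.example/b.js", 20, 100, "101", "h2"),
    _entry("https://old.example/", 0, 100, "201", "http/1.1"),
    _entry("https://old.example/a.css", 100, 100, "201", "http/1.1"),
    _entry("https://old.example/b.js", 5, 100, "202", "http/1.1"),
]}})

def summarize(har_text):
    """Per connection: protocols seen and the peak number of requests in flight."""
    events, protos = defaultdict(list), defaultdict(set)
    for e in json.loads(har_text)["log"]["entries"]:
        conn = e.get("connection")
        if not conn:  # "connection" is optional in HAR 1.2; skip entries without it
            continue
        start = datetime.fromisoformat(e["startedDateTime"].replace("Z", "+00:00"))
        end = start + timedelta(milliseconds=e["time"])
        events[conn] += [(start, 1), (end, -1)]
        protos[conn].add(e["response"]["httpVersion"].lower())
    out = {}
    for conn, evs in events.items():
        in_flight = peak = 0
        for _, delta in sorted(evs):  # at equal times, ends (-1) sort before starts (+1)
            in_flight += delta
            peak = max(peak, in_flight)
        out[conn] = {"protocols": protos[conn], "peak_in_flight": peak}
    return out

def multiplexed_connections(har_text):
    """Connections that carried more than one request at the same time."""
    return sorted(c for c, s in summarize(har_text).items() if s["peak_in_flight"] > 1)

if __name__ == "__main__":
    for conn, info in sorted(summarize(SAMPLE_HAR).items()):
        print(conn, sorted(info["protocols"]), "peak in flight:", info["peak_in_flight"])
    print("multiplexed:", multiplexed_connections(SAMPLE_HAR))
```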
Conclusion: HTTPS as a chance for your WordPress projects
Google had already started sending the first warning emails to operators of HTTP sites before Chrome version 62, because from that version onwards Chrome displays the note "not secure" for pages allowing user entries.
In principle, this means that every HTTP page with a contact form or comment function gets branded by Google. Fortunately, it's never been easier to convert your own WordPress sites to HTTPS. SSL certificates are mostly free and one-click installations save a lot of work setting them up. All in all, it allows even less tech-savvy webmasters to make the switch. Our test proves even sites that haven't been especially optimized can still benefit hugely from HTTPS – and they simply load a great deal faster.
Ideally, you'll be able to use a one-click installation. If you're still using sites under HTTP, we highly recommend you make the switch right now.