There is a persistent misconception that HTTPS makes WordPress slow. In fact, the exact opposite is true: thanks to HTTP/2, SSL-encrypted sites are sometimes extremely fast. And thanks to free SSL certificates and integrated installations, it has never been easier to switch WordPress to HTTPS. And that's a good thing, because HTTP sites will soon have to put up with some disadvantages. We show you the benefits of the switch and how you can check whether your host uses HTTP/2 at a glance.
Today, every client and end user actually knows the difference between encrypted and unencrypted sites. At least on a subjective level: the green lock simply gives a good feeling. However, just as well-known as the positive effect on the trust of site visitors is the misconception that SSL, or TLS (the difference is explained, for example, by our colleagues at CHIP.de), makes WordPress slow.
And yes, theoretically this is true: if a site is delivered via HTTPS (i.e. the secure version of HTTP), the connection between the web server and browser takes a little longer due to the SSL handshake. However, we are only talking about a few milliseconds here.
Nowadays, it's safe to call it a rumor that HTTPS slows down WordPress. In fact, an SSL certificate for your site only brings advantages. And since Google will soon start labeling unencrypted sites as "not secure", it's high time to switch your site to HTTPS now.
I'll show you today:
- Why now is the best time to switch WordPress to HTTPS
- How you can switch WordPress to HTTPS
- Why HTTP/2 makes your WordPress sites faster
- What performance boost you can expect for a WordPress site under HTTPS
- A simple trick with which you can recognize whether your host already uses HTTP/2 (which it should!)
Everything revolves around HTTPS, whether WordPress or not
Three years ago, at its developer conference Google I/O, Google proclaimed the motto "HTTPS everywhere". In short, the Google developers at the time, Pierre Far and Ilya Grigorik, took up the cudgels for the use of TLS (the successor protocol to SSL) and demonstrated in their session ways to implement it, among other things.
Just a few weeks later, in August 2014, HTTPS was then included as an official ranking signal in the Google search rankings. Google has been trying for years to persuade website operators to switch their websites to HTTPS by using arguments and creating facts.
The fact that Google Chrome will soon be penalizing HTTP pages with the notice "not secure" can certainly be seen as the next big step in Google's "HTTPS everywhere" offensive. In fact, this notice has already been displayed since Chrome version 56 for pages that retrieve credit card information, for example. With the new version 62 of the Google browser, however, this rule will be applied to all pages that allow customer input, such as contact forms or search fields.
Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the "Not secure" warning when users type data into HTTP sites.
- Emily Schechter, Chrome Security Team
Free SSL: The situation has never been so favorable for switching WordPress to HTTPS
Three years ago, when the two Google developers made their plea for TLS, you still had to buy SSL certificates and install them yourself. This has now changed dramatically, and for the better.
In 2016, the Let's Encrypt initiative started issuing free SSL certificates. Thanks to sponsors such as - no surprise - Chrome, but also Facebook and companies from the WordPress universe, the Californians can now provide almost 40 million active free SSL certificates.
This development has had a massive impact on the hosting landscape: free SSL certificates are now standard and, thanks to the integration of one-click installations, setup is now possible for every user.
HTTPS used to be a real pain for WordPress
Before the mass distribution of free SSL certificates a good two years ago, switching WordPress to HTTPS was a real pain. Especially for owners of small sites who only needed domain-validated certificates.
Info: These types of SSL certificates are available
- DV certificates: DV stands for Domain Validated. A DV certificate is therefore used to check whether the domain and web space "belong together". If everything is above board, you can be sure that when you access the domain, you will actually end up on the corresponding web space and not on a phishing site. The setup process is still quite simple here: The domain admin confirms that he has the appropriate rights to a domain and can then encrypt his site accordingly.
- OV certificates: OV stands for Organization Validated. In addition to domain validation, this type of certificate guarantees that the site you are visiting really belongs to the company whose website you are trying to access.
- EV certificates: The so-called Extended Validated Certificates go one step further: Here, the certification body intensively checks the company documents. Among other things, the legal form of the company is included in the certificate.
Even setting up a simple IT certificate used to be a real pain for WordPress sites and may not even be feasible for non-technicians. The process consisted of at least four steps:
- Buy a certificate: Here you had to get to grips with the provider landscape and actively compare prices and conditions even for simple DV certificates. This has also led to some providers inventing very creative features, such as insurance, to differentiate their products. In the case of extended certificates, there is also the validation step, i.e. proving that the domain owner is also the company owner. Depending on the certificate, this process could take days or weeks.
- Set up the certificate: The next step was to store the certificate information on the web server. Depending on the provider, this was more or less time-consuming. In the meantime, however, all hosting providers have actually created a more or less good workflow that guides you as a user through the setup process.
- Preparing WordPress for HTTPS: Once the certificate itself had been set up, the site had to be prepared for the switch from HTTP to HTTPS. To do this, every database entry and every resource of the site had to be converted to HTTPS and the result then checked for mixed content errors.
- Configure Google: After the conversion of the site, the entities in Google Analytics and Google Search Console (formerly Google Webmaster Tools) had to be adjusted.
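The mixed content check from the "Preparing WordPress for HTTPS" step can be automated. The following is an added example, not code from the original article: it scans rendered HTML for subresources that are still referenced via http://, and the sample markup and example.com URLs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads from these tags are "active" mixed content, which browsers
# block; images, audio and video are "passive" (warning or automatic upgrade).
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}
URL_ATTRS = ("src", "href", "data", "poster")


class MixedContentScanner(HTMLParser):
    """Collects subresources an HTTPS page would still fetch over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            return  # a hyperlink is navigation, not a subresource
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are checked in this example
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            url = urljoin(self.page_url, value)  # resolves relative and // URLs
            if urlsplit(url).scheme == "http":
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((severity, tag, url))


def scan(page_url, html):
    """Return sorted mixed-content findings for html served at page_url."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return sorted(scanner.findings)


# Constructed sample: a page after a partial http -> https migration.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//example.com/wp-includes/js/jquery.js"></script>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/hero.jpg">
<iframe src="http://video.example.net/embed/1"></iframe>
"""
```

Calling scan("https://example.com/", SAMPLE_HTML) reports the stylesheet and the iframe as active and the logo image as passive mixed content. References inside CSS files and srcset attributes are not covered.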
The development initiated by Let's Encrypt towards free DV certificates has massively simplified this process. Many hosts now also offer a simplified installation where, in the best case scenario, a certificate is activated and set up with a single click and the site is automatically switched to HTTPS. Regardless of whether it is a WordPress project or not.
TIP: Need to set up SSL without a one-click installation?
If you are unlucky, your host does not yet offer a simplified installation. In this case, you will have to make the WordPress settings for HTTPS yourself:
- Our colleague Jonas Tietgen, aka WP Ninjas, explains how it works.
- Similar instructions from René Dasbeck, aka netzgänger
- And our colleague Finn Hillebrandt from blogmojo has also addressed the topic
No HTTP/2 without Google
I've already mentioned it: as part of its "HTTPS everywhere" offensive, Google has always been interested in ensuring that as many sites as possible run with an SSL certificate. Incidentally, this is probably also the reason why Chrome is an official sponsor of Let's Encrypt. However, the search engine giant was also significantly involved in the development of HTTP/2.
The predecessor protocol, SPDY, was initially developed by Google as an experiment to explore technical possibilities with which the almost antique HTTP/1 could be improved. That was in 2009. In 2015, the findings from the experimental SPDY project were then incorporated into the standardized HTTP/2 protocol.
Why HTTP/2 makes your WordPress sites faster
HTTP/2 has been equipped with a wealth of new functions that enable much faster data transmission:
- Multiplexing: With this feature, several different data streams can be loaded via a connection between the web server and client (i.e. the browser of your site visitors). With HTTP/1, a separate connection must be opened for each data stream. And opening these connections takes time.
- Header Compression: Every HTTP request that a client makes to a web server contains meta information so that the site can be set up correctly. This meta information has become larger and larger over the years. HTTP/2 compresses this information and thus saves data volume.
- Server Push: Sometimes also called cache push. The principle behind this feature is very simple: the vast majority of requests to a site are very similar. If your web server recognizes the typical call pattern, for example for your homepage, then the server sends all the information it needs to the browser to set up the site without being asked. This means that the browser has to make far fewer HTTP requests to the server. This makes the page load faster.
So, that all sounds quite nice in theory. But what does it mean in practice? The test page HTTPS vs. HTTP shows impressively how big the difference is between the two protocol generations.
Of course, it is particularly interesting to see how these new features affect the loading time of your pages in the real world. You can easily find out whether your site is running on an HTTP/2-capable server by asking your host (or by using this simple trick). Provided, of course, that WordPress is running under HTTPS.
The acid test: HTTPS makes WordPress 45 percent faster in the test
But now to the nitty-gritty: What performance boost can you realistically expect from switching a WordPress site to HTTPS? Because the 914 percent just measured will not show up on a finished site. That's why we tested the whole thing with our homepage. In other words, we tested raidboxes.de once with and once without HTTPS.
The test shows that a copy of our homepage is 45 percent faster in one go with HTTPS. Our detailed test with seven consecutive tests of German servers shows similar results.
Life hack for webmasters: How to tell at a glance whether your host uses HTTP/2
And because HTTPS gives your WordPress projects this convenient performance boost, it's even more important that you know whether your host uses HTTP/2. Of course, you can simply ask support, but there is also a method that allows you to see at a glance whether your site, or any other site that you are testing, benefits from HTTP/2.
All you need is one thing: a waterfall chart of your site. You can create this by measuring the loading time with the tools Webpagetest, Pingdom or GTmetrix. Simply enter the URL to be tested and run the test. For this trick, it doesn't matter from where and with which specifications the test is carried out.
In the finished waterfall diagram, you now only need to pay attention to whether individual requests are loaded simultaneously or only chronologically. If they are loaded simultaneously, your site is using HTTP/2.
If you have activated HTTPS on your WordPress projects and the requests are not loaded in parallel, you should urgently contact your host 😉
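The waterfall check can also be run on the HAR file that tools such as Webpagetest or the browser's developer tools export. This added example (not part of the original article) groups requests by connection, because an HTTP/1.1 browser also loads in parallel by opening several connections, whereas multiplexing means overlapping requests on the same connection. The HAR entries are constructed and contain only the fields the code reads.

```python
from collections import defaultdict
from datetime import datetime, timedelta

H2_LABELS = {"h2", "http/2", "http/2.0"}  # spellings used by different exporters


def _span(entry):
    """(start, end) of one HAR entry; 'time' is the total duration in ms."""
    start = datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))
    return start, start + timedelta(milliseconds=entry["time"])


def multiplexing_report(har):
    """Per connection id: protocol label and whether requests overlapped in time."""
    by_conn = defaultdict(list)
    for entry in har["log"]["entries"]:
        conn = entry.get("connection")  # optional field in HAR 1.2
        if conn:
            by_conn[conn].append(entry)
    report = {}
    for conn, entries in by_conn.items():
        spans = sorted(_span(e) for e in entries)
        # Sorted by start time, so checking neighbours finds any overlap.
        overlap = any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:]))
        protocol = entries[0]["response"]["httpVersion"].lower()
        report[conn] = {"protocol": protocol, "multiplexed": overlap}
    return report


def uses_http2(har):
    """True only if an HTTP/2 connection actually carried concurrent requests."""
    return any(r["protocol"] in H2_LABELS and r["multiplexed"]
               for r in multiplexing_report(har).values())


def _entry(conn, start_ms, dur_ms, version):
    # Constructed sample entry; only the fields used above are filled in.
    ts = f"2017-09-20T10:00:00.{start_ms:03d}Z"
    return {"startedDateTime": ts, "time": dur_ms, "connection": conn,
            "response": {"httpVersion": version}}


# Constructed: three requests sharing one HTTP/2 connection.
H2_HAR = {"log": {"entries": [_entry("101", 0, 80, "h2"),
                              _entry("101", 5, 60, "h2"),
                              _entry("101", 9, 90, "h2")]}}
# Constructed: HTTP/1.1 looks parallel in a waterfall, but only across connections.
H1_HAR = {"log": {"entries": [_entry("201", 0, 80, "http/1.1"),
                              _entry("202", 2, 70, "http/1.1"),
                              _entry("201", 85, 40, "http/1.1")]}}
```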
Conclusion: HTTPS as an opportunity for your WordPress projects
Google recently began sending the first warning emails to operators of HTTP pages. From version 62 onwards, the Chrome browser will mark pages that allow user input as "not secure".
In principle, this means that every HTTP site with a contact form or comment function is branded by Google. Fortunately, it has never been easier to switch your WordPress sites to HTTPS: SSL certificates are mostly free and one-click installations save a heap of work when setting them up, allowing even less technically savvy webmasters to make the switch. And our test shows: Even with a less optimized site, WordPress can benefit greatly from HTTPS and simply loads much faster.
Ideally, this should only take one click. So if you are still running sites under HTTP, we can only strongly recommend switching.