There are three major changes that it’s critical for people with websites to know how to deal with, and this article covers those changes – SSL conversion, site loading time, and the prevalence of hacking. This article is aimed at providing a management-level overview of these three issues so you can address them before they become a problem.
Trend one: https:// (aka SSL) is now becoming critical on your website
You’re probably aware that when you see the letters “https” (also known as SSL, i.e. Secure Sockets Layer) and generally a green padlock in the URL bar, it means that you are visiting a website with an encrypted connection – that is, all traffic you send to and receive from that website is encrypted between the server and your browser. This makes it harder for the bad guys to listen in and steal information such as your credit card details or login credentials. For instance, if you log in using public WiFi at an airport and don’t use an encrypted connection, your login details are now very likely to be stolen in most airports worldwide. Of course, if you use a VPN as well, that does provide some degree of protection, but if you forget, you will end up having to change all the passwords you used or suffer hacking at a later date.
Don’t forget — SSL only protects the communication path between the web browser and the server, it doesn’t really “secure” the site – it merely stops most eavesdropping en-route.
As a result of this and multiple security trends across the web industry, Google and others made a long-term decision years ago to push hard to get all website owners to encrypt content, and started pushing harder for it to happen in 2016. The particular aim here is to make it harder to just watch all content as it flows past, which was what many of the security agencies were doing at the time.
To push websites to use https, Google decided to lower the rank of websites not using https. They also decided to publish a warning in Chrome so that unencrypted websites would initially have a green “Not Secure” warning and, as time progresses, to turn it red on all non-encrypted sites. In the first stages, unencrypted pages with passwords or credit card information will issue warnings. This may affect older sites, as in the past it wasn’t seen as necessary to encrypt a page that displayed a credit card form so long as the credit card itself was subsequently transmitted on a secure channel. However, forcing the initial page to SSL is better practice as it suggests to the user that credit card information will be transmitted securely.
In a nutshell, using https is becoming a clear mark of modern, well maintained websites – if you’re not on the bandwagon in coming months your site will look out of date and people will be discouraged from using it.
WD3 has provided free https certificates for some time now, and these are automatically installed on all sites using our shared servers. To check whether the free certificate is working on your site, change the first part of your URL from “http://” to “https://”. An error pop-up shows that it is not working; no error verifies that it is working, even if the URL switches back to “http” at the start (the website programming may force it back).
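The same check can be scripted so that a certificate failure is told apart from a site that merely redirects back to http. This is an added example, not WD3 tooling or code from the original article; the function names and outcome labels are hypothetical.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def classify(tls_error, status, location):
    """Map probe results onto the outcomes the article describes."""
    if tls_error is not None:
        # A browser would show the error pop-up here.
        return "certificate-not-working"
    if status in REDIRECTS and location:
        # An absolute Location with scheme http means the site's own
        # programming forces visitors back to the unencrypted URL.
        if urlsplit(location).scheme == "http":
            return "works-but-site-forces-http"
    return "https-working"

def probe(host, port=443, timeout=10):
    """Verified TLS handshake, then HEAD / to record any redirect."""
    ctx = ssl.create_default_context()   # checks chain, expiry and hostname
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", "/", headers={"User-Agent": "https-check-example"})
        resp = conn.getresponse()
        return None, resp.status, resp.getheader("Location")
    except ssl.SSLError as exc:          # includes certificate verification errors
        return str(exc), None, None
    finally:
        conn.close()

def check(host):
    # Connection failures other than TLS errors (timeout, refused) propagate.
    return classify(*probe(host))

if __name__ == "__main__" and len(sys.argv) == 2:
    print(sys.argv[1], check(sys.argv[1]))
```

Run it with the bare hostname as the only argument; a result of `works-but-site-forces-http` means the certificate is fine and the remaining work is in the site's redirect settings.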
If you haven’t converted your site yet, it’s usually quite simple to do; you are welcome to contact us for help or simply to do it yourself.
Trend two: Site load time now reflects in Google ranking
“Site load time” refers to the number of seconds it takes for a site to load and become visible, to the point where a user can see your webpage. It’s not necessary for the entire site to be loaded, just the visible part (which is called the part that is “above the fold”, i.e. like the visible part of a folded piece of paper).
Many people view sites from mobile devices and these can often use speed-sensitive technologies such as slower WAN technology where the data packets travel over long distance mobile data networks. If your site is slow on the desktop, it will generally be excruciating on a mobile device and, apart from anything else, this can lead to many of your users giving up on your site and thus not purchasing from you.
Google is also now using site performance as a ranking measure. Although it is only a smaller part of how sites rank, the faster of two sites would rank higher when they are otherwise equally ranked. This is particularly true of sites that are slow on mobile devices. Google also assesses sites for mobile support and can apply ranking penalties to sites that aren’t effective on mobile devices. Frankly, this is not a surprise as often the majority of a website’s traffic comes from mobile devices.
From a practical point of view, if you have a small site your site load time is not critical provided it’s reasonable. But if you have an eCommerce site it’s critical to get this right or you may be actively losing business.
If you’re a developer, you can check the mobile-readiness of your site easily on Page Insights and you can look at overall speed of your site on www.webpagetest.org.
Trend three: Everyone is getting hacked all the time
Hacking is now automated, and is thus a much higher risk. The goal of hackers is often to infect your site and use it to infect PCs and possibly other websites. This means that if your website ranks well on Google it will be targeted more frequently with more insidious hacking attempts. And sometimes a hack can spread to the rest of the server if accounts have not been isolated (they are isolated on our cPanel servers).
Modern hackers don’t usually give the game away by defacing sites, they just want to use them to earn money in various ways (usually micro amounts), to blackmail people or act as illegal file server points, or to commit some sort of banking fraud. The problem here is that with many of these activities, if Google finds out they will list your site as hacked and visitors to your site will be presented instead with a red warning page, and, even worse for your traffic, people’s antivirus software may block access to the site. This will understandably affect user confidence in your product!
The temptation these days, with cPanel accounts easily supporting multi-domain hosting, is to put all your sites into one cPanel account as, apart from anything else, it’s cheaper. From a security point of view, you should know that this is a nightmare: hackers typically hack one site and then go on to hack all sites under the account, as multi-hosted sites are not isolated from each other (the isolation occurs at the cPanel account level). This also increases the risk of your sites exponentially as the number of sites grows. cPanel accounts are generally isolated using an isolation tool such as CloudLinux, which prevents one cPanel account from accessing another at a kernel level.
What can you do to avoid being hacked? Here’s a quick summary, some of these things being tasks you can perform and others being those that are performed by your web host:
- Keep your site software up to date (eg WordPress)
- Be careful what themes and plugins you use, as insecure plugins are a common hacking entry point
- Keep personal backups off-server, and keep a rolling long-ish term history (we already keep rolling backups of your account, but we recommend you also keep backups of your website locally)
- Use a server company that isolates accounts from one another, or, if your site is high value, use a virtual or dedicated server
- Use a server company that does regular operating system software updates
- Use a server company that does regular virus scans of your site
In our experience across thousands of sites, nearly all sites that are hacked haven’t been updated for a year or more! Not updating your site (or not setting it to auto-update) is just asking to be hacked. Why? The reason is that security “holes” or weak points are discovered on an almost weekly basis and fixes are generally released within a few days. So, if you don’t update, you are allowing a published and known weakness to remain in your site, and over time the likelihood of it getting exploited just goes up and up. Also, it’s worth keeping a rolling long-term backup history of your site – that way, if the site is damaged or files are lost in a hack and are no longer present in the shorter-term rolling backups that web companies keep, you still have a copy to restore from. You can cover this off by downloading your own copy of backups on a periodic basis, or by installing (for WordPress) software like UpdraftPlus. While UpdraftPlus is our current recommendation for WordPress backup, there are other excellent plugins – many will upload periodically to Dropbox or S3 and we wouldn’t be caught without them.
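Why the long-term history matters, as an added example that is not part of the original article: a tiered retention rule for your own off-server copies, compared with a short rolling window when a hack is only noticed weeks later. The tier sizes (7 daily, 8 weekly, 12 monthly), the 14-day host window and all dates are constructed assumptions.

```python
from datetime import date, timedelta

def keep_set(backup_dates, today, daily=7, weekly=8, monthly=12):
    """Tiered retention: recent dailies, newest per ISO week, newest per month."""
    keep = set()
    seen_weeks, seen_months = [], []
    for d in sorted(backup_dates, reverse=True):       # newest first
        if (today - d).days < daily:
            keep.add(d)
        week = tuple(d.isocalendar()[:2])              # (ISO year, ISO week)
        if week not in seen_weeks and len(seen_weeks) < weekly:
            seen_weeks.append(week)
            keep.add(d)
        month = (d.year, d.month)
        if month not in seen_months and len(seen_months) < monthly:
            seen_months.append(month)
            keep.add(d)
    return keep

def restore_point(kept, compromised_on):
    """Newest kept backup taken strictly before the compromise, or None."""
    older = [d for d in kept if d < compromised_on]
    return max(older) if older else None

# Constructed sample data: one backup per day for 200 days.
TODAY = date(2024, 6, 30)
BACKUPS = [TODAY - timedelta(days=i) for i in range(200)]
# Assumed short rolling window kept on the server (14 days).
HOST_WINDOW = [d for d in BACKUPS if (TODAY - d).days < 14]
# Assumed scenario: the site was compromised 45 days before it was noticed.
COMPROMISED_ON = TODAY - timedelta(days=45)

if __name__ == "__main__":
    kept = keep_set(BACKUPS, TODAY)
    print("copies kept:", len(kept))
    print("clean copy in short window:", restore_point(HOST_WINDOW, COMPROMISED_ON))
    print("clean copy in tiered history:", restore_point(kept, COMPROMISED_ON))
```

Every copy in the short window postdates the compromise, while the tiered history still holds a clean one at a fraction of the storage of keeping everything.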
It’s also worth keeping an eye on what plugins and themes you install on your site. It’s best, for themes, to stick to a known and trusted vendor that does frequent updates. For plugins, avoid those that fail in more than a few areas out of these: good documentation, good star rating PLUS a good number of reviewers, solid number of installations, and track history of fixing security and other issues. Commercial plugins that solve a specific commercial requirement are of course an exception from this rule. One could write a lot about this specific issue as software selection is pretty vital to keeping your site going – and once you are relying on dodgy software it can become very expensive to maintain it if it wasn’t done properly in the first place or if the maintainer has gone AWOL.
In our mind, being aware of all three of these trends is critical. There’s no doubt that failing to address these will affect your site usability and your Google ranking and, ultimately, the profitability you are taking out of your site.