You can tell the difference between a secure and an insecure site by the presence (or not!) of a padlock next to the URL in your browser. When you see the padlock it means that the data that you are exchanging with the website is being encrypted. Sites that have been through a process called “Enhanced Verification” or “EV” have had their real-world credentials checked and will present a green background on the URL/address bar to show their credentials.
We’ve had secure sites for a long time and the technology is essential in protecting credit card and other personal data as it moves across the web.
Google has been pushing something they call “HTTPS Everywhere” for quite a while too – the idea that every site (not page!) should use encryption at all times.
So keen are Google on this that they’ve been very open in stating that they’ve made it a “ranking signal” – something that directly affects your search engine ranking. So – even if you’re not collecting personal data, there’s a good reason to get your site secured right there.
It’s also an incredibly cheap thing to do – Google, Facebook, and others have been funding projects like www.letsencrypt.org, which issues completely free security certificates, for some time.
The process to set up a new certificate takes around fifteen minutes tops for a developer or system administrator – so there’s really no excuse for not getting this done as a matter of urgency if your site doesn’t currently have one.
Getting a padlock does not mean your site is secure
Let’s be clear – just because a website has a padlock, even if it comes on a fancy green background, doesn’t mean that it is “secure”. All it means is that the data you are exchanging with the website is secured whilst it is in transit across the internet. What happens to it once it arrives at the website is a whole different story.
It’s like posting a letter in a very secure envelope. It’s safe between the postbox and the destination, but once the envelope is removed the information is vulnerable again.
I’ve picked on WordPress a few times already but it is one of the worst culprits for unfixed security problems – 268 are listed on cvedetails.com as I write this.
Two. Hundred. And. Sixty. Eight.
And that’s just the core code – it doesn’t take into account plugins and themes that you may also be using on your website.