If so, you should take action immediately. The e-mail has either informed you that your page has (already) been infected with a virus or been hacked, or is “only” insecure. The latter warnings have been sent out rather frequently over the past few days, as Google will be labeling unencrypted websites as “INSECURE” in Chrome starting in October. Chrome is currently the most popular browser.
What does this mean?
“INSECURE” means that the connection to your website is unencrypted. You can tell because your website’s address begins with http:// instead of https://. If your website transmits form data unencrypted, you risk falling in the rankings, damage to your reputation, and legal warnings, and of course the security of your users suffers. Important: this affects above all websites with forms, which are used, for example, in:
- Contact forms
- Comment boxes
- Online shops
- Live chats
If you are already using https but still receive the security warning, the first thing to do is check the encryption with GlobalSign’s free SSL test. I also recommend the Sucuri malware scan to make sure your page does not contain any viruses or trojans. Repeat both scans at the latest once you have successfully implemented encryption.
What do I have to do?
You can perform the encryption of your website yourself if you are at least somewhat familiar with the settings of your website’s content management system (CMS) and ideally know a little about HTML programming. Otherwise, it would be best to let a professional do it. The procedure is as follows:
- Ordering an SSL certificate: You can order the SSL certificate (a type of security code that you need for encryption) directly from your web host. Usually you can get a free certificate (from Let’s Encrypt), but I recommend investing in a domain SSL certificate issued specifically for your domain. Such a certificate usually costs between € 50 and € 150 a year. Unlike a shared SSL certificate, which is usually issued to your web host, the domain SSL certificate is issued to you, the domain owner or administrator. This makes it more secure, because you do not share it with other people. Sharing a certificate with others also means that when another website is (illegally) decrypted, it is highly likely that your website will be attacked as well, as this takes very little extra effort. Ordering an SSL certificate is as easy as ordering a domain or making an online shop purchase.
- Encryption settings in the CMS and, where necessary, in HTML files: All data should be transmitted via https. To ensure this, change the site address accordingly, from http://… to https://, in the URL settings of your website’s content management system.
Click here for the SSL guide for WordPress. If you are using a different content management system and are unsure where the settings are, you should ask your agency or your administrator.
- Adding canonical tags so that the encrypted website is indexed: In addition to an encrypted connection, I recommend setting a canonical tag. This tag in the source code of your website tells search engines and users that from now on only the encrypted links of your website should be indexed. It can be added manually or activated via an SEO plugin such as ours.
- Setting the https URL in Google Analytics: In Google Analytics, go to Property Settings > Default URL. Here, change the URL of your website to the https variant.
- Checking backlinks: Next, I recommend checking your links and modifying those which come from particularly important sources, or having them modified. You can obtain a list of your most important backlinks directly from Google Analytics. The most important links to redirect (i.e. from the http to the https variant) are those which currently send the most visitors to your site. You will find the list in Google Analytics under Acquisition > Source / Medium.
If you can modify the links yourself, do so. For most web indexes and social media sites, this can be done simply by updating your website address.
For other links which you cannot modify yourself because they are e.g. in press articles, the only thing you can do is send a message to the relevant contact (check the website info) requesting that they make the changes. However, it is usually rather unlikely that they will do so in the foreseeable future. Hence, you can ignore the links for now. That is because an observant webmaster will change the links sooner or later anyway.
Regardless of this, you should also redirect those links which you consider important (e.g. due to the name) but which do not appear in Analytics. You will find them via the Open Link Explorer or the Google Search Console.
- Finally, add a new property in Google Search Console: Open the Google Search Console and click “Add” at the top right. Enter your domain name preceded by https:// and click “Add”.
Ideally, on the next page you then confirm your domain administration rights via Google Analytics under “Alternative methods”. Alternatively, you can confirm the domain in another way, such as via the meta tag in the source code of the site or via an HTML file. Where necessary, consult your administrator or agency before doing so. If someone else has access rights to an existing account, they should be informed of this or involved in the process. Ideally, after confirmation, you then submit your newly generated sitemap (with encrypted URLs).
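As an added example (not code from the original post, and not the way any CMS implements it), the following minimal Python WSGI application shows what the encryption and canonical-tag steps above amount to on the server: every plain-http request receives a permanent (301) redirect to its https:// address, and every page carries a `<link rel="canonical">` element pointing at its https:// address without the query string. The host names www.example.com / example.com and the page body are constructed placeholders. In practice the redirect belongs in the web server or CMS configuration rather than in application code; the script only makes the required behaviour explicit and checkable.

```python
"""Minimal WSGI app: force https:// with a 301 and emit a canonical tag.

Added illustration for the migration steps above; not code from the post.
Host names and page body are constructed placeholders.
"""
from html import escape

ALLOWED_HOSTS = {"www.example.com", "example.com"}  # constructed placeholders
CANONICAL_HOST = "www.example.com"


def safe_host(host):
    """Never echo an arbitrary Host header into Location: (open redirect)."""
    return host if host in ALLOWED_HOSTS else CANONICAL_HOST


def redirect_response(scheme, host, path_qs):
    """Return (status, headers) for a 301 to the https:// twin of the request,
    or None when the request already arrived encrypted."""
    if scheme == "https":
        return None
    return ("301 Moved Permanently", [("Location", f"https://{host}{path_qs}")])


def canonical_url(host, path):
    """The one address search engines should index: https, no query string."""
    return f"https://{host}{path}"


def canonical_tag(host, path):
    # Attribute value is escaped so a crafted path cannot break out of href="".
    href = escape(canonical_url(host, path), quote=True)
    return f'<link rel="canonical" href="{href}">'


def handle(environ):
    """Pure request handler: returns (status, headers, body_bytes).

    wsgi.url_scheme is set by the server. Behind a TLS-terminating proxy it is
    often "http"; only then, and only for your own proxy, derive the scheme
    from X-Forwarded-Proto instead. Trusting that header from arbitrary
    clients lets anyone skip the redirect, so it is deliberately not read here.
    """
    scheme = environ.get("wsgi.url_scheme", "http")
    host = safe_host(environ.get("HTTP_HOST", CANONICAL_HOST))
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")
    path_qs = path + ("?" + query if query else "")

    decision = redirect_response(scheme, host, path_qs)
    if decision is not None:
        status, headers = decision
        headers = headers + [("Content-Type", "text/plain; charset=utf-8")]
        return status, headers, b"Redirecting to the encrypted site\n"

    body = (
        "<!doctype html><html><head>"
        f"{canonical_tag(host, path)}"
        "</head><body><p>constructed page body</p></body></html>"
    ).encode("utf-8")
    return "200 OK", [("Content-Type", "text/html; charset=utf-8")], body


def wsgi_app(environ, start_response):
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Local demo only: http://127.0.0.1:8000/ answers with the 301.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, wsgi_app).serve_forever()
```

The two details a migration most often gets wrong are visible in the code: the query string is preserved in the redirect target (so deep links and campaign parameters keep working) but dropped from the canonical URL (so search engines index one address per page), and the Host header is checked against an allowlist before it is copied into `Location`.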
Final tasks for encryption
Finally, check the encryption with GlobalSign once again (see link above). In addition, visit the website in Chrome and click the icon to the left of the domain in the address bar to view the connection status.
If everything is as it should be in both cases, the encryption has been successful.
If (individual) files are still transmitted unencrypted, check your template/theme (the programmed design) and the database once again. The simplest way is to search all files and tables for http://yourdomain and http://www.yourdomain and change any links that have not yet been changed to https.
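The search described above can be automated. The following Python script is an added example, not code from the original post: it walks a directory containing theme files and a database dump, reports every http:// link to your own domain (but not to look-alike domains such as yourdomain.example.net) and, when asked, rewrites them to https://. Lines that look like PHP-serialized data (`s:30:"…"`), which WordPress uses for many stored options, are reported but left untouched, because serialize() records the byte length of each string and a one-byte-longer scheme would corrupt the record; those lines need a serialization-aware search-and-replace tool. The domain yourdomain.example and the sample files in `SAMPLE_FILES` are constructed.

```python
"""Find and optionally rewrite leftover http:// links to your own domain.

Added example for the final check above; not code from the original post.
The domain and sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Prefix PHP's serialize() puts in front of every string: s:<byte length>:"
SERIALIZED_MARKER = re.compile(r's:\d+:"')


def build_pattern(domain):
    """Match http://domain and http://www.domain only when the domain ends at a
    URL delimiter, so http://domain.net or http://domain-shop are not touched."""
    d = re.escape(domain)
    return re.compile(rf"http://(?:www\.)?{d}(?=[/\"'\s<>)\]?#,;]|$)")


def rewrite_text(text, pattern):
    """Rewrite matching links line by line.

    Returns (new_text, fixed, skipped). Lines containing serialized PHP are
    counted as skipped and left unchanged: changing "http" to "https" inside
    s:30:"..." would make the stored length wrong and break the record.
    """
    out, fixed, skipped = [], 0, 0
    for line in text.splitlines(keepends=True):
        hits = len(pattern.findall(line))
        if hits and SERIALIZED_MARKER.search(line):
            skipped += hits
            out.append(line)
        elif hits:
            fixed += hits
            out.append(pattern.sub(lambda m: "https" + m.group(0)[4:], line))
        else:
            out.append(line)
    return "".join(out), fixed, skipped


def scan_tree(root, domain, fix=False):
    """Walk root and return {relative_path: (fixable, skipped)} for files that
    still contain unencrypted own-domain links. With fix=True the fixable
    links are rewritten in place; skipped lines are only reported."""
    pattern = build_pattern(domain)
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary asset (image, font): nothing to rewrite
        new_text, fixed, skipped = rewrite_text(text, pattern)
        if fixed or skipped:
            report[path.relative_to(root).as_posix()] = (fixed, skipped)
            if fix and fixed:
                path.write_text(new_text, encoding="utf-8")
    return report


# Constructed sample tree: a theme with two files and a WordPress-style dump.
SAMPLE_FILES = {
    "theme/header.php": (
        '<link rel="stylesheet" href="http://www.yourdomain.example/style.css">\n'
        '<img src="https://www.yourdomain.example/logo.png">\n'
    ),
    "theme/footer.php": (
        '<a href="http://yourdomain.example/imprint">Imprint</a>\n'
        '<a href="http://yourdomain.example.net/">not our domain</a>\n'
    ),
    "dump.sql": (
        "INSERT INTO wp_options VALUES ('siteurl','http://yourdomain.example');\n"
        "INSERT INTO wp_options VALUES ('widget',"
        "'a:1:{s:3:\"url\";s:30:\"http://www.yourdomain.example/\";}');\n"
    ),
}


def demo(domain="yourdomain.example"):
    """Write the sample tree to a temp dir, run a dry run, fix, and rescan.
    Returns (dry_run_report, report_after_fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        dry = scan_tree(tmp, domain)
        scan_tree(tmp, domain, fix=True)
        after = scan_tree(tmp, domain)
    return dry, after


if __name__ == "__main__":
    before, remaining = demo()
    print("before fix:", before)
    print("still to handle by hand:", remaining)
```

Run it against a copy of the theme directory and a fresh database dump first (dry run), compare the report with what your CMS still shows as unencrypted, and only then run with `fix=True` on the copy; anything listed in the skipped column has to be changed with a serialization-aware tool or through the CMS itself.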