Happy HTTPS 2017 to you!

Last year we made a big step towards making the SSL certificates more widely used. We backed financially the super cool open SSL project Let’s Encrypt and we provided an easy cPanel interface, from where all our users can issue free Let’s Encrypt certificates with a single click. This has resulted in more than 40 thousand new SSL installations on our servers. However, there is still a long way to go before we see HTTPS protocol completely replace the insecure HTTP.  Now, in the very beginning of 2017, we are happy to announce that we have taken the next big step in this direction — we have started to automatically issue Let’s Encrypt certificates for every domain that is hosted on our shared servers.

Every site should have an SSL

The web is obviously moving into the direction of making HTTPS the preferred, if not the compulsory, protocol. These are just a few of the reasons why this trend will continue to be massive in 2017:

  1. Google has officially announced that HTTPS will be a factor for search results standings
  2. The use of HTTP/2 protocol, that results in serious loading speed gains, is supported by browsers only over encrypted connection.
  3. Google Chrome browser will gradually start to indicate more obviously non-HTTPS websites as insecure.
  4. Matt Mullenweg, the founder of WordPress has announced that some of the new WordPress features released in 2017 will be available only for sites using HTTPS (go to 31:00 minute to hear it).

So, with so many influential entities openly supporting this trend, there is no way back to HTTP.

We make the move to HTTPS easy

To make the transitions easier for our users we have made one more big step: during the holidays we have issued several hundred thousand certificates for all the domains that are already hosted on our shared servers. So our existing customers welcomed 2017 even more HTTPS-ready than before. We also have started to issue the Let’s Encrypt certificate and install it on the customer’s account automatically just a short time after a new domain is registered by us or detected to be directed to our servers. This includes not only the primary account domains but also addon domains created by our users through the cPanel. All certificates will be renewed automatically by us too, as long as the domains they have been issued for are pointed to our servers.

All this does not mean that our users’ websites have started to work by HTTPS by default JUST YET. You still need to configure your site to use the issued certificate. (Here you can read more about how to configure a WordPress site to use HTTPS or how to do the trick by editing your htaccess file). If this seems like too much work for you, just wait for our next big SSL-related surprise, which will be announced soon!

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.

Thanks!

Please check your email to confirm your subscription.

Hristo Pandjarov

Product Innovation Director

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments ( 89 )

author avatar

Brian Hochstein

Jan 12, 2017

BRAVO! Good to see a host truly be security minded instead of lag behind the times with outdated approaches to things! :)

Reply
author avatar

Joe

Jan 12, 2017

Good Job guys!

Reply
author avatar

Daniel

Jan 12, 2017

Great job Siteground, I'll wait for the next big SSL surprise to update my Joomla! website.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 13, 2017

You can use the Joomla Toolkit in your cPanel to easily configure it to work with SSL: https://www.siteground.com/tutorials/joomla-wordpress-toolkit/configure-ssl.htm

Reply
author avatar

Zoran Filipović

Jan 12, 2017

Excellent job! SiteGroud is: The Joy of Web!

Reply
author avatar

Justin Rains

Jan 12, 2017

No unique IP?

Reply
author avatar

Justin Rains

Jan 12, 2017

Downtime?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 12, 2017

Not at all :)

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 12, 2017

Since SNI is enabled on all servers we don't need to issue IPs per each certificate.

Reply
author avatar

Dave

Jan 12, 2017

But for any domains we want to add SSL to we still need to go to Let's Encrypt in cPanel and kick things off right? So does this just slightly speed up that process of communication that takes place when doing this? Definitely appreciative, just want to understand expectations.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 13, 2017

Our system will try to issue a Let's Encrypt certificate once you purchase a new account or if you add an Addon domain to an existing account. However, sometimes the issuing of the certificate can take longer (due to domain propagation times) or can fail. That is why I would advise anyone to first check the Let’s Encrypt interface in the cPanel if the certificate for the domain is issued and if not, to issue it manually.

Reply
author avatar

Jaswinder Kaur

Jan 12, 2017

Glad to know about this all. I am waiting for your next big SSL-related surprise!

Reply
author avatar

Plinio IWEB

Jan 12, 2017

Great upgrade!! perfect and smooth i switch to https in 5 min!!

Reply
author avatar

Pietro Montagna

Jan 13, 2017

Hello Hristo, using cloudflare (free plan) I cann't use SSL Let’s Encrypt, right?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 16, 2017

We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.

Reply
author avatar

Pietro Montagna

Jan 18, 2017

:( Thank for your reply.

Reply
author avatar

Olga

Jan 18, 2017

Great move- but what happens to the ones that have bought CloudFlare Plus plan? we paid for one year in advance (on January 8th 2017) - why do have to renew it then?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

The recent changes don't affect in any way the CloudFlare integrations we have. With the Plus plan, you can freely use the LE certificate.

Reply
author avatar

Brian Prows

Jan 18, 2017

I think Hristo's answer should have been "...you can only use their shared certificate if you want to have an encrypted connection on the [paid[ plan." This sucks. If you're going to headline your blog post "Https for Everyone," you've got to resolve the situation with CloudFlare. I have a GoGeek plan which, for the price, should include a paid CloudFlare plan. Right now, I have my main site on an upgraded CloudFlare plan. but others are on CloudFlare's free plan. It's interesting that if you sign up your domain first with CloudFlare, you can use CloudFlare's free plan with Https.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

We're discussing with CF all the possibilities to improve integrations and to allow our customers to use LE certificates with their free plan. Hopefully soon we will have more info on that matter.

Reply
author avatar

Pino

Jan 13, 2017

"Every site should have an SSL" Every site, or only every public site? If you're testing your site on a local LAN before you deploy it to SiteGround hosting, it's hard to test features that require HTTPS because Let's Encrypt issues certs only for names on public TLDs. What's the typical solution for that?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 16, 2017

Soon, you will be able to use LE for almost every domain out there. Meanwhile, yoou can try using a self-signed SSL certificate on your local environment.

Reply
author avatar

Davor

Jan 14, 2017

And what if we use Cloudflare CDN free plan (no support for SSL)?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 16, 2017

We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.

Reply
author avatar

Anders

Jan 18, 2017

Is there an impact on say affiliate tracking etc if switching to HTTPS?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

No, all sales should be tracked correctly despite having a certificate or not.

Reply
author avatar

William James

Jan 16, 2017

This is great initiative. It will improve our non secured to secured sites on the internet. Is it I need to configure or it will automatically configured for my site?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 16, 2017

Yes, you will need to configure your application to work through SSL and if you want to make sure all the traffic is through https, you need to "force" this with an .htaccess rule: https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/

Reply
author avatar

Brian Prows

Jan 18, 2017

This will not resolve Google Chrome's HTTPS insecure element check. If you're using WordPress, you either need to change all your internal links to HTTP or, more easily, use this plugin: https://wordpress.org/plugins/ssl-insecure-content-fixer/

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

If the application and its extensions are configured properly, there shouldn't be any insecure content. However, yes, if such exists, the Insecure Content Fixer is one of the plugins we recommend for that job.

Reply
author avatar

Rob

Jan 17, 2017

I am using https for a few sites now and this is so easy to setup. Thanks Siteground!! Rob

Reply
author avatar

bawbag

Jan 17, 2017

Google chrome announced they are going to flag non ssl sites as "non secure" from version 56 in the browser so "the man" is going to be very happy about this.

Reply
author avatar

Ric Raftis

Jan 17, 2017

I have been using Cloudflare's direct Flexible SSL now for some time because you the free account and admin interface wouldn't work with the Siteground usage. Would be interested in seeing a blog post on how this may have changed and is it better to run your SSL site from Siteground or Cloudflare. The Cloudflare page rules make it nice and easy and the Simbunch CDN extension for Joomla. Cheers,

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 18, 2017

I really hope that soon you will be able to use your LE certificate with CloudFlare. We will surely post more information about this when it becomes reality!

Reply
author avatar

Brian Prows

Jan 18, 2017

Flexible SSL only encrypts website user to CloudFlare but not to SiteGround. I've been through this exercise with SiteGround techs and CloudFlare. CloudFlare stated flatly it can't (won't) be done. I'm not sure if it's a technical or money issue. To my knowledge, the only way to establish full encryption is to upgrade your free SiteGround CloudFlare connection to paid, which is cheaper than setting up your domain's DNS with CloudFlare @$20 per month. With GoBig and GoGeek accounts, SiteGround should offer the paid CloudFlare upgrade in the hosting package.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Hopefully, you will be able to use your LE certificate with the free CF package very soon :)

Reply
author avatar

bonnie

Jan 18, 2017

Good news.

Reply
author avatar

David Harper

Jan 18, 2017

As a site admin who doesn't have a tech's deep understanding of these things I must admit I remain intimidated by the propsect of making the switch. Your article makes it sound like simplicity itself, but the true picture seems far more complex, especially when considerations like SEO come into play, the need to create 301-redirects, the risk of negating inbound links and paths ... . Searchengineland provide a 29-point checklist for the transition procedure and they still identify any number of potential pitfalls. Until you can offer intimidated customers like me complete reassurance that there's no risk of messing up a client's site, or their Google visibility, then our reluctance to switch may continue. Again, I emphasise that I'm not saying I don't appreciate the case for switching, but fear the consequences of breaking something in the process.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

As said, we are working on a solution that will provide our customers with a very easy mechanism to have everything on-site working properly through https. Of course, 3rd party applications and services may require additional configuration. We will make it as easy as possible. In addition to that, you don't need to redirect each URL you have, just force https with a good 301 redirect (https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/). We've been very careful not to break things in that process and right now we're not forcing anything, just making it easier for our customers to configure their sites to work through encrypted connection.

Reply
author avatar

Lars Rubeson

Jan 18, 2017

"how to configure a WordPress site to use HTTPS" when will you have the "how to configure a Joomla site to use HTTPS"? Seems clear why you always promote Wordpress in every circumstances for some reason I dont understand..Why?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Here's a link to the article on how to configure your Joomla website: https://www.siteground.com/kb/configure-joomla-site-use-https/ I wouldn't say we promote WordPress, it's just web application that our customers use most.

Reply
author avatar

fawad

Jan 18, 2017

Great news for every site member, specially the one like me, as i need this SSL

Reply
author avatar

Bharat

Jan 18, 2017

Hello, Does this mean that existing shared hosting plans such as those in Reseller hosting plans will have Let's Encrypt SLL certificates installed automatically if they are not installed manually and also renewed automatically whether or not they were installed automatically?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Yes, all domains associated with those accounts will get free LE certificates that will be renewed automatically too. If you already have LE certificate installed, it's already being renewed automatically.

Reply
author avatar

Kaj Jensen

Jan 18, 2017

I noticed that if you install a domain from Softaculous and chose SSL when installing using LE it is considered more safe by for example chrome browser than if you convert your site to SSL by using plugins such as SSL Insecure Content Fixer and changing the URL in Wordpress from 'http://' to 'https://' I also added the additional strength by using this guide How to force SSL with .htaccess from Siteground but still the domain is considered less safe than the domain built and installed from scratch with LE SSSL. You can check it from these two domains. www.fortalezarealestate.com.br (installed with LE SSL from scratch) www.imoveisemceara.com.br (configured with the Siteground guide How to configure WordPress to use my own private SSL certificate. Hopefully it should be possible to get the full site secure label without having to re-install your website - am waiting for your next big SSL-related surprise :-)

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

The difference you see is because you are loading insecure content on the site. If you want to use https, every resource has to be loaded securely in order for you to see the green padlock. That's straight forward for new sites, but existing ones requrie some reconfiguration, thus the difference. Check out this plugin, it will do the trick and your existing sites will look exactly the same as the new ones in your browser: https://wordpress.org/plugins/ssl-insecure-content-fixer/

Reply
author avatar

Bob

Jan 18, 2017

How does this work with shared hosting? If I have three or four sites on say a WP Growbig account does each site get a certificate?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Yes, each domain associated with your account will get a free LE certificate. We use the SNI technology to issue more than one certificate per IP address.

Reply
author avatar

Peter

Jan 18, 2017

What if we don't want a Let's Encrypt certificate for a particular website?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

You can remove it with a single click from the Let's Encrypt tool in cPanel.

Reply
author avatar

Todd E Jones

Jan 18, 2017

Are we automatically getting https or is there an upgrade charge? Glad to see how proactive you guys are!

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

All Let's Encrypt certificates are free :)

Reply
author avatar

MaAnna

Jan 18, 2017

This explains what I've been seeing in site audits. There are now two listings in AWStats for every domain - the SSL version and the original. What I'm also seeing is that the site is suddenly now available on https and does not redirect to http because there is nothing in .htaccess to force it to do so. I'm also seeing that bots are already hitting on the SSL version too. I understand your desire to issue certs to get ahead of this curve. But a few security and performance issues have been overlooked in the doing of it. Until the site is actually converted to https, and all routes to the site have come under whatever access and security measures have been put in place, no https access should be given. Can we request that the cert be removed and then reissued when the site is actually converted?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

You can remove the certificate at any time from the Let's Encrypt tool in cPanel and then install a new one at any time, when you're ready. As to your other question, if you're not linking to your site both through https and http there won't be any problem for your rankings and that's the case for most sites. Google are amongst the organisations that push web encryption hardest. As to the AW Stats, it's normal because they operate on server level and you can see stats for both versions. Note, that even if HTTPS is forced, you will get records for the non-encrypted version because hits are recorded before the redirect.

Reply
author avatar

Gerrit de Jager

Jan 18, 2017

Thank you for this information. I understand the importance of https, but where can I find a simple step by step guide to convert my websites? I am not an expert in this matter....

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

There are different configurations that must be made, depending on the software you're using. I would recommend posting a ticket in your Help Desk, my colleagues from the Support team will tell you how to proceed based on your particular app.

Reply
author avatar

Lise King

Jan 18, 2017

Great job SiteGround! Can't wait for the next big SSL surprise update... Great service, Great Tech Support and keep up with technology... Thank you Guys

Reply
author avatar

Peter

Jan 18, 2017

I switched to https at the end of the last year by simply using this protocoll on my existing web page. I was surprised that it already worked without configuring anything in the c-panel. Some little changes to my application and all the work was done. Thanks, very good job!

Reply
author avatar

Jerry Stevens

Jan 18, 2017

Let's Encrypt is universally available but on most hosts, it takes some work to install it. One of the reasons I was attracted to Siteground in the first place was that they make it easy. Once there I found other things to like about it.

Reply
author avatar

Sergio

Jan 18, 2017

SiteGround supports HSTS (HTTP Strict Transport Security)?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Having a properly working HSTS requires a header to be send to the browser and your application to be well-written. So, yes - if your application is using it correctly, it will work fine on SiteGround accounts with a certificate for that domain.

Reply
author avatar

Ovidiu Nicolae

Jul 01, 2018

Hi Hristo, I just installed Let's encrypt for my website running on WordPress, GoGeek plan. I remember reading somewhere else that HSTS is not enabled by default with Let's Encrypt (it requires a flag before installing it: ./letsencrypt-auto --hsts), meaning I can't simply add the header rule to the .htaccess file. Is that the case here? Thanks

Reply
author avatar

Hristo Pandjarov Siteground Team

Jul 02, 2018

Defining the header rule in your .htaccess will enable the HSTS correctly and that can be verified either using curl or any online SSL checker :)

Reply
author avatar

Patrick

Jan 18, 2017

My Standard AlphaSSL auto renewed on Dec 15th, does that mean it is now obsolete or are those of us who have paid getting something over and above LE? What is the advantage of the Standard AlphaSSL offering?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

With your certificate, you've received a dedicated IP address while the new ones we issue use the SNI technology and share one IP. That's the major difference between the purchased and free certificates we offer. Once your certificate expires, you can either renew it and get a wildcard one on the same price, or cancel it and get a free Let's Encrypt one, depending on your needs.

Reply
author avatar

myron bernard

Jan 18, 2017

You really are the best! Thank You!

Reply
author avatar

Patty

Jan 18, 2017

Is it still necessary to follow the additional steps recommended by Wordpress if I have a Wordpress site?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

Yes, you still need to reconfigure your application to work over https.

Reply
author avatar

Z

Jan 18, 2017

This is so rad. You guys just get better and better.

Reply
author avatar

webmaster@ncmrc.org

Jan 18, 2017

What about Joomla sites?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

We've issued certificates for all domains no matter what application they are using. Joomla sites must be reconfigured to work through https too.

Reply
author avatar

Tova

Jan 19, 2017

You guys are terrific!

Reply
author avatar

Ja

Jan 19, 2017

When will we have auto HTTPS, so there really isn't a choice to go back? Plans this year or soon after to make this default?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

I am not really sure when we would make such a step. There are numerous things that can go wrong. We host all sort of different sites and there are use cases in which a non-encrypted connection is necessary. This said, we will do our best to make https default and easily(one-click) configurable for the majority of our customers but can't really say when or if we will force it to everyone.

Reply
author avatar

Dominic-K

Jan 19, 2017

But what about sites that have mixed content? I configured the LE certificate, only to discover that all of the videos that were embedded on my site disappeared, being blocked by the browser, and that neither YouTube nor Vimeo (I use both) supported https for embeds. I had to undo it and go back to http. This is frustrating. I have to use the video widgets on my site, but would very much like to have it via https because there are also forms on the site that I would like to be secured. Who's going to put pressure on Vimeo and YouTube to make this possible?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 19, 2017

They actually work without problem over https. Your website most probably has iframes included that load those videos through http. Depending on the application you're using, there are multiple ways to fix this manually and with extension. I would recommend researching the available "insecure content fixer" tools for your app.

Reply
author avatar

Dominic-K

Jan 20, 2017

It's a site built with Adobe Muse. The videos are embedded with the native Adobe Muse widgets for YouTube and Vimeo (which does the iframes). The only "fix" I've been able to find via the Adobe help forums was to remove the https -- that it simply won't work. If you think it can, I'd love to hear how.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jan 20, 2017

Well, in that case I would recommend to try modifying the default widget to include the videos through https because that's working for sure, it's just a flaw in the app.

Reply
author avatar

Dominic-K

Jan 20, 2017

Thanks -- it's working now! I figured out I have to not use the widgets but just embed the code directly. Not it's working perfectly. So glad to be able to have this! The advice I original saw on the help forum was outdated.

Reply
author avatar

Barb H.

Jan 19, 2017

Thanks for the reminder. Looking forward to seeing what you all do next...

Reply
author avatar

Tamalita

Jan 22, 2017

Wow. Wow. thank you.

Reply
author avatar

Ray

Jan 23, 2017

SiteGround just upped their cred ! I can't wait to hear what the next surprise is.

Reply
author avatar

Anne Katzeff

Feb 25, 2017

Hi, I've got 2 situations: (1) My primary domain site is built with Bootstrap and has a WordPress blog. This primary domain also uses Cloudflare. (2) My subdomain site is WordPress, without Cloudflare. What are your recommendations for how I should transition to HTTPS on both the primary domain and on the subdomain? Should I force the HTTPS for the non-WordPress area via htaccess? After that, go through the steps you've outlined for WordPress sites using Cloudflare? thank you!

Reply
author avatar

Hristo Pandjarov Siteground Team

Feb 27, 2017

Leave the subdomain without CF and simply force the HTTPS on it with the plugin. That should work right away. Then, check if the CF SSL option is set to Flexible in your CF panel, switch manually your non-WP application and test everything out. Once you make sure everything works, switch the SSL option to Full.

Reply
author avatar

Anne Katzeff

Feb 28, 2017

OK, will give it a try. Do you have a link that leads to the instrux. for switching manually? thank you

Reply
author avatar

Anne Katzeff

Feb 28, 2017

Is it this link? https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/

Reply
author avatar

Hristo Pandjarov Siteground Team

Mar 01, 2017

Yes :)

Reply
author avatar

Damian

Mar 06, 2017

Is it available for vps customers?

Reply
author avatar

Hristo Pandjarov Siteground Team

Mar 07, 2017

Yes :)

Reply

Start discussion