Happy HTTPS 2017 to you!

Last year we made a big step towards making the SSL certificates more widely used. We backed financially the super cool open SSL project Let’s Encrypt and we provided an easy cPanel interface, from where all our users can issue free Let’s Encrypt certificates with a single click. This has resulted in more than 40 thousand new SSL installations on our servers. However, there is still a long way to go before we see HTTPS protocol completely replace the insecure HTTP.  Now, in the very beginning of 2017 we are happy to announce that we have taken the next big step in this direction -- we have started to automatically issue Let's Encrypt certificates for every domain that is hosted on our shared servers.

Every site should have an SSL

The web is obviously moving into the direction of making HTTPS the preferred, if not the compulsory, protocol. And these are just few of the reasons why this trend will continue to be massive in 2017:

  1. Google has officially announced that HTTPS will be a factor for search results standings
  2. The use of HTTP/2 protocol, that results in serious loading speed gains, is supported by browsers only over encrypted connection.
  3. Google Chrome browser will gradually start to indicate more obviously non-HTTPS websites as insecure.
  4. Matt Mullenweg, the founder of WordPress has announced that some of the new WordPress features released in 2017 will be available only for sites using HTTPS (go to 31:00 minute to hear it).

So, with so many influential entities openly supporting this trend, there is no way back to http.

We make the move to HTTPS easy

To make the transitions easier for our users we have made one more big step: during the holidays we have issued several hundred thousands certificates for all the domains that are already hosted on our shared servers. So our existing customers welcomed 2017 even more HTTPS ready than before. We also have started to issue the Let’s Encrypt certificate and install it on the customer’s account automatically just a short time after a new domain is registered by us or detected to be directed to our servers. And this includes not only the primary account domains, but also addon domains created by our users through the cPanel. All certificates will be renewed automatically by us too, as long as the domains they have been issued for are pointed to our servers. All this does not mean that our users’ websites have started to work by https by default JUST YET. You still need to configure your site to use the issued certificate. (Here you can read more about how to configure a WordPress site to use HTTPS or how to do the trick by editing your htaccess file). If this seems like too much work for you, just wait for our next big SSL-related surprise, which will be announced soon!

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

80 Comments

  1. Reply January 11, 2017 / 18:11 Brian HochsteinSiteGround Team

    BRAVO!

    Good to see a host truly be security minded instead of lag behind the times with outdated approaches to things! 🙂

  2. Reply January 11, 2017 / 18:13 JoeSiteGround Team

    Good Job guys!

  3. Reply January 12, 2017 / 05:09 DanielSiteGround Team

    Great job Siteground, I'll wait for the next big SSL surprise to update my Joomla! website.

  4. Reply January 12, 2017 / 07:58 Zoran FilipovićSiteGround Team

    Excellent job! SiteGroud is: The Joy of Web!

  5. Reply January 12, 2017 / 09:11 Justin RainsSiteGround Team

    No unique IP?

    • Reply January 12, 2017 / 09:12 Justin RainsSiteGround Team

      Downtime?

      • January 12, 2017 / 09:15 Hristo PandjarovSiteGround Team

        Not at all 🙂

    • Reply January 12, 2017 / 09:15 Hristo PandjarovSiteGround Team

      Since SNI is enabled on all servers we don't need to issue IPs per each certificate.

  6. Reply January 12, 2017 / 10:33 DaveSiteGround Team

    But for any domains we want to add SSL to we still need to go to Let's Encrypt in cPanel and kick things off right? So does this just slightly speed up that process of communication that takes place when doing this? Definitely appreciative, just want to understand expectations.

    • Reply January 13, 2017 / 05:23 Hristo PandjarovSiteGround Team

      Our system will try to issue a Let's Encrypt certificate once you purchase a new account or if you add an Addon domain to an existing account. However, sometimes the issuing of the certificate can take longer (due to domain propagation times) or can fail. That is why I would advise anyone to first check the Let’s Encrypt interface in the cPanel if the certificate for the domain is issued and if not, to issue it manually.

  7. Reply January 12, 2017 / 10:48 Jaswinder KaurSiteGround Team

    Glad to know about this all.

    I am waiting for your next big SSL-related surprise!

  8. Reply January 12, 2017 / 11:01 Plinio IWEBSiteGround Team

    Great upgrade!! perfect and smooth i switch to https in 5 min!!

  9. Reply January 13, 2017 / 05:25 Pietro MontagnaSiteGround Team

    Hello Hristo,
    using cloudflare (free plan) I cann't use SSL Let’s Encrypt, right?

    • Reply January 16, 2017 / 06:02 Hristo PandjarovSiteGround Team

      We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.

      • January 18, 2017 / 04:45 Pietro MontagnaSiteGround Team

        🙁
        Thank for your reply.

      • January 18, 2017 / 05:46 OlgaSiteGround Team

        Great move- but what happens to the ones that have bought CloudFlare Plus plan? we paid for one year in advance (on January 8th 2017) - why do have to renew it then?

      • January 19, 2017 / 05:38 Hristo PandjarovSiteGround Team

        The recent changes don't affect in any way the CloudFlare integrations we have. With the Plus plan, you can freely use the LE certificate.

      • January 18, 2017 / 13:08 Brian ProwsSiteGround Team

        I think Hristo's answer should have been "...you can only use their shared certificate if you want to have an encrypted connection on the [paid[ plan."

        This sucks. If you're going to headline your blog post "Https for Everyone," you've got to resolve the situation with CloudFlare. I have a GoGeek plan which, for the price, should include a paid CloudFlare plan.

        Right now, I have my main site on an upgraded CloudFlare plan. but others are on CloudFlare's free plan. It's interesting that if you sign up your domain first with CloudFlare, you can use CloudFlare's free plan with Https.

      • January 19, 2017 / 05:50 Hristo PandjarovSiteGround Team

        We're discussing with CF all the possibilities to improve integrations and to allow our customers to use LE certificates with their free plan. Hopefully soon we will have more info on that matter.

  10. Reply January 13, 2017 / 11:48 PinoSiteGround Team

    "Every site should have an SSL" Every site, or only every public site?

    If you're testing your site on a local LAN before you deploy it to SiteGround hosting, it's hard to test features that require HTTPS because Let's Encrypt issues certs only for names on public TLDs. What's the typical solution for that?

    • Reply January 16, 2017 / 05:57 Hristo PandjarovSiteGround Team

      Soon, you will be able to use LE for almost every domain out there. Meanwhile, yoou can try using a self-signed SSL certificate on your local environment.

  11. Reply January 14, 2017 / 12:58 DavorSiteGround Team

    And what if we use Cloudflare CDN free plan (no support for SSL)?

    • Reply January 16, 2017 / 06:02 Hristo PandjarovSiteGround Team

      We're currently discussing with CloudFlare the possibility of using LE with their free plan but right now, you can only use their shared certificate if you want to have an encrypted connection on the free plan.

      • January 18, 2017 / 04:18 AndersSiteGround Team

        Is there an impact on say affiliate tracking etc if switching to HTTPS?

      • January 19, 2017 / 02:07 Hristo PandjarovSiteGround Team

        No, all sales should be tracked correctly despite having a certificate or not.

  12. Reply January 15, 2017 / 22:50 William JamesSiteGround Team

    This is great initiative. It will improve our non secured to secured sites on the internet. Is it I need to configure or it will automatically configured for my site?

    • Reply January 16, 2017 / 05:03 Hristo PandjarovSiteGround Team

      Yes, you will need to configure your application to work through SSL and if you want to make sure all the traffic is through https, you need to "force" this with an .htaccess rule: https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/

      • January 18, 2017 / 13:14 Brian ProwsSiteGround Team

        This will not resolve Google Chrome's HTTPS insecure element check. If you're using WordPress, you either need to change all your internal links to HTTP or, more easily, use this plugin: https://wordpress.org/plugins/ssl-insecure-content-fixer/

      • January 19, 2017 / 05:43 Hristo PandjarovSiteGround Team

        If the application and its extensions are configured properly, there shouldn't be any insecure content. However, yes, if such exists, the Insecure Content Fixer is one of the plugins we recommend for that job.

  13. Reply January 17, 2017 / 09:46 RobSiteGround Team

    I am using https for a few sites now and this is so easy to setup. Thanks Siteground!!
    Rob

  14. Reply January 17, 2017 / 14:48 bawbagSiteGround Team

    Google chrome announced they are going to flag non ssl sites as "non secure" from version 56 in the browser so "the man" is going to be very happy about this.

  15. Reply January 17, 2017 / 15:23 Ric RaftisSiteGround Team

    I have been using Cloudflare's direct Flexible SSL now for some time because you the free account and admin interface wouldn't work with the Siteground usage. Would be interested in seeing a blog post on how this may have changed and is it better to run your SSL site from Siteground or Cloudflare. The Cloudflare page rules make it nice and easy and the Simbunch CDN extension for Joomla.

    Cheers,

    • Reply January 18, 2017 / 02:42 Hristo PandjarovSiteGround Team

      I really hope that soon you will be able to use your LE certificate with CloudFlare. We will surely post more information about this when it becomes reality!

    • Reply January 18, 2017 / 13:24 Brian ProwsSiteGround Team

      Flexible SSL only encrypts website user to CloudFlare but not to SiteGround. I've been through this exercise with SiteGround techs and CloudFlare. CloudFlare stated flatly it can't (won't) be done. I'm not sure if it's a technical or money issue. To my knowledge, the only way to establish full encryption is to upgrade your free SiteGround CloudFlare connection to paid, which is cheaper than setting up your domain's DNS with CloudFlare @$20 per month.

      With GoBig and GoGeek accounts, SiteGround should offer the paid CloudFlare upgrade in the hosting package.

      • January 19, 2017 / 05:49 Hristo PandjarovSiteGround Team

        Hopefully, you will be able to use your LE certificate with the free CF package very soon 🙂

  16. Reply January 17, 2017 / 20:45 bonnieSiteGround Team

    Good news.

  17. Reply January 18, 2017 / 04:11 David HarperSiteGround Team

    As a site admin who doesn't have a tech's deep understanding of these things I must admit I remain intimidated by the propsect of making the switch. Your article makes it sound like simplicity itself, but the true picture seems far more complex, especially when considerations like SEO come into play, the need to create 301-redirects, the risk of negating inbound links and paths ... . Searchengineland provide a 29-point checklist for the transition procedure and they still identify any number of potential pitfalls. Until you can offer intimidated customers like me complete reassurance that there's no risk of messing up a client's site, or their Google visibility, then our reluctance to switch may continue. Again, I emphasise that I'm not saying I don't appreciate the case for switching, but fear the consequences of breaking something in the process.

    • Reply January 19, 2017 / 05:48 Hristo PandjarovSiteGround Team

      As said, we are working on a solution that will provide our customers with a very easy mechanism to have everything on-site working properly through https. Of course, 3rd party applications and services may require additional configuration. We will make it as easy as possible. In addition to that, you don't need to redirect each URL you have, just force https with a good 301 redirect (https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/). We've been very careful not to break things in that process and right now we're not forcing anything, just making it easier for our customers to configure their sites to work through encrypted connection.

  18. Reply January 18, 2017 / 04:18 Lars RubesonSiteGround Team

    "how to configure a WordPress site to use HTTPS" when will you have the "how to configure a Joomla site to use HTTPS"? Seems clear why you always promote WordPress in every circumstances for some reason I dont understand..Why?

  19. Reply January 18, 2017 / 05:05 fawadSiteGround Team

    Great news for every site member, specially the one like me, as i need this SSL

  20. Reply January 18, 2017 / 05:16 BharatSiteGround Team

    Hello,
    Does this mean that existing shared hosting plans such as those in Reseller hosting plans will have Let's Encrypt SLL certificates installed automatically if they are not installed manually and also renewed automatically whether or not they were installed automatically?

    • Reply January 19, 2017 / 03:42 Hristo PandjarovSiteGround Team

      Yes, all domains associated with those accounts will get free LE certificates that will be renewed automatically too. If you already have LE certificate installed, it's already being renewed automatically.

  21. Reply January 18, 2017 / 05:20 Kaj JensenSiteGround Team

    I noticed that if you install a domain from Softaculous and chose SSL when installing using LE it is considered more safe by for example chrome browser than if you convert your site to SSL by using plugins such as SSL Insecure Content Fixer and changing the URL in WordPress from 'http://' to 'https://' I also added the additional strength by using this guide How to force SSL with .htaccess from Siteground but still the domain is considered less safe than the domain built and installed from scratch with LE SSSL. You can check it from these two domains.

    http://www.fortalezarealestate.com.br (installed with LE SSL from scratch)
    http://www.imoveisemceara.com.br (configured with the Siteground guide How to configure WordPress to use my own private SSL certificate.

    Hopefully it should be possible to get the full site secure label without having to re-install your website - am waiting for your next big SSL-related surprise 🙂

    • Reply January 19, 2017 / 05:51 Hristo PandjarovSiteGround Team

      The difference you see is because you are loading insecure content on the site. If you want to use https, every resource has to be loaded securely in order for you to see the green padlock. That's straight forward for new sites, but existing ones requrie some reconfiguration, thus the difference. Check out this plugin, it will do the trick and your existing sites will look exactly the same as the new ones in your browser: https://wordpress.org/plugins/ssl-insecure-content-fixer/

  22. Reply January 18, 2017 / 06:08 BobSiteGround Team

    How does this work with shared hosting? If I have three or four sites on say a WP Growbig account does each site get a certificate?

    • Reply January 19, 2017 / 03:40 Hristo PandjarovSiteGround Team

      Yes, each domain associated with your account will get a free LE certificate. We use the SNI technology to issue more than one certificate per IP address.

  23. Reply January 18, 2017 / 08:01 PeterSiteGround Team

    What if we don't want a Let's Encrypt certificate for a particular website?

    • Reply January 19, 2017 / 03:26 Hristo PandjarovSiteGround Team

      You can remove it with a single click from the Let's Encrypt tool in cPanel.

  24. Reply January 18, 2017 / 08:29 Todd E JonesSiteGround Team

    Are we automatically getting https or is there an upgrade charge? Glad to see how proactive you guys are!

    • Reply January 19, 2017 / 03:40 Hristo PandjarovSiteGround Team

      All Let's Encrypt certificates are free 🙂

  25. Reply January 18, 2017 / 09:04 MaAnnaSiteGround Team

    This explains what I've been seeing in site audits. There are now two listings in AWStats for every domain - the SSL version and the original.

    What I'm also seeing is that the site is suddenly now available on https and does not redirect to http because there is nothing in .htaccess to force it to do so.

    I'm also seeing that bots are already hitting on the SSL version too.

    I understand your desire to issue certs to get ahead of this curve. But a few security and performance issues have been overlooked in the doing of it.

    Until the site is actually converted to https, and all routes to the site have come under whatever access and security measures have been put in place, no https access should be given.

    Can we request that the cert be removed and then reissued when the site is actually converted?

    • Reply January 19, 2017 / 06:20 Hristo PandjarovSiteGround Team

      You can remove the certificate at any time from the Let's Encrypt tool in cPanel and then install a new one at any time, when you're ready. As to your other question, if you're not linking to your site both through https and http there won't be any problem for your rankings and that's the case for most sites. Google are amongst the organisations that push web encryption hardest. As to the AW Stats, it's normal because they operate on server level and you can see stats for both versions. Note, that even if HTTPS is forced, you will get records for the non-encrypted version because hits are recorded before the redirect.

  26. Reply January 18, 2017 / 09:09 Gerrit de JagerSiteGround Team

    Thank you for this information. I understand the importance of https, but where can I find a simple step by step guide to convert my websites? I am not an expert in this matter....

    • Reply January 19, 2017 / 03:21 Hristo PandjarovSiteGround Team

      There are different configurations that must be made, depending on the software you're using. I would recommend posting a ticket in your Help Desk, my colleagues from the Support team will tell you how to proceed based on your particular app.

  27. Reply January 18, 2017 / 09:36 Lise KingSiteGround Team

    Great job SiteGround!
    Can't wait for the next big SSL surprise update...

    Great service, Great Tech Support and keep up with technology...

    Thank you Guys

  28. Reply January 18, 2017 / 12:13 PeterSiteGround Team

    I switched to https at the end of the last year by simply using this protocoll on my existing web page. I was surprised that it already worked without configuring anything in the c-panel.

    Some little changes to my application and all the work was done.

    Thanks, very good job!

  29. Reply January 18, 2017 / 12:26 Jerry StevensSiteGround Team

    Let's Encrypt is universally available but on most hosts, it takes some work to install it. One of the reasons I was attracted to Siteground in the first place was that they make it easy. Once there I found other things to like about it.

  30. Reply January 18, 2017 / 13:04 SergioSiteGround Team

    SiteGround supports HSTS (HTTP Strict Transport Security)?

    • Reply January 19, 2017 / 02:18 Hristo PandjarovSiteGround Team

      Having a properly working HSTS requires a header to be send to the browser and your application to be well-written. So, yes - if your application is using it correctly, it will work fine on SiteGround accounts with a certificate for that domain.

  31. Reply January 18, 2017 / 13:54 PatrickSiteGround Team

    My Standard AlphaSSL auto renewed on Dec 15th, does that mean it is now obsolete or are those of us who have paid getting something over and above LE?

    What is the advantage of the Standard AlphaSSL offering?

    • Reply January 19, 2017 / 05:41 Hristo PandjarovSiteGround Team

      With your certificate, you've received a dedicated IP address while the new ones we issue use the SNI technology and share one IP. That's the major difference between the purchased and free certificates we offer. Once your certificate expires, you can either renew it and get a wildcard one on the same price, or cancel it and get a free Let's Encrypt one, depending on your needs.

  32. Reply January 18, 2017 / 15:21 myron bernardSiteGround Team

    You really are the best! Thank You!

  33. Reply January 18, 2017 / 16:24 PattySiteGround Team

    Is it still necessary to follow the additional steps recommended by WordPress if I have a WordPress site?

    • Reply January 19, 2017 / 02:58 Hristo PandjarovSiteGround Team

      Yes, you still need to reconfigure your application to work over https.

  34. Reply January 18, 2017 / 16:27 ZSiteGround Team

    This is so rad. You guys just get better and better.

  35. Reply January 18, 2017 / 17:11 webmaster@ncmrc.orgSiteGround Team

    What about Joomla sites?

    • Reply January 19, 2017 / 02:26 Hristo PandjarovSiteGround Team

      We've issued certificates for all domains no matter what application they are using. Joomla sites must be reconfigured to work through https too.

  36. Reply January 18, 2017 / 21:13 TovaSiteGround Team

    You guys are terrific!

  37. Reply January 18, 2017 / 23:38 JaSiteGround Team

    When will we have auto HTTPS, so there really isn't a choice to go back?

    Plans this year or soon after to make this default?

    • Reply January 19, 2017 / 02:57 Hristo PandjarovSiteGround Team

      I am not really sure when we would make such a step. There are numerous things that can go wrong. We host all sort of different sites and there are use cases in which a non-encrypted connection is necessary. This said, we will do our best to make https default and easily(one-click) configurable for the majority of our customers but can't really say when or if we will force it to everyone.

  38. Reply January 19, 2017 / 02:48 Dominic-KSiteGround Team

    But what about sites that have mixed content? I configured the LE certificate, only to discover that all of the videos that were embedded on my site disappeared, being blocked by the browser, and that neither YouTube nor Vimeo (I use both) supported https for embeds. I had to undo it and go back to http. This is frustrating. I have to use the video widgets on my site, but would very much like to have it via https because there are also forms on the site that I would like to be secured. Who's going to put pressure on Vimeo and YouTube to make this possible?

    • Reply January 19, 2017 / 02:55 Hristo PandjarovSiteGround Team

      They actually work without problem over https. Your website most probably has iframes included that load those videos through http. Depending on the application you're using, there are multiple ways to fix this manually and with extension. I would recommend researching the available "insecure content fixer" tools for your app.

      • January 19, 2017 / 20:42 Dominic-KSiteGround Team

        It's a site built with Adobe Muse. The videos are embedded with the native Adobe Muse widgets for YouTube and Vimeo (which does the iframes). The only "fix" I've been able to find via the Adobe help forums was to remove the https -- that it simply won't work. If you think it can, I'd love to hear how.

      • January 20, 2017 / 04:00 Hristo PandjarovSiteGround Team

        Well, in that case I would recommend to try modifying the default widget to include the videos through https because that's working for sure, it's just a flaw in the app.

      • January 20, 2017 / 05:59 Dominic-KSiteGround Team

        Thanks -- it's working now! I figured out I have to not use the widgets but just embed the code directly. Not it's working perfectly. So glad to be able to have this! The advice I original saw on the help forum was outdated.

  39. Reply January 19, 2017 / 12:56 Barb H.SiteGround Team

    Thanks for the reminder. Looking forward to seeing what you all do next...

  40. Reply January 22, 2017 / 16:32 TamalitaSiteGround Team

    Wow. Wow. thank you.

  41. Reply January 23, 2017 / 11:06 RaySiteGround Team

    SiteGround just upped their cred !
    I can't wait to hear what the next surprise is.

Reply

* (Required)