Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Thanks for the feedback.

    *Looks at handbook page*

    Two things in this article are no longer true with the latest updates from Google.

    You’re discussing SEO and that page is a guide that talks about setting up SSL on your WordPress site.

    That page is not for opining on SEO, it’s only for establishing TLS encryption for a reasonable expectation of privacy from the WordPress installation to the user’s browsers.

    Thread Starter anotherguy

    (@anotherguy)

    That page actually has several pieces of content that are false, though, and relating to SEO.

    There is absolutely no need to serve a HTTPS webpage, when there is no question of any privacy.

    But there is a reason to serve an HTTPS webpage – it now improves SEO ranking.

    Additionally:

    As there is no need to serve the whole website with both HTTPS URLs and HTTP URLs (that is harmful for SEO just like www and non www – Google will mark as duplicate contents)

    This is false. Google does not mark the content as duplicated.

    Because those two things need to be updated, then this final point should also be changed:

    Bad Practices for HTTPS for WordPress #
    Making the whole website to be served from both HTTPS and HTTP urls

    The only reason it’s a “bad practice” is if there is no benefit, and if SEO is marked as duplicate. Since there is a benefit, and SEO is not ranked lower, then making a whole website to be served from both HTTPS and HTTP is no longer a bad practice.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    But there is a reason to serve an HTTPS webpage – it now improves SEO ranking.

    The only reason it’s a “bad practice” is if there is no benefit, and if SEO is marked as duplicate. Since there is a benefit, and SEO is not ranked lower, then making a whole website to be served from both HTTPS and HTTP is no longer a bad practice.

    You keep mentioning SEO. That’s not going to get the page updated. 😉

    However that said, this part is now removed.

    (that is harmful for SEO just like www and non www – Google will mark as duplicate contents)

    I missed that in the 850+ words and you are correct that part is not accurate. 😉 The rest will stay for now.

    Thread Starter anotherguy

    (@anotherguy)

    Totally acceptable. Thanks for doing that. 🙂

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    No problem, thanks for pointing that out. 😉

    WPChina

    (@wordpresschina)

    There is absolutely no need to serve a HTTPS webpage, when there is no question of any privacy.

    I have had a problem with that statement for a long time and have written and deleted without posting comments about it a few times. It’s not about privacy– it’s more about authentication and integrity. Every site should use https, regardless of SEO, because auth and integ are the real reasons Google makes it an SEO thing. It’s not SEO for SEO sake……

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It’s not about privacy– it’s more about authentication and integrity.

    Sort of.

    *Drinks coffee*

    Disclaimer: I secure my sites using TLS. Even my test sites. I do it in the same fashion that I keep my software up to date. It’s easy when you know how and there are X.509 certificate providers that will and do provide free and valid certificates. The Let’s Encrypt effort is a terrific step in that direction.

    I like TLS, I like the idea behind end to end encryption between my web server and users communicating with it.

    But unless you know what you are doing and how it works then I don’t really recommend it for everyone. It requires maintenance and attention and is not yet “fire and forget”. If people visit your site and you let your certificate expire then thanks to Google Chrome they will get freaked out at the warning.

    There is also the problem that the idea behind TLS gives some people an unrealistic sense of security. If you are running on a Windows platform then it’s really not that difficult to intercept that traffic as users have found out.

    https://en.wikipedia.org/wiki/Superfish#Lenovo_security_incident

    There are others such as the Sony root kit incident.

    Network providers (and others) can also perform man in the middle attacks provided they can get the users to install their root certificate. That’s not hard to do and users do things like that without realizing it. Yes, that sort of thing is discoverable if you know what to look for but the average user doesn’t have any awareness in that area.

    *Drinks more coffee*

    The point I’m heading to in a roundabout way is

    1. Yes, a TLS based site is good.
    2. No, it’s not for everyone yet.
    3. Yes, people should learn about it.

    Once they can support their own installation then they should use it. But only when they know what it really means and what it gives you. 😉
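
The certificate-expiry maintenance problem raised in the reply above can be monitored with a short script. This is an added example, not part of the original posts; the 30-day threshold and all function names are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal threshold, not a value from the thread


def days_remaining(not_after, now):
    """Whole days from `now` until a certificate's notAfter string, in the
    format SSLSocket.getpeercert() returns ('Jun  1 12:00:00 2030 GMT').
    A negative result means the certificate has already expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(not_after, now, warn_days=WARN_DAYS):
    """Map a notAfter string to OK / RENEW / EXPIRED."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left < warn_days:
        return "RENEW"
    return "OK"


def check_host(host, port=443, timeout=5.0):
    """Connect the way a browser would and report the certificate state.
    An expired or untrusted certificate fails verification during the
    handshake, so that case is reported instead of raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return "INVALID: " + str(exc.verify_message)
    return classify(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Constructed sample values so the demo runs offline.
    sample = "Jun  1 12:00:00 2030 GMT"
    for day in (datetime(2030, 1, 1, tzinfo=timezone.utc),
                datetime(2030, 5, 20, tzinfo=timezone.utc),
                datetime(2030, 6, 2, tzinfo=timezone.utc)):
        print(day.date(), classify(sample, day))
```

Run from cron or a monitoring job, `check_host("your-site.example")` gives a warning well before visitors see the browser interstitial.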

    WPChina

    (@wordpresschina)

    The point I’m heading to in a roundabout way is

    1. Yes, a TLS based site is good.
    2. No, it’s not for everyone yet.
    3. Yes, people should learn about it.

    I agree with the above plus everything else you wrote.

    *Drinks tea*

    It’s unfortunate that the Internet is connected by duct tape. It’s too bad the default is not an SSL/TLS config on every server/site. The mindset should be: “TLS, yes!” for plugin developers and theme creators.

    I think it *should* be for everybody. It’s ridiculously easy to install a certificate, and many hosts will provide free legit certs to customers who have a dedicated IP. However, though it is easy to install, I agree it takes a bit of “getting one’s head around it” to understand the intricacies of either installing via SSH or via a control panel like cPanel, ISPmanager, etc.

    So something is broken, and only someone with the heft of WordPress can help to navigate away from the old ways and to a new, more secure world. So I wish the line “There is absolutely no need to serve a HTTPS webpage, when there is no question of any privacy” could instead state “There is always a need to use and install TLS on your sites, and a friendly community at WordPress.org and on many other forums will always have people ready to assist you.”

    Installing and using TLS should not be a magical act or voodoo from a black box — it should be easy for one to get one’s <head> around it.


The topic ‘Documentation on SSL Certs needs updated’ is closed to new replies.