Why Your Website Says Not Secure

Is your web browser telling you your website is "Not Secure"? This security warning is shown on all websites using the HTTP protocol, and it means your website is not providing a secure connection to the browser. If your website is not secure, it might be costing you customers.

When a browser connects to a website it uses one of two options: HTTP on port 80 (not secure) or HTTPS on port 443 (secure). If your website is not secure, it's because it's using HTTP to connect. As a small business owner, you should always protect your website with HTTPS. This applies even if your website doesn't handle sensitive communications. Aside from implementing critical security and data integrity for both your website and your customers' personal information, HTTPS is now required by many new browsers. Keep in mind that HTTPS doesn't secure your website itself, but rather secures (encrypts) the information being sent between your website and its visitors. To help you understand the difference between HTTPS and HTTP we created an infographic that you can view here.

HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Hackers exploit unprotected communications (HTTP) to trick your users into revealing sensitive information or installing malware. They can also insert their own advertisements into your resources. Hackers exploit every unprotected resource that travels between your website and your users. Images, cookies, scripts, HTML … they’re all exploitable.

HTTPS protects the privacy and security of your users. A common mistaken belief about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications with their users. This is simply not true. Every unprotected HTTP request that takes place on your website can potentially reveal personal information about the behaviors and identities of your users. Although a single visit to your unprotected website may seem like no big deal, hackers look at the collective browsing activities of your users to make inferences about their behaviors and social-engineer their identities.

"Some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities."
Kayce Basques
Google Chrome DevTools

How to Secure a Website

Before you start you will want to check with your web host to see if they can do this for you. It might take a couple of days but may be worth it if you're not technically sound, because some of these steps can get complicated. With that being said, the first thing you need to do is buy an SSL certificate. There are a number of SSL providers that range in price, so do your own research and find the one you are comfortable with. Just make sure it has SHA-2 and 2048-bit encryption. From here on I will be using cPanel as the host of my website as the example. The steps should be very similar for other hosting providers. I will break this down into steps.

Step 1: Once you have your SSL certificate you will need to verify you own your domain before you can apply it to your website. You have two options to verify you own a certain domain.

The first is email-based validation. Here you will need to receive an email at the admin address associated with the domain. Example: admin@yourcoolwebsite.com. Most people don't set up an admin email address for their website; it's more common to have your name or info@yourcoolwebsite.com. If this is the case for you as well and you don't have an admin email address, you can create one or create an alias for an already existing email.

The next is DNS-based validation. This method requires you to create a CNAME entry in your DNS records. To do this you will want to sign in to your web host account and click on 'manage DNS'.

From here you will want to find the 'records' section and click add. Select CNAME from the drop down.

You will then need to fill in the HOST and POINTS TO sections of the CNAME. Don't forget to push save to complete the process.

Step 2: Now we need to activate the certificate. You will need to generate a CSR (certificate signing request) inside your web hosting control panel, such as cPanel. Find the SSL/TLS admin area, choose "Generate SSL Certificate" and fill out the forms.

After you have filled this out you should see a screen like this.

Log into your SSL provider, then paste the first block of text, which is the signing request. This is your "CSR", and it is needed to activate your SSL. Just paste it into the fields needed and your SSL provider will email you a .crt file with your certificate. Once you have your .crt file, log back into your web host provider and click "Upload Certificate". Return to the SSL manager page and under "Install and Manage SSL for your site (HTTPS)", click "Manage SSL Sites". On this page find "Install an SSL Website" and click "Browse Certificates". Find the certificate you just uploaded and click "Use Certificate". At the bottom of the page click on "Install Certificate". If you were successful installing your certificate you should get a pop-up that says successfully installed.

Step 3: Now you need to write some server-side code to redirect your previous HTTP site to your new HTTPS site. This is called a 301 redirect and you do this in your htaccess.txt file. This process also prevents search engines from storing duplicate information from your website, one copy from the HTTP version and one from the HTTPS version. Duplicate information can hurt your SEO on Google. A 301 redirect takes any insecure version of your website and redirects it to the secure version, so no matter which way the address is typed into the web browser, it is redirected. For example: www.coolwebsite.com -> https://www.coolwebsite.com | coolwebsite.com -> https://www.coolwebsite.com

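RewriteEngine On

# Hosts without www. go straight to the HTTPS www. address in one 301.
# The capturing condition comes last so that %1 refers to its group.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^([a-z.]+)?yourcoolwebsite\.com$ [NC]
RewriteRule .? https://www.%1yourcoolwebsite.com%{REQUEST_URI} [R=301,L]

# Anything still arriving over plain HTTP is sent to HTTPS on the same host.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Collapse index.html onto its directory URL with a permanent redirect.
# (A bare R flag issues a temporary 302, so R=301 is spelled out.)
RewriteRule ^index\.html$ / [NC,R=301,L]
RewriteRule ^(.*)/index\.html$ /$1/ [R=301,L]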

Feel free to use this code. Just remember to replace the 'yourcoolwebsite' placeholder with your website name.
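
One way to confirm the redirect behaves as intended, as an added example that is not part of the original article: the Python function below audits an observed redirect chain and flags hops that lead to cleartext HTTP, temporary (non-301) redirects, and unnecessary extra hops. The function name, the sample chains and the canonical host are assumptions built on the article's placeholder domain.

```python
from urllib.parse import urljoin, urlsplit

CANONICAL_HOST = "www.yourcoolwebsite.com"  # the article's placeholder domain
REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit_chain(start_url, hops, canonical_host=CANONICAL_HOST):
    """Check one observed redirect chain.

    hops is the list of (status, Location) pairs seen while following
    start_url, ending with the terminal response such as (200, None).
    Returns a list of findings; an empty list means the chain is sound.
    """
    findings, url, redirects = [], start_url, 0
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break  # terminal response reached
        target = urljoin(url, location)  # Location may be relative
        if status not in (301, 308):
            findings.append(f"{url}: temporary redirect ({status}), expected 301")
        if urlsplit(target).scheme != "https":
            findings.append(f"{url}: redirects to cleartext {target}")
        url, redirects = target, redirects + 1
    final = urlsplit(url)
    if final.scheme != "https":
        findings.append(f"final URL {url} is not HTTPS")
    if final.hostname != canonical_host:
        findings.append(f"final host {final.hostname} is not {canonical_host}")
    if redirects > 1:
        findings.append(f"{redirects} redirects where a single 301 would do")
    return findings


# Constructed sample chains (not captured from a real site).
ONE_HOP = [(301, "https://www.yourcoolwebsite.com/"), (200, None)]
VIA_HTTP = [(301, "http://www.yourcoolwebsite.com/"),
            (302, "https://www.yourcoolwebsite.com/"),
            (200, None)]
NO_REDIRECT = [(200, None)]

if __name__ == "__main__":
    start = "http://yourcoolwebsite.com/"
    for name, chain in [("one hop", ONE_HOP), ("via http", VIA_HTTP),
                        ("no redirect", NO_REDIRECT)]:
        print(name, audit_chain(start, chain) or "OK")
```

The status and Location values for a live site can be read from `curl -sIL http://yourcoolwebsite.com/` and passed in as the hops list.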

What makes a website secure?

In most cases, what makes a website secure is having an SSL certificate properly installed. As a small business owner this is really all you need to make you and your visitors less prone to attacks. Any information submitted on your website will be encrypted and safer from man-in-the-middle attacks.

Here at Local Marketing Takeover we handle the move to HTTPS for our clients to ensure the process is smooth and bug free.

We created an infographic to explain more about what HTTPS is and how still using HTTP puts you and your customers at risk. You can view that here.