Why No Padlock? – Is Your Website Connection Secure?
Every year technology gets better, and every year hackers find a way around the newest forms of security. So security gets updated and continues to work until it’s hacked again and the cycle continues. That’s why it’s so important to keep your website up to date and reduce the chances of your website being compromised. This article will give you some pointers on how to tell if your website is safe and steps you can take to secure it.
Why No Padlock
The first step is to check whether the site is secure. Go to https://www.whynopadlock.com/ and enter your website's home page. This will scan the home page and give you an idea of the state of its security. The three sections you will see are “Test Information”, “SSL Connection”, and “Mixed Content”. It’s important to know that this will only scan your home page, not the whole website. This only matters when we start talking about mixed content, which I’ll cover in more detail later.
Test Information
The Test Information section shows which URL was tested, when it was tested and displays a URL you can use to view the test. You might want to save the results URL before you make the site secure. Then, you can send it to your client or boss to show your updates were successful.
SSL Connection
SSL Connection is the most important part of this test. If you failed this part of the test, it’s likely many customers will never see your website. Modern browsers will warn users that “the connection is not secure”. Most people will see this warning and not even bother to try to connect. It used to be that only sites that accepted credit cards needed an SSL certificate, but Google changed that in July 2018. That’s when Google's Chrome browser began labeling sites without an SSL certificate as insecure. It’s very easy to make your site secure: just call your hosting company and they will set you up with an SSL certificate. It’s useful to know that there are FREE SSL options out there, and they are just as good as the paid versions. Almost all SSL certificates, paid and free, use 256-bit encryption. The difference between them is usually a warranty and how long they last. Free SSL certificates often only last for a few months, but hosting companies will often renew these automatically for free.
You may have noticed that you passed the SSL Connection test but that the Protocols section is giving you a warning. As of right now, this is only an issue if you need your website to be PCI compliant. Updating this is even easier: just call your hosting company, let them know you need to be PCI compliant, and say you’d like to upgrade from TLSv1 to the newest version. They will take care of the rest. If you don’t need to be PCI compliant, DON’T have them update you. The newest versions of TLS are not supported by older browsers, so people who are slow to change or update their machines will not be able to visit your site.
Mixed Content
Our last topic is mixed content, and unless you’re comfortable with HTML, I’d call a professional to help with this. Even if you passed this section, you’re not totally covered yet. As I mentioned before, Why No Padlock is only scanning your home page. There may still be mixed content on other pages. You’ll need to go through each page and make sure the padlock next to your URL shows the page as secure. If it doesn’t, you can scan that page, or use the browser’s built-in developer mode and check the console. Either way will tell you what content is causing the problem. The fix is just a matter of changing the URL you are using for the content from HTTP to HTTPS. Oftentimes it’s an image on the page or a link to YouTube, but other links can cause this too. If you notice that lots of pages have mixed content, I’d recommend using a search and replace tool to change all URLs at once. IMPORTANT – Back up your website before using a search and replace tool! And be careful to enter the information correctly. You’ll want to search for all URLs with your address (example: http://yourwebsite.com) and change them to include “https://” (example: https://yourwebsite.com). If you change anything else while using a search and replace tool, you can break the website, so be extra careful.
Recap
Let’s recap! Why No Padlock (whynopadlock.com) is a useful tool that lets you know whether your website is secure. If you notice any warning signs (besides Protocols), contact your hosting company’s tech support and get them fixed. Again, as of writing this article, Protocols SHOULD show a warning sign about TLSv1; this should only be updated if you need to be PCI compliant. Mixed content is scanned for the home page only. You’ll need to check all the other pages on your site. This can be done more efficiently using the browser’s developer mode, rather than scanning every page on Why No Padlock. Also, I know there is a bulk scanning option, but most sites are small enough that it won’t take you long to check every page. If your site has hundreds of pages, you might consider paying for bulk scanning. Hope this was helpful. Feel free to contact us if you have questions.