Why your site needs HTTPS

The lock icon in the browser bar isn't optional anymore. Here's what it means and how to get it.

Look at your browser's address bar right now. See the little lock icon before the URL? That means this page is served over HTTPS — the connection between your browser and the server is encrypted. If your website doesn't have that lock, browsers are actively warning your visitors that your site is "Not Secure."

What HTTPS actually does

HTTPS (Hypertext Transfer Protocol Secure) encrypts everything sent between a visitor's browser and your server. Without it, the data travels in plain text — meaning anyone on the same network (like public WiFi) can potentially read it.

This matters most when your site has forms. Contact forms, login pages, checkout flows — any information your visitors type is vulnerable without HTTPS. But even on pages without forms, the lack of encryption means someone could intercept and modify your page content before your visitor sees it.

Why Google requires it

Google started using HTTPS as a ranking signal in 2014. Since 2018, Chrome has displayed a "Not Secure" warning on all HTTP pages. The ranking impact is modest — HTTPS alone won't rocket you to page one — but when you're competing with similar businesses, it can be the difference between position 8 and position 12.

More importantly, the "Not Secure" warning in the browser is a conversion killer. Studies show that 85% of online shoppers avoid insecure websites. Even if your site doesn't sell anything directly, that warning erodes trust. If your health score is suffering, a missing SSL certificate might be why.

SSL vs. TLS vs. HTTPS

You'll hear these terms used interchangeably, which is confusing. Here's the simple version:

Don't worry about the technical distinction. When someone says "you need SSL," they mean "you need HTTPS enabled."

How to set up HTTPS (for free)

If you're on managed hosting (Squarespace, Wix, Shopify)

Good news: these platforms include HTTPS automatically. You don't need to do anything. If for some reason it's not enabled, check your domain settings — there's usually a toggle for "Force SSL" or "Secure connection."

If you're on shared hosting (cPanel, Namecheap, GoDaddy, Bluehost)

  1. Log into your hosting dashboard (usually cPanel)
  2. Find "SSL/TLS" or "Let's Encrypt" or "Security"
  3. Click to install a free Let's Encrypt certificate
  4. Enable "Force HTTPS" or "Redirect HTTP to HTTPS"
  5. Wait a few minutes for it to activate

Let's Encrypt is a free, nonprofit certificate authority. Most hosting providers have a one-click installer for it. The certificate is just as secure as paid certificates — there's no reason to pay for SSL unless you need specific features like warranty or extended validation.

If you're on WordPress

After enabling SSL through your host, install the "Really Simple SSL" plugin. It automatically detects your certificate and fixes mixed content issues (where some resources still load over HTTP).

Common problems after enabling HTTPS

Mixed content warnings: Your page loads over HTTPS, but some images, scripts, or stylesheets still load over HTTP. Fix by updating the URLs in your content to use HTTPS, or use protocol-relative URLs (starting with //).

Redirect loops: If your site gets stuck in an infinite redirect, check your .htaccess file or hosting settings — you may have conflicting redirect rules.

Certificate expired: Let's Encrypt certificates expire every 90 days but auto-renew. If yours expires, check that auto-renewal is enabled in your hosting panel.

Not sure if your HTTPS is set up correctly? Antileak checks for valid SSL certificates, proper redirects, mixed content, and HSTS headers as part of every security scan. Run a scan to find out.
