It seems I’m always on my SSL soapbox and it feels like most people just are not listening. Every time I do a website audit or bring on a new SEO retainer client, one of the first things I check is the health of their SSL implementation. It’s one of my first steps, because about 95% of websites are doing it wrong.
Every time I talk to a client about the health of their SSL implementation, they question if it really matters. My standard replies include:
- Google has been preaching the need for secure websites for years. It is important to Google, which means it should be important to you and your digital marketing efforts.
- SSL health is part of Google’s algorithm, which means it will influence your keyword rank and overall website traffic from search.
As of this month, I can add a third item to the list:
- In December 2019, the Chrome browser will begin blocking content on website pages that include a mix of SSL and non-SSL content. This can quickly make these web pages appear broken and make it much more difficult for the rendering of all your content within the page.
This means websites that have a mix of resources in HTTPS and HTTP will produce a warning message to potential website visitors. This begins with the introduction of Chrome 79, but it is just the start of what is to come. The original role out will offer an unlocking option, but in January of 2020 Google will remove the unblocking option.
You may think you have no issues and that your content is safe and secure, but I encourage you to take a closer look. If you crawl your website fully, you’ll be surprised at what lies beneath. Scripts, styles, links, and images can all cause issues without you even knowing they are present.
Google’s Definition of Mixed Content
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
There two types of mixed content are:
Passive mixed content refers to content that doesn’t interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.
Active mixed content interacts with the page as a whole and allows an attacker to do almost anything with the page. Active mixed content includes scripts, stylesheets, iframes, flash resources, and other code that the browser can download and execute.
Learn more about mixed content and managing it via Google’s Web Fundamentals for developers.
Ways to Locate Mixed Content
There are multiple routes you can take to find mixed content. The best route will depend on factors such as your time, your coding ability, and the size of your website. A small five page website could be manually reviewed fairly quickly, but a one hundred page website would take an extensive effort and much more time than most people have to allocate. If your website is large and thousands of URLs, you are looking at a massive undertaking.
Here are some ways you can locate your mixed content issues:
- Request a website audit from a trusted SEO professional.
- Manually review the source code of your website page by page.
- Use Screaming Frog to crawl the website. This is a paid tool, but relatively low cost as it only has an annual fee.
- Use SEMrush to crawl the website. This is a much more expensive tool, but for SEO consultants like me, it is a must-have tool.
- Use JitBit SSL Checker, which is a free online scanner that will scan up to 400 pages of your site.
- Use SSL Insecure Content Fixer WordPress Plugin to scan your site and alert you to insecure resources and help you fix them.
Once your mixed content issues are found, you need to fix the offenders quickly. A far warning is you may need help resolving these issues. While I can fix some myself, I do require the assistance of my developers at times.
Clean Up Your Website Now
Don’t wait until December to review your website. Get ahead of this important change by auditing your website and fixing all those technical SEO issues that creep in. Technical SEO is a core part of today’s SEO and you cannot have high rank and search traffic without a healthy website.
If you’d like professional help auditing or cleaning up your website, we’d love to help. I’ve been doing professional website audits since 2011 and my team has been working with websites since 2009. We’d love to help you clean up your website and boost your SEO.