WordPress HTTPS: A simple certificate can speed up your site enormously

WordPress under HTTPS: How a simple certificate makes your pages faster in one fell swoop

There is a persistent misconception that HTTPS makes WordPress slow. In fact, the exact opposite is true: thanks to HTTP/2, SSL-encrypted sites are sometimes extremely fast. And thanks to free SSL certificates and integrated installations, it has never been easier to switch WordPress to HTTPS. And that's a good thing, because HTTP sites will soon have to put up with some disadvantages. We'll show you the benefits of the switch and how you can check whether your host uses HTTP/2 at a glance.

Today, every client and end user actually knows the difference between encrypted and unencrypted sites. At least on a subjective level: the green lock simply gives a good feeling. However, just as well-known as the positive effect on the trust of site visitors is the misconception that SSL, or TLS (our colleagues at CHIP.de, for example, explain the difference), makes WordPress slow.

And yes, theoretically this is true: if a page is delivered via HTTPS (i.e. the secure version of HTTP), the connection between the web server and browser takes a little longer due to the SSL handshake. However, we are only talking about a few milliseconds here.

Nowadays, it's safe to call it a rumor that HTTPS slows down WordPress. Basically, an SSL certificate only benefits your site. And since Google will soon start labeling unencrypted sites as "not secure", it's high time to switch your site to HTTPS now.

I'll show you today:

  • Why now is the best time to switch WordPress to HTTPS
  • How you can switch WordPress to HTTPS
  • Why HTTP/2 makes your WordPress sites faster
  • What performance boost you can expect for a WordPress site under HTTPS
  • A simple trick with which you can recognize whether your host already uses HTTP/2 (which it should!)

Everything revolves around HTTPS, whether WordPress or not

Three years ago, at its developer conference Google I/O, Google proclaimed the motto "HTTPS everywhere". In short, the Google developers at the time, Pierre Far and Ilya Grigorik, took up the cudgels for the use of TLS (the successor protocol to SSL) and demonstrated in their session ways to implement it, among other things.

Just a few weeks later, in August 2014, HTTPS was then included as an official ranking signal in the Google search rankings. Google has been trying for years to persuade website operators to switch their websites to HTTPS by using arguments and creating facts.

The fact that Google Chrome will soon be penalizing HTTP pages with the notice "not secure" can certainly be seen as the next big step in Google's "HTTPS everywhere" offensive. In fact, since Chrome version 56 this notice has already been displayed for pages that retrieve credit card information, for example. With the new version 62 of the Google browser, however, this rule will be applied to all pages that allow customer input, such as contact forms or search fields.

Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the "Not secure" warning when users type data into HTTP sites.

- Emily Schechter, Chrome Security Team

Free SSL: The situation has never been so favorable for switching WordPress to HTTPS

Three years ago, when the two Google developers made their plea for TLS, you still had to buy SSL certificates and install them yourself. This has now changed dramatically, and for the better.

In 2016, the Let's Encrypt initiative started issuing free SSL certificates. Thanks to sponsors such as - no surprise - Chrome, but also Facebook and companies from the WordPress universe, the Californians can now provide almost 40 million active free SSL certificates.

[Figure: Let's Encrypt growth figures]
As you can see, the growth of Let's Encrypt has picked up strongly since October 2016. Since then, the number of active certificates has increased almost eightfold.

This development has had a massive impact on the hosting landscape: free SSL certificates are now standard and, thanks to the integration of one-click installations, setup is now possible for every user.

HTTPS used to be a real pain for WordPress

Before the mass distribution of free SSL certificates a good two years ago, switching WordPress to HTTPS was a real pain. Especially for owners of small sites who only needed domain-validated certificates.

Info: These types of SSL certificates are available

  • DV certificates: DV stands for Domain Validated. A DV certificate is therefore used to check whether the domain and web space "belong together". If everything is above board, you can be sure that when you access the domain, you will actually end up on the corresponding web space and not on a phishing site. The set-up process is still quite simple here: the domain admin confirms that he has the appropriate rights over a domain and can then encrypt his site accordingly.
  • OV certificates: OV stands for Organization Validated. In addition to domain validation, this type of certificate guarantees that the page you are visiting really belongs to the company whose website you are trying to access.
  • EV certificates: The so-called Extended Validated Certificates go one step further: Here, the certification body intensively checks the company documents. Among other things, the legal form of the company is included in the certificate.

Even setting up a simple DV certificate used to be a real pain for WordPress sites and may not even be feasible for non-technicians. This is because the process consisted of at least four steps:

  1. Buy a certificate: Here you had to get to grips with the provider landscape and actively compare prices and conditions even for simple DV certificates. This has also led to some providers inventing very creative features, such as insurance, to differentiate their products. In the case of extended certificates, there is also the validation step, i.e. proving that the domain owner is also the company owner. Depending on the certificate, this process could take days or weeks.
  2. Set up the certificate: The next step was to store the certificate information on the web server. Depending on the provider, this was more or less time-consuming. In the meantime, however, all hosting providers have actually created a more or less good workflow that guides you as a user through the setup process.
  3. Preparing WordPress for HTTPS: After the certificate itself was set up, the site had to be prepared for the switch from HTTP to HTTPS. To do this, every database entry and every resource on the site had to be converted to HTTPS and the result then checked for mixed content errors.
  4. Configure Google: After converting the site, the entities in Google Analytics and Google Search Console (formerly Google Webmaster Tools) had to be adjusted.

The development towards free DV certificates initiated by Let's Encrypt has massively simplified this process. Many hosters now also offer a simplified installation where, in the best case, a certificate is activated and set up with a single click and the site is automatically switched to HTTPS. Regardless of whether it is a WordPress project or not.

TIP: Need to set up SSL without a one-click installation?

If you're unlucky, your host doesn't yet offer a simplified installation. Then you will have to make the WordPress settings for HTTPS yourself:
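The check for mixed content named in step 3 above can be automated. The following is an added example, not part of the original article: it parses a page's HTML and lists every subresource or form target that still uses `http://`. The sample page and its `example.com` URLs are constructed for illustration.

```python
from html.parser import HTMLParser

# Attribute that triggers a fetch, per tag. <a href> only navigates, so it is not listed.
FETCH_ATTR = {"script": "src", "iframe": "src", "embed": "src", "link": "href",
              "img": "src", "audio": "src", "video": "src", "source": "src"}
# "Active" mixed content can rewrite the page; browsers block it on HTTPS pages.
ACTIVE_TAGS = {"script", "iframe", "embed", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            attr, kind = "action", "form"  # user input would be submitted unencrypted
        elif tag in FETCH_ATTR:
            rel = (attrs.get("rel") or "").lower().split()
            if tag == "link" and "stylesheet" not in rel:
                return  # e.g. rel=canonical is metadata, nothing is fetched
            attr = FETCH_ATTR[tag]
            kind = "active" if tag in ACTIVE_TAGS else "passive"
        else:
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def find_mixed_content(html):
    """Return (kind, tag, url) for every http:// subresource or form target."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a page served over HTTPS with leftovers from the HTTP era.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="https://example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/slider.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/2017/10/header.jpg">
<form action="http://example.com/wp-comments-post.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE):
        print(*finding)
```

Findings of kind `active` and `form` are the ones to fix first, usually by correcting the stored URL in the database or theme.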

No HTTP/2 without Google

I've already mentioned it: as part of its "HTTPS everywhere" offensive, Google has always been interested in ensuring that as many sites as possible run with an SSL certificate. Incidentally, this is probably also the reason why Chrome is an official sponsor of Let's Encrypt. However, the search engine giant was also significantly involved in the development of HTTP/2.

That is because the predecessor protocol, SPDY, was initially developed by Google as an experiment to explore technical possibilities for improving the almost antique HTTP/1. That was in 2009. In 2015, the findings from the experimental SPDY project were then incorporated into the standardized HTTP/2 protocol.

Why HTTP/2 makes your WordPress sites faster

HTTP/2 has been equipped with a wealth of new functions that enable much faster data transmission:

  • Multiplexing: With this feature, several different data streams can be loaded via a connection between the web server and client (i.e. the browser of your site visitors). With HTTP/1, a separate connection must be opened for each data stream. And opening these connections takes time.
  • Header Compression: Every HTTP request that a client makes to a web server contains meta information so that the page can be built correctly. This meta information has become larger and larger over the years. HTTP/2 compresses this information and thus saves data volume.
  • Server Push: Sometimes also called cache push. The principle behind this feature is very simple: the vast majority of requests to a page are very similar. If your web server recognizes the typical call pattern, for example for your homepage, then the server sends all the information it needs to the browser to build the page without being asked. This means that the browser has to make far fewer HTTP requests to the server. This makes the page load faster.

So, that all sounds quite nice in theory. But what does it mean in practice? The test page HTTPS vs. HTTP shows impressively how big the difference is between the two protocol generations.

[Figure: In a comparison between HTTPS and HTTP, HTTPS can be much faster in some cases]
In one of our tests, the HTTP/1 vs. HTTP/2 test revealed differences in loading times that were like night and day. The HTTP version of the test was 914 percent slower than the HTTP/2 version. These are good signs for switching your WordPress sites to HTTPS.

Of course, it's particularly interesting to see how these new features affect the loading time of your pages in the real world. You can easily find out whether your site is running on an HTTP/2-capable server by asking your host (or by using this simple trick). Provided, of course, that WordPress is running under HTTPS.

The acid test: HTTPS makes WordPress 45 percent faster in the test

But now to the nitty gritty: What performance boost can you realistically expect from switching a WordPress site to HTTPS? After all, the 914 percent just measured will not show up on a finished site. That's why we tested the whole thing with our homepage. In other words, we tested raidboxes.de once with and once without HTTPS.

[Figure: Without SSL, the Raidboxes page takes more than 5 seconds to load]
[Figure: With SSL, the Raidboxes page takes just under 3 seconds to load]
We carried out the actual test with Webpagetest. The loading time of a clone of raidboxes.de was measured via German test servers. A total of seven consecutive tests were carried out for both the HTTPS and HTTP versions and the results were averaged. It is important to note that the site shows a very poor performance score. This is because certain resources only work under the correct domain of the site. Therefore, only the load time is decisive for the comparison.

The test shows that a copy of our homepage is 45 percent faster in one go with HTTPS. Our detailed test with seven consecutive tests of German servers shows similar results.

Life hack for webmasters: How to tell at a glance whether your host uses HTTP/2

And because HTTPS brings this convenient performance boost to your WordPress projects, it's even more important that you know whether your host uses HTTP/2. Of course, you can simply ask support, but there is also a method that allows you to see at a glance whether your site, or any other site you are testing, benefits from HTTP/2.

All you need is one thing: a waterfall chart of your site. You can create this by measuring the loading time with the tools Webpagetest, Pingdom or GTmetrix. Simply enter the URL to be tested and run the test. For this trick, it doesn't matter from where and with which specifications the test is carried out.

In the finished waterfall diagram, you now only need to pay attention to whether individual requests are loaded simultaneously or only chronologically. If they are loaded simultaneously, your page is using HTTP/2.

[Figure: WordPress HTTPS vs WordPress HTTP]
As you can see, the individual requests in the left-hand version (HTTP) are loaded chronologically, i.e. one after the other. In the right-hand version (WordPress with HTTPS), all requests are loaded simultaneously.

If you have activated HTTPS on your WordPress projects and the requests are not loaded in parallel, you should urgently contact your host 😉
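The same check can be run on the data behind a waterfall chart. This is an added example, not part of the original article, and it assumes the test was exported as a HAR file (browser developer tools and Webpagetest can do this) that fills in the optional `connection` field. It counts overlapping requests per connection, because browsers also open several HTTP/1.1 connections in parallel; overlap on a single connection is what HTTP/2 multiplexing looks like. Both sample HARs are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _span(entry):
    """Start and end time of one HAR entry ('time' is the total in ms)."""
    start = datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))
    return start, start + timedelta(milliseconds=entry["time"])

def peak_inflight_per_connection(har):
    """Map each connection id to the most requests in flight on it at once."""
    events = defaultdict(list)
    for entry in har["log"]["entries"]:
        start, end = _span(entry)
        events[entry.get("connection", "unknown")] += [(start, 1), (end, -1)]
    peaks = {}
    for conn, evs in events.items():
        inflight = peak = 0
        for _, delta in sorted(evs):  # at equal times the -1 sorts first
            inflight += delta
            peak = max(peak, inflight)
        peaks[conn] = peak
    return peaks

def uses_multiplexing(har):
    """True if any single connection carried overlapping requests."""
    return any(peak > 1 for peak in peak_inflight_per_connection(har).values())

def negotiated_protocols(har):
    """Protocol strings the tool recorded, e.g. {'h2'} or {'http/1.1'}."""
    return {e["response"]["httpVersion"].lower() for e in har["log"]["entries"]}

def _entry(conn, offset_ms, dur_ms, version):
    # Builds a constructed HAR entry; only the fields used above are filled in.
    t = datetime(2017, 10, 17, 10, 0, 0) + timedelta(milliseconds=offset_ms)
    return {"startedDateTime": t.isoformat(timespec="milliseconds") + "Z",
            "time": dur_ms, "connection": conn,
            "response": {"httpVersion": version}}

# Constructed sample: HTTP/1.1 over two parallel connections, one request at a time each.
HAR_HTTP1 = {"log": {"entries": [
    _entry("101", 0, 200, "http/1.1"), _entry("102", 0, 180, "http/1.1"),
    _entry("101", 200, 150, "http/1.1"), _entry("102", 180, 220, "http/1.1"),
]}}
# Constructed sample: HTTP/2, four requests overlapping on one connection.
HAR_HTTP2 = {"log": {"entries": [
    _entry("201", ms, 200, "h2") for ms in (0, 5, 10, 15)
]}}

if __name__ == "__main__":
    for name, har in (("http1", HAR_HTTP1), ("http2", HAR_HTTP2)):
        print(name, negotiated_protocols(har), peak_inflight_per_connection(har))
```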

Conclusion: HTTPS as an opportunity for your WordPress projects

Google recently began sending the first warning emails to operators of HTTP pages. From version 62 onwards, the Chrome browser will mark pages that allow user input as "not secure".

[Figure: Example of an HTTP page in the new Chrome version 62]
For example, this is what the address bar of our colleagues at t3n would look like if Chrome displayed the "Not secure" notice for all HTTP pages.

In principle, this means that every HTTP page with a contact form or comment function is branded by Google. Fortunately, it has never been easier to switch your WordPress site to HTTPS: SSL certificates are mostly free and one-click installations save a heap of work when setting them up, allowing even less tech-savvy webmasters to make the switch. And our test shows: Even with a less optimized site, WordPress can benefit greatly from HTTPS and simply loads much faster.

Ideally, this should only take one click. So if you are still running sites under HTTP, we can only strongly recommend switching.
