This is a series of articles explaining how to speed up WordPress, the use of which is growing rapidly for CMS-based business sites and media sites. This time, we will add support for Always-On SSL and HTTP/2 to our WordPress site, and explain how to get a free SSL certificate from Let's Encrypt.
In the last issue, we verified how fast KUSANAGI, the “1000x speed tuned” virtual machine for WordPress, really is.
In this practical guide, we will enable Always-On SSL and the high-speed transfer protocol HTTP/2 on a WordPress site. We will also explain how to get a free SSL certificate from Let's Encrypt.
What is Always-On SSL?
Always-On SSL strengthens websites' security by turning on HTTPS (SSL/TLS encryption) for the whole site.
Up until now, it was normal to use SSL for only part of a website. On WordPress, for example, it was common to protect web forms where users input personal information with HTTPS, but leave the rest of the site unencrypted with HTTP. HTTPS increases the load on the server because it has to encrypt and decrypt the pages being sent. Users feel the burden too, because page load time increases. Therefore it became common to encrypt only the necessary parts.
However, as of 2016, the overhead of HTTPS is small compared to that of PHP and MySQL, so it is not worth worrying about.
Now, the trend is towards aggressively implementing Always-On SSL. The next few points outline its merits.
Strengthened security
Aside from the visible contents of the web page, header information is also exchanged between the web server and the browser. Even if the headers contain no personal information, they may carry cookies with login information. With Always-On SSL, these are encrypted as well.
Greater ease of use
The new HTTP/2 protocol increases transfer and rendering speed by changing from sequential to parallel requests.
The major browsers only support HTTP/2 under HTTPS. Therefore, if the server supports HTTP/2, using Always-On SSL increases convenience for the user.
Always-On SSL is being rapidly adopted by major web services
For the two reasons noted above, Google, Facebook, Twitter and other major web services are quickly adopting Always-On SSL.
Google is stepping to the forefront by recommending to all web administrators that they change from HTTP to HTTPS. They made a big announcement that using HTTPS will influence websites' search rank. Starting in 2017, they plan to introduce a warning message for all websites that don't use HTTPS.
(Helpful link) HTTPS as a ranking signal (Google Webmaster Central Blog)
(Helpful link) Moving towards a more secure web (Google Security Blog)
Revolution in SEO Strategy / Business outlook
Referrer data, used for analyzing site access, is not transferred when going from an HTTPS page to an HTTP page.
Now that HTTPS is being used by major web services, if your website uses HTTP, you will not be able (or it will at least be difficult) to get data telling you where the traffic came from.
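The referrer behaviour described above, as an added example that is not part of the original article: it models only the rule that no referrer is sent on an HTTPS-to-HTTP link, then shows how the same inbound clicks appear in an access report for an HTTP and an HTTPS landing page. The host names and click list are constructed, and the function names are hypothetical.

```javascript
// Added example: models only the "no Referer on an HTTPS -> HTTP
// downgrade" rule. All URLs below are constructed sample data.

// Returns the Referer value a browser would send, or null if withheld.
function refererFor(fromPage, toUrl) {
  const from = new URL(fromPage);
  const to = new URL(toUrl);
  // Downgrade: a secure page linking to a plain-HTTP destination.
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;
  // Browsers never include credentials or the fragment in Referer.
  from.username = '';
  from.password = '';
  from.hash = '';
  return from.href;
}

// Groups inbound clicks the way an access report would: by referring
// host, with withheld referrers counted as "(direct)".
function trafficSources(clicks, landingUrl) {
  const report = {};
  for (const page of clicks) {
    const ref = refererFor(page, landingUrl);
    const source = ref === null ? '(direct)' : new URL(ref).hostname;
    report[source] = (report[source] || 0) + 1;
  }
  return report;
}

// Constructed sample: pages on which a visitor clicked a link to our site.
const SAMPLE_CLICKS = [
  'https://search.example/results?q=wordpress+speed#top',
  'https://search.example/results?q=kusanagi',
  'https://social.example/post/123',
  'http://oldblog.example/links.html',
];

console.log(trafficSources(SAMPLE_CLICKS, 'http://shop.example/'));
// { '(direct)': 3, 'oldblog.example': 1 }
console.log(trafficSources(SAMPLE_CLICKS, 'https://shop.example/'));
// { 'search.example': 2, 'social.example': 1, 'oldblog.example': 1 }
```

With the HTTP landing page, every click from an HTTPS source collapses into "(direct)"; moving the landing page to HTTPS restores the source of each click.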
New free SSL certificates
Free SSL certificates through certificate authorities like Let's Encrypt and Symantec Encryption Everywhere have made it easier to get trusted SSL certificates instead of self-signed certificates.
Free certificates have some limitations when used for business. However, I think being able to use public certificates for small scale / private websites or staging environments is ground-breaking.
On the next page, I will explain practically how to set up an Always-On SSL WordPress site.