It seems I’m always on my SSL soapbox and it feels like most people just are not listening. Every time I do a website audit or bring on a new SEO retainer client, one of the first things I check is the health of their SSL implementation. It’s one of my first steps, because about 95% of websites are doing it wrong.
Every time I talk to a client about the health of their SSL implementation, they question if it really matters. My standard replies include:
- Google has been preaching the need for secure websites for years. It is important to Google, which means it should be important to you and your digital marketing efforts.
- SSL health is part of Google’s algorithm, which means it will influence your keyword rank and overall website traffic from search.
As of this month, I can add a third item to the list:
- In December 2019, the Chrome browser will begin blocking content on website pages that include a mix of SSL and non-SSL content. This can quickly make these web pages appear broken and make it much more difficult for the rendering of all your content within the page.
This means websites that have a mix of resources in HTTPS and HTTP will produce a warning message to potential website visitors. This begins with the introduction of Chrome 79, but it is just the start of what is to come. The original role out will offer an unlocking option, but in January of 2020 Google will remove the unblocking option.
Read Google’s official announcement titled “No More Mixed Messages about HTTPS” ->
You may think you have no issues and that your content is safe and secure, but I encourage you to take a closer look. If you crawl your website fully, you’ll be surprised at what lies beneath. Scripts, styles, links, and images can all cause issues without you even knowing they are present.
Google’s Definition of Mixed Content
Mixed content occurs when initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources.
There two types of mixed content are:
Passive mixed content refers to content that doesn’t interact with the rest of the page, and thus a man-in-the-middle attack is restricted to what they can do if they intercept or change that content. Passive mixed content includes images, video, and audio content, along with other resources that cannot interact with the rest of the page.
Active mixed content interacts with the page as a whole and allows an attacker to do almost anything with the page. Active mixed content includes scripts, stylesheets, iframes, flash resources, and other code that the browser can download and execute.
Learn more about mixed content and managing it via Google’s Web Fundamentals for developers.
Ways to Locate Mixed Content
There are multiple routes you can take to find mixed content. The best route will depend on factors such as your time, your coding ability, and the size of your website. A small five page website could be manually reviewed fairly quickly, but a one hundred page website would take an extensive effort and much more time than most people have to allocate. If your website is large and thousands of URLs, you are looking at a massive undertaking.
Here are some ways you can locate your mixed content issues:
- Request a website audit from a trusted SEO professional.
- Manually review the source code of your website page by page.
- Use Screaming Frog to crawl the website. This is a paid tool, but relatively low cost as it only has an annual fee.
- Use SEMrush to crawl the website. This is a much more expensive tool, but for SEO consultants like me, it is a must-have tool.
- Use JitBit SSL Checker, which is a free online scanner that will scan up to 400 pages of your site.
- Use SSL Insecure Content Fixer WordPress Plugin to scan your site and alert you to insecure resources and help you fix them.
Once your mixed content issues are found, you need to fix the offenders quickly. A far warning is you may need help resolving these issues. While I can fix some myself, I do require the assistance of my developers at times.
Clean Up Your Website Now
Don’t wait until December to review your website. Get ahead of this important change by auditing your website and fixing all those technical SEO issues that creep in. Technical SEO is a core part of today’s SEO and you cannot have high rank and search traffic without a healthy website.
If you’d like professional help auditing or cleaning up your website, we’d love to help. I’ve been doing professional website audits since 2011 and my team has been working with websites since 2009. We’d love to help you clean up your website and boost your SEO.
Thank you for so clearly explaining that. I downloaded that plugin to help. I’m getting a WordPress site ready, but I don’t have Google indexing it yet, so this is perfect timing to learn about this.
Unrelated question: Is there a reason you don’t have a search function on your site? Pros and cons?
Thank you!
I’m glad the article was helpful Carol!
The sidebar of this article actually has a search option on the bottom. Since it is not overly intuitive, I’ve moved it to the top. Thanks for the heads up on that issue.
Hey Rebecca,
Amazing Article !! I have now understood the thing that why the message like ” You are not fully secure” is shown. Due to mixed content, such a website URL shows this message.
Thanks for sharing.
My pleasure! I’m glad it was helpful.
I’m wondering if it will cause any issues with ad network blocks on pages.
I’m not sure Loretta. I’d use one of the above tools to crawl the site and validate it. It is always better to be safe than sorry in these types of situations.
Excellent article Ms. Rebecca.
Thanks for helping all of us do our jobs correctly!
I’m going to have to spend more time surfing. . .this could turn out to be a great ice breaker for introducing my services and helping business owners get this issue corrected.
So does Chrome mixed content errors only apply if an actual SSL in installed? Hence “mixed” content. I’m aware of and have talked to a number of past clients about getting their websites on SSL, but in typical fashion, they just are not getting out of the starting gate. I incorrectly presumed that with all this mixed content hype I’d start getting support calls in January to help with them with these error messages. Hmm. . .
Hi Rebecca,
Thanks for the update. Even SSL will not be purely locked unless all the media and contents of the website are redirecting to the https version perfectly. I have faced this issue already. One of my images was fetched from the old http version then I found the image URL from the console delete the old version and upload it again. Now my SSL is purely locked(Green).