What does the “Chrome will show security warnings” message(s) I received mean? And how do I fix it?
August 18, 2017 - SEO
In the last 24-36 hours, millions of webmasters received a message from Google Search Console (formerly Google Webmaster Tools), warning them that their websites will begin showing “security warnings” if they don’t make changes to their site by October 2017.
This isn’t much of a surprise to anyone that’s been follows SEO and Google’s algorithm updates. because Google is doing exactly what they said in a blog post back in April: “Eventually, we plan to show the ‘not secure’ warning for all HTTP pages, even outside Incognito mode.” That time has come.
What Does the “Chrome will show security warnings” Mean?
Getting these type of notifications from Google is always alarming but what do these particular messages actually mean? First let’s start out with what the warning email I received actually says. Here’s a screenshot of the message with my website and URLs blocked out:
Chrome will show security warnings on [website]
To owner of [website],
Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.
The following URLs on your site include text input fields (such as < input type=”text” > or < input type=”email” >) that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, so that you can take action to help protect users’ data. This list is not exhaustive.
If you’re not very technical, you might be concerned (or freaking out a little/lot), but don’t worry too much because you aren’t the only one that’s being targeted. As we mentioned, millions of website owners have received this warning.
So then, what’s wrong with non-secure (HTTP no ‘S’) websites? If you have some technical understanding, then reading that last sentence says it all, but if you need more, I’ll lean on PC World to explain that in layman’s terms:
The danger with HTTP pages is that any data transmitted to them is unencrypted, leaving it open to be spied on. Hackers can intercept the data by compromising internet routers, snooping over public Wi-Fi networks, or through man-in-the-middle attacks that involve impersonating legitimate web services.
In short, it just makes the transmission of data, important or not, much more secure. It used to be just e-commerce sites and any site/page that asked for credit card info or required a password to login had be secure, but Google is now taking that reqruirement wider. Much wider. They want every page, no matter if it’s a meaningless blog post about dry, preserved Chinese sausage, to be treated as though it’s as confidential as your account information when you log into AmericanExpress.com.
Again, it’s no surprise to SEOs. This is just another step in Google’s long goal of securing the web, ensuring user privacy is protected, and their battle against SEO practitioners. They’ve been moving forward on security and user privacy for at least 5-6 years at least.
How to Fix the “Chrome Will Show Security Warnings” Problem</h2>
Now that you have a better understanding of what that message means in the broader sense and what it means to your website, what do you have to do to resolve the issue?
Luckily, it’s pretty simple — you can remove all the offending modules, apps, or code that has any sort of “user text input field” from every page on your site (this includes newsletter sign-ups, search boxes, or contact forms and more). Or you can “secure” your site by purchasing an SSL certificate for your website which will make your site (or pages that have inputs) HTTPS.
Here’s a couple examples of offending “user input fields” on stuarte.co. You can see them in the left nav
Moving to HTTPS isn’t difficult at all — it’s nothing new. Most huge brands and well-known websites have been “secure” for years now because not only because they want the trust of their visitors, but to protect customer data. Not only that, HTTPS is (ironically) better for SEO.
(We say ironically because HTTPS was the move that caused SEOs to lose out on valuable keyword data)
For smaller websites and blogs that aren’t secure, the good news is there will be a slew of webmasters that will be looking to secure their websites moving forward meaning that there’ll be plenty of questions, many running into the same implementation problems, how-to=migrate guides, blog posts and forum threads dedicated to migrating a HTTP site to HTTPS. To start out, here’s a few resources to give you a deeper understanding of what/how to move to secure.
- Secure your site with HTTPS (Google)
- Migrating WordPress to HTTPS / SSL the Easy Way (W3Guy)
- What is an SSL Certificate? (GlobalSign)
You can do the short term way or you can do the long term solve. Depending on your time and resources, it’s better just to go with the solution that fixes it permanently which is spending the money (usually about $10/year) and migrating your website or blog to HTTPS.