Back in the dark ages of 2012, I posted about the benefits of encrypted web traffic, but https was a pain to implement for small websites and frankly, there was no incentive to be ahead of the curve when only 5% of websites were secure.
Times have changed, and a majority of websites are now using https. Google’s choice in 2016 to flag http-based websites as insecure in their popular Chrome browser had its intended effect. What started with sites containing password forms and credit cards has now become the status quo.
So what about small websites? Well, you can get a free SSL certificate from Let’s Encrypt and many hosts are installing them automatically. From there, it’s just a matter of enforcing https throughout the site, so even legacy links (e.g., my old theme pointed to its CSS file using an http link) are transformed to their secure equivalents. On WordPress, if you don’t want to touch your config files, you can get a plugin to do this for you.
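A check for the legacy http references mentioned above, as an added example that is not part of the original post: it lists every `http://` resource a page still loads and whether it sits on your own host (rewrite it to https) or a third party's (confirm that host serves https first). The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose URL the browser fetches (or submits to) for the page.
FETCH_ATTRS = {
    "link": ("href",), "script": ("src",), "img": ("src", "srcset"),
    "iframe": ("src",), "source": ("src", "srcset"), "form": ("action",),
}
# <link> only loads a resource for these rel values (rel=canonical does not).
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}
# Constructed sample page: one legacy theme stylesheet, one mixed srcset entry.
SAMPLE = """<html><head>
<link rel="canonical" href="http://blog.example/post">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/old/style.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="/logo.png" srcset="http://img.example/a.png 1x, https://img.example/b.png 2x">
</body></html>"""

def urls_in(attr, value):
    """Return the URL(s) in an attribute; srcset is a comma-separated list."""
    parts = value.split(",") if attr == "srcset" else [value]
    return [p.split()[0] for p in parts if p.strip()]

class InsecureRefFinder(HTMLParser):
    """Collect (line, tag, attr, url, owner) for every http:// resource."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        values = {name: value or "" for name, value in attrs}
        rels = set(values.get("rel", "").lower().split())
        if tag == "link" and not LINK_RELS & rels:
            return
        for attr in FETCH_ATTRS.get(tag, ()):
            for url in urls_in(attr, values.get(attr, "")):
                parts = urlsplit(url)
                # https, relative and protocol-relative URLs are left alone.
                if parts.scheme.lower() == "http":
                    own = (parts.hostname or "") == self.site_host
                    owner = "own" if own else "third-party"
                    self.findings.append((self.getpos()[0], tag, attr, url, owner))

def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling `find_insecure_refs(SAMPLE, "blog.example")` reports the theme stylesheet on line 3 and the first `srcset` candidate on line 6; plain `<a href>` links are skipped because they navigate rather than load content into the page.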
There’s now no excuse to put your site’s visitors at risk. But some of the biggest sites in the world still do. If you use one of the 100 insecure sites listed at https://whynohttps.com/, you can first be appalled, then move your traffic elsewhere.