19 Comments

  1. Jim Walker

    Re: “Additionally, our auto-installer is being updated to install all new WordPress sites as https-ready.”

    New websites with no content – not much of an issue.

    Existing websites auto install and configure all internal links and WordPress settings without customer involvement… A nice challenge (not sure it’s even possible).


  2. Marcelo Pedra

    Hello guys. Besides the article looks a bit biased, I just wanted to mention that all cPanel based hosting providers are actually entitled to auto issue Let’s Encrypt certificates. And to auto renew them too. We started doing that in past November.

    We also preconfigured Softaculous to choose https protocol by default for new installations.

    So, if your provider is based on cPanel and still not providing Let’s Encrypt certs, just ask them to enable that NOW. Because it’s just a switch to turn on for the cPanel sysadmin ;)

    Also, in a couple of months from now, cPanel v62 or v64 will automatically issue the certs as soon as you create the account.

    So, credit must be given: say thanks to cPanel’s awesome staff of engineers for making this integration possible :)

    Best regards


    • Hristo Pandjarov

      We’ve developed our own Let’s Encrypt integration back in February 2016. Also, we were the first provider to enable certificates installation with a single click and renewal that is activated automatically without any further interaction required.

      AutoSSL wasn’t available in stable, public release until August 2016 and again – it requires manual action to install the certificate.

      Right now, we’re automatically installing certificates on all new domains, added to our accounts – something that none of our competitors does. Or at least the ones I am aware of.

      Of course, in months to come, tools will be released and more people will add them to their services. Which is good, because eventually, more people will have encrypted websites. However, we’ve always strived to stay ahead of everyone else and adopt the technology we need and believe is beneficial for our customers first.


  3. Brin Wilson

    That’s great news – really great to see SiteGround blazing the way here… are there any other hosts about to do this yet I wonder…? It’s only a matter of time until we’ll see this as completely standard practice I guess, hopefully (although I’ll bet it will take a fair number of hosts quite a while to catch up). :)


  4. Julio Maysonet

    Thanks for sharing.

    That’s really nice of Siteground to do that for their customers.

    I deal with a few Domain Registrars and I haven’t heard of anyone doing this for their customers yet.


  5. Mustaasam Saleem

    A good step. Worried how internal links will work on existing sites? As they need a bit more work to make the site completely compatible with https.


  6. Wassim

    I don’t know if this is good news or bad news. The biggest problem with Let’s Encrypt is that it democratizes access to https for anyone. And while, on the surface, this should be positive, the fact that this will make things easier for people with bad intentions scares me a little bit.

    Most website visitors won’t know the difference between the https “green bar” with just a padlock and the one which includes the company name next to the padlock. And they will give them the same level of trust.

    What most people don’t realize is that a secure connection to an untrustworthy website doesn’t mean it’s safe to use.

    I’m curious what SiteGround, or any other web host, have to say about this.


    • Hristo Pandjarov

      I personally don’t think that this is a problem at all since cheap, domain-validated certificates have been around for ages and any site can purchase and install those.

      Encrypted connection protects visitors from a variety of attacks and possible exploits. Now, whether they will willingly go to a dangerous site is up to the given individual to decide. I don’t really think that someone will decide to share information or even make a purchase solely because of a green padlock in their browsers. On the contrary, a red “INSECURE” label is scary enough at least to make them check twice whether that’s a legitimate website :)


  7. peter

    How are they going to do this? I have a lot of questions… Does SiteGround plan to fix all the mixed media, broken links and other transitional issues that arise from a website HTTP to HTTPS migration? Will they readjust Google Search and Analytics settings to be applied to the HTTPS website?

    What if a business wants an OV or EV certificate? Or, a cert from a different CA? Will they have to clean up the Let’s Encrypt mess before installing those certs?


    • Hristo Pandjarov

      Right now, we’re working on a way to reconfigure WordPress, fix all mixed media resource requests and force the https usage with the push of a single button.

      Since we don’t have any access to Google service, that will be up to the customer to edit and fix.

      As to your other question, we will continue selling wildcard and EV certificates. The customer doesn’t have to uninstall the LE certificate manually and install the new one – we will take care of this :)


  8. Mark Roth

    I’ve been considering a switch from HostGator to SiteGround. This policy-practice-provision tips my scales further toward SiteGround. And Hristo’s helpful, polite interactions here almost push me headlong into the jump. :D Thank you, sir, for staying classy with your answers.


  9. Jeffrey

    Nice job SiteGround


  10. MaAnna

    At least this explains what I’ve been seeing suddenly in site audits for non-converted sites.

    There are two instances of AWStats now, one for SSL and one for non. Bots are hitting on the SSL version.

    And because of the way the server listens on the different ports, there is no redirect to the http version.

    Seems to me that bots, including bad ones, can now run end around any security measures or firewalls set up for the http version, all without the site owner’s knowledge.

    And, should a host, that doesn’t offer managed hosting services, take it upon themselves to convert sites? There’s a LOT of things that can be adversely affected, like a podcast or RSS feed. Not to mention the changes that need to happen for 3rd party accounts, like Google. No instructions are given to the clients for that.

    Plus, when they do convert just a database, is relying on a plugin the best method for mopping up the rest of the mixed media and other issues? I don’t think so.

    I understand about wanting to make things easier on non-techie site owners. But, I’m not sure this is the best way to do that.


    • Hristo Pandjarov

      What we’re trying to do is to provide our customers with a “single-click” solution to enable, configure and force the https usage on a WordPress website. I don’t see us forcing https on all customers any time soon to be honest because as you said, that would affect a lot of different scripts. I think that would happen naturally in the course of time, especially when certain features in WordPress become available only for sites with SSL configured.

      As to your security concerns, if a firewall relies on http requests, it’s simply not a good firewall and I would look for an alternative. Besides, we wouldn’t do such change without informing our customers beforehand.


  11. Jakson

    I switched to SiteGround a couple months back for a few reasons and it’s been mega cool.

    Used the Let’s Encrypt feature the other day and it was a complete walk in the park.

    WooCommerce SSL check-out in under 3 minutes – nice.

    Totally recommended.

