If your website is still running on HTTP rather than HTTPS, you are behind the curve. Google has used HTTPS as a ranking signal since 2014. Every major browser displays a "Not Secure" warning on HTTP pages. In 2026, there is no credible reason not to have HTTPS on your website, and the good news is that it has never been easier or cheaper to set it up.
What is HTTPS?
When you visit a site with a padlock icon in the browser address bar, that site is using HTTPS. The "S" stands for secure, meaning all data transmitted between your browser and the web server is encrypted. On a plain HTTP site, that data travels in clear text and can be intercepted.
HTTPS is made possible by an SSL certificate installed on the web server. Years ago, SSL certificates cost money and required manual configuration. That is no longer the case.
SSL certificates are free in 2026
Thanks to Let's Encrypt, a non-profit certificate authority backed by Mozilla, Google, and others, free SSL certificates are available to any website. The vast majority of reputable web hosts now integrate Let's Encrypt directly into their control panel, meaning you can often enable HTTPS with a single button click.
If your hosting provider does not offer this, that is a strong signal it is time to move to a better host. Free SSL support is a basic expectation in 2026.
Why it matters for your ExpressionEngine site
- Search rankings. Google confirmed HTTPS as a ranking factor back in 2014, and its importance has only grown since. HTTP sites are at a measurable disadvantage.
- Browser warnings. Chrome, Firefox, Edge, and Safari all display "Not Secure" in the address bar on HTTP pages. Visitors filling in contact forms see this warning, and it damages trust.
- Core Web Vitals and Page Experience. Google's page experience signals treat HTTPS as a baseline requirement. Non-HTTPS pages cannot achieve full marks regardless of other performance improvements.
- User confidence. The padlock is a simple, recognised signal of professionalism and care. It matters to visitors, even those who could not explain why.
Installing HTTPS on an ExpressionEngine site
For most ExpressionEngine installations, the process involves three stages:
- Install the SSL certificate. Enable Let's Encrypt via your hosting control panel (cPanel, Plesk, DirectAdmin), or ask your host's support team to do it for you.
- Update your EE configuration. Set your site URL and base URL in
config.phpto usehttps://. Update the site URL in the EE control panel under Admin, General Configuration. - Resolve mixed content. Any hardcoded
http://references in your templates, channel entries, file manager paths, or embedded resources will need updating tohttps://to prevent browser warnings.
In a well-maintained EE installation this is typically a straightforward task. In an older or more complex site, tracking down every mixed content reference can take more time, particularly if content editors have hardcoded URLs into rich text fields over the years.
Already on HTTPS but still seeing "Not Secure"?
Mixed content errors are the most common cause. These occur when a page served over HTTPS loads resources (images, scripts, stylesheets, iframes) via HTTP. Your browser's developer tools, specifically the Console and Network tabs, will show you exactly which resources are causing the problem.
If your ExpressionEngine site needs HTTPS set up or you are dealing with persistent mixed content warnings, get in touch and I can sort it out for you.