SSL sadness with GoDaddy

Short version

• GoDaddy uses their SSL certificates as a cash cow, and hopes you won’t know any better to not pay $$$ for something others give you for free as part of their basic package
• seriously, SiteGround has free SSL on ALL of their plans
• Cloudflare’s flexible SSL is a godsend if you can’t be bothered to move from GoDaddy
• SSL Insecure Content fixer plugin for WordPress will help you a lot

Long version

I think GoDaddy is unreasonable when it comes to charging for their SSL certs.

The story began a few days ago when a friend of mine wanted to showcase her skills on a purpose built website, as part of her application to different companies. My response was along the lines of “This is awesome, though it’s http only — not secure.”

That got her thinking. Yes, Chrome was showing Not Secure in the URL bar too, which is a tad jarring. “Don’t worry, all we need to do is get you an SSL certificate, and your site is going to be served over https.”

:-)

Yeah, turns out it’s not straightforward on GoDaddy without paying through the nose.

SSL on GoDaddy is a rip-off

She’s on Managed Hosting. GoDaddy’s offering was $74.99 (as of 4th June, 2018, 09:41am GMT+1, currently discounted at $59.99/yr for the first year) at a time where everyone else pretty much just gives you the SSL for free.

Okay, so let’s not buy GoDaddy’s SSL. There’s Cloudflare, and I can get a free one.

Cloudflare and free SSL

Sign up for Cloudflare, change nameservers, turn on flexible SSL, turn on https redirect, and only https traffic, and that should be it, right?

Sort of. For whatever reason some of the enqueued scripts and images in the content wouldn’t update to using https, despite the rewrite.

So let’s change the configured home and site url to use https.

Which we can’t. The fields are disabled, most probably because the values are declared as constants in the wp-config.php file, but there’s also a notice to call support, because they’ll do it for you.

Which they’ll start with upselling the $74.99 SSL cert.

Nope.

Enter SSL Insecure Content Fixer plugin

This one: https://wordpress.org/plugins/ssl-insecure-content-fixer/.

It has varying levels of functionality. For a well built site, the “content” level is going to be enough. That does the following:

• it filters the URL with which scripts and styles are enqueued, and replaces http:// with https://
• filters media include URLs and turns them to https
• filters the_content, and swaps included images to use https

And bam, just like that, the site is now on https.

Alternatives

GoDaddy should not be pricing the SSL certs so high. For comparison, this is SiteGround (as of 4th June, 2018, 09:41am GMT+1), where even their most basic offering has free SSL included.

Closing thoughts

I tried pinging folks from GoDaddy for a while on PostStatus Slack team, because I know there are a few of them there, but no one responded.

I get that GoDaddy is publicly traded, and as such, their first and foremost concern is to make money, but they’re also big enough to be able to influence a large part of the internet. Advocating for security and safety should absolutely be part of that responsibility — which, ironically, they’re doing with the blue call-out to Google’s Not-Secure initiative —, but with predatory pricing like that, it paints a very different picture.

Most consumers who end up using GoDaddy aren’t knowledgeable about the internet, and they’d believe what their host tells them, because the host knows best, right? It’s taking advantage of people who don’t know any better, and it makes me sad :(.

If you’re a consumer on GoDaddy, migrate to SiteGround.

I don’t get paid for this, it’s merely based on two things:

• SiteGround is big enough as well
• they also have very affordable plans for hosting, and
• they give you free SSL
• and I want your site to be on https

Now go forth and put the locks on your sites!

Photo by Casey Allen on Unsplash