This is what we first saw:
Let’s work through how we approached this problem.
WordPress Site Health
Introduced in WordPress 5.2, Site Health is a panel found on your WP admin dashboard. Clicking through brings you to a summmary of your site’s status – a kind of health check on your WP configuration.
Site Health checks issues concerning performance, security and, dependent on your plug ins, factors such as SEO (via Yoast).
Why is HTTPS important?
HTTPS stands for Hypertext Transfer Protocol Secure.
What it signifies is secure communication to and from a website. Visitors will be assured of a site’s authenticity as well as knowing their communications and identity are kept private.
This is essential for ecommerce because payment details are encrypted, but is also highly desirable for all sites as it demonstrates trustworthiness.
How do we check our website security?
The browser you use when you visit a secure site will display a padlock symbol in the url address bar. The url will be proceeded by ‘https’. Some also colour the site url in green as further indication.
Modern browsers go further and proactively warn you if you are about to visit a site that does not certify as secure.
What is the solution?
So, why is Site Health warning me that my site is not secure?
Check the url. HTTPS is displaying, as is a green padlock. I check my site in different browsers. Firefox is my default but both Safari and Chrome report no problems. Hmmm.
Check the security certificate. An SSL certificate is the authorisation that a site is genuine and allows access over HTTPS. Trusted authorities issue these via web hosting companies, related parties or directly, for example Lets Encrypt, a non-profit issuer.
Certificates need to be renewed regularly, so perhaps it was out of date.
In my case the certificate is issued by Cloudflare as part of their free tier of CDN services. It checked out as active and in date. Now what to try?
What does Google think? Other search engines are available (shout out to DuckDuckGo) but the boss of search is the big G. If they have a problem with my site security then that could be catastrophic for my rankings and SEO efforts.
Taking a look at Google Search Console and Analytics shows no security issues and no change in visitor traffic. Google seems to be happy.
Conclusion. One source (WP Site Health) reports a serious problem. Several other, varied sources do not confirm any effects of that problem. I’m tending to believe that there is no real issue and instead a bug in Site Health is misreporting an issue.
Another of my sites (same host, same WP configuration) which has a different certificate authority has no reported problem.
I am willing to bet that a conflict exists between WP Site Health and Cloudflare SSL certificates. Further, particularly as there is no real world consequence of this HTTPS issue, I am going to do precisely nothing about it from my side. After my initial fright I am comfortable in ignoring this ghost of a problem.
I will keep an eye on Search Console and post my thoughts on the WP forum, but otherwise just wait for an update.
As of April 15th, the WordPress update to 5.7.1 has removed the warning from Site Health. Yay! I will keep an eye on it for a while but IMHO this is fixed… for now at least.
Postscript: I have deliberately kept details of HTTPS, SSL, Google’s services etc brief. Wikipedia, W3C and any of the big hosts will have more comprehensive information if you want to seek it out.