You have probably noticed that little padlock icon in your browser when you visit a website. Maybe you have wondered what it means, or whether your own website has one. This guide explains what that padlock is, why it matters, and what you should do if your site is missing it.
What HTTPS actually means
HTTPS stands for HyperText Transfer Protocol Secure. Do not worry about remembering that. All you need to know is that it is the secure version of the system your website uses to send information back and forth between your site and your visitors.
Think of it like this. When someone fills in a contact form on your website, that information travels across the internet to reach you. Without HTTPS, it travels in plain text, a bit like sending a postcard. Anyone who intercepts it along the way can read it. With HTTPS, that same information is scrambled (encrypted, meaning turned into unreadable code) before it leaves the visitor's browser, so only your website can unscramble it at the other end.
The padlock icon simply tells your visitor that this encryption is in place and that they are connected to your real website, not a fake copy.
What is an SSL certificate?
HTTPS is made possible by something called an SSL certificate (Secure Sockets Layer, a technology that creates a secure connection). This is a small digital file that lives on your web server (the computer that hosts your website) and proves two things: that your website is who it claims to be, and that data passing between the site and the visitor is encrypted.
Your hosting provider (the company you pay to keep your website live) usually installs this certificate. Many providers include one for free these days, so there is a good chance you already have the option available without any extra cost.
Note: Having an SSL certificate installed does not automatically mean your whole website is running on HTTPS. Some sites have the certificate but still serve certain pages over the old, unencrypted connection. Check every page, not just your homepage.
Why your small business website needs it
Your visitors expect it
Browsers like Google Chrome and Firefox actively warn visitors when a site does not have HTTPS. Instead of a padlock, they show a "Not Secure" warning in the address bar. For a bakery, a plumber, or an online shop, that warning is the digital equivalent of a cracked window and a broken front door. Even if a visitor is not quite sure what it means, it makes them uneasy.
Research consistently shows that visitors leave sites with security warnings rather than risk entering their details. Those are potential customers walking away before they have even read your menu or looked at your prices.
Google takes it seriously
Google has confirmed that HTTPS is a ranking signal, meaning a factor that influences how high your website appears in search results. If your site does not have HTTPS and a competitor's site does, that competitor has an advantage in Google searches, all else being equal.
It is not the biggest ranking factor going, but for a small local business where every edge counts, it is a straightforward win that costs very little to sort out.
It protects your customers and your reputation
If your website has a contact form, a booking form, or anywhere customers type in personal details, you have a responsibility to handle that information safely. HTTPS is a basic part of meeting it.
Under UK data protection law (GDPR, the General Data Protection Regulation, which sets rules on how businesses collect and handle personal data), you are expected to take appropriate technical measures to protect personal data. Running a contact form over an unencrypted connection is the kind of thing that could raise eyebrows if something went wrong and you were ever asked to account for your practices.
Warning: If you take any payments directly on your website, HTTPS is not optional. It is an absolute requirement. Any reputable payment provider will refuse to operate on a non-HTTPS site, and rightly so.
How to check whether your site has HTTPS
The quickest way is to type your web address into a browser and look at the very start of the address. If it begins with https:// and shows a padlock icon, you are in good shape. If it begins with http:// (no S) or shows a warning, you have work to do.
Check a few pages beyond your homepage too. Look at your contact page, your about page, and any page with a form on it. Some sites have a mixed setup where the homepage is secure but other pages are not.
While you are at it, take a look at your security headers as well. They are another layer of protection that most small business sites are missing entirely.
How to get HTTPS set up
For most small business websites, this is neither expensive nor particularly complicated. Here is what to do depending on your setup.
:::card WordPress (hosted with a provider like SiteGround, Kinsta, or similar)
Log into your hosting account's control panel. Look for an option called SSL or Let's Encrypt (a free SSL provider). Enable it. Then install a free plugin called Really Simple SSL, which automatically redirects all your pages to the secure version. Done.
:::
:::card Squarespace
Squarespace handles SSL automatically for all sites on paid plans. Go to Settings, then Domains, and make sure the HTTPS option is switched on. If your domain is connected but not showing HTTPS, check that your domain is fully verified in the Domains panel.
:::
:::card Wix
Wix enables SSL automatically for all sites. If for any reason yours is not showing the padlock, go to your Wix dashboard, click Settings, then SSL, and toggle it on. If the option is greyed out, contact Wix support directly.
:::
:::card Shopify
Shopify includes SSL for all stores by default. If your custom domain is not showing HTTPS, the issue is usually with how the domain is connected. Check your domain settings in the Online Store section and follow Shopify's domain setup instructions for your domain registrar (the company where you bought your web address).
:::
:::card Custom or bespoke website
Contact your web developer or hosting provider and ask them to install an SSL certificate and redirect all HTTP traffic to HTTPS. If they use cPanel (a common hosting control panel), they can often do this in minutes using a free Let's Encrypt certificate. If they want to charge you a large fee for this, it is worth getting a second opinion.
:::
Note: After switching to HTTPS, check that old HTTP addresses automatically redirect to the new HTTPS versions. If both versions of your site are accessible at once, this can cause problems with how Google indexes (lists and ranks) your pages.
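The page-by-page check described earlier and the redirect check in the note above can be scripted. This is an added example, not part of the original guide: the verdict wording, the host `example.test` and the sample responses are constructed assumptions, and a temporary redirect is flagged only as a warning.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301: "permanent", 308: "permanent", 302: "temporary",
             303: "temporary", 307: "temporary"}

def bare(hostname):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    hostname = (hostname or "").lower()
    return hostname[4:] if hostname.startswith("www.") else hostname

def classify(status, location, host):
    """Judge the response to a plain http:// request for one page."""
    if status not in REDIRECTS:
        return "FAIL: page answered over plain HTTP (status %d)" % status
    target = urlsplit(location or "")
    # A relative Location ("/contact/") keeps the visitor on http://.
    if target.scheme != "https":
        return "FAIL: redirect does not go to https://"
    if bare(target.hostname) != bare(host):
        return "WARN: redirects to another host (%s)" % target.hostname
    if REDIRECTS[status] == "temporary":
        return "WARN: HTTPS redirect is temporary (status %d)" % status
    return "OK"

def fetch_http(host, path, timeout=10):
    """One HEAD request over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(host, paths, fetch=fetch_http):
    """Map each path to its verdict. `fetch` is swappable for offline runs."""
    return {p: classify(*fetch(host, p), host) for p in paths}

# Constructed responses imitating a "mixed setup" site (not real data).
SAMPLE = {"/": (301, "https://example.test/"),
          "/contact": (200, None),
          "/about": (301, "http://www.example.test/about"),
          "/book": (302, "https://www.example.test/book")}

def sample_fetch(host, path):
    return SAMPLE[path]

if __name__ == "__main__":
    for page, verdict in audit("example.test", SAMPLE, sample_fetch).items():
        print(page, "->", verdict)
```

To check your own site, call `audit` with your domain and a list of page paths and leave out the third argument, so that it makes real requests.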
One more thing worth knowing
HTTPS protects the connection between your site and your visitors. It does not make your website invincible. It is one layer of protection, not the whole picture. Phishing sites (fake websites designed to trick people) can have HTTPS too, so the padlock means the connection is secure, not necessarily that the site itself is trustworthy.
Other security measures are worth having alongside HTTPS. If you use email with your business domain, for example, look into DMARC, which helps prevent criminals from sending emails that appear to come from your address.
Security is not a single thing you fix once and forget. It is a set of sensible habits and basic protections. HTTPS is simply where the list starts.
Check your own site for free
If you are not sure whether your site has HTTPS set up correctly, or you want to see what else might need attention, run a free check at website.auditmy.co.uk. It takes about thirty seconds and gives you a plain-English summary of what is working and what is not, with no technical knowledge required to understand the results.
Tip: While you are looking at your site's security, check your security headers too. Most small business sites score zero on their first check, and fixing them is often simpler than you might expect.
The short version
HTTPS encrypts the information that passes between your website and your visitors. It shows as a padlock in the browser. Without it, visitors see a "Not Secure" warning, Google gives you a slight disadvantage in search results, and you are not handling your customers' data properly. For most websites, it is free to set up and takes less than an hour. There is really no good reason to leave it switched off.