Site traffic affected by having SSL automatically turned on

[JJ100]

According to my host (who I initially blamed for this), SSL was automatically turned on by cPanel updates. This is a HORRIBLE practice and it should default to off not on. For months I was unaware that SSL had been turned on automatically by cPanel, therefore I couldn't respond in time to the SEO damage it has already caused my site. Not everyone wants/needs SSL, or has sensitive data on their site to protect.

This has done irreversible damage to my site's traffic (and lost ad revenue) now that -- since their algorithm is thinking we are an HTTPS compatible site -- Google has started indexing the wrong page version (https instead of http). So now my site is fragmented into 2 parts -- http and https, getting "trying to load dangerous scripts" errors, etc etc. This has even caused important scripts to stop working on my post popular page. And of course this just HAD to happen during the absolute busiest time of the year for my site, when I was about to take my site to the next level as far as amount of traffic (I was getting 40,000/day, now it's down to 20k and sinking). Again, thanks cpanel!!

Thank you cPanel for the the huge headache I didn't need, when I'm already backed up spending many hours redesigning my site and features, and the financial damage this dumb setting has created. How 'bout next time you let us choose our settings instead of assuming everyone needs https enabled.

 

[rpvw]

Back in 2001 I think it was, many search engines started to talk about an intended shift towards preferring SSL sites, and potentially penalising search positioning for non SSL sites.

Apparently, cPanel started planning it's own project at that time, and the AutoSSL feature was introduced in v58, that I believe was issued around July 2016. See the following cPanel Blog post and make a note of the date! cPanel & WHM's AutoSSL | cPanel Blog

Website owners have had YEARS to plan and prepare their sites for migrating over to SSL, and whilst the AutoSSL facility was made available to cPanel users, and the control of the certificates and what parts of the domain they covered, were refined over a number of versions, and I don't believe that there was ever/is a WHM/cPanel defined default setting to force a site to use SSL.

To force a search robot or viewer to use SSL, one would normally have to make an entry into the site .htaccess – so either you did this, your deployed CMS software did it during an update, or your web host did it for you. It is also possible that your web host has configured the whole of their hosting environment to only use SSL, but this would have been their choice, not as a result of any cPanel update or upgrade. (And if your web host had configured the hosting environment to force SSL, I am sure their intention was to help, and protect their clients, possibly from themselves, and not just to make your life difficult)

The fact that you are now being supplied – FREE of charge – with a usable SSL certificate from your web host should be cause for celebration that you can now comply with the search engine requirements at no further expense, not winging about it on this forum !

For months I was unaware that SSL had been turned on

Given that you claim that search position is of such paramount importance to your web-site generated revenue, I have trouble reconciling your accusations to any care and attention on your part for the changing trends and standards of the industry.

Perhaps if you had paid more attention to your website statistics, and the new features and utilities that cPanel updates provides to make YOUR life easier, you would have seen the introduction of the AutoSSL over a year ago, and not have to make posts that try to shift your negligence onto cPanel, or your web host, or indeed, anyone else.

Whilst I am often guilty of criticizing cPanel if I feel it is deserved, your post blaming cPanel is both grossly unfair and unjustified.

The bottom line is; if you don't have the time, or can't look after your own web site, pay someone that can !

I must go, its snowing again.

 

[JJ100]

Thanks for the not much help, assumptions, and wannabe lecture.

I don't believe that there was ever/is a WHM/cPanel defined default setting to force a site to use SSL.

Well seeing as how this was the entire basis of my "whining", don't you think you'd reference this a little more? Either it's auto-enabled, or my host is lying. I didn't enable it or any software, and when I blamed my host, they said it was cPanel.

Given that you claim that search position is of such paramount importance to your web-site generated revenue, I have trouble reconciling your accusations to any care and attention on your part for the changing trends and standards of the industry.

Perhaps if you had paid more attention to your website statistics, and the new features and utilities that cPanel updates provides to make YOUR life easier, you would have seen the introduction of the AutoSSL over a year ago, and not have to make posts that try to shift your negligence onto cPanel, or your web host, or indeed, anyone else.

Whilst I am often guilty of criticizing cPanel if I feel it is deserved, your post blaming cPanel is both grossly unfair and unjustified.

The bottom line is; if you don't have the time, or can't look after your own web site, pay someone that can !

SSL was never a mandate. cPanel just gave me a fat unneeded headache, not "make my life easier". Not considering the user and not considering potential SEO risks is THEIR negligence. Since my site doesn't have sensitive data, I was willing to live without SSL for the time being, or implement it at MY OWN choosing and timing that makes sense, not cPanel's. Lol that's hilarious you're trying to blame my "negligence" when somehow my site was doing JUST FINE traffic wise and monetarily without 3rd party INTERFERENCE. If cPanel wasn't enabled, I wouldn't have this problem. Period. Who is cPanel to assume that everyone wants/needs SSL enabled? It needs to be changed or they'll see more complaints from other website owners.

 

[Infopro]

Either it's auto-enabled, or my host is lying.

Your Hosting Provider enables, or doesn't, AutoSSL for accounts on his server.

 

[cPanelLauren]

Hello,

Can you clarify what you mean by "defaulted SSL to ON". We have always allowed you to have SSL VirtualHosts so long as you had an SSL certificate (valid or self-signed). The behavior is now and should have always been if you didn't want https traffic you need to implement a redirect to force traffic from https -> http or disallow connections over 443 the first being really the only recommended course of action (while disabling SSL is not at all recommended)

If the issue is that you were issued a free certificate from a valid CA while I apologize to you for the inconvenience we did announce that we would be introducing AutoSSL long before it was released as noted by @rpvw. This can be managed by your provider and in newer releases you can manage this as well in cPanel>>Security>>SSL/TLS Status where you can exclude domains from receiving certificates if you would like.


Thank you.

 

[JJ100]

Hello,

Can you clarify what you mean by "defaulted SSL to ON". We have always allowed you to have SSL VirtualHosts so long as you had an SSL certificate (valid or self-signed). The behavior is now and should have always been if you didn't want https traffic you need to implement a redirect to force traffic from https -> http or disallow connections over 443 the first being really the only recommended course of action (while disabling SSL is not at all recommended)

If the issue is that you were issued a free certificate from a valid CA while I apologize to you for the inconvenience we did announce that we would be introducing AutoSSL long before it was released as noted by @rpvw. This can be managed by your provider and in newer releases you can manage this as well in cPanel>>Security>>SSL/TLS Status where you can exclude domains from receiving certificates if you would like.


Thank you.

I don't know all the details of this, I haven't researched enough about servers, I do more of the front end stuff. All I know is HTTPS pages started popping up in Google these last few weeks and started competing with my HTTP pages, hurting SEO. This has never happened and I've had this website for years. So... what changed? Google wouldn't have indexxed the HTTPS pages if they didn't get some type of go ahead that HTTPS was functional.

Also I would love to do a HTTPS > HTTP redirect but I've researched this and it's not a good idea because users would still get that warning.

What I need to know is under "Manage Installed SSL Websites", is this auto-installed to connect to the websites and does cPanel control this and enable it as the default or does the host configure that?

 

[cPanelLauren]

What I need to know is under "Manage Installed SSL Websites", is this auto-installed to connect to the websites and does cPanel control this and enable it as the default or does the host configure that?

All of this is configurable by the hosting provider. cPanel does not modify the settings in this respect. New installations of cPanel do default to AutoSSL being enabled but the setting is not changed on existing.

 

[JJ100]

All of this is configurable by the hosting provider. cPanel does not modify the settings in this respect. New installations of cPanel do default to AutoSSL being enabled but the setting is not changed on existing.

Ok well I just upgraded to a new server so that makes sense. But I think it's terrible practice by both cpanel to auto-enable it and also by hosts to keep it configured as enabled. Give the clients the control, because not enough technical decisions are factoring in potential SEO issues. SSL is something that should be chosen/requested by the client as an add-on, not a auto-enabled default. This completely messed up my traffic + messed with a future move to SSL and a new domain.

 

[cPanelLauren]

Hi @JJ100

But I think it's terrible practice by both cpanel to auto-enable it and also by hosts to keep it configured as enabled.

Please feel free to open a feature request using the link in my signature to suggest having this behavior modified if you believe that it should be changed.

Give the clients the control, because not enough technical decisions are factoring in potential SEO issues. SSL is something that should be chosen/requested by the client as an add-on, not a auto-enabled default.

While I do understand that you experienced an issue because you were unaware you had an SSL added to your site, I will say that not only do you have control over the settings in your cPanel but we do announce these things far in advance. I would suggest keeping informed with our blog as well as our release notes/change logs:

cPanel Blog | From the Inside
Change Logs - Change Logs - cPanel Documentation

 

[Anupam SG]

FWIW, for Google(or Bing for that matter) to display the HTTPS version of your site in search results, requires someone to:

1. Log-into Webmaster tools and manually submit a sitemap for the HTTPS version.
2. Set it as the preferred-version of the site over the HTTP version manually in the Webmasters tools.

Note these are two separate actions which had to be done manually & independent of each other.

Ergo, blaming CPanel for any dip in traffic, or for any iteration of AutoSSL changes, is completely unjustified.

 

[JJ100]

FWIW, for Google(or Bing for that matter) to display the HTTPS version of your site in search results, requires someone to:

1. Log-into Webmaster tools and manually submit a sitemap for the HTTPS version.
2. Set it as the preferred-version of the site over the HTTP version manually in the Webmasters tools.

Note these are two separate actions which had to be done manually & independent of each other.

Ergo, blaming CPanel for any dip in traffic, or for any iteration of AutoSSL changes, is completely unjustified.

Wrong. a) I don't even have a site map b) never did #1 or #2 and yet HTTPS showed up in google, because google probably prefers HTTPS.

Your opinion it's unjustified. SSL should be OPTIONAL, not force-fed.

 

[JJ100]

Hi @JJ100



Please feel free to open a feature request using the link in my signature to suggest having this behavior modified if you believe that it should be changed.



While I do understand that you experienced an issue because you were unaware you had an SSL added to your site, I will say that not only do you have control over the settings in your cPanel but we do announce these things far in advance. I would suggest keeping informed with our blog as well as our release notes/change logs:

cPanel Blog | From the Inside
Change Logs - Change Logs - cPanel Documentation

The damage is already done, so great I was the guinea pig. I seriously should get compensation for this. I've lost ad revenue from this. I guarantee I won't be last one who gets screwed over by this setting. And it's impractical for users to have be caught up cpanel's blog to prevent something that should've been common sense.

What client wants something out of their control or force-fed? SSL is not one of those must-have default features. SSL has always been considered (or should've been considered) an add-on and at the discretion of the user.

 

[cPanelLauren]

Hi @JJ100

The thread here:Problem with automatically generated self-signed SSL certificates

goes over in-depth some of the reasons we implemented this configuration. I believe that your concerns are also highlighted in some responses in this thread as well. While this is involving automatically generated self-signed certificates it does tie into the issue that you're experiencing and may help to address some of the concerns you're having.

With that being said this is optional - if you do not have access to WHM your hosting provider is ultimately responsible for maintaining this. As I've said before I really am sorry that this has been a disadvantage to you and we do greatly appreciate your feedback from your experience I do need to stress that this is completely configurable by the user. We offer extensive documentation in the event you're unsure how to use the product for both the cPanel user as well as for Administrators. We make every effort possible to communicate changes through our blog, release/changelogs, documentation, the feature showcase in WHM.

Thanks!

 

[rpvw]

Thank you for pointing out to Google and Firefox and Microsoft and Apple and Plesk and cPanel and....well....everyone else that does business in the world of the web hosting industry; that the decision to bias search indexing towards sites that ran properly configured SSL was entirely the wrong thing to do !

It is incredulous to consider your insistence that somehow, the incentive to offer free SSL certificates to end users; who could then choose to implement them, or not, was wrong, or immoral, or violated your rights by forcing it on you by some undetermined method.

Perhaps you should be writing to Google to complain that they should never have decided to prefer sites that run securely under SSL, instead of wasting our time here. And while your at it, inform the governments of the world that have implemented requirements and legislation like the GDPR and other security and privacy measures; that they got it all wrong as well.

I could have posted any number of links that would support the justification for SSL, and what a extraordinarily good incentive it was for cPanel, and others, to start offering SSL certificates free of charge, and without having to run on a dedicated IP as well, and how running a site under SSL would actually improve its SEO and ranking - but I don't anticipate any expectation of being able to engage further in a reasonable, and rational, exchange of ideas and information.

I wish you the very best of luck with your endeavours.

 

[JJ100]

Thank you for pointing out to Google and Firefox and Microsoft and Apple and Plesk and cPanel and....well....everyone else that does business in the world of the web hosting industry; that the decision to bias search indexing towards sites that ran properly configured SSL was entirely the wrong thing to do !

It is incredulous to consider your insistence that somehow, the incentive to offer free SSL certificates to end users; who could then choose to implement them, or not, was wrong, or immoral, or violated your rights by forcing it on you by some undetermined method.

Perhaps you should be writing to Google to complain that they should never have decided to prefer sites that run securely under SSL, instead of wasting our time here. And while your at it, inform the governments of the world that have implemented requirements and legislation like the GDPR and other security and privacy measures; that they got it all wrong as well.

I could have posted any number of links that would support the justification for SSL, and what a extraordinarily good incentive it was for cPanel, and others, to start offering SSL certificates free of charge, and without having to run on a dedicated IP as well, and how running a site under SSL would actually improve its SEO and ranking - but I don't anticipate any expectation of being able to engage further in a reasonable, and rational, exchange of ideas and information.

I wish you the very best of luck with your endeavours.

Apparently you didn't even read my complaint...

Of course SSL is great. I was planning on installing it when I moved to a new domain. That's not the issue.

The issue is it's AUTO-installed by cpanel by default. Because of potential SEO conflicts between http vs https, this is something that the USER should configure, aka MANUALLY install. It shouldn't be some default if you upgraded to a new server. I guess you guys like having video ads auto-play too when you visit a website? Or the default is you have to constantly "opt-out" to prevent things? Or maybe you like having things force-fed? Maybe it's just me...

It seems that cpanel wants to blame my host, and my host wants to blame cpanel. Either my host installed it when they configured the new server (something I never asked for), or cpanel auto-installed it. Which is it?? Due to history, my understanding when I upgraded my server is that SSL was MANUALLY installed. I've upgraded many times from the same host, but this was the ONLY time SSL was auto-installed - which I'm guessing is due to cpanel's NEW defaults. Basically if I upgrade to a new server (not new domain) on any host, I shouldn't have to worry about something being installed if I didn't ask for it. SSL has always been an ADD-ON. Having this control is especially important due to how QUICK "https" can show up in Google. And once it's there, you're screwed because then you have your http pages competing with your https.

 

[JJ100]

Hi @JJ100

The thread here:Problem with automatically generated self-signed SSL certificates

goes over in-depth some of the reasons we implemented this configuration. I believe that your concerns are also highlighted in some responses in this thread as well. While this is involving automatically generated self-signed certificates it does tie into the issue that you're experiencing and may help to address some of the concerns you're having.

With that being said this is optional - if you do not have access to WHM your hosting provider is ultimately responsible for maintaining this. As I've said before I really am sorry that this has been a disadvantage to you and we do greatly appreciate your feedback from your experience I do need to stress that this is completely configurable by the user. We offer extensive documentation in the event you're unsure how to use the product for both the cPanel user as well as for Administrators. We make every effort possible to communicate changes through our blog, release/changelogs, documentation, the feature showcase in WHM.

Thanks!

I'm either not understanding you correctly or you keep contradicting yourself. You say it's "optional" and it's "up to the user" or "up to my host", yet you point to another old thread that has plenty of people who've had a problem with the "lack of options" and "auto-install" cpanel setting. I think it's completely irresponsible and over-reach by cPanel to auto-install these SSL's and let the consumer figure out the rest and clean up the SEO damage that was brought about by a 3rd party. SEO is super important to traffic and site growth, and this undeniably damaging setting (which apparently will CONTINUE) has messed with people's websites.

 

[rpvw]

Lets be perfectly clear:

cPanel did NOT force you to use the SSL certificate they started supplying everyone FREE of charge.

So what changed?

1. cPanel stated providing FREE certificates to your domain (provided that your web host had enabled it in their administrative control panel)
2. The use of the certificate was entirely up to you to control from your cPanel, provided your web host had configured your account to have access to these features, and you could have deleted it and chosen to exclude some/all of your domains from the AutoSSL process of fetching a valid SSL certificate for you to use (If you had bothered to configure this, you would have been back to the pre-AutoSSL state where any call to port 443 would have returned an error that no valid certificate could be found)

If search engines started to index SSL pages, it is because they were already polling them, and getting SSL errors about bad or missing certificates from those pages, prior to cPanel making the FREE SSL certificate available and the pages subsequently becoming accessible.

If you had been bothering to take an interest in what cPanel was doing to offer new and improved features to it's users, and if you had bothered to have looked at your stats more frequently instead of waiting 'For Months', you could have set up an htaccess file to ensure all traffic was pointed at your port 80, or managed the AutoSSL as detailed above.

I am tired of your whining, and persistently trying to blame someone else - I shan't be bothering to try and help you any further.

Good luck for the future with your attitude.

 

[Anupam SG]

I'm either not understanding you correctly or you keep contradicting yourself. You say it's "optional" and it's "up to the user" or "up to my host", yet you point to another old thread that has plenty of people who've had a problem with the "lack of options" and "auto-install" cpanel setting. I think it's completely irresponsible and over-reach by cPanel to auto-install these SSL's and let the consumer figure out the rest and clean up the SEO damage that was brought about by a 3rd party. SEO is super important to traffic and site growth, and this undeniably damaging setting (which apparently will CONTINUE) has messed with people's websites.

You seem particularly very concerned with SEO, for someone who doesn't even have a sitemap.
That's like saying you're worried about the mileage of the car, when your car doesn't even have an odometer installed.

It took you "months" to be made aware of this "SEO" damage, when you couldn't even be bothered to log into Webmaster tools to submit a sitemap, or set the http version as a default, both of which take no more than a few clicks?

Set your preferred domain (www or non-www) - Search Console Help
Build and submit a sitemap - Search Console Help

Yet you somehow complain and blame cPanel for your negligence.

What sort of CMS were you running that continued to function despite the port being changed to 443 from 80, without you making any adjusting entries? All major ones require a config entry in some way - through config.php etc. - to continue to function properly when hosting changes from HTTP to HTTPS.

So did that configuration happen automatically or did you do it?

If you did it, then you came to knew about the change when it happened. If you didn't, then, your site didn't function at all, For Months. In either case, it would suggest you are lying about the entire matter.

 

[JJ100]

Lets be perfectly clear:

cPanel did NOT force you to use the SSL certificate they started supplying everyone FREE of charge.

So what changed?

1. cPanel stated providing FREE certificates to your domain (provided that your web host had enabled it in their administrative control panel)
2. The use of the certificate was entirely up to you to control from your cPanel, provided your web host had configured your account to have access to these features, and you could have deleted it and chosen to exclude some/all of your domains from the AutoSSL process of fetching a valid SSL certificate for you to use (If you had bothered to configure this, you would have been back to the pre-AutoSSL state where any call to port 443 would have returned an error that no valid certificate could be found)

Wrong.

1) Idk why you keep capitalizing "FREE" like it matters, or like anyone's acting entitled, or like a $60 SSL certificate is a fortune, or that it's even the issue at hand. You're just coming across as a cPanel apologist.

2) The INITIAL (which is significant - people don't even have time to react to the configuration for how fast Google indexing happens) use and CONTROL of the certificate obviously was NOT up to me if it's being AUTO-installed by cpanel by default as soon as the server is set up. It's ridiculous to put the onus on every person who owns a website (many of which who don't even handle the technical side of things) that they should've just "opted-out" or that that is a good policy to have. I didn't even REALIZE SSL was being installed. I got 10,000 other things to worry about on the front end of things. Why would I and why would anyone for something that SHOULD be 100% OPT-IN. That's the entire point. It should've NEVER been enabled to begin with.

3) I would've LOVED To be at the pre-AutoSSL state 'cause you know what that means? It means Google would've rejected those pages in their indexing and I wouldn't have this problem.

If search engines started to index SSL pages, it is because they were already polling them, and getting SSL errors about bad or missing certificates from those pages, prior to cPanel making the FREE SSL certificate available and the pages subsequently becoming accessible.

If you had been bothering to take an interest in what cPanel was doing to offer new and improved features to it's users, and if you had bothered to have looked at your stats more frequently instead of waiting 'For Months', you could have set up an htaccess file to ensure all traffic was pointed at your port 80, or managed the AutoSSL as detailed above.

I am tired of your whining, and persistently trying to blame someone else - I shan't be bothering to try and help you any further.

Good luck for the future with your attitude.

Let's be clear. You're not helping, you have no interest in helping (just your wannabe know-it-all lectures), and you're the typical "IT" type of person that most normal people despise. All you are is a cPanel apologist, or "it's always user error". You're flat out wrong. I am a one man machine for my website. I do it all and wear many hats. So you know nothing. I've built my website from scratch to 40,000/day users that cPanel has threatened. You know why? 'Cause I'm not like YOU who only sees one angle. I look at a website through multiple angles, not just the technical angle. I handle the business, marketing, UI, UX, coding, programming, SEO, visual design, content, and plenty more. So keep trying to insinuate with your condescending little - Removed - attitude to say it's just "laziness", "incompetence", "user error", etc. That's what all you IT types always do 'cause you're narrow minded. It can never just be BAD POLICY. You're wrong. This is a horrible policy to have something be AUTO-installed on default on any server. And if you looked at past threads that have been linked to in this thread, you'll see countless others who agree with me on this. Clients shouldn't be force-fed anything, BY DEFAULT, where they need to "opt-out", period. Especially for something so potentially damaging towards something so significant as SEO. You can't escape that this is just bad policy that causes more harm than good. SSL should always be opt-in.

Good luck with your future having the narrow-minded "typical IT guy" annoying attitude.

 

[Infopro]

Seems to me that this thread has run its course and so it’s now closed.

Thanks for the feedback everyone.