TL;DR
Websites with non-HTTPS login pages are not secure. Data sent to these sites (usernames, passwords) can be intercepted and read by attackers. Always use HTTPS for all logins and, ideally, for the entire website.
Why Non-HTTPS Logins Are Dangerous
When you connect to a website using HTTP (without the ‘S’), your communication isn’t encrypted. This means anyone monitoring the network can see what you’re sending – including your login details. HTTPS encrypts this data, making it unreadable to eavesdroppers.
How to Check if Your Login Page is Using HTTPS
- Look at the Address Bar: Does the website address start with https://? A padlock icon usually appears next to the address.
- Browser Developer Tools: Most browsers have developer tools you can use.
  - In Chrome, press F12 (or right-click and select ‘Inspect’). Go to the ‘Network’ tab.
  - Reload your login page.
  - Look at the requests for your login form submission. If they show https:// in the ‘Name’ column, you’re using HTTPS. If it shows http://, you are not.
How to Fix a Non-HTTPS Login Page
The solution is to enable HTTPS for your website. Here’s how:
- Get an SSL/TLS Certificate: This verifies your website’s identity and enables encryption.
  - Many web hosting providers offer free Let’s Encrypt certificates.
  - Commercial certificates are also available from certificate authorities (e.g., DigiCert, Sectigo).
- Install the Certificate: Your hosting provider will usually have instructions for installing the certificate.
  - This often involves uploading files to your server or using a control panel interface.
- Redirect HTTP to HTTPS: Force all traffic to use the secure HTTPS version of your site.
  - Using .htaccess (Apache): Add these lines to your .htaccess file in the root directory:

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  - Using Nginx: Add these lines to your server block configuration file:

        server {
            listen 80;
            # ... other config ...
            return 301 https://$host$request_uri;
        }

- Update Internal Links: Change any internal links on your website to use HTTPS.
  - You can use a search and replace tool in your content management system (CMS) or a site-wide link checker.
- Test Thoroughly: Ensure all pages, including the login page, are accessible via HTTPS without any errors.
  - Check for mixed content warnings (where some resources load over HTTP on an HTTPS page). Fix these by updating URLs to use HTTPS.
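The login-form and mixed-content checks above can be scripted against a saved copy of the page. The following is an added example, not code from the original article; the class, function names and the example.test sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a subresource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class LoginPageAudit(HTMLParser):
    """Collects (kind, url) findings for one page of HTML."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_is_https = urlsplit(page_url).scheme == "https"
        self.findings = [] if self.page_is_https else [("insecure-page", page_url)]
        self.form_action = page_url      # resolved submit URL of the open <form>
        self.form_has_password = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # An empty or missing action submits to the page's own URL.
            self.form_action = urljoin(self.page_url, a.get("action", ""))
            self.form_has_password = False
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.form_has_password = True
        elif tag in RESOURCE_ATTRS and a.get(RESOURCE_ATTRS[tag]):
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return  # canonical/alternate links are not loaded as content
            url = urljoin(self.page_url, a[RESOURCE_ATTRS[tag]])
            if self.page_is_https and urlsplit(url).scheme == "http":
                self.findings.append(("mixed-content", url))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_has_password:
            if urlsplit(self.form_action).scheme == "http":
                self.findings.append(("insecure-form", self.form_action))
            self.form_has_password = False

def audit(page_url, html):
    """Return findings for the HTML served at page_url."""
    parser = LoginPageAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample login page (example.test is a placeholder domain).
SAMPLE = """<head><link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/login"></head>
<form action="http://www.example.test/session" method="post">
<input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form><img src="//img.example.test/logo.png">"""
```

Calling `audit("https://www.example.test/login", SAMPLE)` reports the HTTP stylesheet and the password form that posts to an http:// URL, while the relative script-style paths and the protocol-relative image inherit HTTPS from the page and are not flagged.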
Further Security Considerations
HTTPS is essential, but it’s not the only thing you need for cyber security.
- Strong Passwords: Enforce strong password policies.
- Two-Factor Authentication (2FA): Add an extra layer of security.
- Regular Updates: Keep your CMS, plugins, and server software up to date.
- Web Application Firewall (WAF): Protect against common web attacks.

