Setting up HTTPS is one of the least important things you can do to secure your site. The S in HTTPS, doesn’t really mean secure, it only means that the data is encrypted in “transit”.
Unfortunately, HTTPS is the most popular security “upsell” sold to web site owners, generally misleading them into thinking that HTTPS alone will secure/protect their sites. What is even worse is that non-technical people do think that the browser padlock relates to a secure site.
I know this is nothing new to security people, but after years working in a company that does website remediation (and incident response), it is clear to me that this is not common knownledge. “I am using HTTPS, how did I get hacked?”
Adding HTTPS to your site will not make it more secure, will not “save the web” and will not protect you or your users against most of the attacks that we see live. You will be protecting it against “0.1%” of the threats, while ignoring the rest. If you ever heard about premature optmization, that’s exactly it, but applied to security.
If you think HTTPS will protect your site against the NSA or any government snooping into your data or users, you are wrong as well. Do not believe for a second that it will make a difference there.
Should I use https?
You should only use https if you are already taking the basic security measures to protect your site. Do you have the proper access control in place? Do you monitor your logs? Are you keeping your server, site and all plugins updated? Do you have an intrusion detection in place? Did anyone reviewe the code on your site? Are you using only well-tested and maintained CMS’s? Do you store your passwords securely?
If you are taking security seriously, and your site handles personal/login information, than yes. Use HTTPS. And when you do, make sure to implement it correctly.
If you have not taken the steps above yet, do not use HTTPS. And do not, please, store or handle any personal or login information.