HTTPS in 2026: 16% of Sites Still Skip SSL Encryption

By Bitverzo Research Team · July 6, 2026 · 8 min read · Based on analysis of 760,000+ websites

I'll admit, I expected this number to be smaller. When we pulled HTTPS adoption data from our database of 760,000+ websites, I figured we'd be looking at maybe 5% of sites still running plain HTTP. The actual number? 16%. One in six websites still doesn't encrypt the connection between your browser and their server.

It's 2026. Free SSL certificates have been available through Let's Encrypt since 2015. Most hosting providers include them automatically. Google has been penalizing HTTP sites in search rankings for years. And yet, over 120,000 sites in our database are still sending data in plain text.

So we dug into the data. Who are these holdouts? Where are they? And does it actually matter as much as security people say it does?

84% HTTPS · 16% HTTP

SSL encryption adoption across 760,000+ analyzed domains in 2026

The Trust Score Gap Is Enormous

Before we get into the "who" and "why," here's the headline that should matter to every site owner: sites with HTTPS have an average trust score of 67. Sites without it average just 41.

That's a 26-point gap on our 0-100 scale. And it's not just because we weight HTTPS heavily in our scoring algorithm (though we do — because it matters). Sites without HTTPS also tend to be missing other security basics. They're less likely to have security headers. They're less likely to have SPF and DMARC records. They're less likely to use a CDN. The absence of HTTPS is usually a symptom of broader neglect.

You can see this for yourself. Pick any major site — Google, GitHub, Shopify — they all use HTTPS and score well above 70. Now check a random HTTP-only site and watch the trust score plummet.

Who's Still on HTTP?

We categorized the 16% of sites still running without HTTPS, and some clear patterns emerged:

Abandoned sites (estimated 40% of HTTP holdouts) — These are sites nobody's maintaining anymore. They were set up years ago, the owner lost interest or the business closed, and the site just... sits there. No updates, no SSL, no security headers. Many are running ancient versions of WordPress or other CMS platforms. They're digital ghosts.

Small business sites (estimated 25%) — Local restaurants, plumbers, small retailers. Many of these were built by freelancers who didn't set up SSL, and the business owner doesn't know enough about web tech to notice or fix it. The site "works" from their perspective — it shows their phone number and address — so they don't touch it.

Parked domains (estimated 20%) — Domains that have been registered but aren't hosting real content. They show generic parking pages or redirect to ad networks. The domain holders don't bother with SSL because there's no real site to protect.

Intentionally sketchy sites (estimated 15%) — Sites that don't want the accountability that comes with obtaining a certificate. Some certificate authorities do basic verification, and sites involved in phishing, scams, or copyright infringement sometimes avoid the process entirely. This is less common now that free, automated certificates exist, but it's still a pattern we see.

HTTPS by Country

We broke down SSL adoption by hosting country and found some meaningful differences:

The pattern is fairly clear: countries with stronger data protection laws and more modern hosting infrastructure have higher HTTPS rates. For a deeper analysis of security differences between countries, see our web security by country breakdown.

The Real Risks of HTTP in 2026

Some people argue that HTTPS doesn't matter for "simple" sites that don't handle passwords or credit cards. I've heard it from small business owners: "My site just shows my menu and hours. Who cares if it's encrypted?"

Here's who cares:

Your visitors' ISPs can inject content. Without encryption, internet service providers can (and do) insert ads, tracking scripts, and modified content into HTTP pages. Your clean business site might be showing gambling ads to visitors on certain networks, and you'd never know.

Public Wi-Fi makes HTTP dangerous. Anyone on the same coffee shop network can see exactly what pages your visitors are viewing. If your site has a contact form — even one that doesn't ask for sensitive information — that form data travels in plain text. Names, email addresses, messages. All visible to anyone with Wireshark and five minutes of patience.

Google actively penalizes HTTP sites. Chrome shows a "Not Secure" warning for HTTP sites. Google Search ranks HTTPS sites higher. Your HTTP site is fighting with one hand tied behind its back.

It signals carelessness. When we analyze sites that raise caution flags — the 21% that fall into our "Caution" category — missing HTTPS is one of the strongest individual predictors. It tells us (and your visitors) that nobody's paying attention.

🚩 HTTP + No Security Headers = Red Flag

Sites running HTTP without HTTPS that also lack security headers have an average trust score of just 31/100. Only 1% of sites in this category score above 50. If you encounter a site matching this profile, proceed with extreme caution.

HTTPS and Email Security: A Connected Problem

Here's a correlation that caught our attention. Sites without HTTPS are also far less likely to have email authentication set up. Among HTTPS sites, 59% have SPF records and 38% have DMARC. Among HTTP-only sites, those numbers drop to 31% and 12% respectively.

This makes sense. If a site owner hasn't bothered with the most visible, most basic security measure (SSL), they almost certainly haven't configured DNS-based email authentication either. We've written extensively about this in our email security analysis — the short version is that 66% of all websites fail basic email authentication, and the problem is even worse among the HTTP holdouts.

The Security Header Situation

Even among the 84% of sites that do use HTTPS, many are missing the security headers that make HTTPS truly effective.

80% of all sites lack Content-Security-Policy. CSP prevents cross-site scripting attacks by controlling which resources the browser is allowed to load. Without it, HTTPS encrypts the connection but doesn't protect against injected malicious scripts.

72% don't enforce HSTS. HTTP Strict Transport Security tells browsers to always use HTTPS, preventing downgrade attacks. Without HSTS, even a site with a valid SSL certificate might serve some visitors over HTTP if they type the URL without "https://" or follow an old HTTP link.

So the real story isn't just "16% of sites lack HTTPS." It's more like: 16% have no encryption at all, another 50-60% have HTTPS but with significant gaps in their security configuration, and only about 20-25% of websites have a genuinely robust security setup.

80% missing CSP · 72% missing HSTS

Even among HTTPS sites, most are missing critical security headers

How to Check Any Site's HTTPS Configuration

Looking at whether a site uses HTTPS is easy — check for the padlock in your browser. But checking whether the SSL certificate is valid, whether security headers are configured, and whether the site is vulnerable to downgrade attacks requires a deeper look.

Bitverzo checks all of this automatically when you analyze any domain. You'll see the SSL certificate details, expiration date, issuing authority, and whether the certificate chain is properly configured. You'll also see every security header that's present or missing.

We've found that a surprising number of sites have HTTPS enabled but with expired certificates, misconfigured certificate chains, or mixed content warnings. These sites show a padlock in some browsers but not others, creating a confusing experience for visitors. It's worth checking even if you think your HTTPS is "fine."

Fixing the Problem

If your site is still on HTTP, here's the path forward:

  1. Check if your host offers free SSL. Most do. Bluehost, SiteGround, Cloudflare, Netlify, Vercel — they all provide free SSL certificates.
  2. Enable HTTPS and set up redirects. Make sure all HTTP URLs redirect to their HTTPS equivalents. This is usually a single checkbox in your hosting control panel.
  3. Add HSTS. Once you've confirmed everything works over HTTPS, add the Strict-Transport-Security header to prevent any future HTTP connections.
  4. Fix mixed content. Make sure all images, scripts, and stylesheets are loaded over HTTPS too. Mixed content warnings undermine the whole point of SSL.
  5. Add CSP and other security headers. While you're at it, configure Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.

The whole process takes less than an hour for most sites. If you're on WordPress, a security plugin like Really Simple SSL can handle steps 1-4 automatically. For the security headers, check our WordPress security guide.

✅ Free SSL in 2026

Let's Encrypt issues free, automated SSL certificates. Cloudflare's free tier includes SSL. Most hosting providers include SSL at no extra cost. There is genuinely no financial barrier to HTTPS anymore. If someone tells you SSL costs money, they're either misinformed or trying to sell you something.

What Comes After HTTPS

SSL is the floor, not the ceiling. Once you have HTTPS working properly, the next steps are configuring security headers, setting up email authentication (SPF and DMARC), and considering a CDN like Cloudflare for additional protection.

Our data shows that sites implementing all of these measures score an average of 78 on our trust scale — well into the "Likely Safe" territory. Sites with just HTTPS and nothing else average about 58. The certificate is the starting point, not the finish line.

We'll continue tracking HTTPS adoption in our database and publishing updates. If you want to see where any specific site stands, run it through Bitverzo for a free, instant analysis.

Check Any Site's SSL Status — Free

Get instant SSL analysis, security header checks, trust score, and technology detection for any domain.

Analyze a Website →

Frequently Asked Questions

What percentage of websites use HTTPS in 2026?

Based on Bitverzo's analysis of 760,000+ domains, 84% of websites use HTTPS in 2026. That means 16% — roughly 1 in 6 sites — still operate without basic SSL encryption, putting visitors' data at risk.

Why do some websites still not use HTTPS?

The most common reasons are abandoned sites that nobody maintains, small businesses unaware that free SSL exists, parked domains with no real content, and in some cases, intentionally sketchy operations avoiding certificate accountability. Free certificates from Let's Encrypt have eliminated the cost barrier, so most non-HTTPS sites are simply neglected.

Does HTTPS affect a website's trust score?

Yes, significantly. In our database, sites with HTTPS average a trust score of 67/100, while sites without HTTPS average just 41/100. That's a 26-point gap. HTTPS is one of the most heavily weighted factors because it's a fundamental security requirement for any website handling user data.

Data in this article is based on Bitverzo's analysis of 760,000+ domains as of July 2026. HTTPS detection is based on active scanning of SSL certificates and server responses. View technology trends or see the top-rated websites.