
Is Google indexing sites as HTTPS without our consent?

         

Ebuzz

11:24 am on Jan 2, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



I have a strange "issue" that I discovered only just now.

I noticed one of my WordPress-based sites has been indexed as HTTPS by Google, even though I have never ever enabled SSL for this site (but was going to). The main domain has already been indexed as HTTPS and some URLs as well. Most URLs in the site are still listed/indexed as HTTP.

I am not making this up. I discovered this issue by accident when looking at one of my recent published pages from within Google. I thought I was looking at a different site, or maybe I was hacked....

And then I looked at the main domain, and sure enough, it was listed as HTTPS in Google.

Very weird, at least to me.... Anyone seen this before?

keyplyr

12:01 pm on Jan 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Your host must use a wildcard SSL certificate that works for your site if Google crawled your site and found it supports HTTPS to index it.

Either that or you are mistaken.

Ebuzz

12:27 pm on Jan 2, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



I am not mistaken at all. I double checked within my WordPress admin and in General > Settings, everything is the same as it always was (HTTP). You know in WordPress, if you did not change the URL path there, and yet enabled SSL, it won't work. And if you force it without specifying the HTTPS there, you get locked out.

I have changed nothing with the site with regards to encryption. I have about 20 sites, and this is NOT one of those sites where I have converted to HTTPS so far. It is an authority site in Google though, and I have good rankings for it. That's why I know I never changed anything with it, because I didn't want to "rock the boat" until the new year.

I have asked my webhost about this, let's see. They are taking their time to respond (normally very quick).... It is really weird, because none of my other sites have this "phenomenon".

keyplyr

12:39 pm on Jan 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So when you find this site in Google SERP listed as HTTPS and you click on it using a web browser, what happens?

Ebuzz

2:31 pm on Jan 2, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



"So when you find this site in Google SERP listed as HTTPS and you click on it using a web browser, what happens?"

Hmmm, I think cPanel recently applied free HTTPS for all sites according to my webhost (they replied). When I click those links that Google listed as HTTPS for this one site, it goes to an HTTPS version of my page and when I click the lock icon for more info, it says - Verified by cPanel.

I've not heard of this before....cPanel is self-signing SSL certs, whether you want it or not.

Only this authority site has been indexed partially as HTTPS by Google, out of all the rest, comprising many hundreds of pages across many sites. So it looks like selective indexing by Google....but at least, I think the mystery is solved. So now, we have to "force"/301 the SSL across the entire domain?

keyplyr

6:59 pm on Jan 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"site has been indexed partially as HTTPS by Google"
Well now's the time to get all your pages optimized for HTTPS. Google will finish indexing them soon. Glad you solved the mystery :)

lucy24

8:48 pm on Jan 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"I think cPanel recently applied free HTTPS for all sites according to my webhost"

That's the problem, then. If a site is accessible by https, then that is the way Google (and possibly other search engines) will index it.

Lesson: Any time you see any search engine claiming to know about an https version of a site that you thought was only http, immediately check what happens when you try to follow that https link.

keyplyr

9:38 pm on Jan 2, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"cPanel is self-signing SSL certs, whether you want it or not."
Well, that's one way to get the internet secure :)

frankleeceo

9:55 pm on Jan 2, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



You can disable it via Cpanel.

I actually appreciate them doing this, but it would have been better to get better notifications via Cpanel than finding it out on Google as a surprise.

Robert Charlton

12:26 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



cPanel itself can introduce dupe content/canonicalization problems which are better handled by a canonicalization redirect. See this thread, which doesn't specifically correspond to your problem, but which does bring up the cPanel issues and discusses ways of dealing with them....

Add-on Domain Indexed As Subdomain of the Main Domain - How to fix it?
May 2014
https://www.webmasterworld.com/google/4674394.htm

It's been my experience that http/https confusion, once the confusion is out in the wild, is best handled by a canonicalization redirect, and that anything else is going to end up like a game of whack-a-mole. In the above thread, phranque suggests the redirect several times...

"you need to add a hostname canonicalization redirect to your server configuration or to your application script...."

phranque

12:56 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



now that secure connections are enabled, you must decide if you are staying http: or changing to https:.
either way you should design your hostname canonicalization redirect to handle both protocol and host.
if you are doing this in the root .htaccess scope of a typical apache server, the basic http-to-https redirect for www.example.com would look something like:

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [OR]
RewriteCond %{HTTPS} !on
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]


the correct solution for your application could be more complicated.
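
One way to check the outcome of a redirect like the one above, as an added example that is not part of phranque's post: it requests all four scheme/host variants of a page and reports any that does not answer with a single 301 to the canonical URL. The canonical origin `https://www.example.com` comes from the rule; the function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

CANONICAL = "https://www.example.com"  # assumed canonical origin, as in the rule above

def head(url, timeout=10):
    """Live fetcher: one HEAD request, redirects not followed.
    An invalid certificate raises ssl.SSLError, which is itself a finding."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(path="/", fetch=head, canonical=CANONICAL):
    """Return {url: finding} for every scheme/host variant that misbehaves."""
    host = urlsplit(canonical).netloc
    other = host[4:] if host.startswith("www.") else "www." + host
    target = canonical + path
    findings = {}
    for scheme in ("http", "https"):
        for h in (host, other):
            url = f"{scheme}://{h}{path}"
            status, location = fetch(url)
            if url == target:
                if status != 200:
                    findings[url] = f"canonical URL answered {status}, expected 200"
            elif status != 301:
                findings[url] = f"answered {status}, expected a 301"
            elif location != target:
                findings[url] = f"301 to {location}, not straight to {target}"
    return findings

# Constructed responses: HTTPS was switched on, redirects were never updated.
SAMPLE = {
    "http://www.example.com/": (200, None),                     # duplicate copy
    "http://example.com/": (301, "http://www.example.com/"),    # wrong scheme
    "https://www.example.com/": (200, None),                    # canonical, fine
    "https://example.com/": (302, "https://www.example.com/"),  # temporary
}

if __name__ == "__main__":
    for url, finding in audit(fetch=SAMPLE.__getitem__).items():
        print(url, "->", finding)
```

Calling `audit()` with no `fetch` argument runs the same checks against the live site named in `CANONICAL`.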

keyplyr

12:59 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's a WordPress site

aristotle

1:36 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"I think cPanel recently applied free HTTPS for all sites according to my webhost (they replied..."
"cPanel is self-signing SSL certs, whether you want it or not...."

This seems suspicious to me. How could the people behind cPanel get authorization to do this without your permission? And without telling you? I suspect that your hosting company is really behind it.

Also, I believe that some hosting companies are using older versions of cPanel than other companies. So maybe the newest version of cPanel has this as an option. But even if it does, the default should be non-https.

Also, all of my sites are on servers with cPanel, and I couldn't find an option for this for them.

keyplyr

1:46 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"I suspect that your hosting company is really behind it."

Yes, that's what he said.
"cPanel recently applied free HTTPS for all sites according to my webhost (they replied)."

frankleeceo

2:07 am on Jan 3, 2017 (gmt 0)

aristotle

11:02 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



frankleeceo -- I looked at that link you provided. Does it mean that the hosting company decides whether to activate the "auto SSL" for their hosted domains? Because some companies are trying to sell SSL as an addon. So why would they give it away for free?

Also, how can they implement autoSSL without telling their customers? Especially since this could cause problems with search engine indexing that the customer wouldn't be aware of.

Also, as I said, I think that some companies are using older versions of cPanel that don't include this feature.

So it seems to me that there are still some things that need to be explained here.

keyplyr

11:26 am on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"... some companies are trying to sell SSL as an addon. So why would they give it away for free?"
To compete. All the hosting companies I do work at, including my own, offer HTTPS for free, and so far they all have some type of free SSL cert as well.

aristotle

3:28 pm on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr -- That doesn't explain why a hosting company would implement Auto-SSL without telling their customers.

No5needinput

5:57 pm on Jan 3, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



Immediately upon signing into WHM on my dedicated server a few weeks ago this option was available...

"AutoSSL - The AutoSSL feature provides free SSL certificates for your users' domains. The system will periodically inspect users' installed certificates and replace those that are about to expire or that are insufficient to provide a baseline level of security."

With a radio button option to blanket allow/disallow.

Though I haven't allowed it (I use paid SSL certificates) I presume the OP's host has.

frankleeceo

6:51 pm on Jan 3, 2017 (gmt 0)

10+ Year Member Top Contributors Of The Month



@aristotle

No5needinput is right. I think that option was pushed through via WHM panel after it was upgraded to a certain version a few months back. I might have been too click-happy or sleepy and clicked enable without thinking. Now that he mentioned it, I vaguely remember seeing it.

Yes the implication of this is pretty high since it automatically creates SSL versions of sites without any "real" server side work. This can create some issues with indexing as duplicate content and such.

Yes many companies sell this as add on, but CPanel is ahead of the game to make it free and almost effortless from a server point of view, as long as people want to approach it and change their site.

I personally appreciate what Cpanel has done, it really evens out the playing field between more technical savvy webdevs versus more general content creators (me).

At this point I do not think Google prefers paid or free certificates now, but rather the implementation of SSL connection. Maybe that'll change later as most websites convert to SSL down the line.

lucy24

8:03 pm on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thought: People posting here--or reading WebmasterWorld in general--are not representative of the totality of people who have WordPress sites on shared hosting (whether with cpanel or roll-your-own). So actions taken by hosts don't necessarily have anything to do with your own site's needs or behaviors; it's all those other sites.

:: quick detour to verify that my own sites haven't picked up an HTTPS version when I wasn't looking ::

keyplyr

8:31 pm on Jan 3, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"keyplyr -- That doesn't explain why a hosting company would implement Auto-SSL without telling their customers"
@aristotle - It doesn't justify lack of notification, but competition with other hosts is the likely reason why cpanel was upgraded to include SSL.

mihomes

1:58 am on Jan 8, 2017 (gmt 0)

10+ Year Member



I use WHM/Cpanel myself and what you are describing is not what happened. You would have needed to enable a new feature called 'autossl' which adds free DV (domain validated) certs to your sites. This would have not been turned on automatically. For me, when I logged into WHM the first thing it showed me was a little notification of this new feature and gave me the option of turning it on and/or keeping it off.

So, I'm guessing you turned this option on without fully knowing what it did or did not realize you turned it on. If I were you I would be checking my site(s) to make sure everything is compatible with https and then go ahead and add your redirect code into your htaccess file to force https on all pages with a 301 redirect. Someone mentioned a version of this code earlier.

There are other things to do as well like adding the https version into Google Search Console, Bing Webmaster Tools, and so on. Update the links in your sites pages to the https version if they are linked in full anywhere. Change links in any automated emails to the https version. The list goes on. You think this is a quick and easy task when you switch to https and in reality it is, but there are lots of little things to change to make sure everything is fully switched.