Google has been steadily ramping up the pressure on website owners and administrators who are not utilizing HTTPS to make the change. They announced that HTTPS was being included as one of their 200+ ranking signals. Although no evidence has ever been presented showing it having a positive impact on rankings, many companies quickly made the change after Google’s announcement.
I have resisted making the change for my own sites or those of my clients, but a more recent announcement from Google has altered my view on whether or not you should change to HTTPS. You absolutely must make the change to HTTPS if you have not already.
Hyper Text Transfer Protocol Secure (HTTPS) is the “secure” version of Hyper Text Transfer Protocol (HTTP). HTTP is the protocol over which data is transferred between the website you are connecting to and your web browser. In the HTTPS version, all communication between your browser and the website is encrypted. It is most commonly used to protect confidential online transactions such as accessing your online banking or submitting credit card information to make an online purchase.
Communications sent over regular HTTP connections are basically just in plain text that can be read by any hacker with the skills to access the connection between your browser and the website. If the communication is an order form with credit card, checking account details, or other personal and financial details, it presents an obvious danger and can lead to falling victim to fraud.
With HTTPS, all communications are securely encrypted. Even if a hacker breaks into your connection, they would not be able to decrypt the data passed between you and the website.
HTTPS pages typically use SSL (Secure Socket Layer) to encrypt communications. SSL uses an asymmetric Public Key Infrastructure (PKI) system. A PKI makes use of two ‘keys’ to encrypt communications, a public and a private key. Information encrypted with the public key can only be decrypted by the private key and vice-versa.
The private key is kept on the web server. The public key is provided to anyone that needs to be able to decrypt information that was encrypted by the private key.
When you request an HTTPS connection to a page, the website first sends its SSL certificate to your browser. The certificate contains the public key needed to begin the secure session. Your browser and the website you are accessing initiate what is referred to as an SSL handshake. All information passed between your browser and the website are is now encrypted.
Many people believe that changing to HTTPS protects their website from hacking. This is not true. If you migrate your website to HTTPS, it is no more secure from hacking than it was before the migration. HTTPS is just securing the connections between a website and its visitors.
As I said in the beginning, I was not an advocate for websites migrating to HTTPS. Of course, if they were accepting orders or transmitting personal or financial information, they should have been using HTTPS already. For everyone else, there was no benefit to changing.
Despite Google saying that they were using it as a ranking signal, nobody has been able to run a test where they saw an increase in rankings or organic search traffic. In fact, many people who made the switch, actually saw a drop in traffic. It is not a matter of just installing an SSL certificate. There are several things you must do to migrate properly and avoid losing traffic.
Until recently, SSL certificates were an added expense, and sometimes quite costly. If you were not transferring sensitive data, why incur the extra cost of an SSL certificate?
To me, the risk of something going wrong in the migration to HTTPS causing a drop in traffic along with the extra cost made the process not worthwhile.
So what changed? Why am I now telling you the change to HTTPS is a must?
On February 8th, 2018 Google posted this article to their Security Blog: A secure web is here to stay. In the post, it was shared that beginning in July of 2018 with the release of Chrome 68, Chrome will begin marking ALL sites using HTTP as “not secure”. They shared this image detailing how Chrome displays HTTP URLs now and how they will display them starting in July:
I would expect Firefox to follow suit. In fact, they may even rush to make a similar change before July to beat Google to the punch. Both Chrome and Firefox currently display warnings if you try to sign in to a website that is not using HTTPS. Here is an example:
With Google’s push for HTTPS, I will not be surprised if their “Not secure” notification in Chrome becomes more pronounced than what you see in the image above. I could see them making the text red and perhaps even having a popup warning display.
Whether you are running a local business, a national brand, or a small affiliate website, take a moment to think about the average visitor to your website. Are they as technologically savvy as you? Do they keep up to date with internet protocols and Google updates? For most of us, the answers to those questions are going to be a resounding no.
Now, think about what people see and hear in the news constantly about identity theft, stolen financial information, viruses, etc. and how they must be careful and vigilant when visiting websites on the internet. When they visit your website and see a message that says Not secure, are they going to know the message simply is referring to data transferred between their browser and your website or are they going to worry that it means data could be stolen from their computer or they could get a computer virus or malware?
How much of your traffic could be scared away because of the Not secure warnings their browser is giving them? Could it be 5%? 10%? 20%? More? Is it even worth the risk?
There are a few steps you are going to want to follow to migrate from HTTP to HTTPS. I’m listing the main ones here, but based on your website’s unique situation there might be additional steps you need to consider. For the majority of website owners, these steps will be enough to get you through the migration in one piece.
You might have a website with only a few pages or a site with hundreds or thousands of pages. Either way, you are going to want to know what you are starting with and have something to compare the end result to. You also are going to want to make note of any independent sections of your website that might need additional attention or cease working when you migrate such as payment gateways, external scripts, membership scripts, downloads, etc.
You will never know every search phrase your site ranks for, but you are going to want to have a solid list providing a general overview of where your rankings are and have them broken down by category. You are likely to see some ranking fluctuations as you make the change. That is unavoidable. Tracking your rankings may help you to identify issues that were not resolved during the migration.
If rankings recover except for keywords in one category, that can help you to know where to start looking for a potential problem. Without the rank tracking, you are just looking at a drop in traffic and no idea where to start looking.
The next step is to obtain and configure an SSL certificate on your server. There are plenty of solid providers, and your web host might sell them or have recommendations for you.
Once you obtain it, follow the instructions they provide for deploying it on your server. Again, a web host will normally help with this if you ask.
For a really simple option, I recommend Let’s Encrypt. Let’s Encrypt offers free SSL certificates, and many web hosts support them directly through cPanel. It literally only takes a few button clicks to obtain a deploy your certificate on the server. I made a quick video in which I migrated this website using Let’s Encrypt in less than 10 minutes to show how easy it is to use.
If your web host does not support Let’s Encrypt, I would seriously consider switching web hosts. Let’s Encrypt certificates can be installed manually like any other SSL certificate without the cPanel integration, but the cPanel integration makes it mind numbingly easy to do.
Once your SSL certificate is installed on the server, it is time to officially make the change on your site and migrate to HTTPS. You will want to set server-side 301 redirects to the HTTPS version of your URLs. It depends on your server, but for most websites, this will be handled through your .htaccess file. If you are on a Windows server, the method is a little different. You can find tutorials online for both.
In addition to redirecting to HTTPS, you will want to make sure that your site is maintaining its preferred WWW or non-WWW version as well through the redirects.
When you are finished, visitors to your site should not be able to access any HTTP versions of your URLs. If both versions are accessible, this can confuse the search engines, create duplicate content issues, and cause your HTTPS pages to not rank in search engines.
The 301 redirects are not only making your HTTP pages unreachable, they are also telling search engines to credit any authority, relevance, and link power to the HTTPS version of the pages. If you want those to rank, the 301 redirects are vital.
After completing the switch to HTTPS, there are a few common problems you are going to want to look for and fix where appropriate.
What is mixed content? Mixed content occurs when you load an HTTPS page but there is an image, script, or some other type of content featured on the page being called through HTTP. Any unencrypted resource potentially gives hackers a way to break into the data being transferred between your website and its visitors. It happens most often with images, and can easily be fixed by adjusting the URL the image is being called from.
The most common sources of mixed content are internal media (images, videos, audio, including those called inside of JS and CSS files), Iframes, JS and CSS files inside HTML code, web fonts, and internal links.
Next, you want to re-crawl the website to make sure all HTTPS versions of your URLs are present and returning the proper status code.
Double check that all systems are working correctly, especially those you identified before the migration that might need some additional attention (payment gateways, membership scripts, downloads, etc.).
Now you need to let Google know that you have moved. You will need to set up the HTTPS version of your site in Search Console. Google treats these as separate properties. If you are using a Disavow File, do not forget to migrate it to the new property.
That’s it. You are done. That wasn’t so bad, right?
Just be sure to continue testing the site and looking for any issues.