Posted in Web Development on October 3, 2017
Migrating your website to HTTPS can seem like a daunting task at first glance. This guide will help you through the process while keeping your existing SEO efforts in-tact - plus improve your future rankings!
Google has been pushing for increased security across all websites for some time. This campaign has become a topic you can't afford to skip over.
At first glance, all this security talk can sound very complex and overwhelming. Once you understand the concepts laid out in this article, making a migration will be just a matter of putting in the work.
I am going to provide full context around why you should secure your website, walk you through the transition steps - all while preserving (and improving) your existing SEO efforts.
Why Switch to HTTPS?
The benefit of a secure web is all about protecting the user - and what is good for the user, is often a good SEO practice. Here are some of the main points on why you need to make the switch:
Improved Website Security
Data sent between your browser and a web server over HTTP is insecure. By switching to HTTPS you are enabling data transfer using the Transport Layer Security (TLS) protocol (previously the Secure Socket Layer or SSL).
Data transferred through TLS provides 3 layers of protection:
- Encryption - An encrypted data transfer protects communication on a public network (the internet). This keeps the data confidential and prevents a 3rd party from intercepting or monitoring the communication between a website and a user.
- Data Integrity - Over an insecure transaction, data can be manipulated between the web server and browser. This can result in modifications to the resulting website. This could result in changing images, advertisements, or other website content. A secure connection ensures that the website that a visitor requested is provided in an unaltered state.
- Authentication - The process of attaining an SSL certificate requires a website owner to provide identifiable information. To the end user this means that when they visit a website, they can trust that the site they intended to visit is truly the site they end up on. This protects from man-in-the-middle attacks.
Altogether, these security measures ensure that a website visitor sees the web page they requested in an unaltered form, and their interactions with that website are protected.
For a very detailed article that dives into HTTPS, I highly recommend checking out Vladislav Denishev's article via Smashing Magazine.
Positive Impact on Search Rankings
In August of 2014, Google caught the attention of SEO's when they announced that HTTPS was 'very lightweight signal' and 'over time, we may decide to strengthen it'. This announcement didn't result in a rush to update, though a small percentage of sites did.
Since that time, Google has kept their promises and only pushed harder for webmasters to secure their websites through increased consequences for non-secure sites.
Many reports across the net confirm noticeable ranking increases. Though we can't measure the actual impact on rankings, one thing is for sure - NOT switching to HTTPS is going to hurt in the long run.
Improved SERP & Browser Display
As more and more sites switch to HTTPS, the changes are seen directly on the search result pages. Secure sites display a leading 'https://' on their results, letting the user know they are heading to a secure page. This has a positive impact on CTR.
Once you click through to the site, you'll be greeted with a secure status bar indicator. The display varies from device to device and browser to browser. One thing is for sure - users are looking for that lock that indicates their session is secure.
The latest announcement from the company is that their Chrome browser will begin showing 'Not Secure' warnings more aggressively. Two new cases were announced:
- When users enter data on an HTTP page.
- On all HTTP pages visited in Incognito mode.
image: Chromium Blog
As mass adoption continues, missing these trust signals will hurt your site more and more.
Join a Growing Crowd
The first couple years of the 'secure by default' campaign were slow to see sites transition to HTTPS everywhere.
Over the last year, however, adoption has quickly accelerated. Many major sites have gone to fully site-wide secure. At the time of writing, roughly 33% of the top million sites (as reported by Builtwith) are secure by default.
If you haven't installed an SSL/TLS certificate on your site - NOW is the time to make it happen.
How to Transition From HTTP to HTTPS
The following checklist will cover all the important steps you need to consider during a migration. I've tried to make the list work for the widest range of sites possible. If you have specific questions for your project - use the comment section on this page.
If you have a staging server available, I suggest testing as much of this there before moving to production.
- Backup Everything - Ensure that you take a full backup of your production and staging environments before you get started.
- Grab a Current Sitemap - You'll want to get a snapshot of the scope of your current site before you make a move. Download a pre-move version of your sitemap or crawling everything site-wide and keep it as a reference point.
- Consider Your CDN Setup - Read up on your specific content delivery network setup before you get started. Make sure you understand the steps you need to take to make the transition.
- Get a Security Certificate & Install - You can purchase a TLS (also referred to as an SSL) certificate from a provider like GoDaddy or get a free one from a service like Lets Encrypt. After you get your certificate, install it on your web server. This entire process is very well documented for all server types.
- Preview the HTTPS Version - After you install your certificate, you'll be able to view the secure version of your site by adding the https:// protocol to the front of your site URL. Visit the major page types on your site and preview the display. You'll be able to confirm that you have a valid certificate and a secure connection by using the inspector in Chrome and visiting the 'Security' tab.
- Take Inventory of Mixed Content - You confirmed your certificate is installed correctly in the step above. Now it's time to look around for mixed content. This issue arises when a user requests an HTTPS page, but some resources (images, scripts, etc) are loaded over HTTP. When this happens, your page will be marked as non-secure even when you visit over HTTPS. To find mixed content issues, browse your site over HTTPS with the inspector in Chrome open to the 'Security' tab. At the bottom, it will display any mixed content issues. Take inventory of these issues across your major page types. This will guide you as you fix mixed content through the following steps below.
On-Site Move Items
Optional On-Site Move Items
Off-Site Move Items
- Add the HTTPS Version of Your Site to Search Console - Do this for both Google and Bing. In Google, this will add a new property to your search console account. Submit your https:// sitemap to this new entry. Do a fetch, render, and request a deep index of the homepage over HTTPS to help the indexing process along.
- Update Search Console Settings - If you had URL parameter settings or a disavow file, you'll need to re-add these configurations to the new search console entry for HTTPS.
- Update Analytics - Change the site URL to use the HTTPS protocol. Ensure that all your goals and event tracking aren't based on http:// protocol entries. If they are, you'll need to update the rules.
- Change Paid Advertising URLs - If you're running paid ads via Google, Bing, social or otherwise, make sure and update the URLs in your ads to the new secure versions.
- Update External Services - Anything else you're using to track users, run A/B testing, SaaS services, or similar - check them and ensure they are still functioning. You might also need to update rank tracking software (like ahrefs) to show results from the secure version of your site.
Monitoring After the Switch
After you finish all the steps above, it's time to sit back and congratulate yourself on a job well done. Your work is not over though.
From here on out it is important that you closely monitor the transition and test, test, test. Here are a few common places to look:
- Test Conversion Round Trips - Ensure that your website still functions all the way through a conversion - whatever that is in your case. If you're hosting lead forms, make sure all the entries pass through appropriately. If you're hosting an eCommerce site, ensure that your orders make it all the way through the process.
- Search Indexing and Rankings - Be sure to monitor your rank tracking closely (daily) until you observe a successful re-indexing of your HTTPS site version. After doing several migrations, I have not seen drops in search traffic. If done correctly, the transition is seamless. You will notice that impressions drop in the HTTP Search Console entry and rise in the HTTPS version. This is normal.
Comparison of the HTTP vs HTTPS Clicks via Google Search Console after a migration.
- Services & Analytics Tracking - Be on the lookout for service that 'stop working' or tracking that drops or flatlines. Often these are configuration errors that need to be investigated.
I hope that this guide helps you make a smooth transition to HTTPS. Your users will thank you, and you'll enjoy the positive SEO impact from the switch. If you have any questions or comments, leave them below.