HTTP to HTTPS Migration Guide | Do SSL Certificates Affect SEO?
Google has recently released version 68 of the Chrome Web Browser. In this version, websites that don’t run on HTTPS will be marked as Not Secure. This might lead to the following question: does Google value websites with SSL certificates more? Will they rank better? Is it worth to make the switch?
In this article you’ll find out whether SSL certificates matter for SEO or not. You’ll also learn exactly how to migrate your website from HTTP to HTTPS without suffering any ranking drops. Yes, you heard that right. If you’re not careful, you can mess up your rankings!
Warning: Switching a website from HTTP to HTTPS the wrong way can heavily mess up your search rankings! There are many things that must be taken into consideration. The guide at the end of the article will help, but if you’re not sure what you’re doing, please contact an SEO professional who can assist you with the migration. We can not be held responsible if things go wrong!
- SSL Certificates, HTTPS & Their Importance
- How Does HTTPS Affect SEO?
- How to Switch from HTTP to HTTPS
SSL Certificates, HTTPS & Their Importance
I’ll try to keep it short. Cryptography isn’t something easy to digest, but without having a general idea of how it works and what problems it solves, we can’t really understand its importance. If you have any specific questions, ask them in the comments section and I’ll do my best to reply.
HTTP stands for Hyper Text Transfer Protocol. What you need to know is that it’s a protocol that web servers, data centers and browsers use to transfer information across the web.
The S at the ending of HTTPS just stands for Secure.
The security comes through the use of SSL (Secure Sockets Layer). Sometimes, it might also be referred to as TLS (Transport Layer Security). It’s a method of securing the data which need to be transported.
The method through which the data are secured is called Cryptography. By encrypting a message, only the ones that know the decryption key will be able to read it. For example, if we both decided upfront that A = 1, B = 2, C =3 and so on, I could send you the message 8 5 12 12 15 and you would read it as Hello. This is called symmetric cryptography.
The issue with symmetric cryptography is the fact that both parties must know the encryption / decryption key upfront in order to properly communicate, so at least one secret meeting must be arranged prior to messaging. Pretty difficult to do when you want to chat with someone across the Globe.
So, to overcome this issue, we can use asymmetric cryptography. This type of cryptography uses 2 keys. A private one and a public one. They can both decipher each other. This means that any message encrypted with the public key can be read using the private key and vice versa.
What are SSL Certificates?
Well, SSL certificates are only used to confirm the identity of a website. These certificates are emitted and signed by certificate authorities with their private keys. Before getting a certificate from them, you must somehow confirm your identity and prove you are the organization and website owner.
There are different types of Secure Sockets Layer Certificates, but the most common ones are Domain Verified Certificates. These certificates can even be obtained for free these days (keep reading and I’ll tell you how). The verification process is pretty simple and very similar to the Google Search Console one. There are also other types of certificates, such as Organization Validated (OV) or Extended Validation (EV) certificates. They are more expensive, but require further verification, which involves company documents and IDs.
Web Browsers come packed up with a bunch of public keys from certificate authorities. They check if the certificates have been signed with the proper private keys, therefore confirming that their identity has been verified by a trusted authority and not by some random certificate generator. If the certificate is expired or not valid, a red warning will show up.
This will definitely turn the user down, so make sure that if you run through HTTPS, your certificate is valid and working properly!
It’s better to run through HTTP than to run through HTTPS with an expired SSL certificate!
After the identity of the website has been confirmed by the browser, the web server and the client then establish a secure communication channel. Asymmetric cryptography is used to send a symmetric key which only the server and the client know. Then, the communication channel is secure and any attempt to read the information which is passed between the server and client will require the decryption key.
So why is this so important? Why are people so crazy about HTTPS?
Well, when your users browse your website, they often send information, through contact forms for example. Without encryption, that information can be intercepted by what people call “Man in the middle.” Although contact forms only contain names and e-mails, things get worse when we’re talking credit card information or bank accounts and passwords.
By using an SSL Certificate, webmasters can improve the security of their websites and better protect their users’ information.
How Does HTTPS Affect SEO?
Now that we better understand what HTTP is, we can take a glimpse at its importance. There are multiple ways in which SSL Certificates and HTTPS can impact search engine optimization and rankings. Some of them are strictly algorithmic, while others can be less direct, but very meaningful as well. Let’s start with what we know for sure:
HTTPS as a ranking factor
First, you have to know that, theoretically, SSL Certificates do affect SEO. This is actually an official Google statement from 2014. They are considered a ranking factor, out wide in the open.
Why? Well, there are many reasons, but the main one is definitely security. If Google provides its users with better security, it provides better value and the users will be pleased. The fact that internet credit card fraud is on the rise definitely pushed Google into this direction.
Google has tested its results with HTTPS as a ranking signal and has seen positive results. This could also mean that webmasters that take security seriously might generally present better websites. They care about the users.
Although this impact is fairly small, affecting less than 1% of websites, many webmasters have adopted HTTPS. Not long ago, less than 10% of websites were secured with an SSL certificate. Now, more than half of all websites are probably secure.
Why didn’t Google do this earlier? Well, to be honest, I think it’s because it would’ve been a little bit unfair. Back in the day, SSL Certificates were not so easy to obtain and some of them were quite expensive. Today, however, almost anyone can secure their website with a free one. This means that money won’t really have a say in this.
Quick Tip: Basic SSL Certificates can be obtained for free. If you’re just starting out, don’t spend unnecessary money.
Another way in which SSL Certificates could affect SEO is related to the user experience. Some users might have no clue what’s happening, but others prefer to browse websites that are secure. This is where an Extended Validation SSL might come in handy. Here’s the difference between a regular, Domain Validated SSL Certificate and a more expensive Extended Validation SSL Certificate.
Starting with Chrome Version 68 (24th July 2018), the browser now shows the warning Not Secure when you access a website through HTTP. Users will now definitely ask themselves more questions when seeing that message instead of just the Information icon.
Who knows, in the future you’ll probably going to see a red warning, just like the one with invalid SSL certificates.
As of May 25th 2018, GDPR has also had a huge impact on websites. GDPR specifies that any personal data should be handled securely. This forces webmasters that have even the slightest contact form to switch their website from HTTP to HTTPS to ensure the security of their users’ personal data.
So, not only can it benefit your rankings if you switch to HTTPS, but it might also get you a fat fine if you don’t. Although usually you will see some ranking boosts, if you mess up your redirects and don’t implement HTTPS correctly, your entire site can drop from the rankings. Make sure you know what you’re doing before you start.
How to Switch from HTTP to HTTPS
Switching from HTTP to HTTPS can be a hassle, especially if you’re not running on a popular CMS, like WordPress. However, you can take a look at the following guide to make sure you don’t make some of the biggest mistakes.
Acquire & Install an SSL Certificate
The first step is to acquire an SSL Certificate and install it. You might already have one, even if your website isn’t already running on it. Some hosting providers also offer free SSL Certificates. To find out, just go to https://yourdomain.com instead of the regular HTTP. If you see a red warning, you probably don’t have one (or it has expired). Then, just click the Information icon:
If the popup says Certificate: Valid then you have an SSL Certificate. Click it to see more details about it, such as for how long it is valid. If you don’t see the word Certificate there, then you probably don’t have one.
You can get an SSL Certificate anywhere. Just search Google for SSL Certificate and you’ll find plenty of providers. Search for the best deal and also look at user reviews. However, if you want to get a free one, you can try Comodo or Let’s Encrypt via Zero SSL.
You’ll have to provide some sort of verification, usually by uploading a file on your web servers (just like with Google Analytics or Google Search Console). They usually provide step by step guides on how to verify your identity. There’s more than one method, so pick the one that’s easiest for you.
Once you get the certificates, you’ll have to install them in your cPanel in the SSL Certificates section (Generate, view, upload, or delete SSL certificates). The process is pretty simple. Just scroll down and add the certificate. You should also be able to purchase certificates directly via the cPanel, if you’re looking for an EV Certificate, for instance.
Add HTTPS Version to Search Console
The next step is to go to your Google Search Console and add the HTTPS version of your website. You can also set the preferred version, but I highly recommend that you let Google choose for now and only do this after you’ve successfully implemented the HTTPS.
You should also make sure that the Google Analytics or any other web analytics software you’re using are also able to track HTTPS from now on.
Set up 301 redirects
This is the crucial step. If you don’t redirect properly, your rankings will drop! Why? Because Google will have to deindex the old HTTP site and index the HTTPS one, without having any idea that they’re actually connected. Also, users that land on HTTP versions (from old backlinks for example) will never get to see the HTTPS version.
To redirect from HTTP to HTTPS, you can either use a plugin or do it via the server. If you’re running on Apache Web Server, you can set the redirects via the .htaccess file. However, it’s a little technical and, depending on other functionalities, conflicts may occur.
If you’re running on WordPress, you’re lucky! You can use the Really Simple SSL plugin and it will do everything for you (set up 301s, change main domain to HTTPS and change all the links from the database to HTTPS).
So make sure that all HTTP versions will properly redirect to their HTTPS counterparts. Take into account www, non-www, slashed vs non-slashed and parameters.
Here you should also change the main URL of your website to HTTPS. This is usually done in some sort of configuration file. In WordPress, it can be changed in the General Settings area. The Really Simple SSL plugin will do this for you, anyway.
Change All Internal Links
Even if you change your main URL to HTTPS, some static content might stay unsecured. You have to make sure you fix this, otherwise some issues may occur.
Internal links: If don’t change the links from HTTP to HTTPS, you’ll get a mixed content warning; for instance, if you add one image on your homepage with HTTP (http://yoursite.com/image.jpg) but try to run the homepage through HTTPS (https://yourdomain.com). The mixed content warning shows the Information Bubble in the browser.
If you have mixed content, the green lock and secure message won’t appear, even if you have a valid SSL certificate installed.
The Really Simple SSL plugin should fix this on WordPress. However, if you ever added custom HTML into your site via a PHP file or HTML template, the links there won’t change. The plugin only changes the links that are found via the Database. You’ll have to search your website for internal HTTP URLs and Images and edit all those files to replace the HTTP with HTTPS.
Canonical Tags: Canonical tags are often forgotten. If you’re running through HTTPS and your canonical tag points to the HTTP version, Google will think that it has to index HTTP. The problem is that if HTTP 301 redirects to HTTPS then Google will get into a loop and it won’t be very pleased.
To find out if your canonical tags are properly set up to HTTPS, press CTRL + U while on your website in Google Chrome to view the site’s source, then search for canonical with CTRL + F.
Hreflang: Same thing as with canonical tags, the hreflang tags should point to the correct HTTPS counterpart, even though 301 redirects are in place. Make sure you check that in the source of the site.
Most of the times, this won’t happen when you’re using a popular Content Management System, but it can often happen on custom platforms and the effects can be devastating. Make sure everything is in order.
Other things that should be taken into account are XML sitemaps, external tools and e-mail systems (that might’ve run through unsecured channels).
Make Sure Everything Works Properly
Switching to HTTPS can often cause issues with plugins, APIs and other functions within the website. Make sure you browse your website properly for a couple of hours and test every segment of it. Access every page to see if it loads and test if the contact forms, online orders and filtering/search features are working properly.
You can also now set HTTP as your preferred version in Google Search Console. WWW vs. non-WWW is irrelevant, but non-WWW tends to be shorter, so there will be more space for the URL when it shows up in Google. However, if you’ve been running on WWW so far, it’s a good idea to keep the WWW even with HTTPS.
Resubmit Disavow File & Change Your Backlinks
Many forget that they have to resubmit the disavow files. If you have ever suffered from a negative SEO attack you must download the disavow file from the HTTP version in Google Search Console and upload it into the HTTPS version. Although the 301 redirects are in place, it’s really important not to forget this step!
A final step would be to change as many of your old backlinks as possible from HTTP to HTTPS. Even with the 301 redirects in place, a small percentage of the link equity might be lost. Start with your social media profiles and backlinks you know you can change for sure in very little time.
It’s not worth it to spend countless hours and e-mail everyone to switch your URL from HTTP to HTTPS, but if you have some way of managing it faster, it’s worth a shot.
Merging from HTTP to HTTPS can definitely help you improve your search rankings. Even if it doesn’t work right away, you’ll definitely see an improvement over time thanks to a better user experience. To be honest, the only downside of implementing HTTPS on your website is the fact that it’s a little bit of a tricky process. However, once you get over it and implement it correctly, nothing bad can happen.
What’s your experience with HTTPS? Have you encountered problems when merging your domain? Have your rankings increased/decreased? I’m curious. Let’s talk about it in the comments section!