The difference between HTTP and HTTPS is much more than just one letter. It’s an essential move website owners must take, to make the internet a safer place for all.
HTTPS is a secure, encrypted version of the Hypertext Transfer Protocol used to send data between your browser and the website you are connecting to. Website owners have been slowly moving their sites over to HTTPS, but naturally, there’s resistance.
According to a study by DeepCrawl, an astonishing 78% of websites have not yet made the switch to HTTPS. And on Outbrain’s native advertising network, the stats are only slightly better – only 34% of content served is HTTPS.
I truly think it’s time to WAKE UP AND SMELL the SSL!
Many site owners are too busy and hassled to bother, not realizing how important the move is to their site’s security. Others are concerned that the migration will affect their traffic, slow down their site or complicate third party links. These fears abound, even though it is well-known that Google’s search algorithm actually favors HTTPS over HTTP, which means that migrating to HTTPS may even slightly improve site traffic in the long run.
Most site owners are dragging their feet, and Google knows it. So the search giant has come up with an effective solution. Slap on a strict deadline! Google recently announced that in July 2018, Chrome will start notifying users about insecure websites. If you don’t migrate your site before then, this is how your URL will look in the address bar to all your site visitors using Chrome. And it’s not a pretty sight:
SSL is one of those things that site owners simply must address, and the sooner they start planning their action items – the better.
How can you migrate to secure SSL?
There are tons of useful guides, but I recommend first finding out everything you can about SSL. Then take a look at this great checklist by the amazing Aleyda Solis, and adapt a copy for your own use. I’d also recommend reading some migration fail stories, so you can avoid making common mistakes.
And finally, to help make your migration truly successful, we’ve gathered some top experts and asked them to share their best tips for a smooth SSL migration:
Sam Warren, Director of Marketing at RankPay.com
“My one tip for webmasters who haven’t yet made the switch is to stop procrastinating. Seriously. Google is ramping up the ways in which they’ll highlight ‘non-secure’ websites in Chrome, and we’ve known for years that having an SSL is indeed a ranking factor in the Google algorithm.
If you don’t feel like you have the technical skills to properly install the certificate, you can always hire an outside expert or agency to handle the transition for you. But I’d strongly urge any and all webmasters to jump on the bandwagon ASAP.”
Olga Andrienko, Head of Media at SEMrush
“The best tip for those who haven’t yet adopted the HTTPs protocol is – Just Do It! Google recently announced that (on Chrome so far) all the pages in the near future that are not HTTPs-friendly will appear with a ‘not secure’ mark. And that is really the end of your optimization. No one wants to open a website with that tag.
So, once you’ve decided to migrate your site to HTTPs, try to avoid the most common mistakes.. At SEMrush, since we have an HTTPs-check within our toolkit, we conducted a research on the frequency of HTTPs Implementation mistakes (we analyzed over 100,000 websites). So here are the biggest pitfalls:
- 9% of analyzed websites still have insecure pages with a password input.
- 50% of websites have mixed content. This is when your page is loading over secure HTTPs connections but contains elements (such as images, links, IFrames, scripts, etc.) that are not secured with HTTPs.
- 50% of the websites we analyzed don’t make sure their internal website links, images, and scripts point to an HTTPs version.
- On 8% of the websites we analyzed (excluding ones supporting HSTS) HTTP home page does not correspond to the HTTPs version. And we are just talking about home pages here – can you imagine how many pages on the rest of these websites have not been properly redirected?
- 5.5% of websites have included the HTTP page in their sitemap or hreflang entries rather than the HTTPs version.
- 2% of the analyzed websites have expired SSL certificates.
- 6% of the analyzed websites registered SSL certificate to an incorrect domain name.
- 86% of analyzed websites don’t support HSTS.
- 3.6% of the analyzed websites have an outdated version of a security protocol, which makes it very easy for rogues to steal your data.”
Jesse Matz ROI Lead Strategist at No to the Quo
“One of the common things I see when switching a website over from HTTP to HTTPS is mixed content. This literally means packets being sent over through both secured and non-secured channels. Typically, the culprit is images. Static images to be precise. They typically don’t update in the content from the migration. One tip for late people getting in Google and other search engines are now making SSL a standard practice for Search Engine Optimization (SEO). This was already known back in 2014, but we as marketers are just starting to see correlation and minor ranking boost to keywords for websites that have migrated over to SSL. Effective July 2018, the Chrome browser will mark non-HTTPS as “Not secure”. This could be a potentially huge determent to existing traffic coming to your website from that browser. And with over 40% of users on a Chrome browser, it could be a big hit to non-secured websites.”
Steven Macdonald, Digital Marketing Manager at Superoffice
“In 2017, I moved the SuperOffice websites (8 in total) from HTTP to HTTPS. The first website we migrated to HTTPS was the site that received the lowest traffic, so it gave us a chance to see how quickly we would lose or gain traffic.
Like most webmasters, I was worried that the new sites wouldn’t get indexed quickly after the launch, so I created a migration checklist of things to do once a website went live. This included the usual steps of implementing redirects, canonicalizing the HTTPS URL, adding the new site to Google Search Console, etc. But one thing I tried that I haven’t seen on any other HTTPS migration checklist is to share the new HTTPS website in Google Plus once the site is live.
I’ve seen new content get indexed by Google in minutes once shared on Google Plus, so as a test, I shared the home page of the new HTTPS website and +1’d it for good measure.
Now, the new HTTPS site wasn’t indexed within minutes, but it didn’t take long before it was (a day or two), helping us minimize traffic loss that usually comes with HTTPS site migrations.
If you’re thinking of switching to HTTPS, then I recommend sharing the site on Google Plus after the move. There’s no risk, and you have a lot to gain by trying!”
Gavin Duff, Head of Digital Performance at FridayAgency
“Step one is to crawl your current website. Tools like Xenu Link Sleuth, Integrity and Screaming Frog can help here. You need to document every page as well as their SSL status.
Step two is to benchmark your analytics data and performance in both Google Analytics and Google Search Console so that you can compare to past performance after migrating to HTTPS.
Step three is to ensure that you have a custom 404 page in place – otherwise, it will be difficult to report on errors after implementation.
Once this is done, you are ready to implement your SSL certificate but proceed with a checklist in mind for post-implementation:
- Re-crawl the website using more than one tool and identify any URLs that are still not displaying as HTTPS (secure).
- Update any references to non-HTTPS URLs in pages, content or templates. Pay particular attention to your navigation – you don’t want unnecessary internal redirects, which is non-HTTPS redirecting to HTTPS after you’ve implemented this.
- Update your canonical tags so that they also refer to HTTPS web pages.
- Look at all website plugins or modules, for example, contact forms, and ensure that these are also secure.
- By making the switch to HTTPS, you are also essentially creating redirects from third party websites that link to you – so reach out to those you feel can change your link to the HTTPS version. And if you own other websites yourself that link to you then ensure that these links are amended too.
- Review all of your social profiles and ensure that your links are changed to the secure version.
- Review internally used e-mail signatures to ensure that links within these are also changed to reflect the move for consistency.
- Submit the new HTTPS version of your website to Google Search Console and Bing Webmaster Tools so that you can monitor its performance and visibility.
- And lastly, do NOT forget to change your URLs in Google AdWords and any other media platforms for which you are currently assigning a budget.
As an agency, we have never seen a drop in traffic as a result of HTTPS migration, and this is a direct result of following the steps above. For those who are concerned about making this move, engage with someone who has been through the process before and follow the above advice.”
Bradley, SEO Expert Brad Inc.
During the last few months, the most common call I have received is from people who moved to HTTPS and noticed a significant drop in organic traffic. Most of the time, the fixes are simple, but not always.
A lot can go wrong, especially with a more substantial website. I always start with backing up the entire website. Then I create a visual sitemap, as well as download the URL structure in a spreadsheet.
http://yoursite.com and https://yoursite.com are viewed as separate entities by Google. After the move to HTTPS, go to the Google search console and create a new property for the HTTPS version, then submit your new sitemap. This will let Google know you have made a move to HTTPS and reduce duplicate pages appearing in the search results.
If your canonicals are still pointing to HTTP, you are confusing Google. Make sure each page has the appropriate canonical.
Third-party applications or plugins frequently create issues after migration. They each need to be checked.
From my experience, if a migration is done correctly, a slight dip in traffic may happen in the short term, but long-term rankings may even see a small bump.
When it comes to migrating to HTTPS, it’s not a matter of ‘if’, but ‘when’. Apart from being important to your site’s security, SSL is also critical for your brand image. No visitor to your site will feel at ease seeing the words ‘NOT SECURE’ emblazoned alongside your URL. And Google’s move to impose the July deadline for migration means that the clock is ticking. If you’re a site owner, and you’re too busy or overwhelmed to handle it yourself, hire a professional to do it for you. But if you want to roll up your sleeves and dive in, then follow the expert HTTPS migration advice outlined above. You’ll be well on your way to making your site secure – and search-friendly.