This post is part one of a two part series on HTTPs and HTTP/2 migrations. To learn more about migrating to HTTP/2, click here.
On September 8th 2016, Google announced that in 2017, they will “mark HTTP pages that collect passwords or credit cards as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.” Simply put, Google is moving closer to a secure web by including warnings in the Chrome browser for sites that are not secure.
2017 is right around the corner, but it’s not too late to learn how to migrate your website to HTTPs. In this blog post, you’ll learn about why this change happened, what it means for your website, and how you can get your HTTPs migration up and running.
How did we get here?
Since the 2014 I/O Conference, Google has made security one of their top priorities both for their own properties as well as the web as a whole. In 2014, Google indicated that websites served over HTTPs would receive a rankings boost going forward. This came as big news to many in the SEO industry, but the ROI associated with a migration of this magnitude remained unclear.
Conventional wisdom indicated that the move to HTTPs, especially for large, enterprise sites, incurred more risk than reward. HTTPs migrations aren’t without complications, and many companies have actually experienced a drop in SEO visibility when they migrated to HTTPs (Wired.com’s migration is a good example).
So what has changed? Simply put, we are reaching critical mass. When Google announced the initiative to reward secure websites, only about 7% of all page 1 Google search results were secure websites. Now, that number is closer to 30% and is growing rapidly.
Numerous sites have already taken the plunge into HTTPs, and the number continues to increase. According to BuiltWith, of the top million sites, 9% are currently SSL by default. This is up from 2.7% in September 2015.
Top Million Sites with SSL by Default — BuiltWith.com
Clearly, the scales have started to tip in favor of those with secure sites. But despite the difficulties of migration, there are measurable benefits.
Site security affects your brand, for better or worse
If the small rankings boost wasn’t motivation enough, the website shaming imminent in 2017 greatly increases the risk of negative brand associations. Having your site flagged by Chrome as insecure will certainly have an adverse impact on your brand. But, the converse is true for secure sites.
Having an HTTPs site not only provides an added level of security, but also builds customer trust. According to a study by GlobalSign, over 9 out of 10 customers are more likely to trust a site, leave personal information, or make a purchase when they know their data is sent over a secure connection.
Even more astounding? 55% of users are worried about identity theft online. 77% of users are concerned about their data being misused online. And a whopping 84% would abandon a purchase if data was sent over an insecure connection. Unsurprisingly, users look for security indicators before taking action online:
Clearly, HTTPs is important not just for your search rankings, but also for maintaining positive branding and achieving maximum ROI.
HTTPs improves your analytics data
When an HTTPs (secure) site links to an HTTP (non-secure) site, this can cause the header information to be blocked. This means that if your site is not secure, and a secure site (like Google) links to you, any header information from that domain is missing and the sessions are categorized as “Direct” in Google Analytics. Simply put, not having a secure site makes header information—such as referral source—more likely to be incorrect.
There are two solutions to this problem:
- Completely migrate the whole site to HTTPs.
- Add the HTML5 tag
<meta name="referrer" content="always" />to the head of the HTML document.
Because the HTML5 tag is currently supported on limited browsers, it’s wise to fully migrate to HTTPs to prevent data confusion in your analytics platform. Here’s how you do it.
How to Migrate to HTTPs
First things first: obtain an SSL certificate
Before you start migrating to HTTPs, you need to make sure you obtain an SSL certificate from a provider and install the certificate on your server. This certificate enables an encrypted connection to the website and provides security for online communications.
There are three types of certificates:
- Single certificate — for single site (e.g. www.site.com).
- Multi-domain certificate — for multiple well-known sites (e.g. www.site.com, m.site.com, site.co.uk).
- Wildcard certificate — for a site with many dynamic subdomains (e.g. x.site.com, y.site.com).
Google recommends that your certificate be 2048 bits, and the authority issuing the certificate will need to verify that the web address belongs to your organization.
Google also recommends that webmasters use a web server that supports HTTP Strict Transport Security (HSTS) and that it is enabled. HSTS tells the browser to request pages using HTTPs automatically even if the user enters “http” in the browser. HSTS also indicates to Google to serve secure URLs in search results.
The SSL certificate should also be installed on your Content Delivery Network (CDN). Additionally, your origin URL should be updated on your CDN to point to HTTPs rather than HTTP. During this process, Search Discovery recommends enabling HTTP/2 simultaneously. But more on that in part 2.
Requirements Checklist for Analytics, Organic, & Paid
In order to successfully migrate to HTTPs, make sure you do all of the following:
- Update all links (hard coded and dynamic) to point to HTTPs
- Update canonical tags, alternate tags and rel=prev/next tags to point to HTTPs
- Add server-side 301 redirects from HTTP to HTTPs
- Update legacy 301 redirects to point to their new HTTPs target
- Ensure that HTTPs is not blocked in the site’s robots.txt file
- Update all external plugins to ensure that they are HTTPs compliant
- Update ad code and pixels to support HTTPs
- Ensure that analytics is configured to track HTTPs
- Update social sharing counts (if applicable) to count both HTTP and HTTPs or chooses one based on cut-off date
- Also update social media links to point to HTTPs
- Develop and submit new HTTPs sitemaps
- Verify HTTPs site(s) with Google Search Console and Bing Webmaster Tools
- Update any paid search campaigns to avoid redirects
Possible Impact on Organic Search
As with any significant site change, there is a strong likelihood of incurring rank fluctuations while search engines re-crawl and re-index your site. This fluctuation can take several weeks to settle, but engaging a partner to help provide guidelines, governance and migration assistance can greatly minimize visibility fluctuations and/or traffic loss.
As a general rule, a medium-sized website can take a few weeks for most pages to move in our index; larger sites can take longer. The speed at which Googlebot and our systems discover and process moved URLs largely depends on the number of URLs and your server speed. Submitting a sitemap can help make the discovery process quicker, and it’s fine to move your site in sections. ‑Google
While securing your website may lead to some increased rankings in Google, securing your customer’s data is simply the right thing to do for your brand. Customers trust websites that are secure, and HTTPs will build that trust while also increasing conversions. Plus, you’ll be making the web a more secure place for everyone in the process.
Now, for part two: HTTP/2 migrations! Read on to learn more about how the site speed improvements with HTTP/2 can have a major impact on your site traffic and revenue.
Got more questions? Need some help getting your HTTPs migration up and running? Our SEO team has a proven record of seamlessly migrating sites without sacrificing search rankings. Contact us for more information!