HTTP to HTTPS | What Is An SSL?
Stephen McCance April 7, 2017
If you’re wondering how to transfer your HTTP website across to the HTTPS version, take advantage of this handy guide. Here we take you through what an SSL is and break down the concept for those of you who are completely confused by the whole thing.
It has been 3 year since Google kindly announced that making your website more secure would not only be a trend but a benefit to its performance. Despite the announcement and the brief spike of people switching their website, we are now several years on and we are still finding that hundreds of business owners are still yet to make the move, more to the point, they are still unaware of what it is and the benefit it has.
What Exactly Did Google Say?
All the way back in 2014, Matt Cutts posted a tweet on the 7th of August which stated that Google had published some clear guidelines on what they want to see from websites using HTTPS. It was also confirmed that because of the well-received response, they’ve made this a positive signal for ranking websites. The signal, however – as they went on to mention – is a very “light-weight signal” and will only affect less than 1% of global search queries. The secure signal will apparently carry less weight than other signals such as a website containing high-quality content but may become a stronger signal in the future. So if you’re reading this article and you’re at a loss about what a HTTPS is, let us give you some context. HTTPS – or hypertext transport protocol secure – is the protocol used for secure data transfer (Opposed to HTTP – the non-secured variant). With HTTP websites (not HTTPS), all data that is transferred can potentially be read or changed by hackers, and as a user, you can never be certain about whether your information on things like debit or credit cards, have been sent to the intended vendor and not a hacker. Simply put HTTPS, or SSL, encrypts the HTTP data and verifies the authenticity of whatever request it is. This whole process is carried out by using an SSL certificate, which is explained below.
So What Is an SSL?
An SSL, which stands for Secure Socket Layer, is a technique for encrypting and authenticating data securely from a person’s browser to a web server. As mentioned above, it is ultimately used to prevent hackers from getting a hold of the data users leave on a website (so in areas such as checkout pages or registration/contact forms). This is especially useful when it comes to e-commerce websites where confidential and sensitive information is unavoidably transferred when carrying out transactions. So when you land on any website the secured transfer would be through a standard SSL certificate – noticeable for users when they see that the website’s URL in the address bar is marked with ‘https://’. The opposed non-variant – mentioned above – can be seen as ‘http://’ which represents a standard protocol on websites – this way does not use SSL. When a person visits a https:// page, therefore, their communications, data and transactions are classified as safe from a potential information or identity theft. To give you an idea of the different types of sensitive data that should be protected with SSL encryption, we’ve listed some examples below:
- Registration data: names, addresses, e-mail addresses, telephone numbers
- Login data: e-mail addresses and passwords
- Payment information: credit card numbers, bank details
- Customer documents
- Data entry forms
5 Reasons To Make The Migration?
- More Security – As you’ll have gathered from the above, the switch helps towards making your website more secure, protecting your website from third party attacks.
- Trust – When you add an SSL certificate, a green padlock appears in your search bar instantly conveying trust and credibility to a user. It’s a little pointer for your customers that their information will be secure and protected!
- Data Integrity – Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Improved Referral Data Accuracy – Another reason to make the jump is because of the fact that when it comes to referral data, when going from HTTPS to HTTP it gets blocked in Google Analytics. To give you an example – if your site is still using HTTP – maybe you perform some clever and creative marketing that happened to go viral or gain masses amount of traffic from a site such as Reddit or YouTube etc. Both of these sites are running over HTTPS. Therefore, your referral data will be completely lost in Analytics and the hard work you’ve put into gaining that traffic could end up under direct traffic which is not very helpful. By getting the HTTPS, for those going from HTTPS to HTTPS the referral data will be passed meaning you get more accurate data to analyse.
- Slight Rankings Improvement – As described above, however slight, by investing in HTTPS, your site could receive a small boost in rankings due to it being a lightweight ranking signal.
Making The Switch
There are essentially two ways you can go about this. For starters, if you’re in the field or you’re somewhat of a tech expert then there is a handy guide from Search Engine Land that breaks down the various elements of the switch, quoted below:
- “Start with a test server. This is important because it lets you get everything right and test without screwing it up in real time. Even if you are doing the switch without a test server, there’s almost nothing you can do that you can’t recover from, but it’s still best practice to have a plan and have everything tested ahead of time.
- Crawl the current website so that you know the current state of the website and for comparison purposes.
- Read any documentation regarding your server or CDN for HTTPS. I run into lots of fun CDN issues, but it can also be straightforward.
- Get a security certificate and install on the server. This will vary depending on your hosting environment and server setup too much for me to go into details, but the process is usually well-documented.
- Update references in content. This can usually be done with a search-and-replace in the database. You’ll want to update all references to internal links to use HTTPS or relative paths.
- Update references in templates. Again, depending on how you deploy, this might be done with Git or simply Notepad++, but you’ll want to make sure references to scripts, images, links and so on are either using HTTPS or relative paths.
- Update canonical tags. Most CMS systems will take care of this for you when you make the switch, but double-check, because that’s not always the case.
- Update hreflang tags if your website uses them, or any other tags such as OG tags for that matter. Again, most CMS systems will take care of this, but it’s best to QA it just in case.
- Update any plugins/modules/add-ons to make sure nothing breaks and that nothing contains insecure content. I commonly see internal site search and forms missed.
- CMS-specific settings may need to be changed. For major CMS systems, these are usually well-documented in migration guides.
- Crawl the site to make sure you didn’t miss any links and nothing is broken. You can export any insecure content in one of the Screaming Frog reports if this is the crawler you are using.
- Make sure any external scripts that are called support HTTPS.
- Force HTTPS with redirects. This will depend on your server and configuration but is well-documented for Apache, Nginx and IIS.
- Update old redirects currently in place (and while you’re at it, take back your lost links from redirects that haven’t been done over the years). I mentioned during the Q&A portion of the Technical SEO Panel at SMX West that I’ve never had a site drop in rankings or traffic when switching to HTTPS, and a lot of people questioned me on this. Due diligence on redirects and redirect chains is likely the difference, as this is what I see messed up the most when troubleshooting migrations.
- Crawl the old URLs for any broken redirects or any redirect chains, which you can find in a report with Screaming Frog.
- Update sitemaps to use HTTPS versions of the URLs.
- Update your robots.txt file to include your new sitemap.
- Enable HSTS. This tells the browser to always use HTTPS, which eliminates a server-side check and makes your website load faster. This can also cause confusion at times, since the redirect will show as 307. It could have a 301 or a 302 behind it, though, and you may need to clear your browser cache to see which.
- Enable OCSP stapling. This enables a server to check if a security certificate is revoked instead of a browser, which keeps the browser from having to download or cross-reference with the issuing certificate authority.
- Add HTTP/2 support.
- Add the HTTPS version of your site to all the search engine versions of webmaster tools that you use and load the new sitemap with HTTPS to them. This is important, as I’ve seen traffic drops misdiagnosed because they saw the traffic in the HTTP profile drop, when the traffic in reality moved to the HTTPS profile. Another note for this is that you do not need to use the Change of Address Tool when switching from HTTP to HTTPS.
- Update your disavow file if you had one for the HTTPS version.
- Update your URL parameter settings if you had these configured.
- Go live!
- In your analytics platform, make sure you update the default URL if one is required to ensure that you are tracking HTTPS properly, and add notes about the change so that you know when it occurred for future reference.
- Update your social share counts. There’s a lot of gotchas to this, in that some of the networks will transfer the counts through their APIs, while others will not. There are already guides for this around if you are interested in keeping your share counts.
- Update any paid media, email or marketing automation campaigns to use the HTTPS versions of the URLs.
- Update any other tools such as A/B testing software, heatmaps and keyword tracking to use the HTTPS versions of the URLs.
- Monitor everything during the migration and check, double-check and triple-check to make sure everything is going smoothly. There are so many places where things can go wrong, and it seems like there are usually several issues that come up in any switch to HTTPS.”
If however, all of that has gone over your head and you just want someone to handle this for you then you’ll be pleased to hear that your hosting company can take care of this for you. This is often the case when it comes to small business owners as first of all they don’t have the time, nor do they have the technical knowledge. Many hosting companies offer different packages where they take care of the SSL certificate purchase, they make the installation and they take care of things such as the 301 redirects (from your HTTP to HTTPS site). Despite its cost, you will make this back on the amount of time and frustration you’ll save yourself. It will make more sense so that no errors occur either, which will more than makeup for the fee. As someone else will be handling the technical side, it is always important that you still understand the process even on a basic level so reading the above as a checklist is worth the time. You may also want to check the following:
- Continuously contact your web hosting company to make sure you understand exactly what’s included and get them to re-explain any elements that you’re unsure about.
- There are different types of SSL certificates so make sure you get clarification on the one you’ll need for your site.
- You can also either use an SSL certificate which is given to you by your hosting company or you alternatively can choose to get a certificate which has been bought from a different vendor. *Please note this may change the price of your package depending on your provider.
And Finally… The Possible Mistakes
After experiencing several of these migrations, there a few common problems that you’ll need to look out for in order to ensure it has been done correctly. With all website changes, errors can occur so don’t panic, they can be sorted!
- Check that the redirect from the HTTP to the HTTPS (the resolve if you like) works across all of your pages. This is the most common problem. You can find that past redirects or coding rules override the new changes so you need to ensure it is functioning correctly. If they don’t then you will find that you have duplicate content issues as both versions will show.
- The change prevents Google from crawling the HTTP version of the site, or alternatively, it stops site crawls in general (usually due to not updating the test server to allow bots).
- There could be different versions of the HTTP and HTTPS showing.
- Check that the re-directs not only work but also that they work for your internal links too. Failure to do so could lead to duplication/page errors. Furthermore, your external links could be affected if the redirect is not in place correctly – so check these too!
- Remember to update your XML Sitemaps. It will need to be updated and recorded in Search Console.
- Finally, remember to convert your Search Console and Google Analytics. Despite their being redirects, in theory, the HTTP and the HTTPS versions are technically two different websites, which is why the new HTTPS version will also need to be registered in Search Console or Webmaster Tools is you’re still going off the old name!
If you’re interested in updating your website to HTTPS, please get in touch with us today as we would be more than happy to assist you if you have any questions or if you’re interested in carrying out a service with us!
Article by our SEO Manager Stephen Darwin.