Do you know that 68% of internet users believe that current laws for protecting their rights are not good enough?
No wonder Google has taken a strict stance to ensure that it protects the privacy of their consumers. Security, they say, has always been “a top priority” for them.
So, in order to implement an advanced secure connection for users, in 2014 the search engine giant announced HTTPS as a ranking signal.
And, ever since Google made this announcement…
Marketers around the world have gone into a frenzy. They want to know, is SSL good for SEO? If so, which type of SSL certificate will bolster their search engine optimization efforts? Does it enhance the user experience?
There is a lot of chatter around moving your website to HTTPS.
Yet, most webmasters are still confused whether it’s worth the effort to implement an encrypted certificate. How do I know, they ask?
Just 1.9% of the top 1 million websites redirect users to a default HTTPS/SSL version. Even when you look at the Quantcast top 10,000 websites – a measly 4.2% have made the shift to this secure version. Overall, less than .1% of the websites on the internet are secure.
Further, a majority of webmasters didn’t even plan to switch to the secure HTTPS version. Here are the results of a 2014 poll, conducted by Moz.
On the surface, this makes sense, because only 1% of global searches take HTTPS into account as a ranking signal.
But, the mystery remains…
I am sure that you would like to explore, with concrete data, whether switching to secure HTTPS will improve your rankings with search engines and thus your business results. That’s what you’ll read in this article.
But, before we dive into data around the subject, I am sure many of the non-technical people here don’t understand what HTTPS is all about, let alone the challenges that websites face in switching from HTTP. So, first, let me briefly address this.
The benefits of switching your website to HTTPS and the potential challenges associated with it
The main benefit of Hypertext Transfer Protocol Secure (HTTPS) is that it provides a secure connection to users on the pages where they share personal data with you. It’s great to have on your entire website. But, when a user shares precious info, like credit card details, HTTPS adds extra layers of protection.
You’ll need to install a Secure Socket Layer certificate (the protocol that HTTPS uses) to ensure that data between your web server and browser remains private and secure. When an SSL certificate is installed on a web server, it operates as a padlock and acts as a secure connection between the web server and browser. An SSL certificate binds together your domain name (or server or hostname), company name and location. While how an SSL certificate works goes into more details–involving a public key and a private key–what you need to know here is this: Even if a hacker manages to intercept your data, he won’t have the private key to decrypt it.
So, HTTPS and SSL prevent man-in-the-middle attacks.
If you’ve installed an SSL certificate and configured it on your web server, Chrome and Firefox will show the green light – the second icon in the screenshot below. Visitors might even get warnings on certain pages of your website that may prompt them to drop off your website. In other words? An SSL certificate is essential for some businesses.
Another benefit of switching to HTTPS is that your referrer data remains intact.
What do I mean?
Well, when you move from a secured HTTPS to an unsecured HTTP, referral data is lost. And, it appears as ‘Direct’ in your analytics report contributing to what we call the ‘dark’ traffic on the internet.
Finally, Google has stated that if all other factors are equal, HTTPS can act as a tiebreaker in the search engine results. Cloudtec witnessed almost double the number of top 10 search engine rankings, after switching to HTTPS.
Their overall page visibility also improved.
Now that we’re aware of the benefits, let me address 3 common challenges that might prevent you from making the switch to HTTPS.
1. Google has resorted to preferentially indexing HTTPS versions of pages over their duplicate HTTP version. Does this mean there will there be a loss of link juice, as the links pointing to the HTTP version of the page are not getting counted?
Nope.
John Mueller clarified that Google will count collective signals from inbound links pointing to both the HTTP and HTTPS versions of a page.
2. Although you can get an SSL certificate for free, the costs can shoot up to $1,499/year if you opt for an SSL certificate from a provider like Symantec. And, if your website is huge, then the costs associated with encrypting the transferred data can add up to a significant amount.
Such high costs for an SSL certificate aren’t justifiable for small business owners with limited budgets.
3. If you don’t get it right, then you might end up with duplicate content issues, with both HTTP and HTTPS versions of your page getting indexed. Different versions of the same page might also show up in search engine results, confuse your visitors and lead to a negative user experience.
Now that we’ve had a glance at the benefits and challenges associated with HTTPS, let’s look at the data.
Are HTTPS websites getting special treatment from the search engine giant in SERPs? Here’s what the data says…
Brian Dean teamed up with SEMrush, Ahrefs, SimilarWeb and MarketMuse to analyze 1 million Google search results.
He found that HTTPS is moderately correlated with higher search rankings on the search engine giant’s first page.
He emphasized following a couple of pointers based on his analysis:
- Don’t make the switch to HTTPS solely for SEO purposes. It’s a resource intensive process and there isn’t a strong correlation between the two.
- If you’re starting a new website, then it’s a good practice to have HTTPS in place from day 1.
Next, let’s look at Moz’s 2015 search engine ranking factors, based on their analysis of 17,600 keyword search results from Google.com (US).
Again, Moz only found a slight positive correlation between the https URL and rankings. But, it’s so low that other page-level keyword agnostic features, like using ‘Google Analytics on the page,’ beat it. They flagged it as merely a “tie-breaker” – which Google had already indicated.
Last, let’s look at the analysis, by Linkspy, of how HTTPS settings affect the SEO of 10k domains.
Their major findings are summed up in the infographic below.
As you can see, less than 1 in 10 websites actually have a flawless HTTPS set up. And, more than 60% of the websites have no HTTPS set up at all. If we take the SSL errors into account, the number rises to 65%.
So, where do the above 3 studies leave us?
HTTPS isn’t a huge ranking factor for search engines right now, although it might have a huge impact later.
Google has incentivized moving to HTTPS. And, Chrome browsers will soon start shaming your unencrypted website for serving an unsecured HTTP version to the users.
But, make the HTTPS switch only if it makes economic sense for your business.
- If you’re a blog owner that only asks for email info from your visitors, you’re better off spending your limited budget somewhere else. Bing has publicly announced that it has no plans to give websites with HTTPS a ranking push.
- You can also selectively switch to HTTPS versions on the payment pages of your website and wherever you ask for sensitive info from your customers that calls for a secure connection.
If you’ve decided to implement HTTPS, then I’ll show you the process, step-by-step, in the next section.
How to take the HTTPS leap in 4 simple steps?
On August 8, 2014, Buffer was among the early adopters of HTTPS and they saw 90% of their organic traffic drop soon after they made the switch.
They, however, recovered their traffic in about 20 days, after getting in touch with John Mueller from Google and finding it was an issue the search engine giant didn’t expect.
Moz has also conversed privately with webmasters that have seen their traffic and conversions drop after implementing the secured HTTPS protocol.
Since the switching involves changing your fundamental URL structure, you need to take special care. Here are the four simple steps that you need to follow.
1. Buy a relevant SSL certificate (preferably from your hosting provider)
There are 3 basic kinds of SSL certificates that you can buy and install on your site. Hosting Advice has compiled a nice table with the features and suitability of each SSL certificate.
If you’re a really big website that’s primarily focused on commerce, then I recommend the extended variation. They come with a green address bar that breeds trust on the internet and improves the user experience.
The Domain Validation certificate is cheap and can be issued almost immediately.
If you choose to buy the organization validation certificate, then the search engine giant recommends that you to buy 2048-bit encryption certificates.
I highly recommend buying the SSL certificate from your web host, because that way you get them to install it on your server for free. Otherwise, you’ll need to perform the steps manually or by hiring a contractor.
2. Crawl your current website, update all of the links and set up 301 redirects
Were you considering any changes to your content hierarchy or site structure?
Then, now is a good time to implement them.
But, first…
You need to compile a URL map, listing all the pages on your website in a spreadsheet.
If you haven’t been using relative URLs while hyperlinking, you’ll need to update every URL manually in your database and site. You can’t skip any URL or metadata fields. I recommend that you use a tool for running these update queries.
On WordPress, you can use the free search/replace database script InterconnectIT tool.
Ensure that you run all of the website formats that you’ve used over the years.
- https://yourdomain.com to https://yourdomain.com
- https://www.yourdomain.com to https://www.yourdomain.com
Note: Run these update queries on a test server, first. If you don’t or can’t, at least take a backup of your database to remain safe. The tool I mentioned above provides a ‘dry run’ option – so you can see the results before you perform the ‘live run.’
You should also update the custom scripts and third party hosted scripts to their HTTPS versions. Otherwise, you might get content warnings, like ManageWP below.
You can even test your website for non-secure content, with this free tool by Jitbit. Since the tool started overloading Jitbit servers, they ask you to tweet about it to gain access.
Next, set up domain-wide 301 redirects from the http to the https version of your website, by adding the following code to the .htaccess file.
Note that this code is valid for websites hosted on Apache servers.
“
1 RewriteEngine On
2 RewriteCond %{SERVER_PORT} 80
3 RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
”
If your current URL structure doesn’t contain a “www”, then eliminate it from the third line above, as well.
The redirects are an extremely important part of this migration. If you mess up this step (for example, by doing a temporary 301 redirect), then you might end up hurting your rankings with search engines.
Also, don’t perform a bulk migration with a plugin. These hundreds of simultaneous URL changes are better performed at the server level. The process for setting up server redirects is well-documented for Apache, Nginx and IIS (just search for them).
3. Update the HTTPS version of your website in your robots.txt, CDN, Webmaster tools and Google Analytics
If you’ve set up any blocking guidelines in the robots.txt file, then you need to update the HTTP directories to their HTTPS versions.
Next, you need to install your SSL certificate on your CDN – for which, you need to first ensure that your CDN supports HTTPS (Cloudflare does).
Most CDNs offer 3 options – custom SSL, shared SSL and Let’s Encrypt integration. Here are the differences between them to help you choose.
All of the files (including the images on your website) must point to their HTTPS locations on your CDN. You might need to contact the support team from your CDN to properly enable HTTPS support on them.
Once all of the links have been updated (including updating the hard-coded links to HTTPS), it’s time to update your website address, inside Google tools.
You’ll need to create a new search console profile for your HTTPS website.
And, I recommend that you resubmit your sitemap for this new listing.
Inside Google Analytics, you can update to the HTTPS version of your website from the profile settings.
You’ll also need to update your canonical tags, social media links, email marketing software links and also migrate your social share counters.
4. Perform a quick test and ensure that everything works well
Key your website into the Qualys Lab tool.
It will scan your website, checking if your SSL certificate is installed properly and give you an overall grade.
Even after performing all the aforementioned steps, if you experience a drop in rankings:
Then, either retry the above steps, get in touch with your host for help or hire a search engine optimization consultant.
Conclusion
HTTPS have a minor effect on search rankings right now, but it might have a huge impact later. If your business has the budget for shifting to the protocol, then you can perform the migration in the four simple steps I outlined in this article.
Keep in mind that there may be other factors and options to consider. A wildcard cert, for example, will secure your domain name and any unlimited number of subdomains, acting like a regular SSL certificate.
Ultimately, if your budget allows for it, a security certificate will bring you a measure of comfort while also building trust and enhancing the user experience.
Have you made a shift to HTTPS? What are the major challenges you encountered?
Comments (139)