It shouldn’t come as a shock that Google, other browsers, and users in general want the web to be more secure.
Therefore, the time is now upon us to get websites moved from HTTP to a more secure version that is HTTPS.
As the latest in a long list in ranking factors, the process – and the process of doing it right – is confusing a lot of people. We therefore thought we’d take moment to discuss HTTPS and what you should be doing.
What is HTTPS?
HTTP stands for Hypertext Transfer Protocol Secure. A combination of HTTP with the Secure Socket Layer (SSL) it is an authentication and security protocol widely implemented to secure data between machine (be it laptop, mobile, or tablet) and your web server. Effectively it protects your user’s connection, thereby increasing their trust in your business.
When data is transferred via HTTPS it uses what is known as a Transport Layer Security protocol (TLS) that offers three key layers of protection:
Encryption – This keeps data secure and stops someone from “listening” in or tracking your site users activities.
Data Integrity – Keeps your data safe from corruption or modification and any attempts made to do so will be detected.
Authentication – This proves to a user they are passing and receiving data only from a verified site.
A More Secure Web
As of January 2017 Google Chrome will highlight webpages that collect passwords & credit card numbers or hold other forms that are not HTTPS as “non-secure”. This could see websites that don’t move to the more secure version losing a lot of converting traffic where users are put off for fear that their security could be potentially compromised.
For more information have a read of the Google Security Blog.
Google’s overall plan is to eventually highlight whole websites as non-secure if they are not using HTTPs; not just specific web pages regardless of forms on them or not. It is envisaged that their warning on Chrome will look like the example to your right.
Highlighting pages as insecure is designed to put your website users off; so it will pay to get HTTPS up and running on your website properly now.
What do You Need to do?
Moving from HTTP to HTTPS will take a lot of careful planning to ensure that your site is successfully migrated. To start, you’ll firstly need to purchase an SSL certificate, typically from your current web hosts or a Certificate Authority to make your site HTTPS. There are a three certificate types you can choose from:
Single Certificate – For single use on a domain and the one most small business will want to adopt. For example www.domain.co.uk
Multi-Domain Certificate – For larger websites which have multiple and well known secure sub domains.
Wild Card Certificate – This is unlikely needed for SME’s, but it is one for dynamic sub domains – ones that regularly change.
Once you’ve chosen your relevant certificate you’ll have to go through a process to verify that you and you website are who you say you are in a bid to prevent “man-in-the-middle” attacks. We’d recommend that before you complete your purchase, make sure you are buying a SSL certificate with a 2048 bit key and not a 1024 one.
Finally, you’ll want to check your web server can also run HTTP Strict Transport Security which instructs browsers to only request HTTPS pages, even if the user taps in HTTP into their browser. You also get the added benefit that it tells Google to ONLY list your HTTPS pages in its listing.
So You’ve Got HTTPS Set Up, Now What?
You have got HTTPS but the process doesn’t just stop there.
In fact, there are a number of steps you need to check off your list to ensure that you successfully migrate your website from HTTP to HTTPS.
- Test your HTTPS certificate here – you shouldn’t accept anything less than an “A”.
- Ask your web developers (or those with root access to your web files which is not always your SEO) to place all pages, posts, files, images, PDFs, and other assets into the HTTPS section on your hosting.
Bear in mind that it can be quite common for developers to mix elements on a page from HTTP and HTTPS. Typically images are left behind in the HTTP version of the site and when these are called in a HTTPS page the users browser will give out a warning (which could put users off from using your site) so check everything is in the HTTPS section correctly.
Also note that WordPress posts can be a culprit where images are loaded in the backend editor so keep a close eye on these and update image paths as necessary.
- Check that your txt file is set to block bots from crawling your HTTPS files. Once complete remove that reference to ensure bots can still reach your site. We also recommend you avoid the use of robots no-index tag in your pages.
- You’ll need to set up 301 redirects from the HTTP to the HTTPS version on a page by page basis. Google treats migration from HTTP to HTTPS as a “site move” so you’ll need their bots to crawl your content on the HTTPS side.
- Make sure you developers update all internal links. We have seen instances where links inside a HTTPS site are all okay apart from one subsection of the site that links back to HTTP pages. Once you’ve made your site secure periodically check all internal links are sending users the correct HTTPS versions.
- Update your XML sitemap to reference HTTPS files and not HTTP. Don’t forget to update the canonical tags in your pages to HTTPS too.
- Remember to head over to Google Search Console and add and verify both the non www. (https://domain) and the www. (https://www) version of your domain. Then set the preferred domain you want and by all means use Fetch as Google to encourage Google bots to crawl the HTTPS pages.
Beyond the Migration
The process of switching to HTTPS doesn’t just stop at the overall migration, you need to set your diary to remind you to renew the Security Certificate as they tend to expire every 2 or 3 years. So make sure you don’t lose it.
Then, finally, just monitor your rankings daily and regularly crawl your website to spot any technical SEO issues that might need fixing. Any migration if done incorrectly can have as serious negative impact on your rankings so it is crucial that this step is not missed.
If you’re not sure how to manage this task then leave it to a good SEO who can keep an eye on things for you. If you don’t have a good SEO or still need help with moving from HTTP to HTTPs then contact our team today on 01793 766040.