In January 2017, Google Chrome 56 started showing a warning for unencrypted sites that collect passwords or credit card information, labelling them as “not secure”. And from July 2018, Chrome 68 will flag every HTTP site as ‘not secure’.
“A web with ubiquitous HTTPS is not the distant future. It’s happening now, with secure browsing becoming standard for users of Chrome,” say Chrome’s security team.
While people ignore security alerts 87% of the time, it’s unlikely they’ll be able to ignore an alert like this one:
That’s how Google Chrome is planning to label HTTP pages.
Why is Google doing this? Because despite the many benefits of switching to HTTPS, many site owners haven’t done so.
For a while now, Google and other search engines have been on a mission to make the web more secure. Google has already taken action in this direction by announcing HTTPS as a ranking signal and indexing secure pages over unsecured pages. They’ve even published a guide on securing your website with HTTPS, which we encourage everyone to read.
Yet with all this push towards a more secure web, stats don’t lie – less than 0.1% of websites are secure.
On the other hand, HTTPS dominates Chrome browsing. Figures from Google’s Transparency Report show that worldwide the percentage of pages loaded over HTTPS on Chrome on all platforms has surpassed 50%, up from 40% in mid-2015. On Chrome OS the figure is 68%.
So there’s more work to be done, which explains Chrome’s action to get non-secure sites to migrate to HTTPS.
If you’re feeling intimidated by the prospect of switching to HTTPS, in this post we’ll share as much information and advice as we can to ensure everything goes smoothly.
If you’re working with sensitive customer information, whether that’s credit card info or login credentials, HTTPS is a good way to reassure people that your site is secure. But apart from being more secure, which is becoming vital when trying to build trust and credibility online, there are some additional reasons why you should consider moving to HTTPS.
Because HTTPS allows the adoption of HTTP/2, HTTPS can be faster than HTTP. Check out the HTTP vs HTTPS Test, which loads 360 non-cached images on both HTTP and HTTPS connections. So if page speed is a concern, you have one more reason to adopt the new protocol.
HTTPS to HTTP referral data is blocked in Google Analytics. What’s more, referral traffic coming from HTTPS to HTTP is reported as Direct traffic. But with more sites migrating to HTTPS, you won’t have to worry about losing or not being able to access referral traffic.
Key things to consider when migrating from HTTP to HTTPS
There’s one key thing you should be aware of: Google treats HTTPS migrations as a site move and, as you probably know, a site move can come with some rankings issues. This means that:
Find the SSL that best suits your website. At DMK I.T. Services, we offer three types of SSL Certificates:
Whichever certificate you choose, make sure to consider Google’s recommendations when selecting an SSL:
Put together a list with all your current website URLs, both from your main site and any other existing subdomains. This will come in handy for when you need to check to ensure all URLs redirect correctly to HTTPS after the move.
Use a crawler to get all your URLs. We’d also suggest exporting all your URLs from Google Analytics just in case you have pages that the crawler isn’t able to find.
Before you start the process of moving to HTTPS, we recommend you do all updates on a dev area. This allows you to double-check everything before going live with HTTPS. At the same time, you’ll be able to minimise and perhaps even eliminate the impact of the HTTPS migration.
First, you’ll need to check and see if your web server supports HTTP Strict Transport Security (HSTS) and make sure that’s enabled. HSTS tells the browser to request pages using HTTPS automatically, even if a user enters HTTP into the browser. This also tells Google to serve secure URLs in the search results. Using HSTS is important because it minimises the risk of serving unsecured content to your users.
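One way to check the HSTS policy a server sends, as an added example that is not part of the original post: the Python functions below parse a Strict-Transport-Security header value and list the problems a migration check would care about. The names parse_hsts and audit_hsts and the 180-day minimum max-age are assumptions chosen for illustration.

```python
# Added example: audit a Strict-Transport-Security header value.
# MIN_MAX_AGE is an assumed policy threshold, not a value from the post.
MIN_MAX_AGE = 15552000  # 180 days, in seconds (assumption)


def parse_hsts(value):
    """Return (directives dict, duplicated names) from an STS header value."""
    directives = {}
    duplicates = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # max-age may arrive as a quoted string
        if name in directives:
            duplicates.append(name)       # a repeated directive makes the header invalid
        else:
            directives[name] = arg
    return directives, duplicates


def audit_hsts(value, served_over_https=True):
    """Return a list of findings; an empty list means the policy looks sound."""
    if not served_over_https:
        # Browsers only honour this header on HTTPS responses.
        return ["header sent over HTTP is ignored by browsers"]
    if value is None:
        return ["Strict-Transport-Security header is missing"]
    directives, duplicates = parse_hsts(value)
    findings = ["directive repeated: " + d for d in duplicates]
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdecimal():
        findings.append("max-age missing or not a non-negative integer")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells the browser to forget the policy")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("max-age %s is below %d" % (max_age, MIN_MAX_AGE))
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set; subdomains are not covered")
    return findings
```

Pass the header value from an HTTPS response of the staging site; a short max-age is reasonable while testing, as long as it is raised once the move is confirmed.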
When you’ve decided on the SSL certificate and provider you’re going to use, next you’ll need to use OpenSSL to generate a certificate signing request (CSR) and private key. OpenSSL is usually installed under /usr/local/ssl/bin. If you have a custom install, you will need to adjust these instructions appropriately.
Run the following command at the prompt:
openssl req -newkey rsa:2048 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr
You will now be asked for your information, which will be included in your certificate request. It’s critical that the Common Name field matches the name that you want to use your certificate with. Also make sure that all of the other fields accurately reflect your business details.
This will generate a .csr file. The .key file is your private key so make sure you keep it safe. You’ll need to send the .csr file to your SSL Certificate provider when you request your SSL certificate.
You will need to copy and paste your CSR when submitting your certificate request to your certificate provider.
Now you are ready to buy and install your SSL certificate:
If you want to check and make sure you’ve installed everything properly, you can try these tools:
You can further optimise your website’s speed by adopting HTTP/2 which only works with HTTPS.
HTTP/2 is the latest update to the Hypertext Transfer Protocol and it’s based on Google’s SPDY protocol, which was developed to improve the speed and performance of browsing on the web. It works by making one connection to the server, then “multiplexes” multiple requests over that connection to receive multiple responses at the same time. This way the data is interwoven more efficiently on that single connection.
Based on the CMS you’re using, there are different options:
Make sure all canonical and hreflang URLs also point to the new HTTPS location.
Find all subdomains that use your main domain as well, and ensure they’re served through HTTPS too. You can’t link to the subdomains if they’re left on HTTP as you will still have unsecure URLs on your website.
It’s better to replace http with https URLs even if you do a server-side redirect. You don’t want to load all those redirects in your pages as that will slow down your pages’ loading time.
Have a look at any plug-ins or modules that might need updated HTTPS URLs as well based on your website’s configuration.
All your images, scripts and CSS files should also be retrieved from HTTPS locations. Ideally even external scripts and resources should be pulled from secure URLs.
You can use a tool like SSL Check to check and ensure you haven’t missed anything. However, the most reliable approach would be a full crawl of your website. We recommend combining crawlers such as Screaming Frog and Xenu so you don’t miss anything.
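To complement a crawl, the added Python example below (not from the original post) scans a page's HTML for resources and canonical or hreflang links that still use http://. The class and function names are hypothetical and the sample page is constructed; protocol-relative URLs are not flagged because they inherit the page's scheme, and ordinary anchor links are left out because they are navigations rather than loaded resources.

```python
# Added example: list HTTP references left in a page after the move.
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "source": "src", "video": "src", "audio": "src"}
# <link rel=...> values whose href is fetched (stylesheet, icon) or read
# by search engines (canonical, alternate/hreflang).
LINK_RELS = {"stylesheet", "icon", "canonical", "alternate"}


class InsecureRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        url, kind = None, None
        if tag in SUBRESOURCE_ATTRS:
            url, kind = attrs.get(SUBRESOURCE_ATTRS[tag]), tag
        elif tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            hit = rels & LINK_RELS
            if hit:
                url, kind = attrs.get("href"), "link:" + sorted(hit)[0]
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, url.strip()))


def find_insecure_refs(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.com/page">
<link rel="alternate" hreflang="de" href="https://www.example.com/de/page">
<link rel="stylesheet" href="//cdn.example.com/site.css">
<script src="HTTP://cdn.example.com/lib.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<img src="http://www.example.com/banner.jpg">
<a href="http://other.example.org/">external link</a>
</body></html>"""
```

Calling find_insecure_refs(SAMPLE) returns the canonical link, the script and the banner image with their line numbers.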
To make sure you haven’t missed a thing, it’s better to do 301 redirects from your server’s .htaccess or config file. You don’t have to create a redirect for each URL but rather use a rule that forces HTTPS. This guide from Geekflare explains how to do HTTP to HTTPS redirects on various platforms.
You should also minimise redirect chains. For example, if an old page (A) redirected to a new page (B) and the new page now redirects to https (C), you can get this redirect chain A-B-C. You can update the old page (A) to redirect to https directly (C), skipping the new http middle redirect. This way you get these redirect pairs A-C and B-C.
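The A-B-C collapse described above, as an added Python example that is not part of the original post: it takes a map of existing redirects, points every source directly at its final destination, and reports loops and chains that do not end on HTTPS. Function names, the max_hops limit and the sample URLs are assumptions made for illustration.

```python
# Added example: collapse redirect chains so every old URL points
# straight at its final HTTPS destination.

def final_target(url, redirects, max_hops=10):
    """Follow url through the redirect map; raise on loops or long chains."""
    seen = [url]
    while url in redirects:
        url = redirects[url]
        if url in seen:
            raise ValueError("redirect loop: " + " -> ".join(seen + [url]))
        seen.append(url)
        if len(seen) - 1 > max_hops:
            raise ValueError("chain longer than %d hops from %s" % (max_hops, seen[0]))
    return url


def flatten_redirects(redirects):
    """Return (flattened map, problems). Each source maps to one final URL."""
    flat, problems = {}, []
    for source in redirects:
        try:
            target = final_target(source, redirects)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if not target.startswith("https://"):
            problems.append("%s ends on non-HTTPS URL %s" % (source, target))
        flat[source] = target
    return flat, problems


# Constructed rules using the post's A, B, C naming.
A = "http://www.example.com/old-page"
B = "http://www.example.com/new-page"
C = "https://www.example.com/new-page"
RULES = {A: B, B: C}
```

flatten_redirects(RULES) yields the A-C and B-C pairs with no problems reported.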
This one should be fairly obvious, but can be overlooked. When doing your 301 redirects, make sure that anything in your robots.txt that has an http is switched to https.
We also recommend doing a fetch and crawling all URLs to help Google discover your URLs faster. Now, if you’ve previously submitted a disavow file for your HTTP website, make sure to submit a copy of it in your HTTPS profile as well.
If you have Google Analytics, you’ll need to make sure that you’ve put in https as your default URL.
Make sure you replace PPC landing pages with the HTTPS version URLs so it doesn’t affect the landing page score.
To migrate social shares to the new URLs you’ll need to:
This post from Search Engine Watch explains how you can maintain social shares after a site migration, and which tools to use.
Ideally you should contact websites linking to you to let them know your URL is now HTTPS. This can also save them from loading a redirect on their pages and point to your new URLs. If this doesn’t work, you should at least update the incoming links you do have access to.
If you’re using a content delivery network to speed up your page loading time, such as BootstrapCDN or CloudFlare, make sure that the files you pull in are also from https connections rather than http.
After going live with HTTPS, monitor everything to ensure all traffic levels are unaffected (GA), your CTR is in limits (GSC), your social accounts still work as expected and users can still like, tweet and share.
Here are the most common mistakes that happen during an HTTPS migration:
If you avoid making these mistakes and follow the recommendations in this post, your migration should be smooth with no noticeable impact on traffic or ranks. However, if you think you’ve done everything correctly but still notice issues, Moz has a great article on recovering your organic search traffic and tracking down mistakes done during a search migration.
So, are you ready to move to HTTPS?