If you haven’t already done something about it, now is the time to migrate your site to HTTPS. As of July, visitors who access your site via Google Chrome – which has held the biggest browser usage share since 2013, according to StatCounter – will see a ‘not secure’ warning on your site if it uses an HTTP (Hypertext Transfer Protocol) encryption.
Google is now strongly encouraging businesses to adopt HTTPS (the extra ‘S’ fittingly stands for ‘Secure’) encryption for their site – this is imperative if you want to protect your users and your business from data hijacking and other suspicious activities, but it is not as cut and dry as simply adding a certificate.
In the latest instalment of his T-Time web series, Tillison Consulting MD Mark Tillison breaks down the procedure step by step so you that you can migrate your site to HTTPS, avoiding the common pitfalls along the way.
Topics covered in this video:
- What is HTTPS / SSL and why it is important
- How to add HTTPS to a website
- Moving the web to HTTPS
- SSL certificate and implementation
- HTTP to HTTPS 301 redirects
- Updating internal links to HTTPS
- Updating scripts to HTTPS
- Updating Google Shopping data to HTTPS
- Updating Search Console to HTTPS
- Updating Google Analytics to HTTPS
- Updating PPC Ads to HTTPS
- Updating Social Profiles to HTTPS
- Updating External Links to HTTPS
What is HTTPS?
(01:39) The background to Google’s warning that you need to migrate your site to HTTPS is that HTTP is essentially an insecure protocol. That doesn’t necessarily mean that everyone can automatically see what you’re transmitting from your computer across the internet, but there is still a risk of ‘unwanted intruders’ – as Google refers to them – interpreting your data.
As a secure connection between your browser and the server you’re connecting to, HTTPS addresses this issue and has long been popular among sites which involve elements such as payment gateways or online banking. In the last year, there has been a gradual push by Google and other parties to generally make the internet more secure by migrating most, if not all, other sites and their pages to HTTPS.
With Chrome now displaying ‘not secure’ messages next to the URLs of sites who only use HTTP, users are taking notice of this red flag and leaving sites quickly, causing a decrease to conversion rates. Although this is a very subtle warning, it remains to be seen how Google will be taking action to create a solely HTTPS experience in the near future.
Purchasing and Implementing Your SSL Certificate
(05:56) The first thing you need in order to migrate your site to HTTPS is a SSL (Secure Sockets Layer) certificate for your domain. Contact your webmaster – whether that’s a website host, web developer or domain registrar – for this, at which point you’ll pay a license fee for the certificate. It’s best to shop around as licence fees tend to vary, but it’s best to get either a developer or SEO agency to purchase the certificate on your behalf so that it is implemented properly.
Once you have your SSL certificate, get your webmaster to implement it on your server. Once this is done, the pages on your website are licensed to serve as HTTPS pages. While you can serve them as HTTPS pages without implementing the SSL certificate, it is not advised as Google will flash up a big warning about your site’s security.
(07:26) This is where you may encounter your first problem when migrating your site to HTTPS – even after your SSL certificate has been implemented and your pages are served with HTTPS encryption, a user can still visit your site and see all of your pages in HTTP form.
If, for example, you are an eCommerce store and you’re now serving 10,000 HTTPS pages, you will also still be serving your original 10,000 HTTP pages. Both sets of pages will continue to be crawled by Google and this runs the risk of your site being penalised for duplicate content, which will in turn affect your organic search engine rankings. To prevent this, you’ll need to edit the configuration settings in your content management system so that your site will serve HTTPS pages by default and no longer serve them on HTTP.
HTTP to HTTPS 301 Redirects
(08:41) Once your site is serving only HTTPS pages, you will need to inform Google and any other search engine or source which has links to your site that the HTTP pages have moved. To do this, you need to put a single redirect instruction called a blanket 301 redirect in your .htacess file. Implementing a blanket 301 redirect will mean that Google’s bots are directed by your server to exactly the same URL, but with a HTTPS encryption rather than HTTP.
Even if the HTTP links remain in Google’s index, or users have bookmarked them, the blanket 301 will redirect any requests to the page that now lives in HTTPS so your website to work and people still find it. Any external links that you have will still carry some equity and you will still get the value of those links.
Updating Internal Links to HTTPS
(11:24) One of the little but important steps that people often miss at this point is updating all internal links in your site to HTTPS pages. This does mean crawling your entire site and updating all of your links manually. Any internal links to an HTTP page will still work as your server is now redirecting all traffic to its HTTPS equivalent, so keeping the internal links as they are won’t necessarily break your site, but it’s still worth updating your links.
Another practice which you might find more efficient when updating your internal links is to remove the domain part of the link entirely. Although the link won’t have the domain, it will still be recognised within the context of the domain and the link will still work just as well. For example:
Old URL: http://website.co.uk/section/page
New URL: /section/page
If you already have a contextual internal linking structure in place, all links will have been automatically updated, so that’s one less thing for you to worry about when you migrate your site to HTTPS.
Updating Scripts to HTTPS
(13:58) There are some instances where a user will access your HTTPS site and Google will alert them that there is ‘insecure content blocked’, despite the fact that it no longer uses HTTP and your domain has the ‘Secure’ icon next to it. The reason users are getting this alert is because your site is still trying to run scripts from unauthenticated sources, meaning your HTML code still contains some HTTP content trying to serve within a HTTPS page.
To resolve this, you need to either test your website and try to detect this badge, or ask your web developer to find any references to HTTP scripts and codes within your website. This could be related to something as simple as an external font or social sharing icon which you’ve still got the legacy version of the script for and, as a result, your migration to HTTPS is not yet complete.
(15:38) Another circumstance in which users may receive the insecure content alert is that Chrome just doesn’t run the insecure script anymore. This could stop elements of your website from working at all for certain users, so it’s important to crawl your website and check for these outdated scripts. Most of these scripts should have an HTTPS version which you can use, but be prepared to replace them with other scripts entirely.
(16:31) Another thing to think about when you migrate your site to HTTPS is, although you have one domain and what looks like one website, you may have content which is being served through two content management systems – a good example of this is an eCommerce store which simultaneously has WordPress serving a blog within the site. If you are serving content through two CMS platforms, you need to run through both of these to ensure that their respective configurations match up.
Updating Google Shopping Data to HTTPS
(17:21) If your site is an eCommerce store, you may have a feed for your Google Shopping ads which is outputting an XML feed with links to your products and images. We would strongly recommend checking that feed to make sure that all of the data is now being output with HTTPS in place. Again, all of your HTTP content is now automatically redirecting so they are not going to break your website, but this redirect is essentially adding an unnecessary step to your sales funnel.
It’s best to take the ‘belt and braces’ approach to tidying up your Google Shopping feed and making the experience as efficient as possible for both your user and search engine bots. If you’re using a third-party payment processor, you need to make sure that it has the correct configuration.
If you are using Google Shopping and your inventory is being managed within a Google Sheet, you will need to update all of your HTTP links for products and images to HTTPS. Similarly, you will need to go into Google Merchant Centre and update your domain name, terms and conditions and all of your standard links.
Updating Search Console to HTTPS
(19:29) Search Console – also known as Webmaster Tools – is Google’s tool that tells you everything you need to know about your domain. When you migrate your site to HTTPS, there is still a risk of having as many as four different profiles serving content:
This means that as part of your SEO efforts, you need to validate and authorise your access to the HTTPS version of your site. In Search Console, add a new website with the HTTPS version of your domain, go through the validation process and update your HTML tag. It’s also important to remember to frequently check for any crawl errors and any other broken elements for both the HTTP and HTTPS versions of your site, just in case there are any errors which the migration process overlooks as a result of not being implemented properly.
Updating Google Analytics to HTTPS
(21:15) If you are using Google Analytics, the next step when you migrate your site to HTTPS is to update the configuration in Analytics – this is as simple as changing the Default URL in your Property Settings, which you can find and edit in the Admin section.
Updating PPC Ads to HTTPS
(21:48) This may seem like an arduous process, but if you want to properly migrate your site to HTTPS, you need to update of the URLs you are sending out in pay per click ads. If you are paying for clicks, you don’t want to slow down users’ access to your website with another redirect.
If you are using the offline Google Ads Editor, updating your URLs is very straightforward – just highlight all of the ads using links which start with ‘http://’ and bulk replace them with ‘https://’. You can repeat this for any ad platform you are using – Bing Ads, Facebook Ads, LinkedIn Ads and so on – but the only pitfall is that you are technically creating new ads and replacing the old ones, so bear in mind that you will lose all of your performance data for that ad.
Updating Social Profiles to HTTPS
(24:33) Although you’ve set up the HTTP to HTTPS redirects, it’s best to do a quick check of all of your business’ and staff’s social media profiles, whether that’s on Twitter, Facebook, LinkedIn, Pinterest, Instagram, YouTube and so on. It’s also worth checking your email footers, and any content you’re distributing through email marketing (i.e. MailChimp) and social scheduling (i.e. Buffer or Hootsuite) software so that the connection to your server is considerably quicker.
Updating External Links to HTTPS
(25:53) Finally, the last step in successfully migrating your site to HTTPS is to update all links to your website from external sources. These external links are extremely valuable to your page and domain authority, so you don’t want these to be affected once you migrate your site. Ideally, if you can find all of the links that refer to the HTTP version of your site by using a reliable SEO tool such as Moz, try and contact each site which links to you and kindly ask them to update the link.
If you found this episode of T-Time useful, be sure to subscribe to Tillison Consulting’s YouTube channel for more tips and advice on how to improve your business and your SEO strategy through various keyword research tools and techniques.