Whenever you visit a website, information is passed between it and the web browser software on your computer or mobile device. The most common method for this exchange is Hyper Text Transfer Protocol, or HTTP. It’s a shared set of rules that standardizes this process. HTTPS, then, is the secure transfer of this information via encryption. It’s what makes otherwise sensitive data transactions, such as submitting passwords or payment information, possible.

HTTPS enhances your website’s security by providing three layers of protection:

Encrypted Data

Encrypted information can only be read by having a secret key, or password that allows you to decode it. Without the proper key, any intercepted information is meaningless. This adds protection and is the most effective way of transmitting information securely.

Integrity

This provides a secure platform ensuring an unwanted third party has not tampered with data that is transmitted. Information cannot be corrupted without being detected.

Authenticity

This verifies your users are only communicating with your website. No information is being intercepted. Secure Sockets Layer (SSL) provides authentication that keeps your user's information safe.

Back in 2014, Google announced that having your site on HTTPS would be a ranking signal, albeit a lighter one. Granted it’s just one of over 200 ranking signals, but with the release of the latest Chrome browser (which is used by about 57% of all internet users) websites are now being flagged if they’re not on HTTPS. 

At the same time as the announcement, Google also posted these basic tips to help website owners get started:

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • Use 2048-bit key certificates
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol relative URLs for all other domains
  • Check out our Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.

Google is pushing hard for a safer more secure websites, so it’s time for organizations to start looking at migrating to HTTPS.

Migrating to HTTPS

The process of migrating your website from HTTP to HTTPS is an involved one, but with proper preparation, implementation, and monitoring you can help to mitigate any potential risks. The following checklist, which you can also download here, will help you to navigate the process:

Preparation

  • Select an SSL certificate
  • Crawl your existing website to obtain a list of all URLs
    • Understand current state of your site
    • Crawl data will be used for comparison
  • Obtain access with sufficient privileges to all applicable accounts
    • Website Access
    • Google Analytics
    • Search Console
    • AdWords
    • Facebook
    • Twitter
    • Instagram
    • Pinterest
    • Google My Business
    •  YouTube
  • Download a list of all 301 redirects currently in place
    • Update the 301 map with new HTTPS URLs to have ready to go upon launch
  • Download and update disavow file
  • Download any URL removal requests
  • If using a test server, you can update all absolute links to HTTPS prior to going live

Launch

  • Install SSL Certificate
  • Update .htaccess file to force https (be sure to specify 301)
  • Replace all absolute links
    • Pages
    • Images
    • Stylesheets
    • Scripts
    • CDNs
    • Canonicals
    • Hreflang
    • Plugins

Post-Launch

  • Import updated 301 redirects
  • Search Console:
    • Verify HTTPS versions of the website (www & non-www)
    • Submit new sitemap with HTTPS URLs
    • Update robots to include HTTPS sitemap location
  • Ensure that robots is not blocking any HTTPS content
    • Verify and set preferred domain
    • Submit updated sitemap with HTTPS URLs
    • Associate Google Analytics with preferred domain
    • Annotate the switch
    • Fetch, render, and submit URLs for indexing
    • Resubmit disavow file (if applicable)
    • Resubmit URL removal requests (if applicable)
  • Update Google Analytics to HTTPS version
  • Update (if applicable):
    • Structured data markup
    • PPC
    • Email campaigns
    • Additional scripts
  • Update URLs on all Social Media accounts
  • Check RSS feed is working (if applicable)
  • Run an HTTPS Validation Check
  • Crawl HTTPS version of site
    • Make sure nothing is broken and all links are working
  • Crawl the list of old URLs
    • They should all be 301 redirecting
  • Monitor rankings, Search Console, and Analytics over the next several week

Wrapping Up

In addition to the benefits of securing your data, there are some additional SEO benefits for you as well. Google is including HTTPS as one of its ranking signals, which will give your website a small boost; as well, the referring domain of traffic that’s passed through to other websites will be preserved with HTTPS, which gives your website an additional SEO boost.

But most importantly, ensuring the security of any data that’s transferred between your website and your users will improve their overall user experience and increase the likelihood that your website will continue to be a trusted resource in the future.

Gavin Graham

Web Content Specialist