According to Mozcast, the number of websites appearing in the top positions of Google that are served on a https protocol is up from 25% in January (2016) to 40% (26/10/2016). Data from Builtwith has also shown than the number of websites using an SSL by default has more than doubled in the last 12 months.
Personally, I’m surprised that this number isn’t higher, especially since Google Chrome has started to warn users that their connection may not be secure (when connecting to a site served on http instead of https), and that Google confirmed in 2014 that adding a SSL certificate to your website actually gave it a slight ranking boost.
A slight ranking boost isn’t the only benefit to moving to https, Google have also made clear the benefits of encryption, data integrity and authentication.
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
Encryption. Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
Authentication. Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
It’s important to also remember that an SSL certificate does not protect your website, and you may still be vulnerable from DDoS attacks, Brute Force, Logjam, and other vulnerabilities.
So why haven’t more websites made the transition?
I think it’s because migrating a website from http to https is a lot more complex than just flicking a switch, and there is the potential for mistakes to happen, and if those mistakes aren’t picked up on, they could severely damage your website’s performance in organic search.
Essentially, all migrations start in the same place, with a crawl of your website. From there, there are a number of tasks that need to be completed, however in my experience here are some of the tasks most commonly overlooked:
- Update your .htaccess file ;
- Check the robots.txt file and that any URLs are not blocked and need changing to https protocol ;
- Update the XML Sitemap and make sure it doesn’t contain any URLs on the old http protocol ;
- Check the header response code and make sure that your site redirects from http to https with 301s ;
- Create new profiles in Google Analytics, Google Search Console and Bing Webmaster Tools for the new site.
Reasons against moving to https
Because moving a site from http to https could see a site have a temporary drop in rankings (as Google crawls the site and acknowledges the new URLs – even if the migration has been done right) the ranking benefits of switching to https have been described as ‘minimal‘.
Moving the https if you think that the website is currently under a penalty is also a bad idea (algorithmic or manual), as Google could see this as a sign that you’re trying to escape the penalty by moving domains. You may see some short term benefits from the switch, but the penalty will be transferred as well.
If you’re an SEO and you’re recommending against going HTTPS, you’re wrong and you should feel bad.
— Gary Illyes (@methode) August 18, 2015
Google’s intent is to make the web a safer and better place for users, look at a https migration from a rankings point of view in my opinion is a narrow minded view, and anything that you can do to better align a website with that intent, can’t be a bad thing.
It’s not commonplace for Google to announce specific ranking signals, so for them to post a number of times on the Webmaster Central blog and for Google Chrome to now start warning users about websites on unsecure protocols, this feels like it’s going to be bigger in the future than it is now.
Moving a site from http to https should be treat like a full domain/website migration as you are effectively changing all the URLs on a website. Once you have your website on HTTPS, it’s important you monitor your SSL certificate for expiry and other known issues.