It's rare that Google reveals any of its actual ranking factors, so it came as a big surprise when representatives announced they would reward sites using HTTPS encryption with a boost in search results.
HTTPS isn't like other ranking factors. Implementing it requires complexity, risks, and costs. Webmasters balance this out with benefits that include increased security, better referral data, and a possible boost in rankings.
Google's push for HTTPS adoption appears to be working. A recent Moz Poll found 24% of webmasters planning to make the switch.
SEO advantages of switching to HTTPS
In addition to the security offered by HTTPS (which we'll discuss below) there are additional SEO benefits for marketers to take advantage of.
1. More referrer data
Whenever traffic passes from a secure HTTPS site to a non-secure HTTP site, the referral data gets stripped away. This traffic shows up in your analytics report as 'Direct.' This is a problem because you don't know where the traffic actually comes from.
If you use HTTP, traffic from sites like Hacker News shows up as 'direct', because Hacker News uses HTTPS.
Fortunately, there's a simple solution: when traffic passes to an HTTPS site, the secure referral information is preserved. This holds true whether the original site uses HTTP or HTTPS.
As more and more sites make the switch, this becomes increasingly important.
2. HTTPS as a rankings boost
On one hand, Google has confirmed the ranking boost of HTTPS. On the other hand, with over 200 ranking, it's likely you'll find the effect of any ranking influence to remain quiet small.
In fact, a recent study by Search Metrics showed no detectable advantage to sites using HTTPS.
Like most ranking signals, it is very hard to isolate on its own.
In fact, don't expect HTTPS to act as a silver bullet. If rankings are your only concern, there are likely dozens of things you can do that will have a bigger impact. Here are several:
3. Security and privacy
Many people argue that HTTPS only provides an advantage if your site uses sensitive passwords. That's not exactly true. Even regular boring content websites can benefit from HTTPS / SSL encryption.
HTTPS adds security in several ways:
- HTTPS verifies that the website is the one the server it is supposed to be talking to,
- Because HTTPS prevents tampering by 3rd parties, it stops Man-in-the-middle attacks, making your site more secure for visitors.
- HTTPS encrypts all communication, including URLs, which protects things like browsing history and credit card numbers.
My advice is this: Make the switch to HTTPS if doing so is reasonable for your business. Security and trust add to the small ranking gains, making it worth the effort if you can.
Challenges to overcome with HTTPS
1. Mistakes happen
Moving your entire site to HTTPS requires many moving parts. It's easy to overlook important details.
- Did you block important URLs in robots.txt?
- Did you point your canonical tags at the wrong (HTTP) URL?
- Is your website causing browser bars to display warnings that frighten people away from your site? (Side note: That's the very first article I wrote for SEOmoz!)
While rare, these problems do happen. Moz has spoken privately with webmasters who have seen both rankings and conversions plummet after implementing HTTPS.
In most cases it's a simple fix, but beware the risk.
2. Speed issues
Because HTTPS requires extra communication "handshakes" between servers, it has the potential to slow down your website – especially on slower sites.
Add to this the fact that speed is itself a ranking factor, especially on mobile.
The good news is, if you follow best practices your site should be more than fast enough to handle HTTPS. New HTTPS friendly technologies like SPDY offer you the opportunity to speed up your website more than ever before.
3. Costs
Many webmasters pay between $100-200 a year for SSL certificates. That's a significant amount for small websites. It's also a barrier that most spammers won't bother with.
On the other hand, it's completely possible to switch to HTTPS for free.
4. Not everything is ready for HTTPS
Sometimes, things don't play well with HTTPS. Older web applications can have trouble with HTTPS URLs. (Fortunately, Moz updated Open Site Explorer just this year.)
If you run AdSense, you may see your earnings fall significantly, as Google will restrict your ads to those that are SSL-compliant.
Even Google's own Webmaster Tools doesn't yet support HTTPS migration. The world may be moving toward 100% SSL encryption, but in the meantime be prepared for growing pains.
Growing number of sites using HTTPS
Lots and lots of sites use HTTPS today, but most restrict usage to checkout and registration pages.
Very, very few sites use HTTPS sitewide.
According to the latest statistics from BuiltWith, only 4.2% of the top 10,000 websites redirect users to SSL/HTTPS by default. While that number appears small, the percentage drops to 1.9% for the top million sites.
This number is likely to increase in the very near future as more websites pursue adoption.
SEO and HTTPS best practices
This post talks about the SEO implications of switching to HTTPS. If you are looking for a technical guide, there are several we'd recommend:
- Moving Your Website to HTTPS / SSL
- Switch to HTTPS Now, For Free
- HTTPS for WordPress
- How to Deploy HTTPS Correctly
What type of SSL certificate works best?
Companies offer a myriad and confusing array of SSL certificates. The two primary ones to pay attention to are:
- Standard Validation SSL – Standard level of validation. Typically cost between $0-$100.
- Extended Validation SSL – Offers the highest level of validation and often costs between $100-500.
From a rankings point of view, it makes absolutely no difference what type of certificate you use. For now.
John Mueller of Google has stated that Google doesn't care what kind of SSL certificate your website uses, but that may change in the future.
From both a security and user experience point of view, the type of certificate you choose can have an impact. Consider how different certificates alter how your website appears in the web browser address bar.
The green bar associated with extended certificates communicates trust, while the warning symbols associated with errors can cause worry with visitors.
SEO checklist to preserve your rankings
- Make sure every element of your website uses HTTPS, including widgets, java script, CSS files, images and your content delivery network.
- Use 301 redirects to point all HTTP URLs to HTTPS. This is a no-brainer to most SEOs, but you'd be surprised how often a 302 (temporary) redirect finds its way to the homepage by accident
- Make sure all canonical tags point to the HTTPS version of the URL.
- Use relative URLs whenever possible.
- Rewrite hard-coded internal links (as many as is possible) to point to HTTPS. This is superior to pointing to the HTTP version and relying on 301 redirects.
- Register the HTTPS version in both Google and Bing Webmaster Tools.
- Use the Fetch and Render function in Webmaster Tools to ensure Google can properly crawl and render your site.
- Update your sitemaps to reflect the new URLs. Submit the new sitemaps to Webmaster Tools. Leave your old (HTTP) sitemaps in place for 30 days so search engines can crawl and "process" your 301 redirects.
- Update your robots.txt file. Add your new sitemaps to the file. Make sure your robots.txt doesn't block any important pages.
- If necessary, update your analytics tracking code. Most modern Google Analytics tracking snippets already handle HTTPS, but older code may need a second look.
- Implement HTTP Strict Transport Security (HSTS). This response header tells user agents to only access HTTPS pages even when directed to an HTTP page. This eliminates redirects, speeds up response time, and provides extra security.
- If you have a disavow file, be sure to transfer over any disavowed URLs into a duplicate file in your new Webmaster Tools profile.
Tips for FeedBurner and RSS
Many sites still use FeedBurner for RSS feeds. Unfortunately, Google stopped supporting it long ago and FeedBurner isn't compatible with HTTPS.
If you use FeedBurner, you'll need to migrate your RSS to an HTTPS-compatible service. If you're technically competent you can do this yourself, or FeedPress has a very inexpensive RSS migration solution.
Migrating social share counts
When migrating to HTTPS, you often want to preserve you social share counts. These are the numbers that display in social share buttons.
These counts don't impact your rankings (as far as we know) but they act as strong social proof, and it's frustrating to migrate a page with thousands of tweets and likes only to see them reset to zeros.
In fact, some social networks will transfer the social counts through their APIs, but it may take weeks or months for them to show up correctly. Here's a list of what does and doesn't eventually transfer over:
- Facebook: Yes
- Twitter: No
- Google +1s: Yes
- Google shares: No
- LinkedIn: Yes
- Pinterest: No
If you want instant karma, Mike King wrote an excellent tutorial on how to preserve your social share counts by altering the code of your social buttons. We used this method on Moz when we migrated from SEOmoz in order to preserve the counts on our content.
Example button codes to preserve social shares (edit for your site):
<div class="fb-like" data-href="https://moz.com/blog/10-tools-for-creating-infographics-visualizations" data-send="false" data-layout="box_count" </div>
<a href="https://twitter.com/share" class="twitter-share-button" data-counturl="https://moz.com/blog/10-tools-for-creating-infographics-visualizations" data-url="https://moz.com/blog/10-tools-for-creating-infographics-visualizations" data-count="vertical" data-via="moz">Tweet</a>
<div class="g-plusone" data-size="tall" data-href="https://moz.com/blog/10-tools-for-creating-infographics-visualizations"></div>
Keep in mind: This only displays social shares from the URL you dictate. Because of this, it doesn't update your counts with any new social shares. This works best with content like older blog posts that are likely not to get many new shares.
If you expect your content to continue to earn social activity, you may simply want to let the numbers update naturally over time.
Making the leap
Much of the web is now moving towards SSL encryption, and within a few years it may even become the default. SEOs, consultants and agencies that become experts know may be rewarded as the popularity of the protocol grows.
Will you make the switch to HTTPS?
No.
Here's a deal Google : remove the not provided for the websites which implement ssl.
If Security is the real reason behind not provided, 'unlocking' it for the SSL websites should be the next logical step :)
Cornel
Though it is obvious those keywords where narrowing our views, by focusing on those keywords in creating content and links. In my opinion "not provided" is just like penguin, Google's way of saying "don't be spammy, just create good content". And it works right?
And for some reason if you pay for Google ads there is no Not provided and you can gather all the information in the world :)
Hi Cyrus, Thanks For Sharing
Google’s head of search spam, did not say it is or it will be part of the ranking algorithm. But he did say that he personally would like to see it happen in 2014. for small websites it is very easy to switch but for really large sites, it would require a lot of reconfiguration and testing.
Really Good Points described here for who had question or Confusion about HTTPS, You cleared my many Queries because from many days I’m worried about HTTP and HTTPS. (You Improved my 60% of Knowledge about HTTPS Update)
I have one question which is very importance for me and all SEO’s, If We Switch HTTP to HTTPS then what you think Google Pass Same link Juice? And will not get any effect on Ranking? Because as my knowledge If we made any changes in URL then Google consider that URL as new.
If you have any Confusion with my Question Feel free tell me I will describe you with Example.
Thanks
Excellent question! In the past, folks believed any switch to HTTPS through 301 redirects would incur a loss of link equity, estimated around 15%. Because of this, many webmasters didn't want to switch.
Now, if you implement your HTTPS properly, Google implies you shouldn't see a rankings loss, and you may also see a small very small boost. To be fair, any rankings boost is likely very small.
For the record, Google has stated publically that 301's leak equity, but to my knowledge they have never stated that domain migrations automatically lead to a loss in rankings. Indeed, there are lots of examples of domain migrations that maintained rankings perfectly, so maybe there's an exception to the 301 case in instances of migrations. Just a guess.
Regardless, smart move on Google's part.
Really Nice Post and Good Point Out by Hardev, Actually i forget to think about this point and you guys given me Surprise and Good Tips. Thanks Hardev and Cyrus
Hi Cyrus, a great and timely post indeed!
Could you point it out though where you heard that Google will, specifically, waive the 301 redirect link equity loss, as I didn't notice that in their comms? Cheers.
Another great question. The 301 penalty for switching to HTTPS was implied only by webmasters, and never confirmed by Google. We actually don't know how Google treats 301s during a domain migration, HTTPS or otherwise. That said, they have discussed the HTTPS issue a few times:
- Matt Cutts first addressed this in 2011. His gave a vague answer: https://www.youtube.com/watch?v=xeFo4ytOk8M
- Matt Cutts again in a comment on Hacker News in 2012 https://news.ycombinator.com/item?id=4802344
- John Mueller says there's certainly "no penalty" for running your site on HTTPS, although he doesn't mention migration https://plus.google.com/+MichaelMahemoff/posts/ZZ...
We've talked with several webmasters who've made the switch without any loss in rankings. It's possible Google tries to treat all properly done domain migrations that way, though with the natural fluctuation in rankings most sites see, it would be nearly impossible to tell.
I understand Thomas you need proof and Cyrus Already Given you the answer and yes after this announcement Google take care who Switch his Website HTTP to HTTPS.
For more clarification as per SEO’s thinking, If you Want XYZ Page OR Any domain Link Juice on any New page Or Domain then what you will do? As My thinking you will use 301 Permanent Redirection. From 301 redirection website will pass Link juice of Backlinks, Interlinking, Page Rank and From many other places where you created OLD links.
NOTE: Google said that he would like to see it become a ranking factor but he does not have the final say on this matter. Google would like to see you make your site work over SSL as well. So much so that Matt Cutts said at SMX West that he would personally love to make it part of the ranking algorithm.
Thanks
Hardev, please be sure to make clear when you are quoting another source in your comment. Part of your comment appears to come from https://searchengineland.com/ranking-benefit-making-site-ssl-yet-googles-cutts-like-make-happen-186810.
Hardev, Matt Cutts (head of search spam at Google) is on leave right now. What Cyrus is referring to is the link at the beginning of his post at https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html where Google has explicitly stated that https is a ranking signal.
Thank You very much Keri for clarification. From now i will follow only Moz and Google Blogs because other not updating news fast. Thanks
Another point to add to the checklist Cyrus, is when you create a new version of the site in Google Webmaster Tools ensure that you move over the disavow file from the non-https version and re upload that to the new Google Webmaster Tools profile.
Excellent suggestion, James. I will add that to the list above.
James, Cyrus. Adding the disavow file to the newly created https version makes sense. My question is if to also keep updating it for the http version. My reasoning is that so far all links were pointing to the http version and most likely spammy new links will continue to link to http. So is it good enough to just have the file on https?
There is something interesting that most people miss noticing.
HTTP 2.0 is still a work in progress but it's based on SPDY. By default SPDY works on TLS and doesn't work anymore on plain TCP without encryption.
I believe that if you make the transition to HTTPS now you will be then ready for HTTP 2.0 where the signal will be much much stronger.
Excellent suggestion Peter. Exactly!
Nice article. A few comments to add
First is make sure that your site is patched against the Heartbleed bug (XKCD has an awesome non-technical explaination). This was a major vulnerability in OpenSSL, an open source software that just about everything uses to process SSL. While a lot of servers got patched, there are still vulnerable servers out there. It doesn't hurt to make sure yours isn't one of them.
Second, you might get asked if you want SHA1 or SHA2. You should pick SHA2, as SHA1 has a cryptographic weakness. The downside to SHA2 is that older machines won't verify it. Mostly this applies to Windows XP, prior to Service Pack 3 (as of right now, about 30% of all internet traffic is still from Windows XP). If someone tells you your shiny new SHA2 certificate is invalid, this is why.
Third, while referrers come back with HTTPS, don't expect keyword data to return. You can see this for yourself. Here's a Google Search. Find the Rusty Brick link (was #3 for me). You need to click the link to get the referrer and that page will show you your referrer data. You'll note there's no keyword data in the referrer.
Great suggestions Highland!
One small corner of the web where you may see keyword return in the future is Bing. Bing only recently started supporting HTTPS, although they don't force it (yet). That said, any keyword searches on Bing that do use HTTPS don't get passed, except for websites also on HTTPS.
If Bing ever starts forcing HTTPS, this will become very important very quickly!
Hi Cyrus
i see you have mentioned the point "Whenever traffic passes from a secure HTTPS site to a non-secure HTTP site, the referral data gets stripped away. This traffic shows up in your analytics report as 'Direct.' ". How true is it?
Facebook also uses SSL Certificate why does google analytics shows traffic under referral? instead of direct.
is it because facebook uses standard SSL ?
Facebook is sneaky!
They use javascript to rewrite external links through an HTTP subdomain. If you inspect any external link in Facebook, you'll find some code that actually sends you to something that looks like this:
https://l.facebook.com/l.php?u=http%3A%2F%2Fon.io9....
It's likely FB does this for tracking and better analytics.
So, while browsing on Facebook is secure, whenever you click on a link it passes that referral information through the header, and Google Analytics can tell the visit came from Facebook.
Thank u Cryus great explanation :)
Great post Cyrus. One thing I wanted to add about HTTPS costs, in addition to SSL certificate if the website is hosted on a shared hosting they will have to buy dedicated IP which is usually around $50/year on top of hosting cost and SSL certificate cost.
Lastly, about SSL types, you should mention wildcard SSL certificates in case they have sub-domains. Sure they'll buy SSL certificate for their main website, but what if they have blog.domain.com? Regular certificate won't work, and they will either need to buy another certificate or simply buy wildcard certificate to cover all sub-domains.
Thought I mention those 2 points. Thanks.
You only need one IP per certificate, not per domain. As long as the domains all share the same certificate, they can live on the same IP.
Wildcards cover *.domain.com while UCC covers a specific list of covered domains (does not have to be the same TLD). UCC is now available in a Extended Validation (green browser tag) format.
I think it is looking more of a case of when, not if HTTPS will be a default practice. As you mentioned there are many teething problems which indicate it could be some time before this happens. I advise clients to switch as soon as they can do so conveniently, especially e-commerce clients as a result of the obvious conversion benefits of having an extended validation SSL certificate.
Thanks for the post, Cyrus!
Hi Cyrus,
Informative post, thanks. Could you please shed some light on why HTTPS requires relative URL's? As with your post, I've seen this mentioned a few times, yet without explanation. I even asked in last weeks #SEOchat and someone replied "Imagine having a 5K page site with ab links, you change domains, imagine work needed."
So am I to assume this is just for "convenience" , so mass redirects aren't required? or is there a specific reason for using relative URLs? - I was always under the impression that 'absolute' URL's were better for SEO, so this seems like a backwards step. As I said, I've seen this mentioned a few times recently, and Google's webmaster info for migrations says "Use protocol relative URLs" (https://support.google.com/webmasters/answer/60735... ) Yet HTTP to HTTPS with absolute URL's is totally possible.. case in point Yoast.com who moved and still use absolute URL's https://yoast.com/move-website-https-ssl/ AND advise absolute URL's for SEO - https://yoast.com/relative-urls-issues/
Thoughts? Thanks
Great question, and I am probably guilty of adding to the confusion.
It's not that HTTPS requires relative URLs, it's simply that they work better through a migration. A relative URL will automatically navigate to HTTPS from an HTTPS page without going through a redirect or having to rewrite the link. This is especially helpful to spiders and robots.
There's also a 3rd category of URLs that are absolute in the HTML but relative in the database. When the HTML is generated, the URL is appended with the appropriate protocol. This is how most of Moz works and many CMS's do the same.
Should canonical tags be absolute? Absolutely! (bad play on words)
So the final answer depends on your website framework, but you are correct that absolute URLs in the HTML are often the way to go for SEO, and I wouldn't sweat it too much if you use absolute URLs in your migration as long as everything points to the right place.
Great! Thanks so much for making that clear. Cheers!
Hi Cyrus,
Thanks for a really good post regarding http to https redirection. One of my website improved keywords ranking in Google SERPs. I forgot to change the URL in XML sitemap, but after reading your post, have updated the same. Thanks.
Same here Mike. Thanks Cyrus for a valuable post on https redirection for ranking boost (Minor)!
Here's an interesting bit. Chrome actually ignores the HTTP 1.1 specs that mention "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." (source)
As such, referral data is available in Chrome even when traffic passes from a secure HTTPS site to a non-secure HTTP site.
On Hacker News for example:
Interestingly, Google uses the Facebook way of redirecting for Firefox users: HTTPS -> HTTP -> Website, whereas in Chrome the chain goes HTTPS -> HTTPS -> Website.
Here is a comparision: https://quimp.com/misc/ffvschrome.png
Needless to say, having different browsers follow different rules isn't ideal.
Wow. I think that pretty much covers all the possible questions around HTTPs-switching in a single succinct post. Thank you.
Thanks Andrew, I appreciate the kind words.
Great article, Cyrus. We created a cool little tool called SSL Switch which keeps track of the top 1000 sites/brands for HTTPS migration and then grades the strength of their security using world class analysis. The percentage of SSL enabled sites is currently at around 16%.
We recently found some interesting points:
Questions to ask ourselves from these two points:
Issues we see from a hosting provider's perspective:
1. Unique IP per certificate - Since SNI (allowing multiple certs per IP) is not yet fully supported by all browsers (yes, I know XP is dead, but not really), this isn't an option for many sites. IPv6 is not yet fully rolled out, and we're running out of IPv4 IPs, so this becomes a burden.
2. Content Delivery Networks - Many don't support SSL at all, those that do often charge a *lot* more for using SSL. And of those that support SSL, only a handful support SPDY. This is a major hurdle to overcome for many sites.
3. Using third party JS / images where SSL is not supported. Tough to make the whole site secure when not all calls are secure.
I applaud Google for trying to make the net a better, more secure place, but the infrastructure is not yet ready for 100% encryption in its current state. I get that Google is the 800 pound gorilla, and they have certainly raised awareness, but scaring webmasters about SSL is not the best tactic...
Good points. That said, I don't see Google as scaring webmasters at his point, merely encouraging.
Sometimes it takes an 800 pound Gorilla to get things moving :) With less than 2% of the top sites on the Internet using HTTPS, even a 50% bump to 3% would be a major accomplishment.
The CDN piece was the big hurdle on our end as well. But for those that aren't aware, there is an inexpensive approach for AWS that is detailed quite nicely here. We recently implemented this for our CDN for $15 and while it did take some technical knowledge, it was relatively painless.
Great post Cyrus!!! Thank you for including tips for those who are not making the HTTPS switch!!!
Hey Cyrus,
Those check list points where more quick on getting things to be counted on our side even after changing to HTTPS/SSL!!
I'm pretty much suprised to find so many things that I have to take into account in order to secure myself after switching to HTTPS!!
Well one thing I have never heard before is that implementing 'HTTP Strict Transport Security'; Well I would like to thank for totally sharing your stuffs with us.
I really like the image of all the things you can do that have a bigger impact than adding https. A lot of times we jump at the latest tip or rumor. Just because Google says it 'could' impact rankings doesn't mean it always impact rankings 'positively' when we implement their guidelines.
We're moving Moz to HTTPS soon, but we're not doing it because we expect a boost in rankings. If anything, our primary goal is to not mess anything up :)
I agree that https isn't key to SEO and there are so many other factors that are much more relevant, but that isn't really the main point of moving to an all (or more) encrypted web. It's about taking security and privacy seriously, and Google's move was a way to nudge us in that direction.
My personal strategy has been to encourage our clients who are launching new sites to go full https from the get-go (with HSTS and perfect forward secrecy (PFS) as well, if possible), and only suggest migration to https when it can be performed easily or there is the budget to do it correctly.
I appreciate the link to StartSSL, but man that's an exhaustive list and you still will pony up $30 as a commercial site. You need some IT chops to make it happen to. I think the $99 GoDaddy SSL is probably worth the time/headache for non-technical folks such as myself. Great read and list though!
Good point. I also think Cloudflare offers even better HTTPS options with minimal technical knowledge.
Hello!
Great post! Your article is a pretty cool comprehensive guide to SSL. What surprises me is the lack of fresh information on this on the internet.
If I may, I would like to ask a question, even if this post is becoming kinda old: I'm starting a new website. I thought about implementing SSL right away, since my website has just got launched and is tiny. That way, I wouldn't have to migrate later a larger website with all the difficulties involved.
But as I read previously, not everything is SSL ready, and I would limit Adsense revenues.
So, should I do it right now anyway, because I have a golden opportunity, or should I stick to HTTP to avoid losing revenues? Do you think that, after 4 months, Google did something to facilitate SLL-compliance for advertisers? I saw a lot of high-profile newspaper websites that are still on HTTP. My guest is that they can't afford the itch of lost revenues, altough they probably have other options than Adsense, but other banner types could face the same SLL-compliance problems.
I mention this because ad revenues are pretty important to websites such as the NYT, WSJ, etc. Part of their business plan is to offset their lost of printed ads revenues by internet ad revenues. With that in mind, I can only conclude they don't make the switch to HTTPS because clearly it is a major problem in terms of ad revenues.
One last question: do you know if there is a ''seniority'' imput into ranking when it comes to SLL? (if 2 websites are on a tie for ranking and are both HTTPS, the one that switched earlier would break the tie and rank higher?)
thanks!!!
Patrice
Hi Cyrus,
Thanks for this great post. You cleared a lot of doubts and one thing that was surprising for me was the referral data migration from HTTP to HTTPS sites. I was completely un-aware. Also the question put up by Hardev was something we always have as warning signal for every webmaster who opts for such migration. Well, If Google really cared for secure servers, it could have implemented it in its webmaster algorithm too which is still awaited. My question here is: Is it that Google is trying to steer the webmasters the way it wants with these changes or is it just a way to give better UX to ts users? Things would be interesting when someday big G will say: those using more of Google products such as AdWords and other platforms would be benefited in its interface SERPs.This is just a proposition for now!! Let me know your views Cyrus.
It’s very difficult to small business to use https. Its means only big business will take advantages of https.
I think small business can do it, but there are some cost and setup involved. In some ways it's harder for large sites to switch because of the technical complexity involved.
Nice Post Cyrus Shepard. Its been said that ranking will easy attainable with https instead of http But i never saw any major difference. If your strategy is right then ranking will come automatically. Some points are really helpful like SSL certificate and thanks for sharing helpful links in post no. 2.
I know this post is about a year old at this point, but I found it when deciding whether to switch some sites over to HTTPS. Does anyone know of more recent concrete data about migrating a site to https://? I really want to see how it could affect the sites but if there is a link juice loss on the 301, then that sounds like it might not be worth it. Wonder if anyone can suggest a very recent post on this subject.
Hi,
So, we combined ~15 subdomains under our primary domain of www.jax.org... we also cut fully over to HTTPS at the same time.
Since the change, Google refuses to acknowledge the 301 directive to the new sitemap, so it's ceased crawling the old index locations... it's very very slowly adding the new content from two sitemaps we've created.
My question is, since Google quit using the old index, it isn't picking up the 301 directives pointing from the old content to the new locations and new content.
There's a great deal of concern about SEO degradation all this, and how long this should take.
1. Is this going to cause it to take longer to get old links out of the system than if Google could hit our "robots.txt" file and resume using the old index for crawling comparisons?
2. Is this going to have a major impact on SEO and search integrity for us?
Thanks for any info you can provide!!!
Hi Tony!
Just a heads-up, you might have a better chance of getting help if you ask your question in the Moz Q&A forum. This is exactly the sort of thing out community of experts can help with. :)
Love this guide, I've been consistently referring to it over the past year. It's absolutely the definitive checklist to to HTTPS migration.
It should be noted that Moz actually lost a good chunk (~11%) of search traffic from their own HTTPS migration and so far it has taken ~3 months to fully recover.
Hey Moz,
Would really love to see a follow up to this fantastic article. It's been 1 year, what are we seeing on the move to all HTTPS? Is it worth the cost yet?
Thanks!
Thanks Cyrus for shairing this article, Everything was ok with me, but looking for my social counts when transfer to https. Your article solve my doubt, now I can easily transfer my site to https.
Hi Jitender - did you manage to keep the social likes and comments after transferring your site to HTTPS? Having 1000's of shares and 100's of comments on a thousand of my posts, I'm in desperate need for an answer. Appreciate your help! Elena
Migration to https is described as a good thing by Google. However, almost never speaks of his disadvantages, or at least negative points that need to be careful not to be disadvantaged.
Hey Cyrus,
Great Article. Do you recommend putting it on every page of a site?
I am not a seo expert but in a high competitive field (Locksmith ) we asked our Web guy to switch it to SSL and now any keyword you search for, we are ranking number one or two. Before that, you couldn't even find us on page 10. so i would say for a small business it is a big ranking factor.
Hello!!! my concerned is that the Https is not the ranking factor because most of the sites which are on the first page are only having http and not https!!
and by seeing the situation, one important question I want to ask this community is, whether the site ranking falls down, if we have the website with https?
Hi
Does anyone know the proper code to redirect the https:// to https:// in htacess fiel for wordpress - help please?
Thanks Jodi
Regarding the speed issues, I think the biggest issue (IMHO even bigger than the decryption overhead) is that some browsers do NOT cache secure pages by default.
I that necessary to register https version as a new website in webmaster, or submitting an updated sitemap is enough? should i do anything special to the https version, I am dealing with a gold trading website, what can i do to increase the traffic, website: https://www.heeraibg.com
Hi there! Those are great questions for our Q&A forum. :) The folks in there should be able to help.
Cyrus,
Don't know if anyone has touched on this, but here's my question.
Assuming we 301 a complete site to https.
If the site has 500 external links coming in, and these links still obviously point to the http version of the site, will this hurt? Will juice be lost along the way?
Clearly, the link coming in will 301 right over to https - but will this be OK or are we actually expected to go out and try to get all 500 inbound links changed to point to https ?
The recent changes to Google algorithm led to a rush for turning websites to HTTPS.
I'd like to add that superfast binary HTTP2, just as its predecessor spdy are only supported over HTTPS and any cost of initial negotiation is well made up for by speed optimisations such as multiplexing, pipelining, header compression etc. With HTTP2, designers don't need to bother spriting images, which makes CSS development much easier.
letsencrypt.org deserves a special place in the article in my view due to groundbreaking empowerment that it enables. Free automatically renewing SSL certificates. I don't even know how many times I had site errors due to expired cert.
Dear Cyrus, Can you make a tutorial from this please? Of what is about in 2016 :)
Hi Mozzers. Hope it's not too late to post this, but my colleague Nick Heer has figured out a way to preserve social shares. I hope you can apply this technique on your own site. - Randy
Thanks Cyrus - I need to implement some of your tips on a new domain I'm working on while not an eCommerce site it makes more sense long term to implement.
Great post as always Cyrus,
On some niches like ecommerce moving to HTTPS is a must these days.
We recently created an infographic with the exact steps to take which may add value to your guide.
You can find it here https://www.pickaweb.co.uk/blog/how-to-switch-your-website-to-https/
All the best.
I've just migrated a site over to HTTPS, and Google Webmaster is saying it can't reach/access my robots.txt file. Is there something specific I should do to my robots.txt file. At the moment, this is how the file looks. I must also add that the robots.txt file is connected to the HTTPS.....
User-Agent: *
Disallow:
Sitemap: https://www.example.com/page-sitemap.xml
What am i doing wrong here?
Hi there Montrium,
That's a great question. However, because this article is a few years old, it's not likely that your question will get much visibility. This would be an excellent thing to ask in the Q&A, though! Thanks!
Hi, this post was very useful for me during my site migration. However, the social share count part is not exact, and the article you reference is incomplete as well. A very important thing is left out.
The global 301 redirect causes Facebook's crawler to remove the HTTP version of the page completely after a few days, so the Like count will eventually become 0, even though the "hack" seems to work at first. The 301 redirect needs to exclude Facebook's crawler for the implementation to be successful.
I wrote a case study about what happened and how to fix it, here are the details:
https://www.theguitarlesson.com/guitar-lesson-blog...
I really hope Facebook gets around to joining the HTTP and HTTPS counts soon....
Hi,
I am running a website on WordPress. Is it good if i use cloudflare(free) ssl on website?
Just the article I needed. If changing from http to https sitewide, is it important to try to get links to my site changed to https ?
Very helpful post... thanks for the tips.
Does the "Migrating Social Share Counts" section apply to commenting, as well? We just recently went through the HTTPS transition and are wondering if our Facebook comments will eventually transfer over, or if there is a manual step we need to complete.
Hi kamiherbert - did you manage to keep the social likes and comments after transferring your site to HTTPS? Having 1000's of shares and 100's of comments on a thousand of my posts, I'm in desperate need for an answer. Appreciate your help! Elena
Hi Cyrus,
I switched my blog to HTTPS today which went very well. I would like to share some of my thoughts on this.
First of all, take a look at the result: https://wphostingblog.nl/
Code snippet for WordPress to add the HSTS header:
add_action( 'send_headers', 'child_add_strict_transport_security_header' );
/**
* Enables the HTTP Strict Transport Security (HSTS) header.
*
* @since 1.0.0
*/
function child_add_strict_transport_security_header() {
header( 'Strict-Transport-Security: max-age=10886400; includeSubDomains; preload' );
}
Good luck all switching your website to HTTPS!
Rick
One of the issues that I faced when switching over from HTTP to HTTPS is that images link break because they were originally HTTP. So they will be blocked if the server feels that are not secure.
Good article but is it worth the risk, we have spent so much time getting our man and van site onto the first page we cannot as a business afford to drop in positioning. Are there any guarantees?
[link removed by editor]
Quick warning to all those who think that if you follow the recommended steps, that you will be fine. We recently completely a migration for out site https://drugtestsinbulk.com/ and after about a week now, our rankings have tanked. I nearly had a heart attack this morning, but I understand (after reading many such pieces) that this is a normal process. You would think that if this is such a normal process, moving from http to https, especially for ecommerce sites, that Google would've have a process to alert them of this and ask them to withhold any drastic ranking changes until all these changes are picked up.
We are currently generating an up to date sitemap to cover that portion, but believe that we have hit pretty much every point on the above mentioned list
Aren't the following 2 bullet points contradictory? You're saying use relative URLs wherever possible but then use absolute links wherever possible. Care to clarify?
This article really helping. Meantime I discovered a Free SSL Certificate by Security Research Group (ISRG) founded by Josh Aas of Mozilla who serves as the group's executive director and board chair. The ISRG is a joint EFF-Mozilla-Linux Foundation project that has enabled anyone to obtain a Free SSL certificate in minutes and install and configure it so that visitors on their Websites will be shielded from surveillance and snooping activities
I was wondering if the referrer is stripped when your website is a mix of both http and https? Say someone browses your site (on http), adds a product and then goes to your cart (https), then goes back to another page on your website which is http. Will this strip the referrer? Any help would be great, thanks.
I want to run my site over https:// but want to keep run my old URL's as https:// is this will be harmful for my SEO rankings. How to do this?
I did a successful switch from http to https and here's the tutorial.
Really really a great and helpful post for me as a newbie.I am very thankful to you for this.Have a nice day. <3
Great article, I even read all the reviews to get a broader view. In my case, I am working in SEO Site https://www.postoavenda.com, but I see that in the future will need to hire a specialized team. This site operates in the gas stations selling segment. Despite the site being late, care in the creation of internal links already yielded excellent results. Also invest in Adwords and I have to disagree with some opinions, because in my case the site did not fall in the natural search results. I hope I have contributed.
Search engine algorithms are constantly changing, but it should all be good aspects to improve in!
Well, every thing (about 200 like Google said) influences rankings but Imo ssl ould make a little rise in serps. Much much more important is for example url construction (keywords inside, length, etc).
Ssl gives Google info that You care about visitors (security) and this (imo) is rather all.
Did somebody do tests how serps looks after ssl implemented?
Hi Cyrus,
Great Article,
Thank you for the great SEO tips for ranking higher in search engine. It will great tips for those who are still using HTTP.
It is for everyone's information one of my friend lost income (it became one third) after changing http to https. It has been more than 1 month now and the situation has not changed yet.
What about redirects? If You properly do it, serps will be replaced.
Good article oveall, but I do have one issue with one point you make. Yes SSL formerly caused issues in speed, and this was simply the overhead in the handshake. Modern servers and broadband, even on a 3g connection, the additional time for this is near zero given modern SSL ciphers and techniques. SSL adds one extra cycle during the handshake (in its most basic form) this wont slow the site down one little bit.
Thanks for the explanation Andy. Makes sense. Any idea how it works on speeds less than 3g? I only ask because we are most concerned with performance on the edges, and sites that are already poorly optimized.
Great article Cyrus. Very helpful. This might seem like a dumb question but we're about to take the plunge and switch over our main site [example.com] to https. Should I also switch over our mobile site [i.e. m.example.com]? p.s. We are in the process of changing our website to responsive but in the meantime the above question applies. Thanks!
Great question. I believe the answer is yes (although your regular domain should validate just fine without it) and you'll probably need to get a wildcard or separate certificate because it is a separate subdomain.
Cyrus,
Thanks for this awesome guide. Just a quick question,
If I have a normal static (Wordpress/HTML) site, should I need to migrate HTTPS? Technically, this kind of sites do not get involved with any kind of user interaction in terms of logging and other details.
Your thoughts?
Umar
Even on HTTP sites that don't require login, there are security issues at play.
For one, the connection is open to spying, so for example your boss could view your browsing history over the network. Much harder with HTTPS.
Secondly, HTTP sites are subject to Man-in-the-middle attracts. Think of an ISP injecting ads and popups into your site without your knowledge (this actually happens in some parts of the world)
Finally, HTTPS verifies to the server that it is actually talking to your website, and not an imitation, so spoofing is much harder.
That said, if you run a small site without securing sensitive user data, and these other issues aren't a big concern (as most will never be bothered by them) there may be no reason to switch.
Let's put it this way: Out of the dozen or sites I'm directly involved with on a daily basis, only one is on HTTPS and another (Moz) plans to switch soon. The others have no plans and that's totally fine given priorities, risks and rewards.
Switch if you can, but don't sweat if you can't right now.
This is what I need to know! Thank you so much for the detailed explanation!
Why is Google just now jumping on the SSL certificate bandwagon? Why wasn't this important 10 years ago? What changed?
The NSA :)
Great content Cyrus, but I'm not totally sure about this SEO factor. I use to think bad with Google... Is Google testing the "power" of his word to measure a change to HTTPs? First the Authorship Rank and now this... I'm not sure. What do you think, could Google be thinking in other plans?
Thanks!
Very well explained Cyrus. I wasn't knew that much about the relationship between https and http. Now I am pretty much clear with it. Well I don't really have any plan to move to https just to get higher rankings. The websites ranking on Google are still on http so I want to wait for more time to see the reward Google give to https websites.
Also what if after 2-3 years Google decide to take https out of its ranking factors? The same thing happen with authorship. It's stays as a ranking signal for a very small time and then its over Google announce not to take it as a ranking factor any more.
What do you thing how long it will stay as a ranking factor?
Unlike authorship, HTTPS has it's own advantages outside of Google. Plus, if you're switching purely for the rankings change, you might be disappointed and there's probably other higher ROI activities you could pursue to improve your rankings.
One question Cyrus!
After all, still, if I don't move my website from HTTP to HTTPS, then it is sure I'll lose my ranking in Google or it doesn't matter how good, how relevant and how useful site we have, website must be https to rank higher in Google?
What do you think?
No, if I understand the question, you shouldn't lose any significant rankings if you don't move to HTTPS. You should be just fine!
Let see what happen in couple of months if our competitors migrate to HTTPS.
BTW, Thanks Cyrus.
This is a great article. We've added an SSL to our SEO website already. I'm not sure if it's had an effect but we are at the top of many searches.
Hi Cyrus,
Thanks for the article. You state above, "On the other hand, with over 200 ranking, it's likely you'll find the effect of any ranking influence to remain quiet small." (Bold adjusted)
I think you have a sort of double entendre going on there. The HTTPS effect would be quiet compared to all the noise from the other 200 signals and so therefore the ranking influence of HTTP could remain quite small. ;)
Cheers,
Paul
PS - Great work as emcee at MozCon this year!
Hi Cyrus,
A little late to the game here, however, along with everyone else above, thanks for the post. We recently moved our site to https. There is a little confusion over here regarding updating our webmaster tools account and analytics. Just to clarify, are you suggesting that we add the https site to our domains in webmaster tools, then fetch the pages? Currently, they don't seem to support this in the change of address feature. We completed all the 301 redirects to https and now plan on adding it in webmaster tools. Just wanted to verify, as I have read google says just putting in place the 301s should suffice. Also, how is this handled in analytics?
Any further detail would be greatly appreciated. Thanks
Hi Cyrus,
My webmaster told me there would be no problem for this website chemise femme to go through https, I hope we will be able to get through without too many headaches, following your precious advices.
As a newbie too, I will try to keep you informed ;)
[link removed by editor]
Robert Mangiafico brings up some good points. I recently was looking at adding a CDN for a site that just had HTTPS added and was shocked to learn that to add a CDN to the site could cost in the range of $40-$200 a month. I need to dive into this issue further and explore the Cloudflare option but that cost figure was alarming.
Cyrus, great post. Has Moz weighed the options of going HTTPS on its whole site?
Hi Cyrus,
Thanks for this comprehensive post!
Question:
We have some old url's that we are 301ing to new ones. If we switch over to https then we will be forced to do a double-redirect for these url's. Will this have a negative SEO impact?
Great post Cyrus, insightful but I have a curve ball question. So we move a site from http to https using 301 redirects. I site im working on has recently moved to a new domain so the redirects are now going http > https > new web address. As the https thing is relatively new all the seo value is in the original http URLS. Does Google handle http redirects the same as it would any other redirect i.e. passing ~90% of seo value?
Great post Cyrus. I did experience a slight slowdown in pageload speed switching to HTTPS but I was able to make up for it using MaxCDN. Yoast's tutorial that you linked to is great as well.
I personally like this section "14 SEO activities more impactful than HTTPS", that's something awesome..!!
HTTPS are surely a good prospective for the websites as far as security is concerned and its good to have a secure site whether it be ranking signal or not.
Surely there are issues like loading issues if you have not hosted your website on a good server but there is always a fix for that. Try to get hosted on dedicated servers and if small websites, hardly matters as they might not have databases included. Otherwise its always good to get yourself secure whether its a big or small business website.
You have got a really nice point acknowledged through types of SSL. As such you can see the problems if howsoever, there will be any by using Ctrl + Shift + J, work on it and get it resolved asap.
Great tips - just changed over a few sites, and issues do pop up - thanks :-)
I wonder if Google has acquired a company that provides SSL yet? Wouldn't surprise me if they bought out someone like Versign and made this new "rankings" suggestion a money maker.
@cyrus Wow, amazing post (as always) thanks! was reading about https, but then I saw many more links & SEO tips, then I saw a few more links about migrating to https.. then i realized that this post deserves a full reading (including all the links in it ) :) so bookmarked, for further reading.. thanks!!!
Cyrus,
First of all thanks for the great post and very useful checklist. I recently made the switch to https for a site and we knew we would lose social share counts. I have used the method Mike suggests in the past however in this case I am fine with waiting for Google+ and Facebook to start showing the old counts. It has only been a few days and Google+ share count is already back. Do you know of a way to speed up the Facebook process? Does re-sharing the article or page help make the connection faster or only confuse the signals? I thought I might run a few brief promoted posts over the next few days as a part of sharing older content for new readers to test that theory however I thought you might have experience with the situation before starting.
Haven't tried that before, and in our experience we have always waited weeks or months for Facebook to catch up. Let us know how it goes.
Hi Jared - did you manage to keep the social likes and comments after transferring your site to HTTPS? Having 1000's of shares and 100's of comments on a thousand of my posts, I'm in desperate need for an answer. Appreciate your help! Elena
Nice article. This article is very helpful for the SEO learners and it means a lot for us.
It's Ironic that this post is not in HTTPS nor does moz.com use HTTP Strict Transport Security for my login. Learn more about HSTS at https://www.denverprophit.us/http-strict-transport-security-e-commerce/
Hey Denver, thanks for the comment! It's a fair criticism too, though I don't think that relieves us of the obligation of helping folks out.
We actually are planning to make the switch soon. It's a big old site and we have lots of moving parts to pay attention to.
thanks for sharing such a great knowledge, I appreciate it
https://freedownloadlab.blogspot.com/
Hi Cyrus,
Great stuff, especially with New HTTPS friendly technologies like SPDY information.I want to do this to my site www.myhoardings.com. Another Great SEO tip for ranking higher in search engine.Thank you so much for the update and advice!