How to Move From HTTP to HTTPS Plus 8 Common Pitfalls to Avoid!SSL certificates and encryption have been around, well, since long before online transactions. Many sites have been using it for bits and pieces that need protecting, like account settings. In recent years, malware, hijacking, hacking and cybercrime are all terms that the mainstream public have become familiar with. This is something the media has also cottoned on to, leading to a tendency to report on issues surrounding online security. And due to the increase in public awareness, as well as the willingness of search engines and software providers to call it out, some much needed changes have come about. This is why moving from http to https has become so much more important in recent years!
Back in 2013-14, Google and others started publicly taking the subject very seriously. If you had been hacked in Google’s Webmaster Tools back then, you’d receive a notification, with a warning included in the SERPs by your snippet to tell potential customers. Chrome browser added icons to the address bar to alert people that the security wasn’t up to standard, with interstitial pages giving you options about continuing at your own risk!
When Matt Cutts, then head of Google’s web spam team, publicly stated that https would be important for SEO in the search engines, people quickly mobilised. The early adaptors moved in mere days, big corporates added it to their backlog, and SME’s unfortunately found themselves in a position of being in limbo.
The process of changing from http to https is getting easier and easier as time progresses. WordPress has made a function to aid the move, and as it makes up a large percentage of the public web, it’s a massive leap forward.
Here’s a helpful checklist for successfully evaluating whether a move to https is necessary for your site, and how to plan the move!
High level to-dos:– Buy and install the correct SSL certificate.
– Make sure all URL’s 301 to the https version. This is usually done at the load balancers.
– Check for broken links. Ensure all links are relative and still work. No hardcoded absolute links here.
– Make the appropriate ‘under the hood’ onsite updates (see below).
– Externally, check all campaigns and references are updated to the https version.
Sounds easy, right?
Tracking and analysis to-dos:1) Authorise a new Google Search Console account (which is configured, has your settings copied across, and that everyone is granted access to the new account that needs it.
2) Google Analytics should just continue to work – update the property settings to https (you might need to check if you’re using a different system though).
3) You might be required to update the tag manager settings too for them to still show up. This will depend on the provider you use.
Onsite checks and updates:1) Check that all the canonical tags are updated to https. If relative URL’s are already being used, this should be easy.
2) Internal linking: run a crawler on the test site to see if there are any accidental absolute URL’s.
3) Implement strict HSTS to avoid any future security risks.
4) Ensure the robots.txt moves across correctly.
5) XML sitemaps need to publish the newly updated canonical URLs.
6) Easy and normally powerful inbound links. Check and update cross-linking from other friend and family sites.
8) Google’s Search Console: validate a new site and add users. Reference new XML sites and move across any Disavow file references. Plus, check that any other settings are re-setup.
9) If you operate multiple versions of sites, then also update the Href langs tag.
10) Check that your CDN’s are capable and then updated to https (most should be fine these days, but commonly overlooked).
11) And check again, that all references to http 301 to https.
Other essential updates to make by your marketing teams:– Any other marketing channel that links to the site, such as PPC, targeting etc. If you rely on a 301 you may lose tracking or slow the load time down.
– Any directories, member organisations etc.
– Don’t forget to update all of your social media properties and bios.
Questions to ask and other areas that may be affected:– Are there any partnerships or services that use your content? Or any interdependencies with affiliates or an API? They may need to be updated.
– Will any services you offer e.g. widgets, booking modules, social commerce plugins suddenly fail. Do you need to notify anyone?
– If applicable, have you updated your app indexing and relative page encoding from your apps?
Risks to considerWhen you do this (and we think you should!), you may temporarily experience loss in rankings while the new URL replaces the old one. The good news is that this usually only lasts 1-3 days. The search engines won’t treat it as a new domain, just as a separate protocol. So as long as the page for page 301 remains, and https is the primary site, it should all run smoothly. Just pick the right time. Don’t make the change on your busiest trading day!
8 common pitfalls!We have done this for clients and have been shown and aided others on this move. “Even the best laid plans do often go wrong!”, sometimes knowing where to look can mean to mitigate OR triage a problem.
Here is our in-house ‘first things we check’ list.
1) The certificate itself:
– It’s the wrong SSL certificate, so the user’s browser warns them off (not secure enough).
– It has expired.
– It’s registered to the wrong domain (of you have one for all your various sites and thought it would work).
– You’ll need one certififcate for each host.
2) The wrong status code is given back on the redirects.
3) Blocking https via robots.txt or via a rouge noindex meta tag, that was used on a test site.
4) Wrong URL’s are published in the XML sitemaps. Redirects work. Https works, canonical updated, but http URLs in the sitemap adds confusion.
5) Canonicals are only updated on the main site, and extras like the blog aren’t updated.
6) Speed is affected due to increased ‘handshakes’ / connections. Keep an eye on speed & performance.
7) It’s been done at the wrong time. Sometimes too fast as it was seen as easy. Or, done that affects your busiest trading period.
8) Google Search Console set-up:
– Failing to move across settings & extras like any Disavow files
– Doing it when you have another issue, and it blurs your analytics and insight.
– Forgetting to copy across any settings such as target country.
– Failing to learn from the date in search analytics or fetch and crawl sections before it’s lost
Final thoughtMoving to https is one of the easiest dev projects if things go well. If you have a legacy system or outsource your technical works, it may need some managing. If you have a problem, you need to move fast though!
How Can GDR Help?Do you want to take your business’ website to the next level? Are you ready to grow your online presence and become more findable to potential customers? Do you want to impress Google and its extensive search algorithms?
At GDR, we understand that organisations and businesses like yours understand the importance of digital marketing and website optimization, but often don’t have the time to do it.
That’s where we can help! We can handle all aspects of your website, from design and build to SEO and moving you to https – we can create the perfect website for your business, which will:
- Increase reach to customers
- Offer an engaging user experience
- Nurture both new and current leads
- Track ROI
Call us today on 1800 876 673 or email us at firstname.lastname@example.org
We would love to help!
[This blog was written by GDR Group’s SEO Consultant Adrian Land. Adrian has been innovating in digital marketing & SEO for nearly 20 years, working with all types of businesses from start-ups to scale-ups and internationally recognisable brands.]