logo-small

HTTP to HTTPS: A Complete Guide to Securing Your Website #semrushchat

73
Wow-Score
The Wow-Score shows how engaging a blog post is. It is calculated based on the correlation between users’ active reading time, their scrolling speed and the article’s length.
Learn more

HTTP to HTTPS: A Complete Guide to Securing Your Website #semrushchat

Liza Perstneva
HTTP to HTTPS: A Complete Guide to Securing Your Website #semrushchat

Websites are constantly compromised. You may not even think that your innocent blog or site that doesn’t contain any users’ credit card information has anything worth being hacked for. Nevertheless, hackers can easily turn your website into a malicious spy bot, manipulate your important online information, inject your content with toxic links, and even more.  But, it’s not as scary as it sounds. You can avoid these scenarios and keep your website safe by taking a few easy steps. If you are uncertain over your HTTPS efforts, you can apply our  easy-to-use check for “Non-Secure” pages.

During our SEMrush chat we discussed how to secure your site with HTTPS with our special guest Dan Taylor, Technical SEO professional at SALT.agency and blogger.

Check out how to prevent your site from becoming a target for online vandals in the following recap of our discussion.

Q1. What are the benefits of HTTPS for site owners and regular users?

HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP, a protocol that’s used to protect the integrity and confidentiality of data over the Internet. Our chat guests named multiple benefits that moving your website to the HTTPS protocol provides for you and your site visitors. Here they are.

1. Security

Obviously, when users are interacting with your site, they expect a secure and private online experience. According to Google, HTTPS protocol helps you protect your users’ connection to your website. However, some experts pointed out that even after you switch to HTTPS, you may still be vulnerable to some issues, such as downgrade attacks, DDOS attacks or hacks of your site, server or network.

Val Vesa ‏@adspedia shared a post that explains why HTTPS doesn’t secure sites: “HTTPS does not mean website security. This article by @perezbox is self-explanatory: We Must Improve the HTTPS Message.”

But, as Express Writers ‏@ExpWriters pointed out, HTTPS gives a sense of security to users who access your website, especially when they make a purchase.

2. Privacy

Some of our chat guests mentioned that using HTTPS provides privacy for your site visitors. Sean Van Guilder also explained that when users click on an ad and then land on a site that doesn’t use HTTPS, they will see a security warning message from Google. This will make them click back, which means that the site owners will have to pay for clicks without any benefit.

3. Encryption, data integrity, and authentication

Patrick Stox remarked that Google identifies three main reasons why you need to move your site to HTTPS, which are encryption, data integrity and authentication. These are the three layers of protection for your and your users’ data.

4. A lower bounce rate

In August 2014, Google announced that moving your site to HTTPS will give you a slight ranking boost. Even though there’s no certainty whether or not the search engine rewards HTTPS or punishes the lack of it, it’s a fact that warning messages from Google can scare some of your site visitors away.

5. Trust

Debi Norton pointed out two reasons for using HTTPS. First of all, it adheres to Google’s Webmaster Guidelines. Also, from the user experience point of view, it helps your site gain a higher level of trust with your users. “Security equals trust and might equal making more money.”

Check out a few other benefits of HTTPS in the following recap.

SEMrush Chat Recap Q1

Even though HTTPS cannot protect you from all problems and your site may still be vulnerable to some issues, it’s being actively pushed by Google. So, if you haven’t switched to HTTPS yet, it’s time to do so.  

HTTPS Implementation with SEMrush

Is your website secure?

Please specify a valid domain, e.g., www.example.com

Q2. How much of your website should be moved to HTTPS?

Now that we know that you need to migrate from HTTP to HTTPS, it’s time to figure out if it’s worth moving your entire site to itю

Our special guest believes that a complete migration to HTTPS is necessary. All of your internal links should use HTTPS, not only to your webpages, but also images, CSS, JavaScript, etc.

Sarah Wilkes pointed out that it’s worth migrating your entire site to HTTPS, if you collect information from your visitors such as passwords and credit card details. “It depends — anywhere with information that should be secure,“ tweeted Reva Minkoff ‏@revaminkoff.

When it comes to an online shop, Rachel Howe said that, at the very least, your shopping cart and login pages need to use HTTPS.

Marianne Sweeny agrees that you need to at least migrate anything that contains user data to HTTPS.

Also, Sean Van Guilder recommended migrating your site to HTTP/2.0 as well. HTTP/2.0 is a major revision of the HTTP protocol that has freed developers from the need to sprite images, do resource in-lining and concatenate files.

Let’s sum up these key points.

SEMrush Chat Recap Q2

Most of our chat participants recommended moving all of your website to HTTPS or at least sections that contain sensitive information.

Q3. Pre-launch checklist: What factors need to be considered when preparing for the move to HTTPS?

Our chat participants helped us make a pre-launch checklist. Follow the steps below when migrating your site from HTTP to HTTPS.

  • Fix anything that might not be functioning correctly

To begin, you need to fix everything that might be broken or functioning improperly before initiating a migration.

  • 301 redirect

Identify all existing 301 redirects on your website and then update them to their HTTPS version. All 301 redirects that are implemented on 404 pages should be updated to this version.

  • Certification setting

You need to buy and install an SSL certificate. When installed, it activates the HTTPS protocol and allows secure connections between a web browser and the server. There are three different types of certificates: domain validation, organization validation, and extended validation. Once you have installed an SSL certificate, you need to check whether or not there are any issues with it.

  • CDN

If you use a CDN (Content Delivery Network), ensure that it won’t cause any issues, and will properly serve the HTTP domain version of your site and handle SSL when the website is migrated to the new version.

  • Internal links

The internal links on your website also need to be updated to their HTTPS URLs, image files, video files, JavaScript files, etc.

  • Canonical tags

Another step you should take is to configure canonical tags and making them point to the new HTTPS version. These tags should be implemented on the same webpage, but point to HTTPS.

  • Robots.txt

Make sure to update your site’s existing robots.txt file and update the new sitemap that is configured for the HTTPS version. Once you have done this, verify that robots.txt isn’t not blocking any important files, like CMS or product page.

  • Disavow configuration

You need to copy any existing disavow files and upload them to their HTTPS version in Search Console.

Let’s sum up!

SEMrush Chat Recap Q3

As you can see, there’s a lot that needs to be done for a successful migration. We discussed some of the most important steps in this process. You can also check out “The HTTP to HTTPs Migration Checklist”, which was provided by Aleyda Solis

HTTPS Implementation with SEMrush

Is your website secure?

Please specify a valid domain, e.g., www.example.com

Q4. What technical aspects need to be configured to ensure there is no content duplication?

When you move your site from HTTP to HTTPS, you can end up with two versions of the same the website. This means that two identical sites will be indexed in Google and the duplicate content will confuse the search engine. Duplicate content is a red flag that can hurt your site’s capacity rank.

First of all, to avoid duplicate content issues, you need to update canonical tags to make them point to the HTTPS version and update all the implemented 301 redirects to the new version.

You should configure a new sitemap for your site’s HTTPS URLs and submit it to Google and Bing.

Dan Taylor also pointed out that it’s worth explaining to your clients that HTTP URLs may still appear in Google SERPs for a little while.

However, Bastian Grimm remarked that redirects and canonical tags are not enough. Internal links are important for both search engines and your site visitors. Most websites depend on‏ elements, such as image and video files, JavaScript and CSS. All these internal links and internal references need to be updated.

Make sure that the robots.txt file on the HTTPS version is updated. Copy the file from the HTTP version to HTTPS and update the Sitemap reference to the new Sitemap file.

Everybody knows that content duplication can be a problem; therefore, you need to take all the important measures to avoid all duplicate content issues.

SEMrush Chat Recap Q4

Hopefully, these tips will help you make your transition to HTTPS as smooth as it gets.

Q5. What is the one thing that often gets neglected during or after a migration and can ruin the whole HTTP to HTTPS process?

Our chat participants named four important things that developers often neglect during or after a migration from HTTP to HTTPS.

  • Updating internal links, canonical tags, hreflangs, sitemaps, etc.

To avoid sending conflicting signals to search engines, you need to update the most common technical on-page signals to HTTPS.

  • Updating internal links of all types

As we’ve already mentioned, you need to update all internal links and references that may contain internal links inside assets, such as internal URLs in JavaScript, image file references in CSS, and others. Corey pointed out that some developers forget to update links to internal images.

  • Adding the HTTPS property to Google Search Console

When you change a protocol, make sure to add the HTTPS property to Google Search Console. The thing is, Search Console treats HTTP and HTTPS separately. If you have webpages in both protocols, you need to have a separate Search Console property for each of them.

Some of our chat participants pointed out that sometimes developers neglect this important step. “I'd wager it's not updating GSC profile, declaring HTTPS version to reflect the new domain,” tweeted ThinkSEM.

  • Mixed content issue

Many of those who have never moved their websites to HTTPS, run into mixed content issues. During an HTTP to HTTPS migration, you need to make sure that all your content on your webpage can be served up securely.

You can check out a few other answers in the following recap.

SEMrush Chat Recap Q5

After you have decided to switch to HTTPS, make sure you have a well thought-out plan that addresses all the essential steps of a successful migration.

Q6. Which tools should site owners use for each stage of the migration process to ensure it's successful?

AT the end of our discussion, our chat guests shared several tools developers can use to make the migration process successful:

  • Screaming Frog. SEO Spider, Screaming Frog’s website crawler, allows you to easily and quickly find broken links, audit redirects, review robots.txt and discover duplicate content to name a few.

  • Ahrefs. Ahrefs provides a whole toolset for SEO, including a powerful backlink checker.

  • Majestic. Majestic’s Backlink History is another effective tool that lets you determine the number of backlinks detected by its web robots.

  • Google Search Console. Using Search Console, you can easily monitor Google Search results data for your properties.

  • Bing Webmaster Tools. Use Bing’s reporting and diagnostic tools to get more insights into your website.

  • Observatory by Mozilla. The Observatory Tool launched by Mozilla is designed to help developers, website owners, and security professionals configure their sites securely.

  • DeepCrawl. Besides the above-mentioned tools, Modestos Siotos recommended using DeepCrawl, a website crawler that enables you to analyze your site architecture and monitor potential technical issues to improve your site’s performance.

SEMrush Chat Recap Q6

Have you used any other tools to ensure your migration from HTTP to HTTPS is successful? Let us know in the comment section!

That’s it for today!

Moving your website from HTTP to HTTPS is not an easy process. We hope that the tips from our chat guests will help you perform a smooth migration.

Many thanks to Dan Taylor and our other chat participants for sharing their expertise!

HTTPS Implementation with SEMrush

Is your website secure?

Please specify a valid domain, e.g., www.example.com

Liza Perstneva is a Social Media Manager at SEMrush and a #SEMrushchat host. Follow Liza on Twitter.
Share this post
or

Comments

2000 symbols remain
I have missed adding a new property to GA...thanks for this checklist Liza!
Hasan Deniz
Milosz Krasinski
There is no need to create new property or view in GA if you are switching to https. Just update the current one from the settings and you are all good!
The need to create a new property is for GSC. In Search Console, you will need to create a new property with the https version.
I just did the same thing, however, the google has deindexed my pages even after 301 redirects.
Fili Wiese
Everything discussed above and more is further explained with code samples at https://online.marketing/guide/https/
Olga Andrienko
Fili Wiese
I love your thorough guide on site migration, yours and Aleyda's checklists were the ones I have used to create the questions for this chat :) And if you'd ever have time to join us as a special guest on #semrushchat, we'd be flattered!
Have a Suggestion?