Google made it his mission to secure the web. While a noble goal, it requires website owners to become more tech-savvy and invest more in securing their websites. Secure search means Google will give more ranking authority to content and e-commerce websites that have an SSL/TLS certificate. And to emphasis this Google added the HTTPs as a ranking factor to their Algorithm.
The easy barrier of entry to websites development for entrepreneurs and local small businesses might become more technically challenging and more expensive; thus, the importance of having a detailed SEO tutorial.
The main goal of this short but detailed SEO tutorial, inspired by the Google I/O 2014 conference, is to help you move your website’s domain from http to https easily without forgetting any important step. I invite you to carefully go through this SEO checklist (in the order presented) to make sure you are aware of all the most important items that are sometimes overlooked even by most savvy SEO specialist.
1. Verify All the Non-https Domain Types with Google Search Console
You have to realize that a successful website move depends on proper — and up-to-date — Google Search Console settings, formerly Webmaster Tools, so if you haven’t already completed the site verification of your http domain variant, then I urge you to do it today.
Important: You should always use the same email address when verifying your site URLs variants in Google Webmaster Tool. Not doing so can result in failed domain ownership verification and you could get annoyed very fast because you will find out that Google will be unable to recognize that all the URLs variants of your domain are actually referring to the same website.
Also, to simplify the domain ownership verification process, please use the same email address that you have connected your Google Analytics accounts with.
2. Get a Free SSL Certificate for One Domain (Doesn’t Include Sub-Domains)
The first step in the moving process from http to https site is to configure the required SSL/TLS certificates on your server. I’m not going to cover this in details in this article, but I do invite you to read this case study by Andrea Pernici where you will be able to follow a step-by-step tutorial showing you how to get your own free SSL certificate.
Just remember that once the SSL is setup you must verify it by running your site on ssllabs.com tool.
This tool tells you what’s missing on your server so you should test your site using it every time you change your site’s configuration.
3. Add the HSTS Mechanism to Secure Your Subdomains
Before you do anything, you first have to verify that your web server supports HTTP Strict Transport Security (HSTS) and make sure it is enabled.
HSTS: What is it All About?
The HSTS is a mechanism by which a server can indicate that the browser must use a secure connection when communicating with it. Its main goal is to protect web users against some passive eavesdropping.
The HSTS policy is communicated by the server to the web browser via a HTTP response header field named "Strict-Transport-Security." It automatically turns any insecure links referencing the web application into secure links. This means that every time a user tries to access your site it automatically takes them to the https site even when they enter http in the browser location bar. This is good for the site’s performance because it actually skips the http redirect and it will apply the rewrite in the client before it even sends the request.
Why Should You Care About HSTS?
First, you have to realize that in the non-existence of the “includeSubdomains” directive the web application at “yourwebsite.com” domain would be incapable to protect its main “domain cookie” in an effective way, even though the host has set a secure https "flag."
However, by adding the “includeSubdomains” directive, the browser will force any of your subdomains (example: urblog.yourwebsite.com) to operate over HTTPS therefore ensuring sufficient security for domain level cookie.
Now, from an SEO point of view, you should know that serving HSTS is taken by Google Algorithm as a signal that shows that you really want Google to index the secured pages and only serve secure URLs in the search results.
In the example above, the time period max-age=10886400 is the specified period of time during which the web browser shall access the server in a secure-only fashion.
4. Select Preferred Domain (https with or without www)
This is a very important step that you should never overlook because not specifying the preferred domain inside Google Search Console (GSC) will result in having Google treat the www and non-www versions of your domain as different references to separate sites.
You have to understand that search engines like Google consider each URL variant of your domain name (subdomain vs. root domain) as a separate domain in itself. This important fact has a very strong influence on your website SEO and, thus, its ranking on the search engines.
Here is what is happening right now, you and some of your users are maybe using your domain without the www when linking back to it but some other users are using the non-www version. This actually will build a separate SEO link power to each URL and once you specify the preferred domain, then Google will move the SEO link power from the other URL to the one you picked as preferred domain.
5. Add Self Canonical Tag to Your https Domain
Adding the rel="canonical" tag element will signal to the search engines that they should consolidate the page ranking and the links pointing to each individual URLs variants on a uniquely specified, preferred URL.
Since you are moving all your domain’s URLs to https you have to add the canonical tag to your preferred version of https URL (obviously the one you specified in GWT).
Also, the rel=’’canonical’’ tag will prevent duplicate content on your domain since this tag will signal to Google and other Search Engines that this page is the original page.
6. Implement a Permanent Server-Side 301 Redirects of All Your Domain Variants to Https
It’s strongly recommended to avoid creating chained redirects (e.g., Page A > Page B > Page C), and instead just redirect to the final target destination URL (it's indeed faster for the user, especially when they try to access your site on mobile devices).
Here is a very important advice by Google on how you could help search engines see your site as secure: Use relative URLs for resources that reside on the same secure domain.
For example, use <a href="/service/yourpagename.php"> to refer to a page on your site urdomain.com, rather than <a href="https://urdomain.com/service/yourpagename.php">. Doing so ensures your links and resources always use HTTPS.
7. Check Bots’ Reports and Submit https Sitemap in Google Search Console
Check ‘’Index Status’’ Report
If you are doing everything right you should see your unsecured website goes to zero and your secured one go up. Don’t panic, and just be patient. Google call this ‘’move over time,’ which means everything will be consolidated, but you may experience some hiccups.
Check ‘’Crawl Errors’’ Report
You should know that Google has algorithms that automatically detect that a site move has been implemented and they are able to alter Googlebot’s crawling behavior so that their indexing quickly reflects the site move. This is the reason why it’s very important that you frequently run — during your http to https move — a ‘’Crawl Errors’’ Report in GWT to make sure that there are no crawling errors and to fix them if it’s the case.
Create and Submit an https Sitemap
Create new sitemap with the list of all the https pages and submit it to major search engines using the related Google and Bing Webmaster Tool Profile.
What if You’ve Already Submitted a Disavow List?
Final advice, if you’ve uploaded a file to disavow links on your http site, Google recommends to re-upload it again using the Google Search Console account of the new https site.
Congratulations for following this entire step-by-step guide till this point.
Wait, we’re not done yet…
Set-up an Automated HTTPs Monitoring Report
I strongly recommend for you to integrate your SEMrush Account with Google Search Console to set-up an HTTPs report and get a complete overview about the state of your HTTPS certificate. With this report you’ll be able to discover all possible issues and how to fix them. It will also tell you if you have any subdomain that doesn't support HSTS. I encourage you to read SEMrush post to learn more about the HTTPS implementation report.
Final Thoughts to Consider
Before you start, carefully follow the steps stated in this SEO tutorial and remember to make a full back-up of your website prior to start implementing any changes.
If you feel overwhelmed by all this, then I recommend for you to hire a technically savvy webmaster to take care of the http to https move of your domain. Outsourcing the move is a smart investment that can free you from all the technical headaches that can occur if you do it yourself.
Now, let's make the Internet secure...one website at a time!