Expand your knowledge:
Expand your knowledge:
Website Security

HTTPS: just a Google ranking signal?

72
Wow-Score
The Wow-Score shows how engaging a blog post is. It is calculated based on the correlation between users’ active reading time, their scrolling speed and the article’s length.
Learn more

HTTPS: just a Google ranking signal?

Xenia Volynchuk
HTTPS: just a Google ranking signal?

HTTPS was officially acknowledged as a ranking signal in 2014. Since then people have been discussing the strength of this signal and its contribution to the higher rankings. At some point Google agreed that it has boosted rewards for secure websites; however, a recent tweet by Gary Illyes to Pete Meyers makes it clear that Google is not going to increase the weight of this factor anymore. Also, Backlinko’s research shows very little correlation between traffic being encrypted and the page ranking higher on Google SERPs. Despite this, more and more websites are switching to HTTPS. So, what’s true?

We interviewed a lineup of digital marketing experts from the United States, Germany, the United Kingdom, France, Spain and Australia to understand whether this HTTPS hype is worthwhile. We asked these great marketers about the actual impact of HTTPS migration on website traffic, SERP rankings, CTRs and sales, and about their experience with the rate of HTTPS adoption being higher for some particular industries. The comments we received made us think that HTTPS is not just a ranking signal — keep reading to learn why!

Aleyda Solis

Fili Wiese

Guy Levine

Eoghan Henn

Bastian Grimm

Eric Enge

Olivier Andrieu

Jim Stewart

Patrick Stox

Julien Deneuville

Website security: do visitors care?

In January 2017 both Google and Mozilla introduced new versions of their browsers (Chrome 56 and Firefox 51 respectively) with new warnings that mark HTTP webpages with an ‘i’ symbol in the address bar, and with a ‘Not Secure’ label if those pages contain any login or credit card detail forms.

Firefox - Login with Warning for HTTP PagesImage courtesy of Mozilla Security Blog

Chrome 56 Login Warning for HTTP PagesImage courtesy of Google Security Blog

Although these changes made skeptics chuckle — who would pay attention to those little signs unless there was a huge pop-up blocking your screen? Well, Statista has some data to prove them wrong:

  • 38 percent of respondents of a survey on the primary concerns of online shoppers in the United States were concerned about the security of the websites they were shopping on. This was their second top concern, the first being “Shipping is too expensive.”

  • The biggest concern among US adults is about the trustworthiness of online dating sites (37 percent of respondents think they are not at all trustworthy, 28 percent believe they are ‘slightly trustworthy’). 

  • The crimes that Americans worried about the most in 2016 include (#2) having their credit card information used at stores stolen by computer hackers (69 percent) and (#3) having their email, passwords or electronic records hacked into (64 percent).

So, these data unconditionally point to the fact that people do care about the security of the webpages they visit. This means that every time users open a new page, they choose whether they want to stay on this page or not.

Moreover, Google has promised to keep their focus on users’ security by labeling HTTP pages as “not secure” in Incognito mode, in which users may have higher expectations of privacy. Eventually, they plan to label all HTTP pages as non-secure and change the HTTP security indicator to the red triangle symbol that they use for pages with broken HTTPS at the moment.

We interviewed the experts to understand whether Google actually rewards website owners for respecting users’ security with higher rankings and, as a natural outcome, better CTRs, more traffic and higher sales.

Does HTTPS lead to higher rankings, more traffic, and better CTRs?

ALEYDA SOLIS: Although I've seen positive results after HTTPS migrations with an increase in organic search visibility, traffic, and conversions, in my case it's not possible to say if it has happened purely as a result of using HTTPS, since migrations are done along other improvements — usually speed-related ones for example —  and for sites that have an on-going SEO process going on. So, I'm unable to distinguish the specific influence that an HTTPS migration has had individually.

FILI WIESE: That’s a clear yes, on all accounts. HTTPS if anything demonstrates to users that a site is trustworthy. Google does seem to prefer secure sites, whenever possible. Now, these two factors combined with optimized snippets and compelling landing pages generate great, really GREAT user signals, which is a very strong signal for Google that a site lives up to user expectations. As we know Google favors sites that indicate, through user signals that they deliver on their promise. In that sense HTTPS migration is bound to improve metrics across board

PATRICK STOX: Most websites see a slight increase across the board unless something goes wrong. Obviously the more complex the migration, the more chance for things to go wrong.

GUY LEVINE: When we compared the organic performance metrics from 28 days prior to migration, to the 28 days after, we saw the following changes:

  • Search Impressions: 116,771 (+21,626)
  • Clicks: 2,097 (+246)
  • Click Through Rate: 1.8% (-0.15%)
  • Average Position: 35.1 (+3.4)
  • All traffic sources: 4.13 seconds (+0.99)
  • Organic Traffic: 4.33 seconds (+0.34)
  • Mobile Speed: 64/100 (-2)
  • Desktop Speed: 81/100 (0)

From those numbers, the HTTPS migration in isolation could claim to have been a success in terms of organic performance whilst site speed has not been impacted.  Of course, with our ongoing content marketing and coverage, it is not possible to say what impact the HTTPS migration may have had organic performance.  The only disappointing metric there is the slight drop in Click Through Rate, which could suggest that when it comes to sites where privacy is not an issue, users are not necessarily inclined to click on a result just because it is HTTPS.

EOGHAN HENN: I have never witnessed first-hand an HTTPS migration that directly led to an improvement in key metrics, but I don't think that KPI improvement is the most important argument for switching to HTTPS. In a time where internet service providers in some countries are allowed to sell the navigation data of individual users, the privacy of your website visitors should be a real concern to you. Also, switching to HTTPS provides some other interesting benefits, such as less dark traffic in your web analytics tool. When your page runs on HTTP, visits from HTTPS websites normally don't have a value in the HTTP referer field, so your web analytics tool can't figure out where the traffic comes from and marks it as direct traffic. When you switch to HTTPS, the quality of your web analytics data improves in this regard.

BASTIAN GRIMM: Personally, I don’t really believe (or haven’t seen critical evidence suggesting) that switching to HTTPS significantly increases rankings. However, it certainly is an issue not being on HTTPS nowadays since Google is flagging non-secure form fields within the Chrome browser. From a user’s perspective, this totally makes and probably even has a long-lasting, positive impact in terms of data protection. However, the downside is that onsite conversion elements that utilize forms might not convert as well as they used to (assuming that people actually notice these small warnings in those form elements). My personal take is that Google will even go one step further and also flag insecure URLs in SERPs (e.g., similar to highlighting AMPs with a small icon), which will result in a massive decline in your SERP CTR if you’re not on HTTPs by that time.

ERIC ENGE: We actually did an extensive study on the impact of HTTPS conversion on rankings. We also converted our site to HTTPS at the same time, and we saw no material change in our rankings. My general impression is that it's not an issue at all. I can also relay a conversation that Gary Illyes and I had on stage at SMX East 2015, where I compared the impact of the HTTPS boost to that of the US Vice President in the Senate. Basically, if the vote in the Senate is deadlocked, the Vice President gets to cast a vote; otherwise, the VP has no impact at all. In other words, it acts pretty much as a tiebreaker, nothing more.

I also don't think that users notice if a site is HTTP or HTTPS either. However, Pete Meyers recently reported that more than 50 percent of page-one results in Google are HTTPS. I think, two things are going to start to happen that will start to make HTTPS matter more to users:

  • As the percent of results moves to 90 percent or more (perhaps in 2 years), users may start to notice this more, and start to care about it.

  • Browsers like Chrome and Firefox are making moves to flag sites, which are insecure. This will also start to make more consumers concerned about visiting a non-secure site, resulting in more clicks for secure sites.

Based on these factors, Google may then see fit to make it more of a ranking factor than it is today.

JULIEN DENEUVILLE: In my experience, I didn’t notice any big changes in organic traffic after migrating different sites to HTTPS. Unless for all traffic channels it’s becoming more and more problematic to stay on HTTP, because internet users are more sensitive and turnover can be affected. Anyway, it’s difficult to detect the real impact of HTTPS because it’s really hard to isolate any related changes from other possible factors.

JIM STEWART: We have not seen any ranking boost from moving to HTTPS. SSL will also slow things down marginally. Users don't really know the difference in our experience but they will once the chrome warnings turn red.

OLIVIER ANDRIEU: A tiny boost in ranking was noticed for some sites after migrating to HTTPS, especially since October 2016. But for me, this boost, if it exists, is not really sufficient to justify a migration. Red “Non-secure” sign that is shown in the address bar can lead to a possible loss of trust for the sites on HTTP — and that is the real reason for migrating to HTTPS. That’s a phenomenon, a trend set by a large number of major market players and there’s nothing we can do about that. HTTPS migration has become obligatory in 2017. It’s a new benchmark, whether we want it or not.

Do HTTPS websites prevail over SERPs in your industry?

Some research suggests that the percentage of HTTPS websites in Google’s top 20 varies across industries. We asked our fellow marketers whether they notice HTTPS prevalence in some specific industries or not.

ALEYDA SOLIS: I have seen an increase in HTTPS sites in the top results across different industries: from fintech to health and media, with the exception of retail, of course, which has been using HTTPS for a while, including both longer-established players that have migrated as well as sites that were not there in the past that are already using HTTPS. I have seen this with my own clients too: since 2014, when Google made the initial announcement that it had started using HTTPS as a ranking factor, many of them started to prioritize it and when the opportunity came, it was implemented.

GUY LEVINE: For the top 20 across our main target keyword, 9 are HTTP (including #1 and #2) whilst 11 have migrated.  Prior to a recent domain migration, we had been the #1 site for this term and obtained it following our migration, but the current SERP would suggest it is not a major ranking factor.

Check out SEMrush Data Study ‘HTTPS vs HTTP Usage in the Top 5K Domains by Industry

FILI WIESE: When it comes to our industry, there are hardly any stakeholders worth mentioning not using HTTPS. It has become an industry standard and it demonstrates excellence for clients too.

EOGHAN HENN: Yes, in the digital marketing industry you do get the impression that HTTPS dominates the top 20 search results. This is probably due to the fact that there is a high awareness in the industry of the need to switch to HTTPS and of the benefits it brings. In other industries, where fewer big players have made the move, you might still see more HTTP results at the top of the SERPs.

BASTIAN GRIMM: At Peak Ace we deal with a broad variety of websites from very different industries on a daily basis. Therefore, I can absolutely confirm that there are huge differences in adoption rates. All of our clients in banking and finance / insurance have been on secured connections for quite some time already, compared to, for example, the publishing industry, in which we still see lots of the very large news publications that are still on HTTP (which makes sense if you think about it: those ad-driven businesses and especially their ad-servers are dependent on massive amounts of the external data. To fully switch to HTTPS, all of this needs to be migrated as well, which is a huge amount of work and, therefore, takes time).

ERIC ENGE: It looks to me like 60 to 70 percent of the results in SERPs are HTTPS.

JULIEN DENEUVILLE: The number of HTTPS pages has increased since Google started mentioning it as a ranking signal. To me, this doesn’t mean that there is a correlation between HTTPS and rankings. As I indicated before, we also often migrate to HTTPS when major site modifications are deployed. But the fact that webmasters understand the importance of a secured website is a great thing.

JIM STEWART: Most retailers we work with at StewArtMedia have HTTPS either on the checkout or site wide. We still see some sites rank high with no HTTPS.

OLIVIER ANDRIEU: If 50 percent of the top 20 Google search results contain sites that are on HTTPS (the most common stats), it can be due to the fact that the overall number of sites that have moved to HTTPS is constantly growing. I mean that the reason is not necessarily a change in search engine algorithms. As I said before, I have noticed a slight boost in rankings for some sites that were moved, but this is not sufficient to make any reasonable conclusions. It has become so complex to do reverse engineering on Google today. One might also notice some traffic drops for sites that have failed to implement HTTPS, but especially for reasons of duplicate content, indexation issues, etc.

Is it all worth the effort?

A migration gone wrong can result in horrible things — some webmasters report a traffic loss of up to 100 percent and a complete disappearance from SERPs. Taking into account the ‘no guarantees’ effect of this change, we asked the experts whether it’s worth the effort. Does potential improvement in website traffic, SERP rankings and CTRs outweigh the complexity of the migration process, the temporary drop in traffic, and investment of human resources, time and money?

ALEYDA SOLIS: It does at this point, especially for transactional sites. A migration should actually be done for security and trust reasons and not with SEO as a main goal (which should be an additional benefit), as there are many other SEO-related configurations that are also easier to implement that will have a much more direct rankings impact. Your main concern should be users’ security and the potential negative impact of the browser warnings on their experience and trust in your website. It's also important to take into consideration that Google has confirmed that Chrome's security warnings will be expanded in the future as well, so the cost and potential complexity of a migration will be more than compensated for by the potential negative impact of leaving the site without HTTPS.

FILI WIESE: Absolutely, HTTPS migration is very much worth the effort and the benefits hugely outweigh any possible challenges. Security is the obvious benefit highlighted by browser vendors, however from a SEO perspective I think that improved page speed with HTTP/2 is the biggest user benefit for moving to HTTPS.

EOGHAN HENN: I don't think you really have a choice. There is absolutely no excuse for not having switched to HTTPS already.

BASTIAN GRIMM:  If you know exactly what you’re doing, HTTPs migrations are not as bad as their reputation –- at least that’s my personal take. Yes, it’s a huge amount of work and it certainly requires a lot of attention to details, but it’s absolutely possible to migrate to HTTPs without losing organic traffic. I presented a checklist approach to HTTPS migration with to-do’s at SMX Munich 2017 this year, so maybe it will also be helpful. And, of course, the opposite is true as well: if you don’t have experience with migrating — whatever you do — please get help from someone who has successfully done it, otherwise, the results will be fatal!

ERIC ENGE: Right now, I would not expect to make more money, just because you converted your site to HTTPS. There are plenty of reasons to convert, such as avoiding your content being altered by a third-party before users see it, but expecting better rankings or more traffic is not realistic, I think.

JULIEN DENEUVILLE: Yes! But not for SEO. As for me, a migration to HTTPS also represents some SEO risks: it’s very easy to fail at your migration, for example, if you don’t modify all internal links or links to external resources. Even if the ranking boost is very small, it can be increased soon. Moreover, as user attention to website security and awareness of the topic will grow, brands will have no choice: it will come sooner or later.

JIM STEWART: As the general public become more aware of HTTPS, they will favour secure sites over insecure ones.  It is a cost to business but one that has to be done. You are better off doing it sooner rather than later as it can be a disruptive process. Don't expect a ranking boost though. However, you may see a drop in the not too distant future if you don't switch.

OLIVIER ANDRIEU: Yes, it’s clear, for many sites, that the migration can be done quite easily, without problems. Of that I am certain. I've migrated more than 30 sites to HTTPS. For 90 percent of them, (it was with the assistance of a good system administrator, who is indispensable), it was very quick, about 1 hour. The only site for which it wasn’t so fast was Abondance.com, because it has already existed for 20 years and has a lot of pages from different eras, etc. Nothing was technically difficult about this, but it took a lot of time to check everything.

HTTPS advice that you would like to share?

ALEYDA SOLIS: A few aspects that are important to take into consideration when doing an HTTPS migration are:

  • The usage of content delivery networks: it's key to make sure that they also are moved to HTTPS — and get the right HTTPS certificate that can be used in many subdomains if you use them to serve assets — and every single resource on the site is HTTPS based too, to avoid "mixed content" warnings.

  • Hae a mindful approach to hotlinking and serving images from other sites. I've seen sites using user-generated content that have allowed their authors to embed content by hotlinking directly, which resulted in getting the "mixed content" warnings. This is why it's critical to first do a full SEO audit to have a proper understanding of the current crawling and indexation status of the site, as well as any configuration that can later impact the HTTPS migration.

  • Having a detailed plan. I've created a checklist to facilitate the migration process with steps to follow before, during and after a migration, as well as a presentation sharing many of the most common problem scenarios from HTTPS migrations; there's also a video of my talk in case you prefer to watch it too!

FILI WIESE: To learn more about the SEO best practices in moving to HTTPS, I recommend my Ultimate Guide on HTTPS

EOGHAN HENN: One piece of advice related to HTTPS and domain switches that I would like to share is the following: if you switch domains and redirect your old URLs to your new domains, and you already had HTTPS pages on your old domain, please make sure you keep a valid SSL certificate for your old domain, otherwise the redirects for the old HTTPS pages won't work. I have seen cases of this being forgotten in the past and it can cause serious harm to your business if the power of your old domain is not transferred to your new one due to redirects that are not working.

GUY LEVINE: Don’t expect big things from an HTTPs migration in terms of organic visibility, but don’t dismiss it purely on lack of apparent SEO benefits.

OLIVIER ANDRIEU: HTTPS migration is becoming a must in 2017, whether you like this idea or not. Although I used to say there was no hurry to do it, today I say it’s time.  Here are my tips:

  1. Install a digital certificate to enable HTTPS (Certificate issued by Let’s Encrypt work perfectly for any SEO needs).
  2. Check HTTPS versions and every element of your pages to make sure that the secure indicator in the browser is showing correctly (for me, I used the Firefox function ‘Tools > Web Developer > Network’ for that) and fixed it if needed.
  3. When all the elements are secure, add 301 redirects to lead visitors from the HTTP versions of your pages to the HTTPS versions. Google usually indexes the HTTPS versions very quickly (but it also depends on the frequency of recrawl of your current site).

JIM STEWART: Upload your HTTP sitemaps to your HTTPS Google Search Console. We find that it speeds up the deindexing of HTTP. If you simply wait for Google to request your old HTTP only to find out is has been redirected to HTTPS, it will take a lot longer to deindex the HTTP. By serving a sitemap full of HTTP URLs  over HTTPS will help Google understand faster that the site is now HTTPS. Google cannot crawl your HTTP sitemaps anymore, as they will be redirected to HTTPS. So serving the HTTP sitemaps over HTTPS allows Google to re-request individual HTTP pages and see the 301 redirects to HTTPS.

PATRICK STOX: Don't panic. Make sure all tracking is set up ahead of time to diagnose issues. Try to keep it to an HTTPS migration only. Doing a website redesign, information architecture change, content changes, and a migration at the same time as many companies do makes tracking and diagnosing issues difficult.

If you need further advice on making a smooth transition to HTTPS, check out our Complete Guide to Securing Your Website.

Conclusion

HTTP encryption is definitely a change you will want to make to your website. Surprisingly, the first and foremost reason for that is not the possibility of higher rankings, but users’ trust.

Statistics show that people already pay attention to the security of the webpages they visit, and some experts believe, that this results in more traffic for HTTPS pages and less traffic to the HTTP ones. This will be taken to another level with Google’s future labeling of all HTTP pages as non-secure in a more aggressive manner and irrespective of whether there is any form on the page or not.

Also, the good news is that HTTPS migration is usually implemented together with the number of other SEO tasks, which, when done correctly, can actually have a positive impact on your SERP rankings, website traffic and CTR.

Although adoption of HTTPS happens much faster in certain industries like banking compared to the other ones, there is an undeniable trend toward HTTPS migration that you can’t overlook. So, grab your checklist and get started!

If you have anything to add to the topic, speak up in the comments below!

HTTPS Implementation with SEMrush

Is your website secure?

Please specify a valid domain, e.g., www.example.com

Like this post? Follow us on RSS and read more interesting posts:

RSS
Online Marketing Specialist at SEMrush.
Expand your knowledge:
Website Security
Share this post
or

Comments

2000 symbols remain
Navin Rao
HTTPS, is really helpful, doesn't matter what type of website you have. A great case study to see before and after installing an SSL. Amazing statistics.
You would automatically assume that HTTPS would increase conversions but sometimes this is not the case. Good article Xenia.
This comment was deleted.
Xenia Volynchuk
Google Employee
Hey! Finally a Google employee on our blog :) Totally agree with you — HTTPS is everything. Although I believe that you need to have some experience / interest in SEO to understand all that HTTP / HTTPS / HTTP2 story :)
Xenia Volynchuk
I agree. You should plan accordingly especially with an SEO expert. I feel that HTTPS is the future though and its worth the investment. With HTTP2 and PWA it should help increase conversions.
Yes, I agree with this article. Google ranking depends on Domain registration length, Domain history, Domain Authority of linking page, Link relevancy and more.
Andrea Maria
Exactly, HTTPS will be a standard. Good quality content is the number one factor for rankings. HTTPS will not effect your search ranking but if you don't have it web browsers will give warnings. Chrome will eventually stop supporting http in the future.
Peter Egan
While we don't sell products or complete transactions from our website, we do have a contact form and a job application form, so it looks like we're going to have to make the switch.

Is it as simple as setting up a 301 from all the http URLs to the https URLs (which I'm totally capable of doing), or is there more to it than that? Trying to decide whether or not this is a job for me or if I need to hire someone more experienced with migrations.

Thanks in advance.
Peter Egan
Peter Egan
Thanks for the article by the way. This is the best material I've yet to read on the topic.
Fili Wiese
Peter Egan
Depending on your website, and the size of it and its backlinks, there is a little bit more to it than just redirecting. Check out this guide: https://online.marketing/guide/https/ which discusses all the SEO aspects of moving to HTTPS.
Xenia Volynchuk
Peter Egan
Hi Peter! Thanks a lot for your feedback! As Fili noted (thanks), HTTPS migration involves a number of jobs apart from redirecting HTTP pages to HTTPS versions, so have a look at the workflow and decide, whether you can resolve all of the tasks yourself. On a separate note, I have to say that CV submission and newsletter subscription forms are not the same as login forms and credit card detail forms – although implementing HTTPS for such pages is important, it is not critical (at least, as of today :)).
Nicholas McDonough
There's a misconception that you'll outrank your competitors if they're not. With so many other factors, I feel that it's so slight that it will be difficult to notice. Users may more inclined to visit because they see a site is secure.

One should carefully evaluate based on industry and competition.

It will be interesting if Google and others decide to make this standout more on mobile. The padlock or lack thereof is far more noticeable on desktop.
Xenia Volynchuk
Nicholas McDonough
Hi Nicholas! Thanks for sharing your thoughts! I really like your addition about the mobile browsers. Since mobile web traffic overtakes desktop today, it would make perfect sense if these warnings stood out against the address bar or the page.
Xenia Volynchuk
Although Mobile traffic is higher than desktop, desktop still has more conversions. People usually don't buy much on their mobile devices.
Xenia Volynchuk
Google Employee
Do you have any proof for that?
Xenia Volynchuk
Global (Source smartinsights)
Desktop 4.23% 3.88% 3.66% 4.25% 3.63%
Smartphone 1.42% 1.31% 1.17% 1.49% 1.25%
With HTTP2 and more robust networks this will hopefully change. And actually alot of people use their mobile devices for researching products. Look at the developing world such as Latin America or India and the desktop conversion rate is even larger than compared to mobile.
Melanie Nathan
Google Employee
I’m curious, what do you do for Google?
Google Employee
"Improvements in mobile experiences over the past years haven't impacted this figure, showing that smartphone is more popular as a device for browsing products while desktop is preferred more for transacting"
Nicholas McDonough
This comment was deleted.
Nicholas McDonough
Google Employee
What's with the cloak and dagger BS Name? Some of your comments are generalized and not accurate.
Nicholas McDonough
Which one Nicholas?

Subscribe to the SEMrush Blog to get valuable content delivered right to your inbox

Thank you!

You have successfully subscribed to our blog.