Why are some sites HTTP and some sites HTTPS? If that’s a question you’ve ever asked yourself, then there are some fundamental things you need to know about the internet. Simply put, the S in HTTPS stands for secure and means that a site has a security certificate (more on that below).
Back in 2017 (or perhaps 2015 depending on how you look at it) Google decided that all sites should switch to HTTPS in order to make the internet safer and that safer sites would get a boost in search rankings.
I personally learned about it when I received an email from Google Search Console saying:
“Starting October 2017, Chrome (version 62) will show a ‘NOT SECURE’ warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.”
When I heard this news I immediately bought an SSL Certificate to switch my site from
http://theonlineadvertisingguide.com
to
https://theonlineadvertisingguide.com.
And I’m here to tell you how and why you should do it too.
What is an SSL Certificate and do I really need one?
An SSL certificate lets a visitor’s browser check that it is really talking to your site and set up an encrypted connection with your host, meaning it is very difficult for hackers to find out what information people are entering on your site.
I’ve never had one before because The Online Advertising Guide isn’t selling anything, so I didn’t think I needed one. However, Google, in all its infinite wisdom, has decided that being secure is the only way to be, and so will warn people about entering information into any text box, including search forms.
This means that not having a secure site will hurt traffic. I mean, who wants to go to a site that your browser says is dangerous?
On top of this, Google decided years ago to prefer secure sites to unsecured ones in their search results. This means that not only will getting a certificate stop those horrible warnings from appearing on your site, but you’ll also get some more traffic from search too. Hooray!
And before you come to the obvious conclusion – no this isn’t a shakedown by Google. They don’t sell the security certificates, so they are getting precious little out of the deal (possibly nothing? If you know different, I’m all ears).
So to summarise – this is good for SEO, it’s good for security, and it’s good for traffic. That’s right – it’s just a good idea regardless, so keep reading.
How do I get an SSL Certificate then?
The easiest way to switch to HTTPS is to see if your host sells SSL Certificates. I know that BlueHost and GoDaddy do, and imagine that others do too.
While you can probably find an SSL Certificate cheaper elsewhere, not all SSL Certificates are equally good, so I would recommend going with a company you already trust (e.g. your host). On top of that, if you buy an SSL Certificate through your host then it’s likely that they will support you through the process. If you buy it from elsewhere, you will still have to get in touch with your host to set it up for you anyway, so you’re not exactly saving yourself much time and effort.
There are many different types of SSL Certificate, so read carefully to see which one is best for you. For sites with just one domain (and no subdomains like sub.domain.com for example), a simple Positive SSL should be fine for you and only costs about $5 per month. Many hosting deals will throw this in for free these days (it doesn’t hurt to ask either way).
Once it’s set up, do I have to do anything else?
Unfortunately yes. My host did a lot of things for me, like changing every link on my site to https (including to images) and adding canonical links to every page to the new https version.
If you’re not so lucky, and your host doesn’t get stuck in making your life better, there are lots of great guides out there on what to do first. I personally like this one from WPBeginner and this one from CSS-Tricks.
After you have done these things there is still a lot more to do, I’m afraid, as even the best host won’t fix things happening off your site. This is why I came up with this handy checklist of things that I personally did.
Let me know if you think there are other things you need to do that I have missed off the following list:
12 Steps to Security: Switching to HTTPS Checklist
1) Buy an SSL Certificate
Covered above. Buy it from your host ideally.
2) Get your host to install your SSL Certificate
When I updated to HTTPS my site went down for a bit. This is apparently not that out of the ordinary, so don’t freak out (like I did). I would recommend buying it through a Live Chat salesperson, so they can take you through the whole thing in a calm and orderly fashion.
As I said – my host added canonical links to all WordPress pages as well as updated all internal links. If yours doesn’t do this, then you’re going to need to do it yourself (using the guides I mentioned above).
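If you do have to find the leftover http:// references yourself, a scan like the following can help. It is an added example, not something from the original post or from any host's tooling; `example.com`, the sample page and every function name are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Tags whose URL the browser fetches while rendering: an http:// value here is
# mixed content once the page itself is served over https.
FETCHED = {"img": "src", "script": "src", "iframe": "src"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}

class HttpUrlFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCHED.get(tag, "href")) or ""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return
        host = parts.hostname or ""
        own = host == self.site_host or host.endswith("." + self.site_host)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag in FETCHED or (tag == "link" and rels & FETCHED_LINK_RELS):
            kind = "mixed-content"
        elif tag == "link" and "canonical" in rels:
            kind = "canonical"
        elif tag == "a" and own:
            kind = "internal-link"
        else:
            return  # e.g. outbound links, which are not ours to rewrite
        self.findings.append((self.getpos()[0], kind, tag, url))

def find_http_urls(html, site_host):
    finder = HttpUrlFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; example.com stands in for your own domain.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/guide/">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<a href="http://www.example.com/glossary/">Glossary</a>
<a href="http://other.example.org/">Elsewhere</a>
<img src="http://example.com/logo.png" alt="logo">
</body></html>"""

for finding in find_http_urls(SAMPLE, "example.com"):
    print(finding)
```

It only looks at HTML attributes, so http:// URLs inside stylesheets or scripts need a separate check.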
3) Update 301 redirects
If you’ve set up 301 redirects for your site, you’re going to want to update all of them to point at the new https versions of the pages.
Ideally, you don’t want anyone going to the http version anymore, so having redirects which lead there makes no sense.
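As an added example (not from the original post), here is one way to rewrite a table of existing 301 rules so that every target on your own site uses https and chains of redirects are collapsed into a single hop. The rule table, `example.com` and all function names are assumptions made up for illustration, and source paths must match exactly, trailing slash included.

```python
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: placeholder for your own domain

def on_site(parts, host):
    return parts.hostname in (host, "www." + host)

def to_https(target, host=SITE_HOST):
    """Rewrite an http:// target on our own host to https://; leave others alone."""
    parts = urlsplit(target)
    if parts.scheme == "http" and on_site(parts, host):
        return parts._replace(scheme="https").geturl()
    return target

def local_path(target, host=SITE_HOST):
    """Path of a target that stays on our site, or None for external targets."""
    parts = urlsplit(target)
    if not parts.netloc or on_site(parts, host):
        return parts.path
    return None

def fix_redirects(rules, host=SITE_HOST):
    """Upgrade targets to https and collapse chains; returns (fixed, loops)."""
    fixed, loops = {}, []
    for source in rules:
        seen, target = {source}, to_https(rules[source], host)
        while (path := local_path(target, host)) in rules:
            if path in seen:  # redirect loop: report it instead of spinning
                loops.append(source)
                break
            seen.add(path)
            target = to_https(rules[path], host)
        else:
            fixed[source] = target
    return fixed, loops

# Constructed sample rules: source path -> current 301 target.
RULES = {
    "/old-guide/": "http://example.com/guide/",
    "/guide/": "http://www.example.com/advertising-guide/",
    "/partners/": "http://partner.example.net/",
    "/a/": "/b/",
    "/b/": "/a/",
}

FIXED, LOOPS = fix_redirects(RULES)
print(FIXED, LOOPS)
```

Targets on other people's sites are left alone, since you cannot know whether they support https.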
4) Install HTTPS Redirection
If you’re using WordPress, it makes sense to install the plugin HTTPS Redirection. Without it, people who go to your site through an old link (such as the ones still listed in Google) will still be sent to the http version of the site.
The HTTPS Redirection plugin will force all users onto the https version of your site however they get to a page, and stop that http traffic dead in its tracks.
5) Update your Google Analytics property from the http to https version
Until you do this, Google Analytics won’t record any of your new https traffic. The setting is in Admin > Property Settings as a drop down:
[Image: Update to HTTPS in Google Analytics]
6) Update Social Media Profiles
All of your social media profiles for your site will have that pesky little http:// in them somewhere. Make sure to go into each of them and update to the new https:// version (including on any special buttons on your profiles).
7) Update pinned Social Media posts
If you’ve pinned a post on a social media feed, then you want that to be doing its best for you right? So update the URL in it to https!
Otherwise, people will click the link and be redirected an extra time for no reason. The time that extra redirect takes will cost you users in the long run.
8) Update scheduled Social Media posts
If you use a social media scheduling program like Hootsuite or Buffer, make sure you go in and update all your scheduled posts with the new https URL.
9) Add new Search Console properties
Honestly, this is the stupidest thing to me. Search Console thinks of these as four different websites:
- http://theonlineadvertisingguide.com
- https://theonlineadvertisingguide.com
- http://www.theonlineadvertisingguide.com
- https://www.theonlineadvertisingguide.com
This means you should add all four different URLs individually. Le sigh. You will probably only have to verify one of them though, so there is that at least.
Keep in mind that your new properties won’t have search console data for a while. Also – your old http:// version of your site will start to run into problems on there if you are redirecting to the https version automatically.
10) Unlink Google Analytics from old http Search Console property & link it to the new https property
You want to get that sweet Search Console data in your Analytics right? Then switch linked properties in Google Analytics.
You can also find this setting in Admin > Property Settings near the bottom. Just click “Adjust Search Console” and choose the new one.
[Image: Use this button to change the Search Console property you are linked to]
11) Add a new sitemap to your new Search Console properties
Your new sitemap for the https versions of the site should be located in the same place as the old one for the http versions. So simply go into your new properties, go down to Crawl > Sitemaps and add the site map again. Super simple.
[Image: Add a new Sitemap to Search Console by pressing this button]
I would definitely recommend testing your sitemap before adding it btw. For a short period mine was linking to some dodgy website before Google came to its senses. Again – don’t freak out if this happens to you (like I did), just give it a day and then test it again.
Note: Google can take a while to actually index your pages, so this process will, unfortunately, hamper your access to Search Console data.
12) Revalidate Pinterest Pins
If you’re on Pinterest (like we now are), you want to have rich pins available to you (they are just better ok). To get them you have to validate your site using this tool.
I actually don’t know if revalidating your site is necessary after the switch to https as I can’t find any information either way on it. There is something weirdly satisfying about validating your site with Pinterest though, so you might as well.