Websites are constantly compromised. You may not even think that your innocent blog or site that doesn’t contain any users’ credit card information has anything worth being hacked for. Nevertheless, hackers can easily turn your website into a malicious spy bot, manipulate your important online information, inject your content with toxic links, and even more.But, it’s not as scary as it sounds. You can avoid these scenarios and keep your website safe by taking a few easy steps. If you are uncertain over your HTTPS efforts, you can apply oureasy-to-use check for “ Non-Secure” pages.
During our SEMrush chat we discussed how to secure your site with HTTPS with our special guest Dan Taylor, Technical SEO professional at SALT.agency and blogger.
Check out how to prevent your site from becoming a target for online vandals in the following recap of our discussion.
Q1. What are the benefits of HTTPS for site owners and regular users?
HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP, a protocol that’s used to protect the integrity and confidentiality of data over the Internet. Our chat guests named multiple benefits that moving your website to the HTTPS protocol provides for you and your site visitors. Here they are.
1. Security
Obviously, when users are interacting with your site, they expect a secure and private online experience. According to Google, HTTPS protocol helps you protect your users’ connection to your website. However, some experts pointed out that even after you switch to HTTPS, you may still be vulnerable to some issues, such as downgrade attacks, DDOS attacks or hacks of your site, server or network.
Val Vesa @adspedia shared a post that explains why HTTPS doesn’t secure sites: “HTTPS does not mean website security. This article by @perezbox is self-explanatory: We Must Improve the HTTPS Message.”
But, as Express Writers @ExpWriters pointed out, HTTPS gives a sense of security to users who access your website, especially when they make a purchase.
@semrush is becoming more important, especially after the high profile Dyn DDoS attack in October 2016 (2/2) #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
@semrush for a long time it's just been about the "ranking boost", but with Chrome 56 it's a clear indication that user security (1/2)
— Dan Taylor (@danny_taywitter) February 8, 2017
2. Privacy
Some of our chat guests mentioned that using HTTPS provides privacy for your site visitors. Sean Van Guilder also explained that when users click on an ad and then land on a site that doesn’t use HTTPS, they will see a security warning message from Google. This will make them click back, which means that the site owners will have to pay for clicks without any benefit.
A1: privacy for users, more organic traffic for site owners, and eventually lower CPC for PPC #semrushchat
— Sean Van Guilder (@seanvanguilder) February 8, 2017
3. Encryption, data integrity, and authentication
Patrick Stox remarked that Google identifies three main reasons why you need to move your site to HTTPS, which are encryption, data integrity and authentication. These are the three layers of protection for your and your users’ data.
A1. Encryption, Data integrity, Authentication #semrushchat
— Patrick Stox (@patrickstox) February 8, 2017
4. A lower bounce rate
In August 2014, Google announced that moving your site to HTTPS will give you a slight ranking boost. Even though there’s no certainty whether or not the search engine rewards HTTPS or punishes the lack of it, it’s a fact that warning messages from Google can scare some of your site visitors away.
A1: Google may give you a slight ranking boost, no "non-secure" messages showing up in browsers, which can scare some ppl away #semrushchat
— Rachel Howe (@R8chel_Marie) February 8, 2017
5. Trust
Debi Norton pointed out two reasons for using HTTPS. First of all, it adheres to Google’s Webmaster Guidelines. Also, from the user experience point of view, it helps your site gain a higher level of trust with your users. “Security equals trust and might equal making more money.”
a1 Migrating over to HTTPS Adheres to G-Guidelines. From the User Experience It Provides a Level of "Trust" with the website. #SEMRushchat https://t.co/Xo8sWUMKh7
— Debi Norton (@BRAVOMedia1) February 8, 2017
Check out a few other benefits of HTTPS in the following recap.
Even though HTTPS cannot protect you from all problems and your site may still be vulnerable to some issues, it’s being actively pushed by Google. So, if you haven’t switched to HTTPS yet, it’s time to do so.
Q2. How much of your website should be moved to HTTPS?
Now that we know that you need to migrate from HTTP to HTTPS, it’s time to figure out if it’s worth moving your entire site to it.
Our special guest believes that a complete migration to HTTPS is necessary. All of your internal links should use HTTPS, not only to your webpages, but also images, CSS, JavaScript, etc.
@semrush a2: All of it. A lot of sites at the moment just have the basket/checkout on https but the migration needs to be full #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
Sarah Wilkes pointed out that it’s worth migrating your entire site to HTTPS, if you collect information from your visitors such as passwords and credit card details. “It depends — anywhere with information that should be secure,“ tweeted Reva Minkoff @revaminkoff.
A2: It depends! If you're taking information off your users then be cautious - go all. If you're not, then it's not an issue. #semrushchat
— Sarah Wilkes (@TrafficJamSarah) February 8, 2017
When it comes to an online shop, Rachel Howe said that, at the very least, your shopping cart and login pages need to use HTTPS.
A2: I'd recommend the shopping cart and login pages, if you have them, at the very least #semrushchat
— Rachel Howe (@R8chel_Marie) February 8, 2017
Marianne Sweeny agrees that you need to at least migrate anything that contains user data to HTTPS.
@semrush A2: GOOG is getting more emphatic on this. At least, anything that captures user data. At most, entire site. #semrushchat
— Marianne Sweeny (@msweeny) February 8, 2017
Also, Sean Van Guilder recommended migrating your site to HTTP/2.0 as well. HTTP/2.0 is a major revision of the HTTP protocol that has freed developers from the need to sprite images, do resource in-lining and concatenate files.
A2: highly recommend getting a move on HTTPS/2 as well #semrushchat
— Sean Van Guilder (@seanvanguilder) February 8, 2017
Let’s sum up these key points.
Most of our chat participants recommended moving all of your website to HTTPS or at least sections that contain sensitive information.
Q3. Pre-launch checklist: What factors need to be considered when preparing for the move to HTTPS?
Our chat participants helped us make a pre-launch checklist. Follow the steps below when migrating your site from HTTP to HTTPS.
Fix anything that might not be functioning correctly
To begin, you need to fix everything that might be broken or functioning improperly before initiating a migration.
A3: First & foremost -- audit your entire website to fix anything that might be amiss/broken/not functioning before migrating. #semrushchat https://t.co/ehAGnG4cdi
— ThinkSEM (@ThinkSEM) February 8, 2017
301 redirect
Identify all existing 301 redirects on your website and then update them to their HTTPS version. All 301 redirects that are implemented on 404 pages should be updated to this version.
@semrush 3. Identifying all existing 301s on the website, and then 'breaking them' so that there aren't any chains #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
Certification setting
You need to buy and install an SSL certificate. When installed, it activates the HTTPS protocol and allows secure connections between a web browser and the server. There are three different types of certificates: domain validation, organization validation, and extended validation. Once you have installed an SSL certificate, you need to check whether or not there are any issues with it.
CDN
If you use a CDN (Content Delivery Network), ensure that it won’t cause any issues, and will properly serve the HTTP domain version of your site and handle SSL when the website is migrated to the new version.
A3: Type of certificate, installation challenges, whatever is in the chain like CDNs, load balancers, CMS's, server environment #semrushchat
— Patrick Stox (@patrickstox) February 8, 2017
Internal links
The internal links on your website also need to be updated to their HTTPS URLs, image files, video files, JavaScript files, etc.
A3 Internal links External images, CDN's, redirects, loads. Awesome read migrating @tnw by @martijnsch https://t.co/DGxctq74pt #semrushchat
— Arnout Hellemans (@hellemans) February 8, 2017
Canonical tags
Another step you should take is to configure canonical tags and making them point to the new HTTPS version. These tags should be implemented on the same webpage, but point to HTTPS.
A3: internal links, redirects, javascripts, canonical tags, APIs, etc. There's a lot... #semrushchat
— Ryan Jones (@RyanJones) February 8, 2017
Robots.txt
Make sure to update your site’s existing robots.txt file and update the new sitemap that is configured for the HTTPS version. Once you have done this, verify that robots.txt isn’t not blocking any important files, like CMS or product page.
A3: prepare all references, ALL - canonicals, hreflangs, rel-next/prevs, intl. links, sitemaps, robots.txt, markup references #semrushchat
— Bastian Grimm (@basgr) February 8, 2017
Disavow configuration
You need to copy any existing disavow files and upload them to their HTTPS version in Search Console.
A3: btw dont forget to upload your disavow file to the (new) https property PRIOR to moving #semrushchat
— Bastian Grimm (@basgr) February 8, 2017
Let’s sum up!
As you can see, there’s a lot that needs to be done for a successful migration. We discussed some of the most important steps in this process. You can also check out “ The HTTP to HTTPs Migration Checklist”, which was provided by Aleyda Solis
Q4. What technical aspects need to be configured to ensure there is no content duplication?
When you move your site from HTTP to HTTPS, you can end up with two versions of the same the website. This means that two identical sites will be indexed in Google and the duplicate content will confuse the search engine. Duplicate content is a red flag that can hurt your site’s capacity rank.
First of all, to avoid duplicate content issues, you need to update canonical tags to make them point to the HTTPS version and update all the implemented 301 redirects to the new version.
@semrush a4.Canonical tag so GOOG keeps version that you want indexed and presented. Dup content a nuisance more than penalty #semrushchat
— Marianne Sweeny (@msweeny) February 8, 2017
You should configure a new sitemap for your site’s HTTPS URLs and submit it to Google and Bing.
@semrush A4 update canonicals, configure GSC & BWMT, update XML sitemap, make sure 301s work (tested) #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
Dan Taylor also pointed out that it’s worth explaining to your clients that HTTP URLs may still appear in Google SERPs for a little while.
However, Bastian Grimm remarked that redirects and canonical tags are not enough. Internal links are important for both search engines and your site visitors. Most websites depend on elements, such as image and video files, JavaScript and CSS. All these internal links and internal references need to be updated.
A4: redirs & canon is NOT enough folks, adjust ALL internal references - otherwise massive crawl waste #semrushchat
— Bastian Grimm (@basgr) February 8, 2017
Make sure that the robots.txt file on the HTTPS version is updated. Copy the file from the HTTP version to HTTPS and update the Sitemap reference to the new Sitemap file.
A4: Think redirects, canonical, 404s and robots.txt to be updated #semrushchat
— Sarah Wilkes (@TrafficJamSarah) February 8, 2017
Everybody knows that content duplication can be a problem; therefore, you need to take all the important measures to avoid all duplicate content issues.
Hopefully, these tips will help you make your transition to HTTPS as smooth as it gets.
Q5. What is the one thing that often gets neglected during or after a migration and can ruin the whole HTTP to HTTPS process?
Our chat participants named four important things that developers often neglect during or after a migration from HTTP to HTTPS.
Updating internal links, canonical tags, hreflangs, sitemaps, etc.
To avoid sending conflicting signals to search engines, you need to update the most common technical on-page signals to HTTPS.
@semrush A5 people not updating internal links, canonicals, hreflang, sitemaps, menu links... #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
Updating internal links of all types
As we’ve already mentioned, you need to update all internal links and references that may contain internal links inside assets, such as internal URLs in JavaScript, image file references in CSS, and others. Corey pointed out that some developers forget to update links to internal images.
A5: Redirect http to https and update all links, references and requests to https:. This includes images folks! #semrushchat
— Corey (@CoreyW85) February 8, 2017
Adding the HTTPS property to Google Search Console
When you change a protocol, make sure to add the HTTPS property to Google Search Console. The thing is, Search Console treats HTTP and HTTPS separately. If you have webpages in both protocols, you need to have a separate Search Console property for each of them.
Some of our chat participants pointed out that sometimes developers neglect this important step. “I'd wager it's not updating GSC profile, declaring HTTPS version to reflect the new domain,” tweeted ThinkSEM.
A5: Updating redirects and internal links, and not changing the Google Search Console profile (to name a few!) #semrushchat
— Traffic Jam Media (@trafficjammedia) February 8, 2017
Mixed content issue
Many of those who have never moved their websites to HTTPS, run into mixed content issues. During an HTTP to HTTPS migration, you need to make sure that all your content on your webpage can be served up securely.
A5: Lol. Redirects, mixed content, people not looking at the right data. There's a lot that usually goes wrong. #semrushchat
— Patrick Stox (@patrickstox) February 8, 2017
You can check out a few other answers in the following recap.
After you have decided to switch to HTTPS, make sure you have a well thought-out plan that addresses all the essential steps of a successful migration.
Q6. Which tools should site owners use for each stage of the migration process to ensure it's successful?
AT the end of our discussion, our chat guests shared several tools developers can use to make the migration process successful:
Screaming Frog. SEO Spider, Screaming Frog’s website crawler, allows you to easily and quickly find broken links, audit redirects, review robots.txt and discover duplicate content to name a few.
Ahrefs. Ahrefs provides a whole toolset for SEO, including a powerful backlink checker.
Majestic. Majestic’s Backlink History is another effective tool that lets you determine the number of backlinks detected by its web robots.
@semrush A6: A lot. To identify URLs a crawler like @screamingfrog, for backlinks good tools like @ahrefs, @Majestic #semrushchat
— Dan Taylor (@danny_taywitter) February 8, 2017
Google Search Console. Using Search Console, you can easily monitor Google Search results data for your properties.
Bing Webmaster Tools. Use Bing’s reporting and diagnostic tools to get more insights into your website.
A6: Website crawling tool, Search Console, BWT, Analytics, http header checkers #semrushchat
— Rachel Howe (@R8chel_Marie) February 8, 2017
Observatory by Mozilla. The Observatory Tool launched by Mozilla is designed to help developers, website owners, and security professionals configure their sites securely.
A6: A crawler, GSC (create a property set), also highly recommend https://t.co/HcEyedS41W to check TLS issues / optimizations #semrushchat
— Patrick Stox (@patrickstox) February 8, 2017
DeepCrawl. Besides the above-mentioned tools, Modestos Siotos recommended using DeepCrawl, a website crawler that enables you to analyze your site architecture and monitor potential technical issues to improve your site’s performance.
6) Screaming Frog / Deep Crawl for technical checks, Majestic / Ahrefs for backlink metrics, Google Search Console post-launch #semrushchat
— Modestos Siotos (@Modestos_) February 8, 2017
Have you used any other tools to ensure your migration from HTTP to HTTPS is successful? Let us know in the comment section!
That’s it for today!
Moving your website from HTTP to HTTPS is not an easy process. We hope that the tips from our chat guests will help you perform a smooth migration.
Many thanks to Dan Taylor and our other chat participants for sharing their expertise!
Innovative SEO services
SEO is a patience game; no secret there. We`ll work with you to develop a Search strategy focused on producing increased traffic rankings in as early as 3-months.
A proven Allinclusive. SEO services for measuring, executing, and optimizing for Search Engine success. We say what we do and do what we say.
Our company as Semrush Agency Partner has designed a search engine optimization service that is both ethical and result-driven. We use the latest tools, strategies, and trends to help you move up in the search engines for the right keywords to get noticed by the right audience.
Today, you can schedule a Discovery call with us about your company needs.
Source:
