According to recent stats, 1% of all websites are secured with an SSL certificate and 40% of organic search results on the first page of Google include an HTTPS site. These statistics clearly show the importance of a secure protocol for a website.


What’s the difference between HTTP and HTTPS?

What’s the HTTP protocol?

HTTP, for HyperText Transfer Protocol, is a protocol used by the World Wide Web to share formatted messages and information. It tells web servers and browsers what actions they should take in response to different commands.


In other words, when you type a URL into your browser, the browser sends an HTTP command to the web server asking it to fetch and return the requested page as defined. Page formatting is controlled by HTML, which ensures consistency across all sites.

However, the HTTP protocol quickly showed its limits. Indeed, once some ill-intentioned souls understood how the exchange of information worked, their hacking became child's play. Network administrators have therefore developed a procedure to protect the information that passes through the sites. This is based on the SSL certificate, which encrypts the online data between the sender and the recipient. This is how HTTPS was born.

What is HTTPS?

This encryption procedure means that the sending and receiving computers transmit a code to each other, made up of random strings of characters. Therefore, if someone tries to interfere with the message, they'll only find data that can't be interpreted without the decryption code. This code is a document called an "SSL certificate" and contains the keys to decoding the message. The security applied during the transfer is called Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The process of exchanging public keys using an SSL certificate to enable HTTPS, SSL and TLS is called Public Key Infrastructure (PKI).

HTTPS is therefore the ultra-secure version of HTTP. Secure websites wishing to protect an Internet user's connection by encrypting their information can do so in 3 layers:

  • Encryption, which ensures the user's activity has not been traced and that none of their data can be stolen.
  • Data integrity, which prevents files from being corrupted during transfer.
  • Authentication, which further strengthens protection against attacks.

Why should you switch the website to HTTPS?

One might wonder if the implementation of such a strict protocol can negatively influence our positions in the SERPs. In fact, it is the opposite! HTTPS affects today's search engine rankings and is essential to be positioned in the top spots.

Why?

Simply because Google's motive is to provide its users with relevant results, on sites whose navigation is fluid, fast and secure. Although the specter of mandatory HTTPS had been looming for several years, it was in 2015 that the search engine announced that the HTTPS protocol was officially taken into account for ranking pages. Between two sites of equal quality and performance, Google will favor the one using HTTPS.

Moreover, because of the many fraud and hacking scandals, Internet users are now vigilant and know how to recognize a secure site, notably by "the little padlock next to the URL". HTTPS therefore sends a signal of trust to Internet users, who will be more likely to return to the site. Finally, it should be noted that Chrome users see HTTP sites blocked by their browser, which indicates that the site is insecure! We dare to imagine the bounce rate of these sites... which is also a ranking criterion.

How to migrate to a secure HTTPS site?

You are now convinced of the importance of HTTPS for your SEO? Then let's move on to getting your SSL certificate set up! Here are the main steps.

Back up your website

Setting up a backup is not specific to the migration from HTTP to HTTPS, but it remains essential. Ideally, you should even work on a test server.

Get your SSL Certificate

Some hosting companies offer an option to easily switch your site to HTTPS from your client interface. If your host does not offer this service, you can choose from a number of SSL certificate providers. Among the most reputable ones:

  • GoGetSSL
  • SSLs.com

They offer 3 types of SSL certificates:

  • Domain Validation: single domain or subdomain, with a simple email validation.
  • Company or Organization Validation: single domain or subdomain, but it requires more paperwork as a company verification is done. This type of certificate is issued within 1 to 3 days. It offers an advanced level of security.
  • Extended Validation: only one domain or subdomain, and company verification is required. It's issued within 2 to 7 days and shows a green address bar, which is a nice indicator of trust for Internet users.

It's also possible to obtain an SSL certificate for free with Let's Encrypt and Certbot.
Certbot is rather easy to use. It automatically retrieves and deploys SSL/TLS certificates for your web server.

Install your SSL certificate

The installation of the SSL certificate depends on the tool you are using.

Here is a complete guide on how to install your SSL certificate depending on your server (Apache, Nginx...).

If you deploy Let's Encrypt with Certbot, you'll find complete documentation that allows a semi-automated installation. It is possible to select an "advanced" mode for finer control of the operations.

Implement 301 in .htaccess

The website's migration continues with the implementation of 301 redirects (from HTTP pages to HTTPS pages) directly via the .htaccess, which is usually located at the root of your site.

Once you've located it, you need to add the following lines:

To redirect all traffic:

# Send every plain-HTTP request to the same host and path over HTTPS (permanent 301)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

To redirect by specifying the domain:

# Same redirect, applied only when the requested host matches your domain
RewriteEngine On
RewriteCond %{HTTP_HOST} ^VotreDomaine\.com [NC]
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Once this is done, you must make sure that no page is still available in both versions; otherwise it will be considered duplicate content... and beware of the damage!

Test and go live

Once everything is set up, it’s time for the SSL test. This is going to give you an overall grade on your site’s SSL implementation quality, and will indicate in detail any problems and solutions to resolve them.

Update the site environment

Switching from HTTP to HTTPS also requires you to modify your whole site's environment, meaning all the tools and software related to it: Search Console, Google Analytics, and so on. In Google tools, the site in HTTPS must be added as a new property. You should also think about updating the sitemap (on a site managed with a CMS like WordPress or Prestashop, there are usually extensions that do it automatically). You should also check the URLs in the robots.txt file and update any hard-coded links on your site. To do this, a good crawler like Botify or Oncrawl will detect URLs and links in HTTP.

Of course, don't forget to update the links to your site on your social profiles, your email signatures, etc. In the end, updating the site environment can take more time than the migration itself!

How do you fix unsecured pages?

Check the HTTPS protocol

Make sure the homepage is served over HTTPS, that the browser indicates that the connection is secure with correct settings (green padlock with "Secure" on Chrome), and that the certificate is valid, which you can check by clicking on the padlock.

If this is not the case, you need to set up/update the site’s SSL certificate.

  • Check that URLs starting with HTTP instead of HTTPS redirect to the corresponding HTTPS URL. This must be a 301 redirect and not a 302.

If the HTTP URLs load without a 404 or a redirection, it means that your site's pages are duplicated. In this case, it is absolutely necessary to implement 301 redirects as soon as possible.
Then, you need to modify all internal links that point to HTTP URLs so that they point to the HTTPS ones. Why should you do this? To make your internal linking more fluid and to ensure that the robot crawls efficiently with the fewest redirects possible.
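
The check described above can be scripted. The following is an added example, not part of the original article: `audit_redirect` classifies how a plain-HTTP URL is answered (served directly, 302 instead of 301, wrong target), and `fetch_no_follow` obtains the status and Location header from a live server. The function names and the sample responses are assumptions made for the illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_no_follow(http_url, timeout=10):
    """Request an http:// URL without following redirects; return (status, Location)."""
    u = urlsplit(http_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirect(http_url, status, location):
    """Return the list of problems with how a plain-HTTP URL is answered."""
    if 200 <= status < 300:
        return ["page is served over HTTP: duplicate of the HTTPS version"]
    if status not in (301, 302, 303, 307, 308):
        return [f"unexpected status {status}, no redirect to HTTPS"]
    problems = []
    if status != 301:
        problems.append(f"redirect is {status}, expected a permanent 301")
    if not location:
        return problems + ["redirect has no Location header"]
    src = urlsplit(http_url)
    dst = urlsplit(urljoin(http_url, location))  # resolve relative Location values
    if dst.scheme != "https":
        problems.append(f"target is not HTTPS: {dst.geturl()}")
    if dst.hostname != src.hostname:
        problems.append(f"host changes to {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string is not preserved")
    return problems

# Constructed sample responses (URL, status, Location), not captured from a real site.
SAMPLES = [
    ("http://www.example.com/pricing?ref=nav", 301, "https://www.example.com/pricing?ref=nav"),
    ("http://www.example.com/blog", 302, "https://www.example.com/blog"),
    ("http://www.example.com/contact", 200, None),
    ("http://www.example.com/old", 301, "https://www.example.com/"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, audit_redirect(url, status, location) or "OK")
```

Against a live site, pass the result of `fetch_no_follow(url)` to `audit_redirect`. A host change, such as a redirect to the www variant, is reported so that it can be reviewed rather than treated as an error.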

Presence of HTTP URLs in the site linking

We recommend that you use a crawler to identify whether any HTTP URLs are still linked from your site's pages. This is what we do during an audit.
If the crawler finds HTTP URLs, change the links pointing to these pages, so that they point to the correct HTTPS pages instead.
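
For a single page, the crawler's check looks like the following added example (not the article's or any crawler vendor's code). It goes slightly beyond internal links: it also reports images, scripts, stylesheets and form actions referenced over HTTP, which browsers treat as mixed content on an HTTPS page. The class name, function name and sample HTML are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SRC_TAGS = {"img", "script", "iframe", "source", "audio", "video"}

class HttpUrlFinder(HTMLParser):
    """Collect (kind, tag, url) for every http:// reference worth fixing."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "area"):
            kind, raw = "link", attrs.get("href")
        elif tag == "link":  # a stylesheet is loaded; canonical/alternate are only links
            rel = (attrs.get("rel") or "").lower().split()
            kind, raw = ("resource" if "stylesheet" in rel else "link"), attrs.get("href")
        elif tag in SRC_TAGS:
            kind, raw = "resource", attrs.get("src")
        elif tag == "form":
            kind, raw = "form", attrs.get("action")
        else:
            return
        if not raw:
            return
        url = urlsplit(urljoin(self.page_url, raw.strip()))
        if url.scheme != "http":
            return  # relative and // URLs resolve to https on an HTTPS page
        if kind == "link" and url.hostname != self.site_host:
            return  # external HTTP link: not part of the internal linking
        self.findings.append((kind, tag, url.geturl()))

def find_http_urls(page_url, html):
    """Return the HTTP references found in one page's HTML, in document order."""
    finder = HttpUrlFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<link rel="canonical" href="http://www.example.com/">
<a href="http://www.example.com/pricing">Pricing</a>
<a href="/contact">Contact</a>
<a href="http://partner.example.org/">Partner</a>
<img src="http://www.example.com/logo.png">
<script src="//cdn.example.net/app.js"></script>
<form action="http://www.example.com/search"></form>
"""
```

Calling `find_http_urls("https://www.example.com/", SAMPLE_HTML)` reports the canonical tag, the pricing link, the logo image and the search form, and ignores the relative link, the protocol-relative script and the external partner link.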

Summary of HTTPS implementation steps

  • Choose a quality SSL/TLS security certificate.
  • Redirect all your site's URLs from the HTTP version to the HTTPS version.
  • Update all your internal links. Don't hesitate to ask your SmartKeyword representative to send you a list; it is normally already included in a technical audit.
  • Update your Google Search Console, if it is a property with URL prefix and not a domain property.

Conclusion

The HTTP to HTTPS migration is therefore an essential step in the life of a site and relatively simple technically. Nevertheless, it is important to follow the instructions of the different tools in order to avoid making mistakes that could severely penalize your site. Once this operation is done, you should notice a progressive improvement of your natural traffic.

Remember also that HTTPS alone is not enough to protect your site from hackers, especially if you use WordPress which is known for its security flaws. There are tools to check and reinforce the security level of a site, such as Netsparker, OpenVAS and Securityheaders.

   Article written by Louis Chevant
