Plus, 8 common pitfalls to avoid!
SSL certificates and encryption have been around, well, since long before online transactions, with many sites using them for the bits and pieces that need protecting, like account settings. In recent years, malware, hijacking, hacking and cybercrime have all become terms that the mainstream public is familiar with. This is something the media has cottoned on to, leading to a tendency to report on issues surrounding online security. And, due to the increase in public awareness, as well as the willingness of search engines and software providers to call it out, some much-needed changes have come about.
Back in 2013-14, Google and others started publicly taking the subject very seriously. If you had been hacked, you’d receive a notification in (what was then) Google’s Webmaster Tools, with a warning included in the SERPs by your snippet to tell potential customers. The Chrome browser added icons to the address bar to alert people that the security wasn’t up to standard, with interstitial pages giving you the option of continuing at your own risk!
When Matt Cutts, then head of Google’s web spam team, publicly stated that https would be important for SEO in the search engines, people quickly mobilised. The early adopters moved in mere days, big corporates added it to their backlog, and SMEs unfortunately found themselves in limbo.
The process of changing from http to https is getting easier and easier the further into 2016 we get. WordPress has made a function to aid the move, and as it makes up a large percentage of the public web, it’s a massive leap forward.
Over at SESOME, we’ve recently moved our own site to https. As we regularly advise companies on making their sites more secure, or help them when things aren’t going to plan, for us the move was essential in understanding how it works in practice.
Here’s a helpful checklist for successfully evaluating whether a move to https is necessary for your site, and how to plan it:
High level to-dos:
- Buy and install the correct SSL certificate.
- Make sure all URLs 301 to the https version. This is usually done at the load balancers.
- Check for broken links. Ensure all links are relative and still work. No hardcoded absolute links here.
- Make the appropriate ‘under the hood’ onsite updates (see below).
- Externally, check all campaigns and references are updated to the https version.
Sounds easy, right?
Tracking and analysis to-dos:
- Authorise a new Google Search Console account (make sure it is configured, has your settings copied across, and that everyone who needs access to the new account is granted it).
- Google Analytics should just continue to work – update the property settings to https (you might need to check if you’re using a different system though).
- You might be required to update the tag manager settings too for them to still show up. This will depend on the provider you use.
Onsite checks and updates:
- Check that all the canonical tags are updated to https. If relative URLs are already being used, this should be easy.
- Internal linking: run a crawler on the test site to see if there are any accidental absolute URLs.
- Implement strict HSTS (the Strict-Transport-Security response header) so that browsers keep to https on future visits.
- Ensure the robots.txt moves across correctly.
- XML sitemaps need to publish the newly updated canonical URLs.
- Easy and normally powerful inbound links: check and update cross-linking from other friends-and-family sites.
- Images, JavaScript, CSS and other tech-related references need to be updated. See the HSTS comment above. You don’t want a secure page making mixed (http and https) requests.
- Google’s Search Console: validate a new site and add users. Reference the new XML sitemaps and move across any Disavow file references. Plus, check that any other settings are set up again.
- If you operate multiple versions of sites, then also update the hreflang tags.
- Check that your CDNs are capable of https and then updated to it (most should be fine these days, but this is commonly overlooked).
- And check again that all references to http 301 to https.
Other essential updates to make by your marketing teams:
- Any other marketing channel that links to the site, such as PPC, targeting etc. If you rely on the 301 you may lose tracking or slow the load time down.
- Any directories, member organisations etc.
- Don’t forget all of your social media properties and bios.
Questions & randoms that may also be affected:
- Are there any partnerships or services that use your content? Or any interdependencies with affiliates or an API? They may need to update (maybe not) or this may stop working.
- Will any services you offer (e.g. widgets, booking modules, social commerce plugins) suddenly fail? Do you need to notify anyone?
- If applicable, have you updated your app indexing and relative page encoding from your apps?
Risks to consider
When you do this, and I think you should, you may temporarily experience a loss in rankings while the new URL replaces the old one. This usually only lasts 1-3 days though. The search engines won’t treat it as a new domain, just as a separate protocol. So as long as the page-for-page 301 remains, and https is the primary site, it should all run smoothly. Just pick the right time. I mean, don’t make the change on your busiest trading day.
8 common pitfalls!
We have done this for clients and have shown and aided others on this move. “Even the best laid plans do often go wrong!” Sometimes knowing where to look can help you mitigate or triage a problem.
Here is our in-house list of the first things we check.
- The certificate itself:
  - It’s the wrong SSL certificate, so the user’s browser warns them off (not secure enough).
  - It has expired.
  - It’s registered to the wrong domain (if you have one for all your various sites and thought it would work). You need one for each host.
- The wrong status code is given back on the redirects.
- Blocking https via robots.txt or via a rogue noindex meta tag that was used on a test site.
- The wrong URLs are published in the XML sitemaps. Redirects work, https works and the canonicals are updated, but http URLs in the sitemap add confusion.
- Canonicals are only updated on the main site, and extras like the blog aren’t updated.
- Speed is affected due to increased ‘handshakes’ / connections. Keep an eye on speed & performance.
- It’s been done at the wrong time. Sometimes too fast, as it was seen as easy. Or it’s done in a way that affects your busiest trading period.
- Google Search Console set-up:
  - Failing to move across settings & extras like any Disavow files.
  - Doing it when you have another issue, and it blurs your analytics and insight.
  - Forgetting to copy across any settings such as target country.
  - Failing to learn from the data in search analytics or fetch and crawl sections before it’s lost.
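Several of these pitfalls can be checked mechanically once you have fetched a response. The sketch below is an added example, not SESOME’s own tooling: it audits a redirect, an https page and a sitemap for the wrong status code, a missing HSTS header, an http canonical, a stray noindex tag, mixed content and http sitemap URLs. The function names and the example.com sample input are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser

class PageScan(HTMLParser):
    """Collect the canonical URL, robots meta value and subresource URLs."""
    def __init__(self):
        super().__init__()
        self.canonical, self.robots, self.resources = "", "", []
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        rel = a.get("rel", "").lower()
        if tag == "link" and rel == "canonical":
            self.canonical = a.get("href", "")
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            self.robots = a.get("content", "").lower()
        elif tag in ("img", "script", "iframe") or (tag == "link" and "stylesheet" in rel):
            self.resources.append(a.get("src") or a.get("href", ""))

def audit_redirect(url, status, location):
    """Response to an http:// request: must 301 to the same page on https."""
    want = "https://" + url.split("://", 1)[1]
    issues = [] if status == 301 else [f"status {status}, expected 301"]
    if location != want:
        issues.append(f"Location {location!r} is not page-for-page ({want!r})")
    return issues

def audit_page(headers, html):
    """https response: HSTS header, canonical, stray noindex, mixed content."""
    scan = PageScan()
    scan.feed(html)
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), "")
    issues = [] if re.search(r'max-age="?0*[1-9]', hsts, re.I) else ["HSTS missing or max-age=0"]
    if scan.canonical.startswith("http://"):
        issues.append(f"canonical still http: {scan.canonical}")
    if "noindex" in scan.robots:
        issues.append("noindex meta tag present")
    return issues + [f"mixed content: {u}" for u in scan.resources if u.startswith("http://")]

def audit_sitemap(xml):
    """<loc> entries in an XML sitemap that still publish http URLs."""
    return [u for u in re.findall(r"<loc>\s*(.*?)\s*</loc>", xml) if u.startswith("http://")]

# Constructed sample input; example.com is a placeholder, not a real capture.
SAMPLE_HTML = ('<link rel="canonical" href="http://example.com/shop"><meta name="robots" '
               'content="noindex"><img src="http://cdn.example.com/logo.png">')
SAMPLE_SITEMAP = "<urlset><url><loc>http://example.com/shop</loc></url></urlset>"
if __name__ == "__main__":
    print(audit_redirect("http://example.com/shop", 302, "https://example.com/"))
    print(audit_page({}, SAMPLE_HTML), audit_sitemap(SAMPLE_SITEMAP))
```

An empty list from each function means that check passed; feed it the status, headers and body from your own crawler or HTTP client.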
Final thought
Moving to https is one of the easiest dev projects if things go well. If you have a legacy system or outsource your technical work, it may need some managing. If you have a problem, you need to move fast though!
If you need any help with this type of project, just ask.