Yesterday one of our client’s hosting companies accidentally applied https to their site. It was via the popular server management software WHM. Apparently there has been an update recently for “auto SSL“. If your hosting company installs that update, it will automatically apply SSL and update it the certificate as required. That is a BIG issue if you have not prepared for it to be switched on. Let me know if that has happened to you.
Welcome back Rankers!
Now then, a few weeks ago I did a show about three top SEO things to do before the end of the year. One of them was moving to HTTPS. The reason for this, and I did a blog post about this on ProBlogger only this week (ProBlogger.com), and I‘ve been fielding a fair amount of questions as it seems to have struck a nerve. We conducted a training session in the bloggersSEO Facebook support group that also raised many questions.
The main question was, ‘Why should I bother moving to HTTPS if I‘m not conducting transactions or aren‘t collecting personal information?‘ Well it‘s because Google is going to push as hard as they can to have every site HTTPS in the future. The reason for that is simple: It‘s good for the user.
HTTPS stops what is called ‘man-in-the-middle‘ attacks. That means that when you request a webpage from a web server, that server encrypts that for you before sending it to you. Your machine then decrypts it. This ensures no one can have a sneaky look at what‘s happening between you and the server. It‘s a good thing for the user, hence the reason why Google wants everyone on it. Now obviously you don‘t have to go on it, but Google is subtly warning users initially, leading to something less subtle down the track such as a giant red warning sign or similar.
Initially for users on the Chrome browser, they will see a warning come January that says, ‘This site is not secure.‘ Therefore, a user that searches for your site, or finds it via a Google search, and it doesn‘t have HTTPS, they will see a warning sign. So regardless of whether you are conducting transactions via an eCommerce site, or collecting personal details (if you have basic forms on your site, then you are collecting details), you need to be on HTTPS. This is happening, so you are better off doing it sooner rather than later.
There are many poor ways to make the move to HTTPS, and there are many good ways.
The way we do it, and have done a few recently, is that firstly you need your certificate. Where do you get one? Most hosting companies will have some sort of HTTPS certificate available to purchase through their site. They should handle the purchase and installation of the certificate for you. You need to ask them for a 2048-bit certificate (the most secure one) and you need to understand what you need that certificate for. How many domains do you need it for? If you think only for one, you might actually need it for two. You may need it for both www and non-www if you use both somewhere along the line. It won‘t cost you much more for that.
If you happen to have many sub-domains, you may want to investigate which is the correct certificate for your situation as some are limited. Others come with insurance in the event you are hacked, but I‘ve yet to hear of this happening. Some sites may also need dynamic HTTPS. For most of us, a multiple domain certificate will suffice. Get your hosting company to install it.
Once all that is sorted, you then have to redirect all of the HTTP to the equivalent HTTPS pages at an individual level. You have to set up the HTTPS version in Google Search Console.
Do not remove the old HTTP from Search Console. Leave it there for the time being.
You also need to set up your HTTPS sitemaps in Google Search Console and, strangely, Google wants you to submit your HTTP sitemaps into your HTTPS Google Search Console. That appears a little counterintuitive but it‘s what Google wants. It may be so they can see the relationship between the two sitemaps in the two sites.
Once all your redirections and sitemaps are in place, I would then run a check using something like Screaming Frog, and do a protocol check to make sure the only HTTP references are ones that are external links and not actually part of the site that you are on currently.
Those are the highlights if you like. For us, depending on the site, it amounts to roughly ten hours of work. Some hosting companies can do it faster as they have everything set up and ready to redirect. For most hosting companies that isn‘t the case though. I‘ve heard some horror stories recently where some hosted solutions are simply moving their clients to HTTPS without doing any of the required work. That will result in a drop in rankings.
You need to follow the steps. Obtain the correct 2048-bit encrypted certificate, make sure there are no resources within the pages themselves that are not HTTPS, redirect all the HTTP to the HTTPS, set up the Search Console for the HTTPS, and finally watch it like a hawk for the following week or so.
Hopefully that‘s helpful. I‘ll see you all next week. Please share the video amongst your friends. Bye for now.