In August 2014 Google announced that they would use HTTPS as one of the ranking factors used to decide a website’s position in their search engine’s results. This is part of the web giant’s goal of making the web a secure place by default.
Google also suggested that they may highlight non-secure websites as a security risk for websites visited using the Chrome web browser. This would have a serious effect on visitors to a site, potentially affecting sales and revenue.
Secure Sockets Layer (SSL) is the standard security technology used to encrypt webpages on the internet. SSL allows for data to be passed privately between two sources (such as a web server and browser). SSL certificates are only issued to companies or legally accountable individuals.
If a URL begins with https://, this is a good indication you’re browsing a secure site. Web browsers often include additional features to let you know you’re browsing a secure website, such as displaying a padlock symbol.
Having information transferred securely between the browser and server is important to ensure trust and a safe web. This is especially important for eCommerce websites where private information is exchanged, including contact information, addresses and payment information.
Not only is Google using security as a ranking factor, but from a website owner’s perspective there are also many benefits to switching your website to HTTPS/SSL.
As SSL certificates are only issued to companies or legally accountable individuals, your website will stand out against less established online traders.
Improved security across your website instils confidence and builds trust with users, reducing the fears of buying online, leading to a better return on investment.
Many online retailers prefer to provide a consistent user experience, taking payment on their own website instead of handing off to a payment provider and then returning. Payment providers require you to have SSL implemented in order to take payment on your own site; this ensures sensitive payment information is always protected.
Moving your website to HTTPS isn’t always a simple flick of a switch. There are some issues that will need attention before making the move.
Any remote services must also use SSL. For example, if you are requesting an RSS feed from another website using XHR/Ajax then that also needs to be served from an HTTPS secured site. If you have made use of a content delivery network (CDN), assets included from their service will also need to use SSL to avoid “insecure item” warnings.
Moving to SSL can also have implications for your usage of social widgets, including Facebook’s Like Button and Comments plugin. This is due to Facebook’s Open Graph, which uses the original website address under the http:// scheme. After moving to https://, Facebook’s Open Graph will see this as a brand new URL – even with the correct 301 redirects in place.
The same applies to Google Webmaster Tools and Bing Webmaster Tools. Analytics and webmaster tools accounts need updating, essentially so that there is one for HTTP and one for HTTPS. Google Analytics tracking may be affected if not correctly configured, so it’s worth double-checking that any external tracking solutions are operating as expected following a transition.
Another external entity to consider is your payment provider. If your payment provider is expecting to call back to an HTTP resource and your site redirects to an HTTPS resource, it will fail. Make sure you update any URLs your payment provider is using to avoid failed payments.
To sum up, to benefit from this additional ranking factor, not only do we recommend adding an SSL certificate to your website, but you should roll it out across your entire website, not just pages which handle sensitive, private data.
Ensure all linked assets, including those from external services such as CDNs, are also served over HTTPS. A useful tool for checking that all links are secure is Why No Padlock. Test your pages across a range of browsers and devices to ensure there are no problems with insecure content, as some assets are loaded differently depending on the browser used.
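A minimal version of the asset check described above, as an added example that is not part of the original article or of the Why No Padlock tool: it parses a page's HTML and lists the assets that would still load over plain HTTP. The function names, the list of tags and the example.com sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch or submit to a URL.
# <a href> is a navigation, not a page asset, so it is not listed.
ASSET_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
               ("audio", "src"), ("video", "src"), ("source", "src"),
               ("embed", "src"), ("object", "data"), ("form", "action")}
LINK_RELS = {"stylesheet", "icon", "preload", "manifest"}  # rels that load a file


class InsecureAssetFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, resolved URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            urls = [attrs.get("href")] if rels & LINK_RELS else []
        else:
            urls = [attrs.get(a) for t, a in ASSET_ATTRS if t == tag]
        for raw in filter(None, urls):
            # Resolve relative and //host/path URLs as a browser would.
            resolved = urljoin(self.page_url, raw)
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, resolved))


def find_insecure_assets(page_url, html):
    finder = InsecureAssetFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample markup for a page served at https://www.example.com/
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<img src="http://static.example.com/banner.jpg">
<a href="http://partner.example.org/">Partner</a>
<form action="http://www.example.com/subscribe" method="post"></form>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_assets("https://www.example.com/", SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

The protocol-relative script URL inherits the page's scheme, so it is only reported when the page itself is fetched over HTTP. Assets injected by JavaScript at run time are not visible to a static scan like this, which is why browser testing is still needed.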
Set up 301 redirects for all the traffic from HTTP to HTTPS. 301 redirects are an indication that the requested resource has permanently moved.
Even with 301 redirects in place, you’ll need to create a new site within Google Webmaster Tools for the HTTPS site. Make sure the new URLs are updated in XML sitemaps and re-submitted to Google and Bing webmaster tools to ensure the new URLs are indexed as quickly as possible.
There is a guide to moving your website to HTTPS or SSL on the Google Webmaster Tools help pages, which provides a step-by-step checklist to help you switch to HTTPS. Another good resource to consider is provided by Yoast, based on their experiences moving their website to HTTPS/SSL.