There are two types of SEOs:
Those who love the technical stuff…
…and those who hate it.
If you fall into the first category, you’re probably already experienced with HTTPS.
If you’re in the second category of SEOs, you might be a little intimidated by it.
If you are intimidated, it’s for a good reason, and I completely understand it.
There are some parts of HTTPS that are complex, but most of it is simple.
Furthermore, you don’t need to understand the exact behind-the-scenes work going on in order to implement HTTPS on a website.
What’s the deal? Is HTTPS important or not?
The idea of HTTPS has always been a good one, and most leading businesses implemented it a long time ago.
However, somewhat recently, Google announced that HTTPS is a ranking factor.
Obviously, that got SEOs talking about and debating the subject.
At the time, it was a very small ranking factor, affecting less than 1% of global searches. Even now, it’s not a big factor.
However, security is something that Google takes very seriously, and it’s likely to become more important in the future.
Some SEOs jumped right on it and made the switch.
Most saw little to no improvement, but there was certainly anecdotal evidence of ranking improvements:
There is a potential benefit of making the switch.
On top of search rankings, you also get a pretty lock symbol in Chrome and Firefox.
If your site isn’t HTTPS, you don’t get this symbol, and sometimes visitors may get warnings about the security of your site on certain types of pages.
HTTPS: Explain it to me as if I’m five
I’m not going to pretend to know all the technical details behind HTTPS (Hypertext Transfer Protocol Secure), but I can certainly tell you the basics.
The main benefit of HTTPS is that it makes your site more secure for your users. More specifically, it’s more secure when a user is giving you any sort of information.
It’s essential on pages where users are required to give their credit card information and/or other personal details. However, it’s a good thing to have on all pages.
The real change happens when a user submits their data. HTTPS is able to provide multiple layers of protection to that data:
- encryption – the data is worthless to anyone who somehow manages to intercept it because they don’t have the key to decrypt it (you do).
- data integrity – data can’t be corrupted, which is a good thing.
- authentication – it prevents “man in the middle” attacks, which means that it’s not possible for anyone to trick your customers into thinking they’re providing you data when they’re really giving it to a scammer. This is what your SSL certificate (more on that soon) is for.
Do you need HTTPS?
As an SEO or business owner, you understand that using HTTPS is a good thing.
But is it really necessary?
Well, there are two benefits to having it:
- a small boost in rankings (possibly larger in the future)
- a more secure site for your users
If you run a big site such as Quick Sprout, even a small boost in SEO results in tens of thousands of visitors per month. That’s one reason why HTTPS definitely made sense for Quick Sprout.
However, if you’re starting out, you’re not going to see a real difference in your search traffic.
In the future, it could make a bigger impact, but for now it won’t.
All in all, if you’re expecting to get a significant amount of search traffic in the next few years, you should plan on switching to HTTPS.
What about security?
If you just have a blog and all you require from your users is to enter their email addresses to opt in to your email lists, you probably don’t need HTTPS for security reasons.
However, if you accept payments or important personal information for any reason, you need HTTPS on those pages at a minimum.
Between those two factors, you should know whether you need to implement HTTPS on your site at all. A large portion of sites should have it, but not all do.
If you do need to implement HTTPS, I’m going to show you the steps you need to follow. I’ll provide as many specifics as I can, but there are many parts that will vary based on your site choices (I’ll lay it out for you).
Step 1: Pick a type of SSL certificate
SSL? What’s that?
SSL is the protocol that HTTPS uses. Basically, you need to install an SSL certificate on your site in order for it to use HTTPS.
There are three different types of certificates you can get:
- Domain validation – the cheapest and most basic; it only really covers encryption (from the three things we went over earlier).
- Organization validation – the middle choice in terms of price, which also includes authentication. If you’re collecting personal information, you probably want at least this option.
- Extended validation – the top of the line option, which provides the best security you can get with HTTPS. This is mainly for big ecommerce sites and sites that collect really important private information.
Here’s a nice little summary:
Google recommends that you use 2048-bit encryption certificates, so keep that in mind if you go with an organization validation certificate (which offers different levels of encryption).
Where to buy an SSL certificate: You can buy a certificate from a ton of different websites. They will offer different types at different prices, so you can shop around if you’d like.
However, I recommend buying one from your hosting company.
Because most hosting companies offer them in the first place, and many of them will also help you install them. So for convenience sake, start by looking at them.
For example, HostGator sells a few different types of certificates:
You can see that the prices aren’t too steep.
Once you’ve bought one, you can then get them to install it for you on your hosting server (provided you have a dedicated IP):
If that’s not possible…Not all hosting providers will install the certificate for you.
At this point, see if they have an installation guide by Googling:
(hosting company) + SSL certificate installation
If that doesn’t bring up anything useful, contact their support.
The process of installing a certificate differs from host to host, which is why I can’t give you specific steps here.
Step 2: Create a URL map of your site and redirect
Take an example URL of:
Then compare it to:
The only difference is one “s” in the URL, and it’s before the actual domain name.
But it makes a difference. These are two entirely separate URLs.
What that means is that you need to create copies of all your site’s pages and then redirect all of your old “http” pages to your new “https” pages.
Although a pain, it’s pretty simple.
A URL map can just be a simple spreadsheet, containing a list of old URLs with a list of the corresponding new URLs beside it.
If you wanted to make changes to your site structure or URL format, now would be a good time to do it.
If you’re using WordPress, you can add all the 301 (permanent) redirects to your .htaccess file.
Each line should look something like this:
Redirect 301 /oldpage.html https://www.yoursite.com/newpage.html
You just need to fix the bolded parts.
If you’re planning to move to a brand new domain while you’re doing this, refer to my guide to moving a WordPress site for step-by-step instructions.
3. Update your internal links
You’re not quite done with linking yet.
You likely have many internal links throughout your site. These may point to your old “http” pages.
Ideally, you want these to point directly to your HTTPS pages.
Introducing relative URLs: If you’re lucky, you’ve been using relative URLs all along.
These don’t specify an absolute (entire) URL; instead, they tell your browser to add something to the end of the domain.
For example, if this link:
was placed somewhere on our domain example.com, clicking it would take you to:
When you switch to “HTTPS,” the same link would take you to:
which is perfect.
If your site wasn’t built like that and instead uses absolute links:
then you’ll need to find each link and add the correct new URL to it.
4. Update image and other links
It’s not just links to pages on your site that you need to worry about.
It’s also any other link to resources such as images, stylesheets, and scripts.
If you right-click any of your site’s pages and click “view source,” you’ll see all kinds of tags like this:
<script src=”http://www.domain.com/js/file.js” />
The problem is that you need to ensure that all files used and served on your site also use HTTPS.
If those sources and image locations exist on your domain, you need to point them to the correct HTTPS locations.
If you have both HTTP and HTTPS URLs, you can use protocol relative URLs, which look like this:
<script src=”//www.domain.com/js/file.js” />
The double slash in front tells your browser to use HTTPS in front of that URL when the file is being requested from an HTTPS page.
Don’t forget about your CDN: If you use a CDN, you need to make sure that your CDN supports HTTPS.
Most CDNs do support HTTPS by now, but not all of them.
For example, Cloudflare does.
If they don’t have detailed instructions on how to implement HTTPS, so you’ll again have to contact their support.
Then, you’ll have to go back to your new HTTPS site and make sure that the source for all images is pointing to the HTTPS image location on your CDN.
To ensure that you don’t miss any links or images, I recommend using a site crawling tool like Screaming Frog SEO.
You put your domain in the spider text box at the top, and it will extract a ton of information from your site.
Then, click the “internal”, “external”, and “images” filters along the top to see what’s on your site.
If they’re all HTTPS, you’re good to go.
5. Add your site again in WMT
Now that your site is basically whole again, you want to get Google crawling it as soon as possible to limit the chances of your traffic being negatively affected.
You need to re-add your site to Google webmaster tools (Search Console) because the HTTPS site is considered a completely different site.
Then, you should submit your new sitemap in your new listing.
On top of that, re-submit your old sitemap (in your old WMT property) because then Google will see the 301 redirects and update its listings.
6. Do some quick testing to make sure everything went well
If all goes smoothly, you should see no change or a small positive bump in search rankings.
If traffic drops off significantly for more than a day or two, you likely have a problem and should go through this guide again (and ask your host or an SEO consultant for help).
First you should make sure that your SSL certificate is installed correctly.
To do that, use this free SSL server test:
Just put in your new homepage URL, and it’ll do a thorough test:
Other than this, you want to watch your rankings to make sure you spot issues.
Finally, you should click around various pages on your site and make sure that the HTTPS lock shows up correctly (green) in Chrome.
I know that you might not love technical SEO, but it’s important.
By now you should know whether or not HTTPS is needed for your site and how to implement it.