Friday, March 25, 2016

Should You Switch Your Site to HTTPS? Here’s Why You Should or Shouldn’t



There are two types of SEOs:


Those who love the technical stuff…


…and those who hate it.


If you fall into the first category, you’re probably already experienced with HTTPS.


If you’re in the second category of SEOs, you might be a little intimidated by it.


If you are intimidated, it’s for a good reason, and I completely understand it.


There are some parts of HTTPS that are complex, but most of it is simple.


Furthermore, you don’t need to understand the exact behind-the-scenes work going on in order to implement HTTPS on a website. 


What’s the deal? Is HTTPS important or not?


The idea of HTTPS has always been a good one, and most leading businesses implemented it a long time ago.


However, somewhat recently, Google announced that HTTPS is a ranking factor.


Obviously, that got SEOs talking about and debating the subject.


At the time, it was a very small ranking factor, affecting less than 1% of global searches. Even now, it’s not a big factor.


However, security is something that Google takes very seriously, and it’s likely to become more important in the future.


Some SEOs jumped right on it and made the switch.


Most saw little to no improvement, but there was certainly anecdotal evidence of ranking improvements:


image05


There is a potential benefit of making the switch.


On top of search rankings, you also get a pretty lock symbol in Chrome and Firefox.




If your site isn’t HTTPS, you don’t get this symbol, and sometimes visitors may get warnings about the security of your site on certain types of pages.


HTTPS: Explain it to me as if I’m five


I’m not going to pretend to know all the technical details behind HTTPS (Hypertext Transfer Protocol Secure), but I can certainly tell you the basics.


The main benefit of HTTPS is that it makes your site more secure for your users. More specifically, it’s more secure when a user is giving you any sort of information.


It’s essential on pages where users are required to give their credit card information and/or other personal details. However, it’s a good thing to have on all pages.


The real change happens when a user submits their data. HTTPS is able to provide multiple layers of protection to that data:



  • encryption – the data is worthless to anyone who somehow manages to intercept it because they don’t have the key to decrypt it (you do).

  • data integrity – data can’t be corrupted in transit without it being noticed, which is a good thing.

  • authentication – it prevents “man in the middle” attacks, which means that it’s not possible for anyone to trick your customers into thinking they’re providing you data when they’re really giving it to a scammer. This is what your SSL certificate (more on that soon) is for.




Do you need HTTPS?


As an SEO or business owner, you understand that using HTTPS is a good thing.


But is it really necessary?


Well, there are two benefits to having it:



  • a small boost in rankings (possibly larger in the future)

  • a more secure site for your users


If you run a big site such as Quick Sprout, even a small boost in SEO results in tens of thousands of visitors per month. That’s one reason why HTTPS definitely made sense for Quick Sprout.


However, if you’re starting out, you’re not going to see a real difference in your search traffic.


In the future, it could make a bigger impact, but for now it won’t.


All in all, if you’re expecting to get a significant amount of search traffic in the next few years, you should plan on switching to HTTPS.


What about security?


If you just have a blog and all you require from your users is to enter their email addresses to opt in to your email lists, you probably don’t need HTTPS for security reasons.


However, if you accept payments or important personal information for any reason, you need HTTPS on those pages at a minimum.


Between those two factors, you should know whether you need to implement HTTPS on your site at all. A large portion of sites should have it, but not all do.


If you do need to implement HTTPS, I’m going to show you the steps you need to follow. I’ll provide as many specifics as I can, but there are many parts that will vary based on your site choices (I’ll lay it out for you).


Step 1: Pick a type of SSL certificate


SSL? What’s that?


SSL is the protocol that HTTPS uses. Basically, you need to install an SSL certificate on your site in order for it to use HTTPS.


There are three different types of certificates you can get:



  • Domain validation – the cheapest and most basic; it only really covers encryption (from the three things we went over earlier).

  • Organization validation – the middle choice in terms of price, which also includes authentication. If you’re collecting personal information, you probably want at least this option.

  • Extended validation – the top of the line option, which provides the best security you can get with HTTPS. This is mainly for big e-commerce sites and sites that collect really important private information.


Here’s a nice little summary:


image01


Google recommends that you use certificates with 2048-bit keys, so keep that in mind if you go with an organization validation certificate (which offers different levels of encryption).


Where to buy an SSL certificate: You can buy a certificate from a ton of different websites. They will offer different types at different prices, so you can shop around if you’d like.


However, I recommend buying one from your hosting company.


Why?


Because most hosting companies offer them in the first place, and many of them will also help you install them. So for convenience’s sake, start by looking at them.


For example, Hostgator sells a few different types of certificates:


image02


You can see that the prices aren’t too steep.


Once you’ve bought one, you can then get them to install it for you on your hosting server (provided you have a dedicated IP):


image09


If that’s not possible: Not all hosting providers will install the certificate for you.


At this point, see if they have an installation guide by Googling:


(hosting company) + SSL certificate installation


If that doesn’t bring up anything useful, contact their support.


The process of installing a certificate differs from host to host, which is why I can’t give you specific steps here.


Step 2: Create a URL map of your site and redirect


Take an example URL of:


http://www.example.com


Then compare it to:


https://www.example.com


The only difference is one “s” in the URL, and it’s before the actual domain name.


But it makes a difference. These are two entirely separate URLs.


What that means is that you need to create copies of all your site’s pages and then redirect all of your old “http” pages to your new “https” pages.


Although a pain, it’s pretty simple.


A URL map can just be a simple spreadsheet, containing a list of old URLs with a list of the corresponding new URLs beside it.


If you wanted to make changes to your site structure or URL format, now would be a good time to do it.


If you’re using WordPress, you can add all the 301 (permanent) redirects to your .htaccess file.


Each line should look something like this:


Redirect 301 /oldpage.html https://www.yoursite.com/newpage.html


You just need to fix the bolded parts (the old page path and the new URL).
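As an added example (not part of the original article), this Python sketch turns a URL map into the `Redirect 301` lines described above and flags entries that would misbehave. The sample map, the column names `old`/`new` and the function name `build_redirects` are assumptions, and the loop check assumes the same .htaccess serves both the HTTP and HTTPS versions of a single host.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample URL map (old URL, new URL), as exported from a spreadsheet.
SAMPLE_MAP = """old,new
http://www.yoursite.com/oldpage.html,https://www.yoursite.com/newpage.html
http://www.yoursite.com/about.html,https://www.yoursite.com/about.html
http://www.yoursite.com/contact.html,http://www.yoursite.com/contact-us.html
http://www.yoursite.com/a.html,https://www.yoursite.com/oldpage.html
"""


def build_redirects(map_csv):
    """Return (htaccess_lines, problems) for a two-column old/new URL map."""
    rows = [(r["old"].strip(), r["new"].strip())
            for r in csv.DictReader(io.StringIO(map_csv))]
    old_paths = {urlsplit(old).path for old, _ in rows}
    lines, problems, seen = [], [], set()
    for old, new in rows:
        src, dst = urlsplit(old).path, urlsplit(new)
        if dst.scheme != "https":
            problems.append(f"{src}: target {new} is not https")
        elif src in seen:
            problems.append(f"{src}: listed more than once")
        elif dst.path == src:
            # Redirect matches on the path only, so the HTTPS request would
            # match the same line again and loop.
            problems.append(f"{src}: same path on both schemes, would loop")
        elif dst.path in old_paths:
            # The target is itself an old URL: visitors would be bounced twice.
            problems.append(f"{src}: target {dst.path} is redirected again")
        else:
            lines.append(f"Redirect 301 {src} {new}")
        seen.add(src)
    return lines, problems


if __name__ == "__main__":
    redirects, issues = build_redirects(SAMPLE_MAP)
    print("\n".join(redirects))
    for issue in issues:
        print("CHECK:", issue)
```

Pages that keep the same path on HTTPS are reported rather than written out, because a per-page `Redirect` line cannot tell the HTTP request from the HTTPS one.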


If you’re planning to move to a brand new domain while you’re doing this, refer to my guide to moving a WordPress site for step-by-step instructions.


Step 3: Update your internal links


You’re not quite done with linking yet.


You likely have many internal links throughout your site. These may point to your old “http” pages.


Ideally, you want these to point directly to your HTTPS pages.


Introducing relative URLs: If you’re lucky, you’ve been using relative URLs all along.


These don’t specify an absolute (entire) URL; instead, they tell your browser to add something to the end of the domain.


For example, if this link:


<a href="/page2">Link</a>


was placed somewhere on our domain example.com, clicking it would take you to:


http://www.example.com/page2


When you switch to “HTTPS,” the same link would take you to:


https://www.example.com/page2


which is perfect.


If your site wasn’t built like that and instead uses absolute links:


<a href="http://www.example.com/page2">Link</a>


then you’ll need to find each link and add the correct new URL to it.
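To find those absolute links, here is an added example (not from the original article) that scans a page's HTML for `http://` URLs. It goes slightly beyond links by also checking `src` attributes, since images and scripts loaded over plain HTTP trigger browser warnings on an HTTPS page. The sample HTML, the host `www.example.com` and the names `HttpLinkFinder` and `find_http_links` are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page for the site www.example.com.
SAMPLE_HTML = """
<a href="/page2">Link</a>
<a href="http://www.example.com/page2">Link</a>
<a href="http://other.example.org/">External</a>
<img src="http://www.example.com/logo.png">
<script src="https://www.example.com/app.js"></script>
"""


class HttpLinkFinder(HTMLParser):
    """Collect absolute http:// URLs found in href and src attributes."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.internal = []  # own-site URLs to switch to https or relative form
        self.external = []  # third-party http URLs, listed for manual review

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            url = urlsplit(value.strip())
            if url.scheme != "http":
                continue  # relative and https URLs need no change
            own = url.hostname == self.site_host
            (self.internal if own else self.external).append((tag, value))


def find_http_links(html, site_host):
    """Return (internal, external) lists of (tag, url) still using http://."""
    finder = HttpLinkFinder(site_host)
    finder.feed(html)
    return finder.internal, finder.external


if __name__ == "__main__":
    internal, external = find_http_links(SAMPLE_HTML, "www.example.com")
    for tag, url in internal:
        print(f"update <{tag}>: {url}")
    for tag, url in external:
        print(f"review <{tag}>: {url}")
```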


Step 4: Update image and other links


It’s not just links to pages on your site that you need to worry about.


It’s also any other link to resources such as images, stylesheets, and scripts.


If you right-click any of your site’s pages and click “view source,” you’ll see all kinds of tags like this: