How to move your site to SSL
Written by Martin Oxby and published
Google doesn’t often disclose ranking signals, but when they do the search marketing industry works itself into a tizzy. A perfect example is its recent announcement that going HTTPS could provide a slight rankings boost. All of a sudden I have seen hosting and domain registrar companies offering SSL certificates “to give that ranking boost.” Here’s one I saw on Twitter.
Improve your Google search results ranking by installing the SSL that gives you secure HTTPS! https://t.co/mSSd9DIzcF
— Namecheap.com (@Namecheap) August 7, 2014
I’ve always hated hype in SEO. A good, solid, SEO strategy is one that rides the waves of change, doing the right things consistently over time.
What did intrigue me was this – one barrier to entry might not be the actual cost of “going HTTPS” but the time and potential SEO risk of screwing up your own rankings when “moving home.” If you get the redirects wrong, you could accidentally misdirect users to the wrong location, or no location at all! Formatting your .htaccess or web.config files incorrectly can cause a site to go down.
And, from an SEO perspective, inbound links not correctly attributed to the correct end URL can lose you valuable traffic and rankings potential. So I set up a test.
Reasons for the Test
- I don’t believe in knee-jerk reactions in SEO, and so encourage fact/data driven decision-making model.
- Instead of risking a client site, we thought, “Let’s test our own site.” (scary!)
- We have a valid reason for going SSL – We transmit personal data via our contact forms.
- I wanted to see if our current keyword rankings would maintain (not increase) by going SSL.
In keeping with proper tests, we tried to keep as many other variables as stable as possible. Such as
- No URL structure or content changes
- No new links or projects launched at the time
- No other marketing “push”
These were the steps taken at the start of the test:
- SSL Certificate installed and verified by our server administrator
- URL rewriting to 301 redirect to the https version
- Previously set up 301 redirects updated
- Rel=“canonical” updated to the https version
- HTTPS version authorized in Google Webmaster Tools
John Mueller confirmed during a Google+ Chat that you can’t use the normal “moving my site” tool in Google Webmaster Tools. This is an oversight Google probably should have sorted before making this announcement. But life isn’t perfect!
Here is the path to the ultimate results. I have shortened my notes from each day, so you can get to the TL;DR as fast as possible.
We implemented all of the above and then waited.
Despite no indication of HTTPS results being in the index yet, my Webmaster Tools showed the transition had started with historic data applying to HTTP being filtered into the authorised HTTPS account for our domain.
I also remembered that the sitemap.xml file needed updating (There’s always another file isn’t there?) This meant that I had not informed Google explicitly of the new URL structure. I also ensured the site map was re-submitted both on the HTTP and SSL-authorized sites in Webmaster Tools.
Interestingly, the Fetch and Render tool gave me an error fetching a Google Font. Okay, Google shouldn’t block their own font library in its own robots.txt, but that aside, it made me look again at my code. I was referencing the HTTP version in my header, when we don’t want to be sending both secure and insecure resources. So, I updated my LINK tag to pull in the HTTPS version accordingly.
It didn’t prevent the robots.txt error, but my users were now being sent secure files, which is a good thing from a user experience perspective.
Movement! Hurrah! Granted, the only movement here was the home page being indexed as HTTPS, but that’s better than nothing, right? Also we had a ranking increase for one of our local search terms (the black line in the graph below).
But let’s not get hasty and inadvertently attribute this to switching to HTTPS. Remember that there has been much movement on the local search front recently with the so-called “Pigeon” update. In fact, if you look at our local terms (targets for home page only, since that was the one indexed) they have been gradually improving over July anyway. So was this the result of HTTPS? I don’t think the data suggests that at all.
After a few days of barely any URLs switching over in the SERPs, today we finally saw some major movement with a high proportion (about 50%) of our non-blog pages transferring over to the search results.
Today I tried to speed up the process by also migrating our WordPress blog – currently separate from our main site, by popping in some custom htaccess. Because htaccess can be defined on a per-folder basis and WordPress is installed into a folder, our blog had its own URL rules, separate to those of our site. So we had to update the folder’s rules.
What this meant was, once users (and search engines) landed on a blog page, they were automatically redirected to the HTTPS version. Rel=301 means it was a permanent redirect, which tells search engines to ditch the old URL in its index and replace it with our HTTPS one instead.
Finally, most of our services pages have transferred over. Impressions and clicks dropped off on our HTTP version in GWT…
… and they are picking up in the HTTPS version.
(Please ignore our CTR% – we are working on that!)
What happened to our rankings? Here’s the graph for our Top 10 ranking keywords.
We didn’t lose our rankings by going SSL. And the slight upward trend was happening anyway, regardless of adding our SSL certificate.
Here are some of my observations during this test:
- Although it ought to be accurate, the number of URLs indexed and displayed in Google Webmaster Tools does not actually seem to match reality. Perform an inurl:https://www.yourdomain.com search to see which URLs have already migrated.
- For some bizarre reason, it is possible to have both http and https versions ranking – the same page can have different listings for different keywords. We saw this, despite having 301 redirects and clear canonical designation in place,
- You need to be patient to allow Google to re-index your site. Currently, Google re-indexes using Googlebot to crawl 301 redirects.
- You can migrate safely to HTTPS without loss of rank if everything is done correctly: htaccess (or web.config for Windows servers), canonical, sitemap.xml, GWT authorisation – the lot.
- In theory, you should update links to your site to point to the HTTPS version, but it would be somewhat remiss of Google to devalue incoming links to your domain based on protocol. Matt Cutts has said that 301’s pass the same value as links, but opinion is divided on this. From our experience changing domains, we have seen value from updating links. It would seem odd then, given that links represent an endorsement by Google in the past, that those same links would be devalued based on new protocol.
- Check all folders for “rogue” htaccess files, they may all need updating!
- It took nearly two weeks to move over to HTTPS, which is really slow and I genuinely hope that John Mueller and the team at Google get the “moving website location” tool to include the change of protocol if they want people to adopt this quickly and easily.
In my view, purely informational sites probably don’t need to go HTTPS.
But, really, what is the problem with having an entirely encrypted Web? Sites willing to encrypt their communications are at least one step more trustworthy than those that don’t — not in the quality of content on the website, but how they treat users while they are browsing.
Why not treat all experiences on the Web with respect, regardless of any self-motivated reasons?