Http to Https/SSL for Better SEO – Improve Ranking In Google

It’s rare that Google reveals any of its actual search engine ranking factors, so it came up as a big surprise when representatives announced that they will reward websites using HTTPS/SSL encryption with a Improve Website Ranking. SSL isn’t like any other ranking factors, implementing it requires complexity, validation, and technical guide. Webmasters balance this out with benefits that include increased security, better referral data, and boost in rankings.

HTTP vs HTTPS

There are lots of criteria that differentiate one from the other. But these three listed below are the major differences between HTTP and HTTPS.

  • URL Scheme: HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin with http:// and use port 80 by default.
  • Security: HTTP is insecure and is subject to eavesdropping attacks, which can let attackers gain access to sensitive information of a website while HTTPS is designed to withstand and secure against such attacks.
  • Network layers: HTTP operates at the highest layer of the TCP/IP model which is the Application layer. SSL security protocol operates as a lower sub-layer of the same TCP/IP model but it encrypts an HTTP message prior to transmission and decrypts it upon arrival. Thus, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL connection.

Ranking benefits for switching to HTTPS/SSL

2-https-seoGoogle has confirmed that HTTPS/SSL are ranking boost in Google’s search results. Matt Cutts had said about SSL that he’d “personally love to make it part of the ranking algorithm”. They said that they recently introduced the signal into Google’s search algorithm, and happy with the results. They suggest that the “weight” of the SSL signal is currently light, but it will increase in importance over time. Right now they are giving all webmasters a “heads up” and giving them time to add SSL to their websites. A completely SSL site looks more trustworthy than a non-SSL one. Google already using Search, Gmail, Youtube and Google Drive on SSL.

From a spam fighting perspective I think I can see why Matt cutts would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them.So in other words, encrypting your website is a good way to get ahead of the curve. While is may not significantly improve your ranking right now, it will “future-proof” your website when Google starts increasing the value of SSL encryption in Google rankings. Here is example of recent rank improvement in Google after https:

3-https-ranking-factor

HTTPS for referrer data

At any point traffic passes from a secure HTTPS / SSL site to a non-secure HTTP site, the referral data gets escape away. This is an issue because you don’t know where the traffic actually originates from, and this traffic appears in your site analytic report as ‘Direct.’ in traffic source So if all search engines were on HTTPS and your site wasn’t, you’d never get keyword data. The solution for that is simple though: move your website to HTTPS and you’d suddenly have all your data back. This is the case with Bing’s HTTPS implementation: if you search on it and go to an HTTPS page from their results, the keyword data is all there, as you’d expect. As more and more sites make the switch, this becomes increasingly important.

Growing number of sites using HTTPS

4-number-of-sites-using-HTTPSNow lots and lots of sites start using HTTPS today, According to the latest statistics from BuiltWith, about 4.2% of the top 10,000 websites redirect users to SSL/HTTPS by default. This number is likely to increase in the very near future as more websites pursue adoption for HTTPS for SEO best practices

This post talks about the SEO implications while switching to HTTPS. If you are looking for a technical guide, there are several we’d recommend:

Should I Switch to HTTPS for SEO ?

If Google is encouraging “all website owners to switch from HTTP to HTTPS to keep everyone safe on the web,” then you better listen – they do own 68% of the search engine market share. So, why wouldn’t Google want to reward website owners who are listening to their advice? HTTPS may be a lightweight signal for now but a Heavier One in the Future. If website owners and the Big G believe it’s needed to enhance user’s experience, then expect HTTPS to eventually play a bigger role in search ranking algorithm. Now that Bing has launched its HTTPS version (some users still get the HTTP version by default as you have to switch to it yourself), it makes even more sense to move your website to HTTPS.

What type of SSL certificate works best?

There are various kinds of SSL certificates. They are basically categorized into three groups: Domain Validation, Organization Validation and Extended Validation.

5-ssl-types

 

 

 

 

 

 

 

 

 

Domain-level validation is the most basic type of SSL and generally the least expensive which provide basic encryption, can be issued in minutes and involve a simple validation of domain ownership.

  • Organization-validated SSL certificates are include authentication of the business or organization link to that domain also applicant’s right to request certificate for domain. This provides a higher level of security and lets customers know they can trust your server with their personal information.
  • Extended validation is top of the line. With extended validation, the certifying authority conducts a very in-depth examination of your business before issuing the certificate. This type of SSL provides the highest degree of security and user trust and also added green address bar in browser.

From security and user experience point of view, the type of certificate you choose can have an impact. Consider how different certificates alter how your website appears in the web browser address bar.The green bar associated with extended certificates communicates trust, while the warning symbols associated with errors can cause worry with visitors.

6-https-ssl

 

 

 

 

 

 

 

 

Moving your website to https / SSL

  • Make sure every element of your website uses HTTPS, including widgets, java script, CSS files, images and your content delivery network (CDN).
  • Use 301 redirects to point all HTTP URLs to HTTPS.
  • Make sure all canonical tags point to the HTTPS version of the URL.
  • Use relative URLs whenever possible.
  • Register the HTTPS version in both Google and Bing Webmaster Tools.
  • Update your sitemaps to reflect the new URLs. Submit the new sitemaps to Webmaster Tools. Leave your old (HTTP) sitemaps in place for 30 days so search engines can crawl and “process” your 301 redirects.
  • Update your robots.txt file. Add your new sitemaps to the file. Make sure your robots.txt doesn’t block any important pages.
  • If necessary, update your analytics tracking code..
  • Many sites still use FeedBurner for RSS feeds. Unfortunately, Google stopped supporting it long ago and FeedBurner isn’t compatible with HTTPS. If you use FeedBurner, you’ll need to migrate your RSS to an HTTPS-compatible service. If you’re technically competent you can do this yourself, or FeedPress has a very inexpensive RSS migration solution.
  • Migrating social share counts when moving to HTTPS, you often want to preserve you social share counts. These are the numbers that display in social share buttons. These counts don’t impact your rankings. In fact, some social networks will transfer the social counts through their APIs, but it may take weeks or months for them to show up correctly.

Moving WordPress Website to HTTPS/SSL

Links in WordPress (such as image attachments, themes CSS and JavaScript files) are relative to the install URL.

To change WordPress from HTTP to HTTPS, the install URL must changed from say http://websitewebhosting.net to https://websitewebhosting.net.

  • Login to your WordPress dashboard and navigate to Settings > General.
  • Ensure that the WordPress Address (URL) and Site Address (URL) are https. If not, add S after http to make https and save it.

Redirect from http to https

This last bit will help you tremendously when you’ve not updated every single link in your site yet. You can just add a straight server level redirect from http to https. In NGINX, you need to add for redirect
server {
listen 80;
server_name websitewebhosting.net www.websitewebhosting.net;
return 301 https://websitewebhosting.net$request_uri;
}

This seems to be the fastest way of doing this in NGINX, in Apache you’d do something like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

SSL test

If you’ve done above correctly, you should be able to pass the Qualys SSL test with flying colors, we sure do. I think you should aim for at least A in this test, though A+ is easily achievable when you add the Strict Transport Security header, this implementation in header tells user agents to only access HTTPS pages even when directed to an HTTP page. This eliminates redirects, speeds up response time, and provides extra security. In NGINX, you add this like this:

# This forces every request after this one to be over HTTPS

add_header Strict-Transport-Security “max-age=31536000”;

Best SSL certificate provider

Some sites will review services of inferior quality and tell you it’s the best SSL certificate provider just to make a quick buck. But we only recommend trusted certificate authority for SSL that we also use. We recommend Godaddy for SSL certificate, some features that makes it better for everyone.

  • Keeps payments & customer data private
  • Secures your site fast
  • Backed by up to $1,000,000 in liability protection
  • Supports strong SHA-2 & 2048-bit encryption
  • Compatible with all major browsers
  • One certificate covers unlimited servers
  • One-click installation for GoDaddy hosted accounts
  • Increases search rankings.

Buy SSL certificate


GoDaddy logo

Godaddy SSL

 

GoDaddy SSL Certificates are a simple and cost-effective way to protect your website with an SSL (HTTPS) and also boost your search rankings on Google. Best Deal! Save 30% off on all products (including SSL certficates). This is Godaddy’s featured offer right now. Save 30%


How to Install a Godaddy SSL Certificate

This guide will take you through the process of adding your newly-purchased SSL Certificate to your Hosting Account. We’ll also have a few tips and point out some common mistakes to avoid.

Save 30% << This coupon code has been tested this week and it’s working fine.ssl-coupon
set-up-ssl-certificate-activatedAfter you purchase your Certificate, you’ll be taken to a screen to activate your new product. Click the button that says “Set Up“. set-up-SSL-CertificateNow the Certificate will show up in your Godaddy Account Manager.

Go to your Godaddy Account Manager, scroll down to the “SSL Certificates” section and then click “Launch“.godaddy-account-manager-click-launch

You’ll be taken to an Installation Setup Page. On this page you can:

– Specify as you’re adding the SSL to a Godaddy Server

– Choose the SHA-1 Algorithm or the SHA-2 Algorithm (you want SHA-2, ). SHA-2 function immediately. SHA-1 is potentially insecure, which defeats the purpose of an SSL certificate.

– Agree to Terms & Conditions.

– Click “Nextselect-hosting-you-want-to-add-ssl-to-sha

After clicking “Next”, the Installation process has begun. You can relax! In the “SSL Certificate” of your Account Manager, you’ll see this “In Progress” message as Godaddy adds the certificate to your account. You will get an email when this setup is complete.

But keep in mind that it will take about 72 hours before it becomes fully active. ssl-installation-in-progress

select-hosting-you-want-to-add-ssl-to-shaAfter select 3rd Party Server. Next, log in to your WHM (Web Host Manager) backend and create a certificate signing request (CSR). To do this, go to the Web SSL/TLS menu in your WHM and click on “Generate an SSL Certificate Signing Request.” CSR requestFill in the information for your certificate (email address, password, company name, etc.). Be careful to ensure the key size is set to 2048, or GoDaddy will not accept the CSR.

Once you click “Create,” your server will create three strings of random text, the signing request, the certificate, and a key. Save the key to a backup text file and copy your signing request, including the beginning and ending lines, and log back into GoDaddy’s certificate management screen.

Locate the blank certificate you wish to use with this site and click on “Manage Certificate.”ssl-manage

Inside your certificate, find the field requesting your CSR and paste it in. GoDaddy will automatically fill in much of the certificate’s data for you. Click “Create Certificate,” and GoDaddy will begin verifying the domain and generating the certificate. (Please note, if your email address associated with the domain is different from the one associated with the certificate, you will have to authorize the certificate setup for it to complete successfully.) Once your certificate is done, you can move back into applying it to your account.

Applying Your Certificate

Once your certificate has been generated, download it to your computer by clicking the “Download” button. ssl-downloadNext, extract the .zip file you just downloaded and, using Notepad or an equivalent text editor, open the .crt file. Copy its entire contents, then log into your WHM. Under “SSL Management,” click “Install an SSL Certificate and Set up the Domain.” Paste the contents of the .crt file into the box below “Install an SSL Cert.”ssl-apply

Once this step is complete, the other fields on the page should populate automatically, and you can hit “Submit.” If everything is in order, the server should accept the certificate and restart Apache. Certificate installation should now be complete. (In case help needed, you can ask to your hosting support team to guide )

Now your SSL Certificate is correctly installed, you can use free tool to check that your Certificate is installed correctly as mention (SSL test) above.

SSL Certificates FAQ:

Wildcard SSL Certificates are only needed if you have sub-domains on your website. So with our website: websitewebhosting.net is protected with your subdomain like: blog.websitewebhosting.net. Some websites use sub-domains, and for them a Wildcard SSL certificate is essential. So if you decide to expand your website to include forums: (i.e. forums.websitewebhosting.net), then you should get a wildcard version.
When you first purchase an SSL Certificate, the hosting company or domain registrar needs to verify that you actually own the domain name. Otherwise you could buy an SSL Certificate for, say, Amazon.com, and then you could steal everybody’s payment information from that site. This is a pretty simple process, however. You will get an e-mail with an authorization code. It’s a straightforward process that takes less than a minute.
UCC SSLs can cover multiple subdomains, unique domain names, and websites. For example, you can secure www.coolexample.com, mail.coolexample.com, and www.awesomeexample.com.
How do you want to show visitors that your site is secure? Do you want visitors to see the SSL belongs to a verified organization, or is HTTPS in the address enough? All SSL-secured sites display HTTPS in the address. Premium Extended Validation (EV) SSLs also display a prominent indicator — usually a green address bar — to quickly assure visitors that the organization’s legal and physical existence was verified according to strict industry standards.
I am seeing this question a lot, from e-commerce sites that have SSL on their checkout forms. The answer is, yes, you need to still do something. This ranking boost is applied to only the pages that have SSL on them. Typically, SSL is only on those checkout pages and not on your product pages, content pages, etc. So you need to make your whole domain name, all the URLs, all the files, all the includes, all of it, go over HTTPS. So yes, you need to do something.This obviously will take some time, you need to test and then test, to make sure the HTTPS certificate doesn’t show errors to your users. There can be images, videos, and third-party includes that need to be adapted on the pages to ensure that it doesn’t give the user a security warning.
Google has told us time and time again, that if you switch your site over properly, there is no downside. Google has said before there was an SSL boost that there is no ranking change in a negative way for going SSL. Even back in 2012, Matt Cutts encouraged users to go SSL with their sites. Google even improved Google Webmaster Tools to support HTTPS vs HTTP reporting also started improving search engine rankings.

SSL can require more resources on your server and not setting it up properly could lead to load issues and delays. Below are the specific lines from our NGINX config related to the SSL session cache:
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

The next thing is pull available ciphers.
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Add-on: OCSP Stapling- just add this to your NGINX config (this uses Google’s DNS for resolving and assumes your certificate file contains the entire certificate chain):
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

Much of the web is now moving towards SSL encryption, and within a few years it may even become the default. So Http to Https is becomes necessary for SEO.

Still confused? Here’s a good video that breaks down why Https / SSL is essential:

Will you make the switch to HTTPS?