In 2016, Google announced that it was going to move towards favoring sites that offered additional protection for web users, by favoring sites that used the secure hyper-text transfer protocol, also knowns as https. You’ve probably seen the majority of websites you use begin with http. This is the more widely used, and is typically used when you don’t need high security. Up until now, you’ve likely seen https when performing online activities like shopping on a website, or doing online banking. However, Google is now asking webmasters to secure all website traffic, as a first step in making online activity safe for all, and to keep the bad guys out.
If you are in the search engine business, or work with clients whom you do SEO work for, here are some of the main points that Google put out to webmasters the world over. We tend to talk a lot about Google in our business, and the reason for that is about 80% of the Internet search engine traffic goes through that main provider. The good news is that when we offer up information and/or best practices, these also apply to other search engines like Yahoo and Bing. With that said, here are some of the main talking points that Google has brought up in regards to moving websites over to the https protocol, and how they may favor https going forward.
For webmasters, you’re probably familiar with using the search console. For this operation, there’s really no migration path, just need to put https instead of http when using this tool.
Do you perform split testing, also known as a/b testing? Currently, if you are using http, but want to perform a/b testing with using http vs. https, then you might consider using 302 redirects that are not cached and do a canonical back to the http version of the page you’re testing against. Another thing you need to be aware of is that you should not be blocking https traffic in the robots file hosted on your website. The canonical doesn’t guarantee that a uniform resource locator (URL) using http will be indexed, but it does send a strong signal that it should considered for indexing, so your chances are good that it will happen. When performing the migration from http to https, and it’s time to do the actual migration, there are some guidelines you should follow. When migrating, add 301 redirects from the http version to the https version, make sure that the canonical tag is on every page and pointing to the updated, new version. Another item that deserves your attention here is complete an updated site map for both the http and https sites – this will assist Google in picking up all the changes that have been made. It has been mentioned a number of times that in the future, maybe 2017, that only the sitemap for https will be required. But for now, you’ll want to submit both http and https URLs.
When updating the website to make use of https, the website will need to use the https version of robots.txt file. However this is configured, you’ll want to ensure that it can be reached. And while you’re making these changes to the website, make sure that you don’t accidentally configure the site so that the http (regular) files and versions are blocked by the https (secure) robots.txt file. It’s very rare, but sometimes the reverse can happen. When in doubt, make a backup copy of the website you’re ready to make changes to, and test without the site going live. The last thing you want to have happen is a site getting lost or becoming unreachable because of something so simple being misconfigured.
On the topic of https vs. https,
there’s a common misconception floating around that a website has to be all of one or the other. Not true, it quite possible to have a mixture of both non-secure and secure protocols within a website. For example, you may find that you (or your client who you do web services for) may want to have only administration pages set to use https, or maybe only have https set on an ecommerce website at the point of checkout. If you do decide to move to using just the secure hyper-text transfer protocol (https) for the whole website, we recommend that you perform the migration in sections, and don’t try to do it all at once. When doing something like this, take it on a project, don’t rush, check your work, and make sure that you have, at all time, a back out plan. Prior to making any major changes to a site like this, the best practice is to make at least two copies of everything, and have those copies be at different sites, or on different backup platforms. So you might do something like backup everything to a tape library, and then use an online service for making the second copy. It’s very unlikely that both will fail, and especially unlikely that both would fail at the same time. This step is very important, but believe it or not, it’s something that not too many webmasters or SEO companies think about or take action towards. So feel free to take a lesson from others, and save yourself a lot of time and trouble in this arena.
When you make changes to a site, and if you move parts of the site, or the whole site from http to https, don’t be concerned if you see a drop in rankings. Because moving to a new protocol is viewed as a major change (albeit a good one) this might cause the site to take a dip in rankings for a short time frame. However, these changes tend to not be long lasting, the ranking of the site might move up and down a few times before settling into its new rank. Google have stated that while they are not able to make any sort of guarantees, as they are recommending the move from https from http, they won’t penalize a site for taking this recommended change.
Of course, with the move to https, you’ll need to make sure the site is using a proper secure sockets layer certificate. This is an area that can become very technical, very complex, very quickly. You may have heard differing opinions about what the best way to go about implanting an SSL certificate is, and who you might need to purchase it from. Generally speaking, if one obtains a certificate from any of the major vendors, it will be acceptable for use on the site. Google, Yahoo and Bing should not particularly favor one vendor against another. However, you should stay away from what are known as wild-card certificates. Sometimes this type of cert will cost less money, but is not made to be specific to a certain website, but could cover a number of domains, hosts, or computers. The reason that you want to stay away from using a wildcard cert is that browsers are aware of these, and may often pop up a message to the user that the site is not secure when in reality it is, or there might be a message about the name of the SSL certificate not matching the name of the website. Both of these message might cause the end user of the site to navigate away, and cause confusion on their end.
In part 2 of this article, we’ll continue the discussion
about this change, more information on certificates, keyword searches, indexing, migration, and crawl rates.