How (and why) to migrate from HTTP to HTTPS

HTTPS is an enhancement to the standard protocol that provides a higher level of privacy. Hypertext Transport Protocol Secure, which is what this abbreviation means, encrypts user data, preventing intermediaries from intercepting, and also performs a number of other important technical functions, which are better to read about separately*. From a security point of view, HTTPS should be used on sites where the user can enter personal and/or payment information. But from the point of view of SEO optimization, Hypertext Transport Protocol Secure should be used on all promoted sites.

*There is a base Wikipedia article referenced by Google itself - https://en.wikipedia.org /wiki/HTTPS. Because HTTPS is HTTP that uses Secure Socket Layer, you can go directly to the article about SSL.

Why HTTPS is a must for SEO

1. August 7, 2014, the presence of a secure protocol has officially become a ranking factor in the Google search engine. At the time of the announcement of the update, the following information was published in the news: "... [now] this is a very light signal - it affects less than 1% of global requests and has less weight than other signals", but nevertheless, other things being equal, it may affect your ranking among competitors. News Link https://developers.google.com/search/blog/.
2. Sites without a secure protocol get "Not secure" in the browser search bar, which greatly reduces the trust in the resource. This implementation took place in July 2018.
3. If you do not have a secure protocol, some users may not go to your site from the issuance, choosing protected resources for themselves. Because of this, the CTR will drop and, subsequently, the positions.
4. HTTPS to HTTP conversion data is blocked in Google Analytics. This means you won't see your referral sites.
5. I don't know about you, but some HTTP sites just stopped opening with Google Chrome for me. At the same time, such sites open in other browsers and are displayed in the cache, respectively, information about the error is displayed only at the Google Chrome user level (compare the two screenshots below).

This is how an attempt to switch to an HTTP domain in Chrome browser looks like:

It will open in FireFox browser:

I’ll immediately note for those who doubt: everything is correct in the site settings, this is specifically the reluctance to open http. Considering that Google Chrome uses up to 70% of users, this is a serious loss of traffic.

Potential Issues

The main potential problem for a site with traffic is the loss of this traffic in the process of moving for a long period of time or forever. It is rare that the migration goes smoothly, because the duplicates that appear during the scanning of domain pages are glued together randomly (301 does not help right away), interfering with each other for some period of time.

In addition, purely technically, there may be:

• 🟥 Internal redirect chains instead of direct redirects between pages.
• 🟥 Broken links.
• 🟥 Invalid sitemap.xml and robots.txt.
• 🟥 Wrong url in important tags.
• 🟥 Problem displaying a page in the browser called mixed content when some of the content is not translated to http.

And of course, an indirect link will reduce the influence of your external donors on the site, and this is another reason why the site will have worse positions and reduced traffic in the beginning. However, you still need to migrate, and the sooner the better. Launch new sites immediately with a certificate.

Schematic algorithm for migrating from HTTP to HTTPS

Step One: You need to back up your file system and site configurations. It is performed so that in case of any problems you can quickly roll back. You can back up files in many ways: download to your hard drive, make a virtual copy on a server, and so on.

Step two: decide where the certificate will be obtained. Free SSL can be obtained from hosting, CDN (for example, Cloudflare, it is also free there), or purchased from a registrar (although some registrars can issue certificates for free). On my registrar and hosting from Namecheap, you can install an SSL certificate and immediately redirect from HTTP to HTTPS.

There are separate certificate providers like GoGetSSL and SSLs.com where you can buy advanced versions of SSL (not just a domain check for a secure connection, but a business check, domain name verification with a company name, and so on). If you choose to install SSL from special vendors, you still have to go through the procedure for installing a certificate (which does not make sense to describe here, because it will look different on each service); on a registrar or CDN, this makes it much easier by literally switching the slider in the desired section.

Step three: make your site available on HTTPS by activating the certificate in the chosen way. In fact, at the current stage, you should have two identical sites on a secure and insecure protocol with a 200 response. In some cases, there may be problems with layout - read below how to fix this. Next, submit your HTTPS domain for certificate verification using one of the verification services, such as https://www.ssllabs.com/.

Step four: edit the code - fix ALL internal links to the address with HTTPS, and even better - to relative ones. This is not only about links in the content, but about all links in the head: to styles, js, and so on. For example: the style file was located at //aboutseo.blog/css/main-styles.css, you change it to https://aboutseo.blog/css/main-styles.css (absolute link) or /css/ main-styles.css (relative link). Naturally, this is not done in a manual format, but in an automated one.

Step five: replace links in tags: in canonicals, hreflang tags. Also replace the url in the microdata. Why I singled out this item separately, and did not attach it to the previous one: the fact is that if we can refer to styles, scripts and internal links using the relative writing of the url, then in the link tags and micro-markup it is necessary to enter everything in the form of absolute addresses . Relative spelling will be considered an error.

Step six: do a 301. This is done either on Cloudflare (there are separate settings - make the site available only on HTTPS), or on the server. Each hosting has its own interface and configuration logic, so if you do not quite understand how to do this, contact support. Usually you do not need to set up a page redirect yourself: the servers have a simple tool for redirecting to http. You can also execute 301 by setting configurations on the server by typing the following commands:

For Nginx configurations:

 
        server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
               }  

For configurations in Apache:

 
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 
        

Step seven: update robots.txt and sitemap.xml. It is not necessary to configure 301 between sitemaps, you can even specify in the map for http addresses on https as canonical, since Google has the option to read the canonical in the sitemap, read here - https://developers.google.com/.

Step eight: technical check. First, check the site from an anonymous browser tab for the correct display of the layout (it makes no sense to open it from the current window, since the browser can cache styles). You will also need to see in the search line the inscription "Secure connection" with a lock, which will indicate the correct operation of the certificate. Secondly, start 2 site scrapings using ScreamingFrog or any other spider: on HTTP and on HTTPS. In the first case, you should see that all pages of the site return a 301 response, in the second case, all pages with a 200 response. If something is not working right somewhere, you need to fix it right away.

Step Nine: Add sites to Search Console and request top page recrawls. This is already a purely SEO item, necessary for the gluing to happen faster. Also request that the sitemap be scanned (but update it first, of course, as I wrote in point 7), and also send again the link disavowal file for the domain with HTTPS.

Step ten: update the url in GoogleAnalytics. If you have active social networks, also change the address there. Again, this is purely a SEO point, but still worth doing.

I understand that perhaps the instructions are not detailed enough, especially for those who do not understand the technique well. However, the fact is that the exact algorithm for moving from HTTP to HTTPS depends largely on what tools and services you use (CDN, hosting, registrar, CMS, etc.). Here I rather gave a schematized instruction, the steps of which are mandatory.

How long does it take to migrate from HTTP to HTTPS

The last move I made (it was a small site with several dozen pages under the request Holenderskie kasyno online) took me (if we take into account the restoration of positions in top 10) month. Gluing went through the following steps:

1. In spite of 301 redirects, Google initially defined pages as canonical on HTTP.
2. Then pages on HTTPS began to slowly appear in the search results, but at positions 30-50
3. 32 days after setting up 301, the main page (the home page) has recovered in terms of its queries in the top 5 (see screenshot below).

Did I lose converting traffic this month? Yes, lost by 98%. Would I have done the same if I knew in advance that it would be so? Yes, I did. And I recommend it to you, because improving security will be a priority goal for Google in the future. And this will be the conclusion for my article).