Ever since Google suggested websites move to HTTPS, a lot of businesses have made the migration. Along the way, many of them have made mistakes. Some of these mistakes come from misunderstanding what this really does for you.
Whenever I have technical questions that exceed my abilities, I turn to my awesome web host, KnownHost. They are always there to help me out and willing to go the extra mile. This time I turned to Chris and asked him a couple questions about HTTPS, especially as it relates to your business’ website.
Before we get into this, let’s define a couple acronyms.
Understanding that, I approached KnownHost with a couple questions:
An SSL protects login information or other user details being sent between the browser and the server. A good analogy would be that the server has a key and your browser has a key. When sending the information, that information is in a virtual “locked chest” and both keys (one of which your browser has and the other the server has) are needed to open that chest and transfer that information so someone in between cannot read it.
Many businesses believe that SSL certificates will protect their website 100% from those looking to exploit their WordPress or Joomla websites. This is not the case as an SSL only protects information being sent (for example, via a login form on the site).
With an SSL in effect, the browser sends a copy of the SSL certificate and then the browser will perform a check to ensure the SSL is trustworthy. If it is, it sends a digitally signed acknowledgment to the server to start an SSL encrypted session. Then the encrypted data is shared between the browser and the server.
Although we don’t have any direct information from Google regarding their reasons for making this recommendation, we believe Google is recommending this to help ensure users’ faith that their information is safe when they access a website using Google’s search results and to deflect any possible blame on Google for stolen personal data.
Does that help demystify this for you? As you can see, HTTPS is not the panacea some people think. That being said, if you want to make this migration, please take a look at some of the common mistakes I’ve noticed that people make during this transition.
Have you ever tried to visit a website only to get a page from your browser, asking you to make an “exception”? That’s because someone is trying to run an HTTPS website without a valid SSL certificate. It could be that someone is too cheap to buy one. It might be because their certificate has expired. It’s no good to have an HTTPS website if every one of your visitors hits this “exception” page. Keep your certificate up-to-date!
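One way to catch an expiring certificate before visitors hit the “exception” page is a small scheduled check. This is an added example, not part of the original post; the function names and the 30-day warning window are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def days_remaining(not_after, now=None):
    """Whole days until the certificate's notAfter time (negative means expired)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days

def classify(not_after, now=None, warn_days=30):
    """Map a notAfter string to 'expired', 'renew-soon' or 'ok' (warn_days is an assumption)."""
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < warn_days:
        return "renew-soon"
    return "ok"

def check_host(host, port=443, timeout=5.0):
    """Connect the way a browser does: verify the chain and hostname, then report expiry."""
    ctx = ssl.create_default_context()  # verification on, system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Same class of failure that makes a browser show its warning page
        return ("invalid", exc.verify_message)
    return (classify(cert["notAfter"]), cert["notAfter"])

if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run it from cron against your own hostnames and alert on anything other than `ok`.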
Whether it’s vandalism or malicious, more and more websites are getting hacked these days. In fact, it’s so common that Google has recently hired a large team just to handle reconsideration requests from hacked websites. Yes, you read that right: if your website is hacked Google will “penalize” it (to protect its users) and you’ll need to file a reconsideration request as if you have a search engine penalty. That sucks. I’ve seen this happen to a lot of websites recently.
That being said, as Chris mentioned above, an SSL certificate won’t protect you from all hackers. It will help protect login information, so people can’t get your password (as easily). It can help protect credit card data too, as it’s transferred to your payment gateway. However, an SSL certificate doesn’t protect you from all forms of hacking. In other words, don’t think this will stop your hackers.
I sigh just thinking about this claim. Sure, Google announced that this will be a part of their algorithm. In fact, in January, they made this an official part of their Webmaster Guidelines. So, I have to admit, this might give you an edge over your competitors’ websites- if all other factors are the same. Don’t forget, there are hundreds of ranking factors in Google’s algorithm. This is only one- and we don’t know how much more (or less) Google weighs it along with the many others.
The fact is there are probably a ton of other things you need to do first, before you’re at the point where this is the only difference between you and the other competing websites in your SERPs.
Besides, ranking is a poor way to measure your SEO efforts, anyway.
Whenever I see this I know exactly what happened: somebody read somewhere that having an HTTPS website will help you get more traffic from Google. That sounds good to them so they go to their developers and ask them to make this happen. The developer is busy on Reddit so they throw it up using a default redirect and they can get back to more important things.
Unfortunately, by default, most servers use a 302 redirect. From a human perspective, that’s fine- you still end up on the right page. Unfortunately, if Google sees you’re using a 302 redirect you are telling it, “I’m not here, right now, but I’m coming back later.” While Google will crawl the page at the end of the redirect, it will not pass the link authority to the destination page- you’re coming back, after all. As a result, Google starts ranking those new pages as if they don’t have any links- and your organic traffic drops off a cliff.
What you should have done is told your developer to take 15 extra seconds to use a 301 rather than a 302 redirect. This way all those links that were pointing to your old, HTTP website now get credited to your new, HTTPS website- and you won’t suffer from a loss of traffic, either.
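To confirm which kind of redirect your server actually sends, request the plain-HTTP URL without following the redirect and look at the status code and `Location` header. The following is an added example, not part of the original post; the function names and grade labels are assumptions, and the sample observations are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}       # "moved for good"
TEMPORARY = {302, 303, 307}  # "I'm coming back later"

def grade_redirect(http_url, status, location):
    """Grade the first response to a plain-HTTP request after an HTTPS migration."""
    if status not in PERMANENT | TEMPORARY:
        return "no-redirect"
    # Location may be relative; resolve it against the requested URL first
    target = urljoin(http_url, location or "")
    if urlsplit(target).scheme != "https":
        return "not-https"
    return "permanent" if status in PERMANENT else "temporary"

def fetch_first_hop(http_url, timeout=5.0):
    """HEAD the URL over plain HTTP and return (status, Location) without following it."""
    parts = urlsplit(http_url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def needs_fixing(observations):
    """Return (url, grade) for every URL that is not a permanent redirect to HTTPS."""
    graded = [(url, grade_redirect(url, status, loc)) for url, status, loc in observations]
    return [(url, grade) for url, grade in graded if grade != "permanent"]

# Constructed observations (url, status, Location) for illustration
SAMPLE = [
    ("http://example.com/", 301, "https://example.com/"),
    ("http://example.com/about", 302, "https://example.com/about"),
    ("http://example.com/blog", 301, "http://www.example.com/blog"),
    ("http://example.com/contact", 200, None),
]

if __name__ == "__main__":
    for url, grade in needs_fixing(SAMPLE):
        print(grade, url)
```

For a live check, pass `(url, *fetch_first_hop(url))` for each of your old HTTP URLs to `needs_fixing`.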
You’re not done when you use a 301 redirect. Don’t forget to update your URLs, too. There are several places this can go wrong.
When you set up your Google Analytics account you probably set your website to HTTP. Now that your website is HTTPS, you’ll need to go into your admin and update this. You’ll find this under Admin. Look for your “Property” (in the middle column) and select “Property Settings.” On this page you’ll see your Tracking Id, Property Name and the Default URL. Make sure your “Default URL” is now set to https://
Webmaster Tools (okay, Search Console- old habits die hard) is finicky. It only gives you data for the exact website you give it. That means, if you are running a WWW website but only verify WMT data from the URL without WWW, you’re actually not getting the complete data.
The same is true for HTTPS websites. To get the correct data you’ll need to verify your website again, using HTTPS. In fact, it’s interesting to watch Google index your HTTPS site while it de-indexes your HTTP site. Keep both profiles open, for a while at least. You’ll see Google at work.