NEW! Raven by TapClicks - SEO + SEM Tools with Deeper Competitive Insights

GET STARTED FREE External Link Tap Click Logo Tap Click Logo

The Raven Blog

We write tips for digital marketers and we create beginner through advanced guides for search engine optimization. Improve your SEO and Content Marketing game.

How to move your site to SSL

Written by and published



Google doesn’t often disclose ranking signals, but when they do the search marketing industry works itself into a tizzy. A perfect example is its recent announcement that going HTTPS could provide a slight rankings boost. All of a sudden I have seen hosting and domain registrar companies offering SSL certificates “to give that ranking boost.” Here’s one I saw on Twitter.

I’ve always hated hype in SEO. A good, solid, SEO strategy is one that rides the waves of change, doing the right things consistently over time.

What did intrigue me was this – one barrier to entry might not be the actual cost of “going HTTPS” but the time and potential SEO risk of screwing up your own rankings when “moving home.” If you get the redirects wrong, you could accidentally misdirect users to the wrong location, or no location at all! Formatting your .htaccess or web.config files incorrectly can cause a site to go down.

And, from an SEO perspective, inbound links not correctly attributed to the correct end URL can lose you valuable traffic and rankings potential. So I set up a test.

Reasons for the Test

  • I don’t believe in knee-jerk reactions in SEO, and so encourage fact/data driven decision-making model.
  • Instead of risking a client site, we thought, “Let’s test our own site.” (scary!)
  • We have a valid reason for going SSL – We transmit personal data via our contact forms.
  • I wanted to see if our current keyword rankings would maintain (not increase) by going SSL.

In keeping with proper tests, we tried to keep as many other variables as stable as possible. Such as

  • No URL structure or content changes
  • No new links or projects launched at the time
  • No other marketing “push”

Steps Taken

These were the steps taken at the start of the test:

  1.     SSL Certificate installed and verified by our server administrator
  2.     URL rewriting to 301 redirect to the https version
  3.     Previously set up 301 redirects updated
  4.     Rel=“canonical” updated to the https version
  5.     HTTPS version authorized in Google Webmaster Tools

John Mueller confirmed during a Google+ Chat that you can’t use the normal “moving my site” tool in Google Webmaster Tools. This is an oversight Google probably should have sorted before making this announcement. But life isn’t perfect!

John Mueller Talks HTTPS to Martin Oxby on Google Plus

Results

Here is the path to the ultimate results. I have shortened my notes from each day, so you can get to the TL;DR as fast as possible.

We implemented all of the above and then waited.

Day 3

Despite no indication of HTTPS results being in the index yet, my Webmaster Tools showed the transition had started with historic data applying to HTTP being filtered into the authorised HTTPS account for our domain. HTTP vs HTTPS Results

I also remembered that the sitemap.xml file needed updating (There’s always another file isn’t there?)  This meant that I had not informed Google explicitly of the new URL structure. I also ensured the site map was re-submitted both on the HTTP and SSL-authorized sites in Webmaster Tools.

Interestingly, the Fetch and Render tool gave me an error fetching a Google Font. Okay, Google shouldn’t block their own font library in its own robots.txt, but that aside, it made me look again at my code. I was referencing the HTTP version in my header, when we don’t want to be sending both secure and insecure resources. So, I updated my LINK tag to pull in the HTTPS version accordingly.

It didn’t prevent the robots.txt error, but my users were now being sent secure files, which is a good thing from a user experience perspective.

Day 4

Movement! Hurrah! Granted, the only movement here was the home page being indexedURLs Submitted - URLs Indexed as HTTPS, but that’s better than nothing, right? Also we had a ranking increase for one of our local search terms (the black line in the graph below).

But let’s not get hasty and inadvertently attribute this to switching to HTTPS. Remember that there has been much movement on the local search front recently with the so-called “Pigeon” update. In fact, if you look at our local terms (targets for home page only, since that was the one indexed) they have been gradually improving over July anyway. So was this the result of HTTPS? I don’t think the data suggests that at all.

Project Summit Data

Day 7

After a few days of barely any URLs switching over in the SERPs, today we finally saw some major movement with a high proportion (about 50%) of our non-blog pages transferring over to the search results.

Day 8

Today I tried to speed up the process by also migrating our WordPress blog – currently separate from our main site, by popping in some custom htaccess. Because htaccess can be defined on a per-folder basis and WordPress is installed into a folder, our blog had its own URL rules, separate to those of our site. So we had to update the folder’s rules.

HTTPS Redirects

What this meant was, once users (and search engines) landed on a blog page, they were automatically redirected to the HTTPS version. Rel=301 means it was a permanent redirect, which tells search engines to ditch the old URL in its index and replace it with our HTTPS one instead.

Day 11

Finally, most of our services pages have transferred over. Impressions and clicks dropped off on our HTTP version in GWT…

HTTPS Pages Indexed

… and they are picking up in the HTTPS version.

(Please ignore our CTR% – we are working on that!)

What happened to our rankings? Here’s the graph for our Top 10 ranking keywords.

Search Rankings Graph

We didn’t lose our rankings by going SSL. And the slight upward trend was happening anyway, regardless of adding our SSL certificate.

Uncover your top priority on-page  issues quickly with Raven Site Auditor’s intuitive charts. Get Started Free.Uncover your top priority on-page  issues quickly with Raven Site Auditor’s intuitive charts. Get Started Free.Uncover your top priority on-page  issues quickly with Raven Site Auditor’s intuitive charts. Get Started Free.

TL;DR

Here are some of my observations during this test:

  • Although it ought to be accurate, the number of URLs indexed and displayed in Google Webmaster Tools does not actually seem to match reality. Perform an inurl:https://www.yourdomain.com search to see which URLs have already migrated.
  • For some bizarre reason, it is possible to have both http and https versions ranking – the same page can have different listings for different keywords. We saw this, despite having 301 redirects and clear canonical designation in place,
  • You need to be patient to allow Google to re-index your site. Currently, Google re-indexes using Googlebot to crawl 301 redirects.
  • You can migrate safely to HTTPS without loss of rank if everything is done correctly: htaccess (or web.config for Windows servers), canonical, sitemap.xml, GWT authorisation – the lot.
  • In theory, you should update links to your site to point to the HTTPS version, but it would be somewhat remiss of Google to devalue incoming links to your domain based on protocol. Matt Cutts has said that 301’s pass the same value as links, but opinion is divided on this. From our experience changing domains, we have seen value from updating links. It would seem odd then, given that links represent an endorsement by Google in the past, that those same links would be devalued based on new protocol.
  • Check all folders for “rogue” htaccess files, they may all need updating!
  • It took nearly two weeks to move over to HTTPS, which is really slow and I genuinely hope that John Mueller and the team at Google get the “moving website location” tool to include the change of protocol if they want people to adopt this quickly and easily.

Final Thoughts

In my view, purely informational sites probably don’t need to go HTTPS.

But, really, what is the problem with having an entirely encrypted Web? Sites willing to encrypt their communications are at least one step more trustworthy than those that don’t — not in the quality of content on the website, but how they treat users while they are browsing.

Why not treat all experiences on the Web with respect, regardless of any self-motivated reasons?

Marketing Report Example

Learn About Our Site Auditor

Analyze over 20 different technical SEO issues and create to-do lists for your team while sending error reports to your client.

31 Responses to “How to move your site to SSL”

  1. Great insight, thank you for sharing. Curious was there any change in the crawler chart for “Time spent downloading a page (in milliseconds)” after you switched to SSL

  2. Dave Culbertson

    Great write-up! Have you checked your analytics data to see if the share of direct visits has dropped and the share or organic and/or referred visits increased? Some browsers don’t send the referrer information when going from an HTTPS to HTTP site, but the referrer should be sent if the path is HTTPS to HTTPS (also, HTTP to HTTP or HTTP to HTTPS)

    • Martin Oxby

      Hi Ivan,

      Which URL are you looking at, if I can ask? The main site’s pages are all SSL. Anything under /blog/ may still be HTTP as we are reviewing the whole site ahead of a redesign.

      Apologies for the delay in getting back to you, been preparing for a large business exhibition the last couple of days 🙂

  3. Sean Owens

    Absolutely excellent article, its a huge amount of trouble to go to but hopefully worth it. I had completely forgotten also about the sitemap. We see the number of indexed pages dropping since we installed SSL. Wondering about reverting. I have to scan all my internal links to make sure they are all http too.

    • Martin Oxby

      Don’t revert back – it’s worth looking through the issues. Especially ensuring your 301 Redirects are working properly, so that all inbound links maintain their value across to HTTPS.

      Another challenge as you say internal links (which is why relative links are better) but also internal assets – images, PDFs/Downloads, videos etc to make sure you’re not serving some secure and some insecure content (this can flag up warnings to users).

      If you need someone to have a look from the outside, I’m happy to help.

  4. Hammy Havoc

    When moving a site to HTTPS, it seems that social media share stats are lost, this isn’t great in terms of business/advertising, apparently Facebook and Google follow 301 redirects, what can be done for Twitter?

    • Martin Oxby

      I’m not sure there is at this stage (though I’m open to someone correcting me). To be honest, the best thing you can do is update any short-links to https and any auto-sharing to https and start collecting stats. As ‘tweets’ are not a ranking factor, you can just collect them again, so you’re not any worse off.

    • I’m not sure there is at this stage (though I’m open to someone correcting me). To be honest, the best thing you can do is update any short-links to https and any auto-sharing to https and start collecting stats. As ‘tweets’ are not a ranking factor, you can just collect them again, so you’re not any worse off.

  5. What if I have ecommerce shop and I have ssl set to checkout and cart? There is https and http verion in google webmaster. There was already added https mapsite. What it should be done to make things ok and do not have duplicate content? Should I redirect all other http requestes to https or just set canonical to https or to http ?

    • Martin Oxby

      You probably don’t need to worry about duplicate content over checkout and cart pages. However, if you have moved to HTTPS then you really ought to use 301 Redirects and ensure rel=”canonical” is set correctly on those pages, then eventually Google will drop the HTTP versions out of the SERPs.

      As for whether all your pages should be HTTPS, on e-commerce sites I would say yes to that. Users are still transmitting data by adding/removing products. Also if they have an account with your site then that login and all subsequent actions should be encrypted.

      By that stage you have set so many sections to HTTPS that it would just make sense to move the whole thing over to SSL.

      Hope this helps!

  6. What if I have ecommerce shop and I have ssl set to checkout and cart? There is https and http verion in google webmaster. There was already added https mapsite. What it should be done to make things ok and do not have duplicate content? Should I redirect all other http requestes to https or just set canonical to https or to http ?

    • Martin Oxby

      You probably don’t need to worry about duplicate content over checkout and cart pages. However, if you have moved to HTTPS then you really ought to use 301 Redirects and ensure rel=”canonical” is set correctly on those pages, then eventually Google will drop the HTTP versions out of the SERPs.

      As for whether all your pages should be HTTPS, on e-commerce sites I would say yes to that. Users are still transmitting data by adding/removing products. Also if they have an account with your site then that login and all subsequent actions should be encrypted.

      By that stage you have set so many sections to HTTPS that it would just make sense to move the whole thing over to SSL.

      Hope this helps!

  7. Jai Aenugu

    Hey, Great article. Thanks! I recently moved my wordpress site (spicydealzz) to https. It is authorised in GWT and GA but google is not indexing my site in GWT. Whenever I do ‘fetch as google’ it says redirected. Could you please advise?

  8. Jai Aenugu

    Hey, Great article. Thanks! I recently moved my wordpress site (spicydealzz) to https. It is authorised in GWT and GA but google is not indexing my site in GWT. Whenever I do ‘fetch as google’ it says redirected. Could you please advise?

  9. Hello Martin.
    I’ve already redirected urls to https. Everything is okay, but having problem at homepage. Semrush detects that “No redirect or canonical to HTTPS homepage from HTTP version”.
    option 1: I am using all in one SEO, unfortunately no option to use canonical for homepage.
    option 2: I’ve already add to .htaccess :
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    but the code is not working for homepage. How to fix it? Thanks for your help