Moving your website to HTTPS / SSL

Time-to-switch-to-https

The Importance of SSL On Your Website

For several years now, Google has been forcing websites to implement SSL certificates. It all started with its 2014 HTTPS Everywhere campaign whose goal was to raise awareness of the value of SSL certificates. SSL later became a Google ranking signal to further encourage its adoption.

Currently, over two-thirds of all websites are unencrypted, and Google is taking the next steps to change that.

Is your site in that category?

Is your site being penalized by Google for not being secure?

As of July 2018, Google SSL requirements were enforced by flagging sites without SSL as unsafe in Chrome.

website-not-secure-chrome-warning

This update goes beyond adding it to its list of ranking factors only. It fundamentally changes the way web users think about their online security.

SSL certificates are designed to make users feel secure while using the internet. Without them, you could be jeopardizing your business, as well as your customer’s sensitive data. This article will explain what an SSL certificate is, how it works, how to install one, and more.

By moving your entire website to HTTPS / SSL, you can improve search rankings and protect your business / website reputation while playing a proactive role in protecting user privacy.

 

Use SSL/HTTPS To Rank &

Look Better on Google

 

Minimum requirements needed to move to HTTPS

  •  a shared hosting plan with SSL support; just contact your hosting provider about that, they usually offer support for it. In cPanel you can find it under SSL / TLS manager.
  •  Server Name Indication support or a dedicated IP address; all decent hosting providers are offering SNI support or dedicated IP addresses for shared hosting plans.
  •  a SSL certificate
  •  a properly configured website (read bellow)

If you’re going for SNI, you should know that there is no support for SNI in Windows XP’s Internet Explorer versions. Internet Explorer 7+ (Vista or later) and all new browsers do have support for SNI.

What is an SSL Certificate?

Put simply, an SSL certificate is a text file with encrypted data that you install on your server. This allows you to secure/encrypt sensitive information and communications between your website and your audience. Many think of it as their electronic passport.

SSL stands for ‘Secure Sockets Layer,’ and when a website owner has one, all data passed between web browsers and servers remains private and encrypted.

Without valid certificates, websites cannot establish a secure connection with web servers, meaning that users will not be digitally connected to a cryptographic key. This puts your company’s and your customers’ information at risk, especially considering current cyber-crime trends. As a result, the lack of SSL and HTTPS could potentially damage your brand image.

People will avoid purchasing from you or even signing up to your newsletter through fear of having their details stolen. Your conversions will plummet.

One of the most important things in business is to make customers feel like they are visiting a trusted, reliable website where making purchases is safe. SSL establishes a secure connection which then reassures your visitors using visual cues.

Seeing the lock icon or green bar when visiting a site can automatically make a visitor trust your company and take the next step in making a purchase.

 

Why is SSL So Important To Google?

SSL certificates are important for various reasons, for both business and website visitor. To get an idea of why it could be essential for your site, you can ask yourself the following questions:

  • Does your site take text inputs in the form of login panels, contact forms and search bars?
  • Is your website on HTTP://?

If yes, then you need SSL to prevent risk. Without one, you stand to put your visitors in danger and eventually lose them.

More reasons why this is important:

Encrypt sensitive information – without an HTTPS connection, the computer in between you and the server will be able to see sensitive information, like credit card numbers and passwords. With an SSL, this information is unreadable except to the server the data is being sent to.

Credit card numbers, social security numbers, and login details can be transmitted securely with HTTPS in place.

Provides data protection from online hackers and criminals

Online criminals are great at identifying any weakness in networks. They usually strike gold at the point where information is being transmitted. Without the ability to encrypt traffic, you run the risk of being hacked, having information stolen, and more.

Build more trust with customers

Building trust with your customers is one of the most important parts of running a successful company in 2018.

With trust comes customer loyalty. SSL security reassures customers that their information is safe with just a few visual cues. You boost your business credibility on top of this.

This is also relevant because:

  • HTTPS gives a stronger ranking on Google.
  • You will create safer experiences for your customers.
  • You will build customer trust and improve conversions over time.
  • You will protect both sensitive customer and internal data.
  • You will encrypt browser-to-server and server-to-server communication.
  • You will increase the security of your mobile and cloud apps.
  • You will protect against phishing.

Google said so – There are numerous reasons supporting the fact that this is important, but perhaps the most critical one is ‘because Google said so.’

Nobody wants to experience a drop in search rankings in Google or a negative impact on their business or online reputation. Without SSL, this is likely to happen.

 

Buying an SSL certificate for your site. Isn’t it expensive?

A SSL certificate is cheaper than you may think. For example, if you go for just a domain validation certificate, it will cost you around $9 a year. The nice part is that a domain validation certificate is usually issued within few minutes.

But, if you’re running a business you really should consider an EV SSL certificate, which is slightly more expensive. For more specific needs like validating multiple domains or multiple sub-domains, with a single certificate, you should also check other SSL packages.

As a tip, while activating the SSL certificate, make sure that WhoisGuard or other similar tools are disabled.

Generating and installing your SSL certificate

In order to generate a SSL certificate you’ll need to submit a certificate signing request (CSR) for your website. You can generate the CSR from your control panel or you can ask your hosting provider to generate it for you.

After sending the CSR you’ll also have to specify an email address (from your domain) that will be used to approve certificate’s activation.

After approval, the certificate will be emailed back to you. All you have to do now is to install it using your control panel or ask your hosting provider to install it for you.

Moving your website to HTTPS / SSL

At this stage, your HTTPS version should be up and running. You’ll have to make sure that all your resources are loaded using a secure connection and that all your internal links are using HTTPS.

If you’re using a cache plugin like WP Super Cache (on WordPress) or a system cache plugin (on Joomla) you should disable it at this point. It will be easier to debug mixed content warnings with cache disabled.

Replace all internal links with their corresponding HTTPS version

You can force all links to be loaded through HTTPS using HTTP Strict Transport Security or you can replace all your internal links using the Search and Replace Plugin.

On SEOSecretSauce.com I had to replace all http://seosecretsauce.com occurrences with https://seosecretsauce.com in all tables of my database.

In WordPress, if you use a Search and Replace Plugin, make sure you manually replace links from widgets with their HTTPS equivalent. Usually these type of plugins are not able to replace things inside widgets (because of the way widgets content is stored in the database).

You should also check your page source and replace / update all your HTTP internal links (if there are any) present in PHP, CSS, JavaScript and other type of files.

Avoid mixed content errors and warnings

After replacing the majority of your internal links you should access your website using the HTTPS URL (https://yourdomain.tld) to debug and fix all remaining mixed content warnings.

At first load, you’ll probably see a warning similar to this one:

Use the Inspector to find which resources are causing errors. In your browser, start the Inspector using CTRL+SHIFT+I and go to Console tab. The resources causing the warning will be displayed within console:

SSL support with CDN

Your CDN service also needs to have SSL support, because almost all your page resources will be loaded through a CDN edge. If you’re using MaxCDN, you’re lucky, because you can switch to SSL with no additional costs.

On MaxCDN, in Pull Zone settings you’ll have an option called Shared SSL. By enabling this option a new CNAME will be available in pull zone’s settings section, which looks like this: name-alias.netdna-ssl.com. Don’t forget to update the new CNAME in your website theme, CDN manager and / or cache plugin.

If you don’t want to use a shared SSL certificate, you can enable SNI SSL which allows you to install your own custom SSL certificate or you can use a Dedicated SSL plan.

Redirect from HTTP to HTTPS

After fixing all mixed content warnings you should redirect all your HTTP requests to HTTPS. Because duplicate content can always be a major source of SEO problems, you should use a 301 redirect.

Apache .htaccess example:

[bash]
RewriteCond %{HTTP_HOST} ^yourdomain\.tld [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.tld/$1 [R=301,L]
[/bash]

If you need to keep SSL off for some sub-directories (e.g. foo1 and foo2) you should use something like this:

[bash]
RewriteCond %{REQUEST_URI} !/foo1/
RewriteCond %{REQUEST_URI} !/foo2/
RewriteCond %{HTTP_HOST} ^domain\.tld [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domain.tld/$1 [R=301,L]
[/bash]

And here is the result of moving your website to HTTPS, no warnings and a green padlock icon:

 

green-padlock-ssl

SEO tips for HTTPS sites and other SSL tweaks

In terms of SEO, besides 301 redirection of all links, you should also add the HTTPS version of your website to Google Webmaster Tools. You’ll be able to add and verify it, but you won’t be able to use the change of address feature. In fact there is no need to follow the change of address procedure, because the only thing that has changed is the protocol and not the actual domain name. Adding the HTTPS version of your site map is also recommended.

Regarding Bing’s Webmaster Tools, you don’t have to add and verify the HTTPS version of your website, but is recommended to replace the site map with its HTTPS equivalent.

If you have embedded videos on your site, you should also update those links. For YouTube you’ll need to replace all http://youtube.com occurrences with their https://youtube.com equivalent.

Pay attention to third-party services like Google AdSense and Google Analytics. If you’re using an old Google AdSense code you’ll have to update that. Same thing applies to Google Analytics, Clicky Analytics and other similar analytics services.

If you use one of my analytics plugins (for Google or Clicky), these kind of things will be handled automatically. These plugins will automatically generate and insert the proper tracking code.

If you were using a cache Plugin don’t forget to enable it back, to make the necessary updates and to clear the entire cache.

SSL Certificates are no longer optional with Google

Purchasing and installing SSL is no longer something that online business owners can ignore. Google chrome is set to mark sites as insecure if they do not follow the steps above.

Sites without secure connection will be labeled as ‘Not Secure,’ and perhaps even blacklisted. Those all-important visual cues will not be in a surfer’s address bar to reassure visitors to your site, and you will likely lose them because of this.

Without an up-to-date, validated SSL certificate, you can only damage your position in Google search results. However, there is more to it than making the search engine like you. Without a secured connection, you are putting your whole business and brand reputation at risk.

We are Las Vegas local

Get your SSL Certificate!

Call Us Now 702-405-6475

Is Your Site Secure?