Using the HTTPS protocol to secure your business website is becoming increasingly important, providing assurance to visitors and a potential improvement in search visibility. Here Justin Aldridge, SEO director at Artemis Marketing, explains what HTTPS does and how to migrate your site.
As a business or website owner you have a responsibility not only to protect yourself but also the visitors to your website. As well as storing any user and order details securely, any communication through the website also needs to be secure as insecure connections can be intercepted and even modified by a malicious third party.
The easiest way to protect the traffic to your website is using the HTTPS protocol. The majority of websites today still use the traditional HTTP unsecured protocol, in fact, only 0.1% of websites online today are using HTTPS.
That is not many websites and it reflects the current issue with the internet and how vulnerable people are online, especially those that are less familiar with how hackers work and what makes a website or connection secure.
Firstly, a secure connection gives visitors to your website increased trust and confidence in your website when interacting or buying through it. A secure website can, therefore, lead to increased sales or leads. This is especially true in Google Chrome, the most popular browser, which will soon start flagging unsecured login pages as 'Not secure'.
Eventually Google will roll out this notification to all pages on websites still using HTTP which could further negatively impact sales and leads.
And, the second main benefit to a business is that Google now applies a search ranking benefit to HTTPS sites. When Google first announced this benefit we tested it on some sites but we didn't see any corresponding ranking benefit. However, in more recent transitions to HTTPS we have seen the benefit applied to the website's rankings. The ranking benefit is very real:
Note, however, that ranking increases vary from keyword to keyword and it really depends on the competition in the search results. It doesn't appear to be a very strong positive ranking signal, but it's definitely a signal and it helps to improve overall rankings.
What you will need are the following:
Website hosts like 123 Reg, GoDaddy and 1&1 generally already have their servers configured to accept secure connections. This shouldn't be a concern, but it's worth checking first in case you're on an old server which isn't.
Then you need to buy your security certificate. I often feel that this is an area that causes the most stress! For simplicity of implementation, the first port of call should be your web developer. They should be able to advise you where to buy it and how to get this configured on your server for your website. A certificate can typically cost £5 to £10 per month.
There is the possibility of installing a free certificate from Let's Encrypt, which is an online initiative to prevent the cost of a certificate stopping people or businesses from being able to secure their websites. It does require some technical knowledge to implement and it needs updating every 90 days, so it's probably best if it's done by a web developer.
Some host companies, such as Siteground, pre-configure websites on their servers with free Let's Encrypt certificates, which means it's all done and you don't have to do anything apart from make your website default to HTTPS. This is very handy indeed and it would be great if more hosts did this.
Other hosts, such as GoDaddy, Hostgator and 1and1, have options to buy and install certificates directly through them. This is often the easiest route to get the certificate installed if you are doing it yourself.
You should start by checking what products your host company offer for installing and configuring the certificate on the server for your website. Note that they are often called SSL Certificates.
In terms of certificates and how to configure them it's worth checking Google's tips again.
https://www.example.com
Now you need to take some additional steps to complete the transfer and preserve your Google rankings:
As a business or website owner you have a responsibility not only to protect yourself but also the visitors to your website. As well as storing any user and order details securely, any communication through the website also needs to be secure as insecure connections can be intercepted and even modified by a malicious third party.
The easiest way to protect the traffic to your website is using the HTTPS protocol. The majority of websites today still use the traditional HTTP unsecured protocol, in fact, only 0.1% of websites online today are using HTTPS.
That is not many websites and it reflects the current issue with the internet and how vulnerable people are online, especially those that are less familiar with how hackers work and what makes a website or connection secure.
So what is HTTPS exactly?
There are plenty of articles online to explain this and Google's own tips are a great place to start. Essentially, HTTPS is comprised of the traditional HTTP connection which is then encrypted using TLS (Transport Layer Security). As Google states, there are three core benefits that HTTPS provides:- Encryption: The data is sent and received in an encrypted format, so that third parties can't listen in or steal data such as the username and password you enter on a website
- Data integrity: This ensures that the data to and from the browser is not modified or corrupted, and detects if issues have occurred
- Authentication: This ensures that you are communicating with the website you were intending to communicate with
How HTTPS helps your business
There are two main ways that having your website address prefixed with HTTPS instead of HTTP helps your business.Firstly, a secure connection gives visitors to your website increased trust and confidence in your website when interacting or buying through it. A secure website can, therefore, lead to increased sales or leads. This is especially true in Google Chrome, the most popular browser, which will soon start flagging unsecured login pages as 'Not secure'.
Eventually Google will roll out this notification to all pages on websites still using HTTP which could further negatively impact sales and leads.
And, the second main benefit to a business is that Google now applies a search ranking benefit to HTTPS sites. When Google first announced this benefit we tested it on some sites but we didn't see any corresponding ranking benefit. However, in more recent transitions to HTTPS we have seen the benefit applied to the website's rankings. The ranking benefit is very real:
Note, however, that ranking increases vary from keyword to keyword and it really depends on the competition in the search results. It doesn't appear to be a very strong positive ranking signal, but it's definitely a signal and it helps to improve overall rankings.
Where to begin to enable HTTPS on your website
There are so many guides out there to help you move your website to HTTPS and often they can be quite confusing, especially when the articles become unnecessarily technical.What you will need are the following:
- A web server (host) that can accept secure connections. Most hosts will have enabled this already
- A security certificate. You will need to buy this, usually from your host, or you can get a free one from Let's Encrypt
- An hour or so to update your website and other resources accordingly, depending on the size of your website.
Website hosts like 123 Reg, GoDaddy and 1&1 generally already have their servers configured to accept secure connections. This shouldn't be a concern, but it's worth checking first in case you're on an old server which isn't.
Then you need to buy your security certificate. I often feel that this is an area that causes the most stress! For simplicity of implementation, the first port of call should be your web developer. They should be able to advise you where to buy it and how to get this configured on your server for your website. A certificate can typically cost £5 to £10 per month.
There is the possibility of installing a free certificate from Let's Encrypt, which is an online initiative to prevent the cost of a certificate stopping people or businesses from being able to secure their websites. It does require some technical knowledge to implement and it needs updating every 90 days, so it's probably best if it's done by a web developer.
Some host companies, such as Siteground, pre-configure websites on their servers with free Let's Encrypt certificates, which means it's all done and you don't have to do anything apart from make your website default to HTTPS. This is very handy indeed and it would be great if more hosts did this.
Other hosts, such as GoDaddy, Hostgator and 1and1, have options to buy and install certificates directly through them. This is often the easiest route to get the certificate installed if you are doing it yourself.
You should start by checking what products your host company offer for installing and configuring the certificate on the server for your website. Note that they are often called SSL Certificates.
In terms of certificates and how to configure them it's worth checking Google's tips again.
I have my HTTPS certificate, what now?
Once you have your certificate installed on your server you should now be able to access your website with HTTPS in front of the website address, such as:https://www.example.com
Now you need to take some additional steps to complete the transfer and preserve your Google rankings:
- All traffic to the HTTP version of a page needs to be 301 permanently redirected to its HTTPS equivalent. For most websites, a simple bit of code in the htaccess file like this will do the job:
Apache config:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
This is quite a technical change and it's key that it's implemented 100% correctly. Without this it could significantly impact the rankings of a website
