Move your site to HTTPS – Get Better search rankings

Move your site to HTTPS – Get Better search rankings

If you’ve ever been to this site before, you may have noticed that all pages and links are now being served up through HTTPS. Most people are familiar with HTTPS being used exclusively for online shopping sites and user account login pages, but there’s a current trend happening wherein ALL pages on a domain are being secured through SSL/TLS (hopefully just TLS now). It’s no secret that many webmasters engineer their sites to play friendly with Google above all other search engines so that their sites may enjoy better search positions and I’m no different! So when Google announced back in 2014 that they were running tests to add more ranking weight to sites using HTTPS versus sites that weren’t, a lot of top websites responded.

Now this isn’t to say that websites like Twitter or Facebook moved to all HTTPS sites just because Google did it, but it’s a strong indicator of what’s to come when some of the most popular sites on the internet are starting (or continuing) a trend. Google sees the future of the internet as a more secure one and they are willing to

Brief overview of SSL/TLS and HTTPS

SSL secured site (HTTPS)Back in the early days of the internet, websites were designed specifically with access speed in mind. Web pages were usually simple text documents with a little added flair thanks to HTML and sites that had tons of images and HTML code to parse were death sentences for those companies or institutions because nobody wanted to wait a few minutes for a page to load. I won’t get into all the gritty details of SSL/TLS, but essentially when you secure a webpage, it requires encryption and decryption processes each time the page is accessed. This added overhead to your web browsing experience and slowed things down a bit, so web designers usually only secured pages worth securing. This is why entire HTTPS sites still look foreign to some web users. I come from a time where you would only see a secured page when you were about to enter your credit card information.

But times have changed. Internet connections are faster, browsers are faster and computers are faster. Obviously as a result, the encryption/decryption process is much faster. Regardless, the majority of the web still uses HTTPS the way we used to and many webmasters who just have simple websites that aren’t acquiring any sensitive information from users just don’t have it all. But that’s changing too. We are all using the internet much differently than in the past and more and more sites are adding new functionality, collecting new data and asking users to interact more. These bits of data may not be full on credit card numbers, but much of it can still be used to identify a user. Add that to the increasing number of attacks that have been unleashed on the internet in the recent past and you have a recipe for disaster.

Getting Started With HTTPS

The first step in securing your website is to find out what kind of certificate you need/want. The differences will dramatically alter the price and you may not need all the features that the higher-end certificates offer. If you just need your site secured and you want to follow Google’s basic recommendations for better search rankings, here’s some basic tips:

  • Domain Protection – A single domain certificate will protect one domain (example.com and www.example.com). A multi-domain cert will protect all your domains (example.com, test.com, website.com, etc.), but usually only up to 99 domains and the cost rises with the number of domains protected. A wild-card cert will protect one domain and unlimited subdomains (www.example.com, mail.example.com, store.example.com, etc.).
  • 2048-bit keys – You’ll be hard-pressed to find a key with less than 2048 bit encryption these days, but that’s good because Google requires this at a minimum. Check out the math behind breaking a 2048-bit key!
  • Relative URLs – Rather than using the full URL of links that reside on the same server, Google recommends that you use a relative URL. So instead of linking to https://www.example.com/category/page-name.html, always use /category/page-name.html. This is good practice no matter what, but if you’re using WordPress or some other CMS, you might notice that relative URLs are NOT the norm. Consider using a plugin for this or try modifying links by hand if you dare.
  • Don’t block HTTPS with robots.txt – It’s common for a website to block all HTTPS pages from search indexing using the robots.txt. But that only applies to pages such as temporary shopping cart URLs or user account pages. If you block ALL HTTPS pages, then Google won’t index your site thus defeating the purpose of all this!

 
Another important decision to make is the type of validation you wish to use. I didn’t add it to this list above because it’s irrelevant to Google’s search rankings, but it might be relevant to your situation. In my case, I purchased the cheapest certificate you can buy…feature-wise. It still provides the same level of security as a high-end certificate, but it just visually looks different. There are basically three types of validation, but each certificate retailer might market them different to spice it up a bit. If you strip off fancy marketing, you’re left with these options:

  1. Domain Validation (DV) – This type of validation will validate your domain only. If you’re running a site like mine, this is all you really need. It informs the visitor via the green lock icon in the address bar that this is a secure site and all data transmitted is being encrypted.
  2. Organization Validation (OV) – In addition to validating your domain, this certificate will go a step further and validate your organization information like physical address, name and phone number. You won’t generally need this if you’re running a basic blog site. But if you’re running an online shop, this certificate will generate added peace of mind for shoppers by showing them your real-world information.
  3. Extended Validation (EV)EV certificate example (HTTPS)This validation includes everything provided by the previous two, but it also adds the green address bar to further your visitor’s peace of mind by actually changing the color of the entire address bar to green while also displaying your business/organization’s name prominently to the world. Note: the full green address bar is only applicable to Internet Explorer. Take a look at the image to the right for an example of an EV certificate on the various browsers.

As you might have guessed, these validation types are in order from least expensive to most expensive. There are many different places to purchase TLS certificates and as such, prices change dramatically. The first place you might want to look is your own webhost. They generally offer easy installation and configuration as well since everything is done in-house. You might even get a discount since you’re paying for hosting services as well. But keep in mind, you do not need to by a certificate from your web host OR your domain registrar. Feel free to shop around and get the best price for you.

Once you have decided on what type of certificate to purchase, get in touch with your webhost for information on how to configure everything and remember that even though Google has stated the increased weight applied to ranking for HTTPS is relatively low at the moment, there may come a time in the future where having HTTPS is as important as having great, original content.

Checking your Server for HTTPS vulnerabilities

HTTPS server reportIf you already have HTTPS setup on your server, it’s highly recommended that you run a server check to ensure that you’re doing everything you can to protect not just your website, but the entire server as well. This mostly only applies to users who administer their own servers (like a VPS or co-location hosted solution), but running the test on any server will help identify any outstanding issues that should be worked out with your webhost. Hopefully they’re already on top of it before you are!

The SSL test is hosted by Qualys, Inc. and will produce a report similar to the one you see here. If your server contains any issues, they will let you know how to fix them. Assuming you have admin access to your server, you should follow these tips as soon as possible to ensure server security.

Related posts

Happy 2015! Digitizing Life is now live!

Happy 2015! Digitizing Life is now live!

First of all, happy new year!! While I'm out ringing in 2015 (and so should you), my photography website has been launched. I've been working on this site (the one you're reading) and a couple others for so long, I haven't been able to pay much attention to my other hobby, but that time has...

Redirect Sub-domain Folder to Sub-domain URL – For Beginners

Redirect Sub-domain Folder to Sub-domain URL - For Beginners

If you've ever run into the need or desire to run a website using a sub-domain, this post may help you. I got stuck with this particular issue and even though it was such a simple fix, it eluded me for quite some time! As a quick refresher for those new to domains and web development, creating...

Web Hosting – Choosing the right home for your website

Web Hosting - Choosing the right home for your website

It goes without saying, but you do need a web host in order to have a website. A web host is a company that provides a server that all of your website's files are stored on and then served up to the visitors that come see your page. There are literally thousands of web hosting companies out...

Leave a Reply