You may have seen headlines recently about Google changes that mean ALL websites should be on an SSL connection.
Argh! Panic! Right?
Well, kinda, but probably not.
Here’s the Back Story:
SSL (or Secure Socket Layer) is essentially like an overlay to HTTP, the protocol that governs how information is transmitted between websites and users. It’s what it sounds like – a layer that makes HTTP secure. A website that uses SSL can usually be identified because the website address will begin with HTTPS rather than just HTTP.
Our sites use SSL because we collect membership information, and take transactions. Our badges are also SSL, because some of our users have SSL sites, and need to display the image securely.
In simple terms, SSL takes the data submitted by a user and encrypts it, and protects it during transport so it can’t be messed with. Your SSL certificate also helps protect users against being directed to duplicate, fraudulent copies of websites without knowing.
Back in 2014, Google announced that in an effort to make the Internet a safer place, they would start using SSL as a factor when calculating search engine results. And more recently, that they will add a feature to the Chrome icon that doesn’t just show a padlock when you’re visiting a secure website, but which shows a red cross when you’re visiting a non-secure site.
And here’s what it means:
Making the web more secure is a good thing. But most blogs DO NOT NEED SSL.
If you’re not collecting sensitive financial data, and the only information users are providing is an email address to comment, or join your mailing list, you probably do not need SSL to make your site more secure.
The reason you might WANT to implement SSL is because you think it will harm your search traffic if you don’t have it – or it might boost your traffic if you do.
Well, kinda, sorta.
Remember, SSL is just one potential aspect of search ranking. There’s also your site’s domain age, and inbound links, and mobile responsiveness, and page load time, and pop-up ads, and keywords – remember that SSL is just one part of this mix. For a very big site with millions of visitors, then a small bump attributed to SSL might be worth thousands of extra visitors per month – but for most bloggers, especially those just starting out – it’s unlikely to be a big deal.
There’s a caveat here, of course. Over time SSL might become a BIGGER deal in rankings, in which case, you might want to look again. But if the only reason you’re considering SSL right now is for traffic, then we’d suggest focusing on improving other aspects of SEO before going down the SSL road.
What if i Choose to Move to SSL?
Essentially, there are two key benefits to using SSL.
- A boost in search traffic through higher rankings (potentially)
- A more secure site for your visitors
If you feel that your site requires SSL for one of these reasons, then the very, very best option, which we recommend with ALL of our heart is to get your host to do the work for you. If you don’t have this option, hire a developer from PeoplePerHour. This isn’t a job for people who don’t love computers and messing around in WordPress files. So how do you go about it?
1. Buy an SSL Certificate
You can buy an SSL certificate from your domain for your hosting company. Some hosting companies are offering them for free at the moment, otherwise, expect to pay around £20 per domain for a domain validation SSL, perhaps a little more for an Organisation Validation SSL. The domain SSL is all you need for a non-transactional website, while the OV certificate covers most basic commercial sites.
2. Update your Site
Your hosting company should install the SSL for you. This means they handle all the messy business of creating URL maps and redirecting links – effectively when you use SSL you’re creating an entirely new copy of your site and redirecting all your old HTTP pages to the new HTTPS pages. Ideally you also want to update all your internal links so they point to the new HTTPS pages, too. Oh, and you’ll need to update image links and stylesheets, too. And you’ll want to make sure any ad networks you’re working with support SSL (most do).
Like we said – messy.
If you’re using WordPress it is entirely possible for you to add 301 redirects to your .htaccess file but if you’re the sort of person who just read that sentence and seriously considered hiding under the desk, GET YOUR HOST TO DO IT FOR YOU. Or pay someone from PeoplePerHour. This is not the sort of job non-tech-enthusiasts should be bothering with, in our humble opinion.
3. Get Google to Crawl your New Site
Now you have an effectively new site, you want Google to crawl it and re-index it, to ensure your search traffic isn’t impacted.
You’ll want to add it as a new site and if you use Webmaster tools, submit a new site map as soon as possible. Make sure your Analytics code is also updated.
4. Test your Site
After a few days, you’ll probably want to test the SSL is installed correctly (again, your host is the best person to do this) and ensure all content is being indexed correctly. If it isn’t, you’ll need to work through the installation process again – we strongly recommend asking your host to do this for you if at ALL possible.
Have you made the move to SSL? Got any questions? Let us know in the comments.
Picture: Shutterstock
Discussion10 Comments
I’m on Blogger & have 1.5 k posts. I am seriously hiding under the desk. In fact I may give up and go back to bed!
Google bloggers have it comparatively easy, because there’s a simple “turn on HTTPS redirect” option in your account – but it’s not available for custom domain blogs. I do hear from SEO friends they will offer this option in the future, if you decide you want SSL on a custom domain blogger blog, so you could easily wait – there’s no huge urgency at this time, we don’t think. But I think it *is* possible to do, if you wanted to get a developer to do it for you sooner, via a CDN like Cloudflare.
Thanks for the ‘head up’. I’m on a custom domain on Blogger, so I’ll try and forget I ever read this. Until I need to know 😉 Thanks!
I have moved my store side which does collect financial information as well as more details about people to https but as the emails on the main site are hosted off site at secure email services I’ve decided at this point not necessary to move everything. PLUS with the majority of income coming from ad networks and ad networks as yet having a very low numbers of https ads I would lose money moving to the https across the site
I think that seems like a really sensible approach – you’re right that until you’re getting significant numbers of ads that can be delivered over HTTPS it’s a major issue for bloggers who want to monetise sites.
Would moving negatively impact your DR and PR? Because all those links you’ve built up over the years would point to the old site?
In the short term, possibly, but assuming you set up 301 redirects that should be addressed over time.
Technically 301 redirects don’t pass all the authority that you’ve built up across – it was always something in the region of a 15% loss…
However, various Google people have said that there is no authority loss if you 301 a non-http site to https, and from the experience of a few sites, that seems to be broadly the case (It’s always hard to separate out a single factor, even in a short space of time, but there hasn’t been an unexpected drop on any site I’ve worked on, beyond the normal variation in rankings which occurs anyway).
In return you’ll get a small ranking benefit, but it’s a very small one – and only works if none of your competition have already made the switch. So if you and a competitor were #3 and #2 for a term, and every other factor was completely equal, it may just about be enough to lift you one place higher, but generally won’t.
If you’re collecting passwords, data or running commercial activities, you should really already have an SSL certifcate in place – if not, I’d say you should plan to make the switch in the coming months. It won’t tank your site overnight if you don’t – the main problem will be later this year when Google intends to start showing a new warning that all sites without SSL are insecure if you’re browing in Chrome, but that won’t be for a while yet… And the good news is that you have a bit of time for your hosting company to either make it easy for you, or to research free options like Lets Encrypt.
Whether you’re hiring someone via PeoplePerHour, an external freelancer, agency or whoever, the important bit isn’t just installing the certificate, but you also want someone who has experience of setting up redirects properly, as they’ll need to know how to do a mass redirect (e.g. using .htaccess for WordPress on Linux), and also be able to either use a mass redirect tool or edit your database to update internal links etc etc…
This is such great advice, thanks Dan 🙂
My booking company is on SSL but my website isn’t. Fab post, sent me off running with many questions now.