10 {{ upvoteCount | shortNum }}
10 {{ upvoteCount | shortNum }}

Switching to HTTPS. Press of a button.

by Oliver Lawer
9 replies
  • SEO
    • |
Hi,

Our host has said we're set-up for SSL and all he needs to do is 'push a button'. Essentially, forcing the HTACCESS to force users onto the HTTPS.

I remember reading about the change to HTTPS a while back and if I remember right, it was a damn sight more complicated than this.

But we're running wordpress, so maybe it is just that simple?

I'm assuming we would not need to take any further action? i.e. notifying Google etc? And our rankings would remain what they are now (if not better) with no drop in traffic?

Thanks!
#button #https #press #switching
Avatar of Unregistered
  • Profile picture of the author MikeFriedman
    Originally Posted by Oliver Lawer View Post


    I'm assuming we would not need to take any further action? i.e. notifying Google etc? And our rankings would remain what they are now (if not better) with no drop in traffic?

    Thanks!
    Negative. There is no guarantee that your will rankings will remain. You could see rankings drop, but it would likely be temporary, as Google sorts out your new structure.

    And you won't see an improvement in rankings from changing to HTTPS. Google says it is a ranking signal, but nobody who has tested it publicly has seen a positive effect on rankings.

    You also want to go into Google Search Console and set your preferred URLs as the HTTPS version.
    Signature

    For SEO news, discussions, tactics, and more.
    {{ DiscussionBoard.errors[11230996].message }}
    • Profile picture of the author Oliver Lawer
      Great thank you.

      I found this extensive list of things to do to... seems like a headache I don't need if it won't affect rankings.
      • Start with a test server. This is important because it lets you get everything right and test without screwing it up in real time. Even if you are doing the switch without a test server, there's almost nothing you can do that you can't recover from, but it's still best practice to have a plan and have everything tested ahead of time.
      • Crawl the current website so that you know the current state of the website and for comparison purposes.
      • Read any documentation regarding your server or CDN for HTTPS. I run into lots of fun CDN issues, but it can also be straightforward.
      • Get a security certificate and install on the server. This will vary depending on your hosting environment and server setup too much for me to go into details, but the process is usually well-documented.
      • Update references in content. This can usually be done with a search-and-replace in the database. You'll want to update all references to internal links to use HTTPS or relative paths.
      • Update references in templates. Again, depending on how you deploy, this might be done with Git or simply Notepad++, but you'll want to make sure references to scripts, images, links and so on are either using HTTPS or relative paths.
      • Update canonical tags. Most CMS systems will take care of this for you when you make the switch, but double-check, because that's not always the case.
      • Update hreflang tags if your website uses them, or any other tags such as OG tags for that matter. Again, most CMS systems will take care of this, but it's best to QA it just in case.
      • Update any plugins/modules/add-ons to make sure nothing breaks and that nothing contains insecure content. I commonly see internal site search and forms missed.
      • CMS-specific settings may need to be changed. For major CMS systems, these are usually well-documented in migration guides.
      • Crawl the site to make sure you didn't miss any links and nothing is broken. You can export any insecure content in one of the Screaming Frog reports if this is the crawler you are using.
      • Make sure any external scripts that are called support HTTPS.
      • Force HTTPS with redirects. This will depend on your server and configuration but is well-documented for Apache, Nginx and IIS.
      • Update old redirects currently in place (and while you're at it, take back your lost links from redirects that haven't been done over the years). I mentioned during the Q&A portion of the Technical SEO Panel at SMX West that I've never had a site drop in rankings or traffic when switching to HTTPS, and a lot of people questioned me on this. Due diligence on redirects and redirect chains is likely the difference, as this is what I see messed up the most when troubleshooting migrations.
      • Crawl the old URLs for any broken redirects or any redirect chains, which you can find in a report with Screaming Frog.
      • Update sitemaps to use HTTPS versions of the URLs.
      • Update your robots.txt file to include your new sitemap.
      • Enable HSTS. This tells the browser to always use HTTPS, which eliminates a server-side check and makes your website load faster. This can also cause confusion at times, since the redirect will show as 307. It could have a 301 or a 302 behind it, though, and you may need to clear your browser cache to see which.
      • Enable OCSP stapling. This enables a server to check if a security certificate is revoked instead of a browser, which keeps the browser from having to download or cross-reference with the issuing certificate authority.
      • Add HTTP/2 support.
      • Add the HTTPS version of your site to all the search engine versions of webmaster tools that you use and load the new sitemap with HTTPS to them. This is important, as I've seen traffic drops misdiagnosed because they saw the traffic in the HTTP profile drop, when the traffic in reality moved to the HTTPS profile. Another note for this is that you do not need to use the Change of Address Tool when switching from HTTP to HTTPS.
      • Update your disavow file if you had one for the HTTPS version.
      • Update your URL parameter settings if you had these configured.
      • Go live!
      • In your analytics platform, make sure you update the default URL if one is required to ensure that you are tracking HTTPS properly, and add notes about the change so that you know when it occurred for future reference.
      • Update your social share counts. There's a lot of gotchas to this, in that some of the networks will transfer the counts through their APIs, while others will not. There are already guides for this around if you are interested in keeping your share counts.
      • Update any paid media, email or marketing automation campaigns to use the HTTPS versions of the URLs.
      • Update any other tools such as A/B testing software, heatmaps and keyword tracking to use the HTTPS versions of the URLs.
      • Monitor everything during the migration and check, double-check and triple-check to make sure everything is going smoothly. There are so many places where things can go wrong, and it seems like there are usually several issues that come up in any switch to HTTPS.
      {{ DiscussionBoard.errors[11231001].message }}
  • Profile picture of the author MikeFriedman
    The list is longer than it probably needs to be for most sites making a switch. I would definitely make sure that all internal links, canonical tags, and external links that you control are updated to the new HTTPS version.
    Signature

    For SEO news, discussions, tactics, and more.
    {{ DiscussionBoard.errors[11231019].message }}
    • Profile picture of the author Oliver Lawer
      Ah I see. Thanks.

      So just doing a force HTACCESS redirect won't redirect our internal links too?
      {{ DiscussionBoard.errors[11231030].message }}
      • Profile picture of the author MikeFriedman
        Originally Posted by Oliver Lawer View Post

        Ah I see. Thanks.

        So just doing a force HTACCESS redirect won't redirect our internal links too?
        It will redirect them, but the best practice is to just change them rather than force them through a redirect.
        Signature

        For SEO news, discussions, tactics, and more.
        {{ DiscussionBoard.errors[11231033].message }}
  • Profile picture of the author Oliver Lawer
    Got you. But doing a wide HTACCESS to force to HTTPS is OK?
    {{ DiscussionBoard.errors[11231035].message }}
    • Profile picture of the author MikeFriedman
      Originally Posted by Oliver Lawer View Post

      Got you. But doing a wide HTACCESS to force to HTTPS is OK?
      Yes. You need to do that.
      Signature

      For SEO news, discussions, tactics, and more.
      {{ DiscussionBoard.errors[11231744].message }}
    • Profile picture of the author Mike Anthony
      Originally Posted by Oliver Lawer View Post

      Got you. But doing a wide HTACCESS to force to HTTPS is OK?
      The bigger problem is your sites urls. I've had to bail out a few warriors here after their pages disappeared from the serps. I am sure the few other professional SEOs here have as well.

      Still now that Google has stated they either do or will use it as a ranking factor its now becoming standard and not having it will at some point be an issue for sales etc (when people notice you don't have what everyone else has it becomes an issue).

      Of course some sites have no earthly use for it before Google made their announcement but now that they have its heading to the norm you have to put up with.
      Signature

      {{ DiscussionBoard.errors[11232316].message }}
  • Profile picture of the author jaequery
    If you use Cloudflare, you have a one button click to turn on/off SSL.
    You also get 1-button click to auto-redirect all URLs from HTTP to HTTPS.
    {{ DiscussionBoard.errors[11231365].message }}
Avatar of Unregistered

Trending Topics