This is the second article in our three-part series about how to do a site-wide update without demolishing your search ranking. We’ve previously discussed how to excel when launching a comprehensive redesign; in this post, we’d like to tell you how to successfully migrate your site to HTTPS.
HTTPS is a secure version of the standard HTTP protocol. It was initially made popular to protect sensitive information during online banking, shopping, and logging into websites. Over the past several years, it has spread to websites of all kinds. And why not? There are lots of reasons to enable HTTPS on your website: it’s a known ranking factor, it improves visitor security, and it’s relatively easy to do. But there are always potential risks to search rankings any time you make a major change to a website, and HTTPS is no exception. We want to help you do this right.
This is the second of a series of three articles that will explain how we managed to preserve our rankings in the wake of a site overhaul:
- Part 1: Rebuild Your Site Without Demolishing Your Search Ranking
- Part 2: Your HTTPS Upgrade Could Put Your Search Rank in Danger
- Part 3: Losing Your Social Sharing Counts Could Cost You
Prior Preparation Prevents Poor Performance, Persistently
Remember this section from the last post? Noticing a theme yet? That’s not an accident. The degree to which a site migration will be successful is largely determined by the amount of preparation that goes into it.
Serving insecure content within a secure environment can make everything insecure.
Start your migration to HTTPS by searching through your existing site for insecure content. You might find it in images on the page, embedded videos, and even in the source code, stylesheets, or web fonts. These items are often linked with an “http://” protocol. For example, an image might be at
http://www.yourwebsite.com/puppy.jpg. The easiest way to update insecure addresses like these is to change the
http:// part to a simple
//. That way, when you make the switch to site-wide HTTPS, those items will automatically load correctly.
This is extremely important. Serving insecure content within the secure environment of HTTPS has the potential to make everything insecure. Some browsers ensure security is maintained by simply refusing to load insecure content. The images, scripts, and fonts on your site might not load if they aren't updated, which would make your site look broken.
After you’ve manually addressed insecure on-page content, you can run an automated test to make sure there’s nothing you’ve missed. PowerMapper has a paid product called SortSite that can help you with this, but the ten-page free demo version should allow you to catch many basic issues that might be present across multiple pages.
Sorting Out HTTPS Certificate Choices
Enabling HTTPS on your website requires that you get an HTTPS certificate. Because HTTPS is used for all kinds of websites — from restaurants to banks — there are lots of choices and different grades of security available, and this can be really confusing.
There are three major types of certificate available: Domain Validated (which you'll see marketed on some sites as “DV”), Organization Validated (OV), and Extended Validation (EV). Those are listed in order of trustworthiness, but don't go out and buy a super-trustworthy EV certificate just yet…
- DV certificates are perfect for most companies. Typically, they’re $10–30 per year from a reputable provider, called a “certificate authority”, and require little to no paperwork.
- OV certificates are a step up and, as the name suggests, require some paperwork. The provider will verify the existence and reputability of the company requesting the certificate — that’s you — to assure visitors that any information they submit to the website is actually going to the company associated with that website. These kinds of certificates tend to be a little pricier, from about $50–$200, but they can be worth it if you’re collecting a significant amount of user information.
- EV certificates are only really needed for companies that process financial transactions.
Most hosting providers will help you pick the right certificate for your website and set it up for you.
HubSpot users will have an easier time getting a certificate because they don't need to pick from all of these options or manually install the certificate. It is, however, rolling out in a limited capacity. Instructions for getting secure can be found in HubSpot’s knowledgebase.
Testing HTTPS On Your Site
If you’ve fixed all the existing insecure content on your website, and your hosting provider has installed your certificate, it can be very tempting to route all visitors through the secure version of your site. But wait. In an ideal situation, using the secure site will have no noticeable differences. But in a worst-case scenario, something critical might not load correctly over HTTPS and it could have devastating implications to a page, or your entire site. So it’s best that you explore everything yourself first.
Try browsing your website through HTTPS. Visit every page, and make note of things that aren’t working quite right. Pay particular attention to dynamic elements like parallax scrolling, sticky menus, responsive elements, and tools like onpage calculators. Test in multiple browsers — Chrome, Safari, Firefox, on your smartphone — because errors might be handled in different ways.
As you get ready to make HTTPS the default for your entire site, make sure to update your menus and sitewide links to point to the new addresses.
Making the Switch to Secure
When you’re ready to make the site HTTPS-only, put in a call to your hosting provider or support team to make the switch. If you’d like to do this on your own, make sure you put in place a sitewide redirect from HTTP to HTTPS. A simple htaccess rule will suffice.
Next, tell Google Search Console that you’re now on HTTPS by adding your new HTTPS domain and setting it as the preferred domain. Generate a new XML sitemap on your website and submit it to Search Console to trigger a re-crawl.
Making the transition to HTTPS is a big decision. Your visitors will appreciate your dedication towards security, and Google will reward you. But these steps require time and dedication, and you’re probably a very busy marketer who might not have that kind of time. Luckily, there’s KAYAK. Get started with one of our maintenance plans and we’ll work with you to fix, optimize, and dig into your best options to improve your online marketing strategy.