HTTPS Migration – What You Need To Know & How We Did It

TLDR: If you want to migrate your site to HTTPS, you will find this checklist useful.   From an SEO point of view, you may get a boost to your site’s organic performance, you may not, but it won’t do any harm to make the switch either.   You should also migrate if you want to make the web a better, safer place to be.

After a discussion with Dave, our head of web performance and thoughts about should we or shouldn’t we migrate to HTTPS, Dave did some research and we decided to use ourselves as a test case.

Whilst the notion of migrating a website to HTTPS is not a recent development in terms of technical SEO and potential organic performance benefits (Google stated this as a ranking factor back in 2014) it still hasn’t seen widespread adoption across the web.

Recently at SMX Advanced, Gary Illyes of Google stated that 34% of the Google index is now HTTPS and that webmasters should consider migrating to HTTPS sooner, rather than later.

Looking at the top 20 traffic sites in the UK, the trend is gathering pace with 13 of the 20 running on HTTPS, but if you carry out a few generic searches it’s clear that a number of big name sites are yet to make the switch.  Whilst any serious e-commerce site’s payment gateways always run on HTTPS along with user accounts where sensitive data is stored, sites such as Tesco, ASOS, BBC, eBay, Daily Mail and Guardian are yet to fully migrate.

Obviously migrating on such a large scale is a big job that can’t be taken lightly, but, is it worth heeding the Gary Illye’s advice?  We carried out our own site migration in March to find out.

What is HTTPS?

I will try and keep this brief and untechnical.

When you make a connection to a website via HTTP in order to view a page, your device sends a request to a server, which (more often than not) responds by sending your device the data, such as HTML files and images, required to view the page.

This is normally un-encrypted data meaning in theory anyone (e.g. a hacker) could jump in on your connection and view the data being transmitted.

For a site such as Return On Digital, where the data would just be a blog post or similar, that’s not really an issue in terms of sensitive data.

However, when you are submitting information such as personal data or payment details, you don’t want anyone to be able view this, which is why HTTPS is used instead.

When you access a page via HTTPS the data sent from and to the server is encrypted before being sent (and decrypted when received).

You know you are using a secure connection when your browser displays a padlock icon next to the address:

6-padlock-basecamp

7-padlock-basecamp

HTTPS connections are technically slower than HTTP connections, because there is extra “effort” required between client and server which can slow the connection down and increase the load on the server.

Hence, historically, websites only implemented encrypted connections when required, e.g. on payment pages and “My Account” areas of a site where you needed to log in and amend personal details.

Should I Switch To HTTPS?

From an SEO point of view, Google have said there may be a small ranking benefit in doing so.  However, do note, there are many more important factors at play, so this should really be a “nice to have” element in knowing your site is on the way to an optimised utopia.

That’s really the only reason, and whilst some anti-Google-minded webmasters suggest they shouldn’t be able to dictate how a site is configured, their overall motives in encouraging a secure web can’t really be questioned.  As we become increasingly connected via social media and apps using public connections, there is more sensitive data knocking around, so most sites I think owe it to their users to be secure by default.

From a Click Through Rate point of view, users may be more inclined to click on your site from the search results if they know it’s secure.

 8-secure-result

Further down the line, with the development of HTTP/2 and a faster web, you really should be considering this switch now.  HTTP/2 is a whole other blog post, and which fortunately Smashing Magazine have written, so if you want to know more, check out their blog post.

What Are The Risks of Migrating To HTTPS?

Whilst the domain remains the same, this is essentially a site migration.   And if a site migration goes wrong, you can adversely affect your site’s search visibility, which is why we have put together the checklist below.

As with most site migrations, the URLs need a “301 redirect” from each old HTTP URL to its new HTTPS equivalent, and when it comes to SEO, link equity to a page can be lost/reduced when the linked to page then redirects to another.  So my main concern was that any potential SEO ranking boost would be countered by the implementation of 301 redirects.

However, John Mueller of Google confirmed this was not the case in this Google+ update, where he stated “for 301 or 302 redirects from HTTP to HTTPS no PageRank is lost.”.

Once I’d read that, I felt there was no reason not to make the switch, so we did.

Pre-HTTPS Metrics

Before migration, we took a note of some key metrics to assess how the migration went at a later date.  From Google Search Console we took the following on March 28th (the day of the migration) based on the last 28 days:

  • Search Impressions: 95,145
  • Clicks: 1,851
  • Click Through Rate: 1.95%
  • Average Position: 38.5

From analytics, we measured average site download speed over the previous 30 days:

  • All traffic sources: 5.12 seconds
  • Organic Traffic: 4.67 seconds

Whilst using the Google Mobile Page Speed insights tool, we were able to measure:

  • Mobile Speed: 66/100
  • Desktop Speed: 81/100

And finally, from a keyword ranking position, from a fresh browser (i.e. cleared cached with no browsing history”, we ranked at #5 on google.co.uk for the term “digital marketing agency” which is the most competitive of the phrases our home page ranks for.

We then followed the steps below.

HTTPS Migration Checklist

Pre Migration

  1. Buy and install certificate. You’ll get nowhere if you don’t follow this step.   A number of options are available depending on what level of security you require, whilst your web host will be able to carry out the installation work.
  2. Check HTTPS version works and renders correctly. Once installed, you should be able to view both HTTP and HTTPS versions of your site.  So at this stage, check it works and you are able to view your site on the HTTPS connection with no issues (whilst the CSS styling and formatting may not work, so long as you can see your content and not the warning screen below, you should be ok to carry on)

1-https-error

Pre / Post Migration

The following steps should ideally be carried out before you make the switch, but, you can also carry them post migration if you’re quick:

  1. Ensure all links to site elements such as images and Javascript & CSS files point to HTTPS – any page which links to both HTTP and HTTPS elements will be deemed insecure and a warning generated

    2-css-links

  2. Ensure all your site’s internal links point to HTTPS – check for any absolute URLs that need amending in the site content and templates – we would recommend using Screaming Frog to do this. Once a crawl is complete, you can order your URLs alphabetically so that any HTTP links are listed before HTTPS.   Then use the “inlinks” tab to identify where any rogue HTTP links reside.

    5-sfrog
    How you go about amending all your internal links really depends on the configuration of your site.  In our case, we just need to amend the variable that sets the primary URL in the config file for our main site and blog template files, and for the blog content looked for a plugin that would do a find and replace within our content.For WordPress sites, you can use a plugin such as “Search & Replace” to find all links to HTTP://yourdomain and amend these to HTTPS://yourdomain – you may choose to wait till your make the switch before you do this, which is fine, but if you can find an automated way of amending as many internal links of possible, then do so (but only after backups have been made, obviously).

  3. Ensure all canonical tags point to HTTPS

    9-canonical-https

  4. Generate an XML sitemap for your site where all URLs are listed as HTTPS

    10-https-sitemap

  5. Update all site functionality, such as an internal site search, to ensure HTTPS URLs are generated
  6. Check no issues with 3rd party tools and social share functionality and any other plugins the site uses
  7. Advise relevant parties of the upcoming changes. If you have an internal (or external) party who manages your Adwords campaigns or paid social ads, let them know this change is coming, so they can prepare accordingly.

 

At Migration

Just the one step here:

  1. Implement the redirect from HTTP to HTTPS

Once you are confident your HTTPS is fully configured, it’s time to make the switch.   If your site runs on Apache and uses .htaccess, the following code will cover this switch for you:

RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:~
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* HTTPS://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule .* HTTPS://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you are using IIS, this resource may be of use, whilst Nginx users may want to look here.

Post Migration

Presuming your server didn’t fall over and you can now view your site on HTTPS, whilst an attempt to view any page on HTTP redirects to its HTTPS equivalent, then you should follow the next steps to complete the migration.

  1. Update your Google Analytics settings. Assuming you use it of course, other tracking tools are available (if you use one, you should probably double check if such a setting exists).  If you do, within your Property and View settings, update the default URL to HTTPS.

    3-ga

  2. Set the HTTPS site up on Google Search Console and Bing Webmaster Tools. Once validated submit the HTTPS XML sitemap, upload (where applicable) the disavow from your HTTP property, and when possible update any URL parameters you wish to block (or had blocked on the HTTP property)

    4-gsc

    PRO Tip #1:
    Whilst you need to set these up as two separate properties within GSC, in some instances, the sites are considered to be the same property.  That being, if you try to remove a URL, directory or entire site from the HTTP property, it will also be removed from the HTTPS property.Your HTTPS migration will sort itself out in time, and the HTTP site will naturally fall away from the index.  Don’t assume that requesting the removal of the HTTP site from Google’s index will speed this process up, it won’t (we didn’t do this on this occasion, but found this out the hard way, many moons ago).

    PRO Tip #2: You can create a version of the sitemap that contains the “old” HTTP URLs and submit this, allowing the old URLs to get crawled and for search engines to pick up on the new URLs.

  3. Update your robots.txt. Where applicable, for example, the link the sitemap (belt and braces etc.)

    11-https-robots

  4. Re-crawl site and check for internal HTTP links. Run Screaming Frog again and weed out any HTTP internal links.
  5. Amend Paid links. Presuming you warned your paid teams of this change, they should be ready to put their new ads live.
  6. Update site links on user managed sites e.g. social profiles
  7. Update 3rd party redirects. If you use a 3rd party payment gateway, data capture tool or similar with a call back page, amend the link.
  8. Update email signatures. And pretty much anyway else you can think of where a link you manage still points to HTTP

Analyse data, and fix where required. If you follow the steps above successfully, that should be that in terms of covering the fundamentals.   You should still keep an eagle eye on your site’s performance to ensure you haven’t missed anything.   The main places to start are:

  1. Google analytics – check real time tracking to check people are currently on your site and browsing from page to page.   Check on a daily basis to make sure there are no sudden drops in traffic.
  2. Google Search Console – observe the index levels and search analytics of both the HTTP and HTTPS site as the former drops, and latter rises.  This won’t happen overnight, but you will see this happen in due course.

After The Dust Has Settled

Initially, as expected, we saw fluctuations in organic rankings in period following the migration where Google picked up the new HTTPS URLs, re-indexed the site and dropped the old HTTP URLs from the index.   Most “digital marketing” related phrases dropped/rose 2-4 places over a few weeks.

We also initially saw some spikes in site download speed which we expected due to this new configuration:

chart

Though ultimately, we did not see a drop in traffic or organic performance.   From reviewing the metrics taken prior to migration we see, at time of writing based on the last 28 days:

  • Search Impressions: 116,771 (+21,626)
  • Clicks: 2,097 (+246)
  • Click Through Rate: 1.8% (-0.15%)
  • Average Position: 35.1 (+3.4)
  • All traffic sources: 4.13 seconds (+0.99)
  • Organic Traffic: 4.33 seconds (+0.34)
  • Mobile Speed: 64/100 (-2)
  • Desktop Speed: 81/100 (0)

From those numbers, the HTTPS migration in isolation could claim to have been a success in terms of organic performance whilst site speed has not been impacted.   Of course, with our ongoing content marketing and coverage, it is not possible to say what impact the HTTPS migration may have had organic performance.   The only disappointing metric there is the slight drop in Click Through Rate, which could suggest that when it comes to sites where privacy is not an issue, users are not necessarily inclined to click on a result just because it is HTTPS.

Regards ranking, we currently rank #2 for “digital marketing agency” and can be pretty certain the rise of 3 places is not directly attributable to the migration, but you never know, it may have helped.

Conclusion

Other than lack of resource and expertise to carry out the switch, there is no reason not to migrate your site to HTTPS.

You may see some negligible benefit in doing so, but if done correctly, you should not see any adverse effect on performance.

Depending on your niche, you may see an increase in Click Through Rate, but no matter what you do, you will be able to sleep well safe in the knowledge that, technically at least, your website is likely to be ahead of the game, which always feels good.

About Guy Levine

Guy Levine is the CEO and Founder of Return On Digital, an Agency based in Manchester and London who focus on helping Brands who operate in competitive and disruptive markets acquire new customers, increase order values and reactivate and retain customers.

  • Great migration checklist. Might be of help to you and others, we have a desktop website crawler and an online service that will collect https mixed content issues: https://httpschecker.net/how-it-works

  • Muhammad Kamran

    Great content on HTTPs migration. I guess there is type in this where you mentioned “Ensure all canonical tags point to HTTP”. It should be HTTPS instead of HTTP.

  • Great post, but a lot to be consider while migration