If you’re keeping an eye on news from the web development or marketing world, you’ve probably heard that Google is prioritizing websites using https in a big way.
For one, if a site has any forms on it at all (search, contact, you name it), Google’s Chrome web browser will soon be putting warnings in the address bar every time a site has a form without a security certificate set up to protect the info users might put in it. For another, whether or not you’ve got https in place is a factor when Google decides where to show your site in search rankings.
This is a big deal, with far reaching consequences, and we’ve been eating, sleeping, and breathing https migrations of late to make sure our clients are eased through this change without disruption.
Sometimes people don’t come to us until after they’ve already migrated. And sometimes, whomever conducted their migration missed a few things. Or a lot of things.
The thing is, an https migration is just that — a migration.
While it’s not as involved as relaunching your site with a new design, it nevertheless touches every aspect of the site. If you don’t go into this migration process armed with the necessary foreknowledge needed to make sure everything that could possibly be affected is carefully handled.
Oh, The Things We’ve Seen
Perhaps you’re wondering how a process that’s supposed to boost your site’s rankings could possibly send them plummeting instead.
Let’s start with what it looks like from the web development side of things. Here is the kind of things we’ve seen, sometimes all on the same site:
- No sitemap URL given to Google Search Console, or the one in the account redirects or produces an error
- Crawling the site reveals numerous 404s and 301s
- Not all internal links have been updated to use https
- The SSL certificate doesn’t cover off all domain variants
- The non-www version of the web address doesn’t redirect to the www version (or vice versa, if the site’s canonical URL isn’t www)
- The http versions of the URL don’t redirect to https
- There is no sitemap address in the robots.txt file, or the sitemap address hasn’t been updated to use the https version
- The site files haven’t been updated to link to secure versions of resources (such as a Google Fonts link, a stylesheet link, or a jQuery link)
- Pages or posts have insecure content inside them (such as a YouTube embed using the http version of the video address)
Not good.
But what does that actually mean, from an SEO perspective?
To start with, a good number of the scary things we have seen make it harder for Google to figure out what do with your website, and how to interpret it.
For example, if you don’t have a readily accessible sitemap, Google has to figure out for itself where that might be, and what the most important pages of your website are. So unless you give Google a sitemap, there’s ample room for important pages to get missed entirely. And a page needs to be indexed to rank. Ignoring your sitemap is a big risk, and such a small thing to correct.
The same applies if you haven’t set up your site to bump visitors over to a consistent domain (such as https://www.yoursite.com) no matter what. For this one, it’s worthwhile to remember that computers are incredibly literal-minded. A search engine will treat the following as distinct pages:
http://yoursite.com
https://yoursite.com
http://www.yoursite.com
https://www.yoursite.com
You need to help search engines figure out which one it actually needs to pay attention to, so it can stop splitting its focus. This is also why you need to be consistent about how you write your internal links, and make sure your redirects are directing to the right place!
Similarly, your sitemap must accurately represent your website. Tell Google Search Console (GSC) where your sitemap is located — this also helps Google crawl your site! And, when you submit your sitemap for crawling, it’s important that you update your GSC account if the location changes. Your robots.txt, which is the file that tells search engines what on the site they’re allowed to look at, should also have a line for your sitemap. This needs to be current and accurate too.
As far as 404s and 301s go, 404s are an obvious problem. Search engines can’t index what they can’t find, so if you have a page that resolves in a 404 when it shouldn’t be, you’re missing out. What’s worse, 404s are a signal that your site is lacking quality content, and Google is actively watching for quality when figuring out rankings.
301s are a bit more insidious — they’re generally fine right up until one leads to the next and the next before the user is given a page address that actually loads (this is commonly called a ‘daisy chain’). The more times a user gets redirected before a page load, the more you water down any authority the page may have.
How about that SSL certificate? If you’re going to redirect visitors to one version of the URL anyway, why does it matter if a bunch of versions people are never going to see don’t have a security certificate?
Simple. If someone types the https version of one of those other URLs in their browser, or clicks on a link that directs to it, they’re NOT going to get redirected like they’re supposed to. Instead, that visitor’s browser is going to detect that the SSL certificate doesn’t cover that address, and it will stop everything to display a scary-looking error instead. So now you’ve got a visitor looking at a page with a security alert, instead of the website you’ve spent so much time polishing.
Search engine spiders don’t like seeing that any more than humans do.
Finally, there can be links trying to load insecure content into your website. This prevents the page from fully securing, and is why you’ll sometimes see a page with an https address, but without that reassuring green lock in the address bar. The error happens when your content comes from source that doesn’t use https itself, and can be anything from a Javascript library the site relies on, to a video embed inside a page from a service like YouTube or Vimeo. The end result is a page that’s not as secure as it should be, and search engines will treat it accordingly.
That’s a lot to keep in mind! But, working to avoid these kinds of problems is how you’ll avoid that worse case scenario: a big drop your search rankings and site traffic.
Prevention and Troubleshooting
Now that we’ve covered what a bad migration looks like, let’s talk about what you can do to prevent this whole situation from hurting your company.
Or, if you already suspect you’ve got a bad https migration on your hands, what can you check your site against to figure out what you can improve?
As with so many things, there’s no real trick to this aside from having a plan and being methodical about it. We use a checklist to keep the whole process as systematic and manageable as possible, whether we’re starting a fresh migration or fixing up one that’s already gone live.
We have put together an overview of what we look for in a solid https migration. If you’ve already committed to https but aren’t getting the results you expected, comparing this to your own site can help you figure out where you have room for improvement.
Are you in panic mode already? You know something went wrong, and you just plain want it fixed. Or you’re looking at a long list of items to address, and you’re overwhelmed at the thought of it all. Not everyone has the time or resources to make these kinds of fixes in house, and that’s okay too!
If this is your situation, get in touch — we will get you back on track, and set you up with strategies for the future too.
Before Migration
This part is the most intensive, and hands down the most important. Before you commit to that SSL certificate, addressing these items will make sure your site is in great shape.
- Consider a staging site. If you don’t use a managed hosting service like WP Engine (and even if you do), this should be the first thing you put into place. Why? Because any time you’re making a significant change on a site, things can go wrong. A staging site gives you room to try out your changes in a safe environment before you commit to them live. It’s half due diligence and half peace of mind.
- Make a backup. Whether you’re using a staging site or not, do not be tempted to forgo this step. It’s not possible to take too many backups — you never know when you’ll need to roll back a change in a hurry. You should have a current copy of all your key site files (for example, the whole wp-content directory if you’re using WordPress), and a full export of your database. You can do this manually, use a backup service, or use your hosting service’s backup feature; just make sure you know how to do a restore with your chosen method! We love the plugin WP Migrate DB for database backups, and it’s got another great feature we’ll use later on in this process too.
- Crawl those links. You’ll need to take a good look at your site’s internal links with a program like Screaming Frog. This will tell you whether you’ve got broken links (404s) that need fixing. It will also show you links that redirect (301s), such as links to internal pages using a version of your URL that they shouldn’t be (for example, if your canonical address is http://www.example.com, check for links using http://example.com instead). Fix everything you can now, before you commit to that SSL certificate.
- Take the Before picture. Use Google Analytics and Google Search Console to generate your organic traffic reports. If you’re not already using these tools, now is a great time to start! In Google Analytics, export a copy of your organic traffic landing pages. In Google Search Console, do the same thing, but for the keywords people are using to find your site. Set the reports to cover your most recent three months.
- Check your site files for absolute (hard-coded) links. As soon as you update your site to https, these are going to turn into unnecessary redirects to be a problem, so make sure you know what to watch for and fix as much as you can now. If you’re linking to resources like Google Fonts or jQuery, make sure the URLs use the https form now. If you’re linking to pages on your own site, make a list of what needs to be changed to https at launch, or if you’re using a CMS like WordPress, consider rewriting those links to include a function like home_url() so your site will automatically fill in the correct version.
- Check your pages and posts for content from external resources. This information will be in the crawl you did earlier. If the links don’t use https in the address, update that now. This might be a form you’ve embedded from a third-party service, a YouTube iframe embed, or an image file that’s hosted on another website. If the service doesn’t use https, find an alternative service that does.
- Check your redirects. If your site has any 301 redirects set up, this is the time to prepare them for the change. Depending on your website, they may have been set up directly in your .htaccess file, or with a plugin like Redirection. If the redirects are in your .htaccess, prepare a copy updating your 301s to use https addresses for the destination. If it’s in a plugin like Redirection, confirm you’re not using absolute URLs for your redirects if you don’t have to, or prepare the updates as directed by the plugin’s documentation so it’s ready to go as soon as you need it.
- Check your canonical URLs. These show up in a <meta> tag in your site’s header. If you’re using a CMS like WordPress, check if these will update automatically when you change to https, or ensure you know how to update these if it doesn’t. If you’re not using a CMS, prepare a copy of your site files that will use https.
- Check your robots.txt. Make sure it’s not disallowing anything important, and prepare a copy linking to your sitemap with an https address.
- Check your sitemap. Depending on your setup, you’ll either have to prepare a copy that uses https yourself, or you’ll be using a plugin like Yoast that auto-generates the sitemap for you. Make sure you know which category you fall into and prepare accordingly!
- Check your Google Search Console settings and verify your https domains. You should have a Google Search Console property set up for every version of your site’s domain (both www and non-www, plus now http and https). If you can, make sure they’re all verified now, and that the settings from the http versions are also set up on the https versions.This will help with tracking once you’ve completed your migration.
During Migration
You’ve made it through the preparation stage, and you’re ready to order that SSL certificate — excellent!
- Take a FULL backup of your site. This means a copy of your database plus all your site files (such as the entire wp-content directory, for a WordPress site). The idea is to capture all your pages, media files, themes, plugins, settings, and anything else unique to your site. Don’t be tempted to skip this step, and take as many as you need throughout the process!
- Request and install your SSL certificate. What this involves will vary based on your hosting situation (for example, whether you’re using a managed hosting service like WP Engine, basic hosting with a cPanel install, or any one of a number of other hosting options). Whatever your situation, follow the directions in their documentation, and don’t be shy about contacting their support. You’ll need a certificate (or certificates) that covers all applicable variants of your site’s url. In many cases, certificates from the free service Let’s Encrypt will do the trick, but it’s worth your while to shop around and make sure your specific needs are covered off by whatever certificate authority you choose.
- Apply your site changes live. Remember those updates you made to your site files? Now is the time to apply any updates you made to your theme files, robots.txt and any other files to your live site. This is also the time to update and verify your 301 redirects.
- Set up your https redirect. This is what will make sure visitors to your site are given the https version of your site no matter what. It can be done with some rules written into your .htaccess file, but if you’re using a managed hosting service, or if you have a security plugin like iThemes Security installed, they may have settings to help you put this in place without touching the .htaccess file directly. Again, when in doubt, contact your hosting service’s support for help.
- Test those https redirects. Try out all the versions of your URL (non-www, www, with https, without https, with a / at the end, without a / at the end) and make sure they’re all directing to the same canonical version of the URL. For example, on Kick Point, the canonical would be https://www.kickpoint.ca — no matter what version of that address a person arrives from, they should see that one in their address bar.
- Rewrite your internal URLs. You’ll need to make sure none of the internal links on your site are using anything other than https:// in the URL. This ensures consistency when people browse your site, and prevents unnecessary 301 redirects along the way. If you’re using WordPress, this is where WP Migrate DB really shines. It includes a find and replace function you can use to search your entire database for the non-secure version of your URL and replace it with the secure one. Whatever you use, make sure you backup your database first!
- Crawl, crawl, crawl. Just updated your theme file to get rid of non-https links? Crawl the site. Added in redirects? Crawl. Rewrote links in your pages and posts to use https internal links? You guessed it, crawl. Just like with backups, when in doubt, crawl those links. This will tell you right away if you have any links that aren’t updated, or if you’ve suddenly got a 404 error, or if you’ve introduced a 301 you didn’t mean to. By the time you’re done, none of the internal links on your site should be using http:// in the address.
- Check the status of your SSL certificate. This is as simple as plugging your site’s address into a service like SSL Test. You’re looking for the test to come back Trusted, and ideally with an A rating.
- Annotate your migration in Google Analytics. Google Analytics has a handy little feature that lets you make note of key events right on the report graphs. We use it any time we make a change to a site, like routine maintenance, or — you guessed it — migrating to https. If you get in the annotation habit, you’ll have one more tool at your disposal if you notice any strange changes to your site visits.
After Migration
You’re done the hard part, but there are a few things left to take care of.
- Make sure all of your pages show that little green lock icon next to the address bar. Remember how we checked for content from external resources in the pre-launch? This is because pulling any external content (like images, or video embeds, or stylesheets, or fonts) that aren’t secure into a secure site causes a conflict. In order to make sure your site is fully secure, you’ll need to hunt down every last one of these and fix them. Fortunately, there are services out there, such as SSL Check, that will crawl a website and find the problem spots for you.
- Make one more crawl. Verify there are no more insecure internal links, and you don’t have any fun new 301s or 404s.
- Update Google Search Console. Make sure the https versions of your URL are verified, their settings match the http versions, and the robots.txt is showing correctly. Submit your sitemap.
- Update Google Tag Manager. If you’re using tags or triggers, you might have some set up with full URLs instead of a Google Tag Manager label. Make sure to update all of those to https, or better still, change them over to a label like {{Click URL}} instead.
- Update your ads, affiliates, and any third-party extensions you’re using. These will all need to point to your shiny new https address going forward.
- Monitor your site traffic. You’ll want to watch for big traffic drops. Google Analytics’ custom alerts can help you stay on top of any traffic changes, or you can set up a rank drop alert in a platform like STAT. Keep an eye on these over the next several weeks.
- Monitor the crawl status of your https URL. Keep an eye on its indexation status, visibility, and watch for any errors that crop up on both the http and https site versions. Like with your rankings, you’ll need to check back on this one regularly.
Other Things to Consider
Great, you’ve migrated! But, what about all the places you’re linking to your website? Take this time to check any other resources you have that direct to your site, and decide whether you need to update the web address on them as well.
Depending on your situation, this could include:
- Social media links
- Web ads, such as AdWords, Facebook Ads, LinkedIn ads, or any other ad networks you may have submitted to
- Non-network web ads
- Other third-party traffic like linkbacks
- Print materials, such as brochures, business cards, or anywhere else you may be printing out the full site address
Websites are a Work in Progress
Whether you’re preparing for https, or have already migrated over, these guidelines will help keep your site on track. But, they represent just one part of the larger picture.
Committing to https is important. For many sites, https is about to be non-negotiable. The thing is, while https will help you out, it’s no substitute for a strong content strategy, or solid link building. It won’t help your user experience either.
Just as missing out on one of these steps in an https migration can make the difference between improved rankings and a rankings drop, adding https can fill in a blank spot in the canvas of your overall web strategy.
At the same time, it’s only one piece of the whole. If you’ve committed to https, why not also take the opportunity to step back and see if there are other spots you could improve on by visiting Our Process page?