Since Google announced in 2014 that adding an SSL certificate would give your site a minor ranking boost (a “very lightweight signal” within the overall ranking algorithm), I have had several clients ask me, “Should I purchase an SSL Certificate?” At the time I was a bit hesitant to say, since changes like these sometimes come and go like a “fad”. However, with recent findings I feel that it might not be a bad idea to make the move. Let me explain why.
Google made SSL a ranking factor in its algorithm for 2 reasons: guaranteeing the authenticity of the site you are connecting to, and securing your data transmission. Furthermore, Google has said that they “may decide to strengthen” the signal because they want to “encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.” That suggests this is not a fading trend, and recent articles that have tracked statistics are proving this to be so.
What is SSL and why should I get it?
Did you know that ANYONE (of hacker quality) who can see the network traffic can read the requests you send to, and the responses you get back from, any server over plain HTTP? That is because the internet is inherently open and insecure! The same is true of your email and website form transmissions, which is why I always recommend that my clients NEVER send sensitive information via email or forms AND never place their email address on their website (use forms instead).
Another reason you might consider switching to HTTPS is that when a secure site refers visitors to a nonsecure website (https-to-http), the referral is lost in Google Analytics and those visits appear as direct links instead. This is because referral information is missing from the page request, as explained in this post: https to https: Secure-to-Nonsecure Referrer Loss. This is not good for SEO if you aren’t able to see all the sites that are referring to yours. But if you change your site to HTTPS, then all referral information will work appropriately regardless of whether the referring site is http or https, a valuable statistic to have.
And lastly, Chrome has decided to flag WordPress login pages to clients if those pages are not secure. While this looks like you have been spammed, it really just means that you have not installed SSL on your website. You may begin to see more and more of these messages as the search engines push forward on this.
Why is SSL important for SEO?
Because Google says it is! But how important is it, you ask? Well, it has a minor impact on your overall keyword rankings, because it is 1 of 200 factors that go into these rankings. But IF you are competing with another website for a specific keyword and your rankings are the same, THEN your site will win out! AND Google apparently is going to continue to incentivize people to move to SSL, so if you don’t decide today then maybe you will tomorrow as they pursue it more. So ask yourself whether ~$50/yr plus setup fees is worth this to you or not. Is your site competing with other sites for a particular keyword that you want to outrank them on? This should help you decide.
How SSL and HTTPS work or don’t work
When you add SSL (Secure Sockets Layer) to your website correctly, your URL will change to https instead of just http AND show a lock icon next to your domain in the browser (see screenshot left). HTTPS (HyperText Transfer Protocol Secure) will then encrypt the data communications between browser and web server so ONLY your computer’s browser and the web server can see what data gets transmitted, thereby making you more secure! Additionally, HTTPS makes sure that you are connected to the correct website, therefore guaranteeing authenticity, and Google likes that.
However, if your site is NOT set up correctly with SSL, then you may see just a lock icon with/without a yield sign, a lock overlaid with a red X (in Chrome), or the screenshot to your right. This looks bad to your customers as well as Google, so it is important to get SSL set up correctly by a professional developer. See our setup list below.
How to CORRECTLY add SSL to your website:
There is a wrong way and a right way to set up SSL, and if done wrong it can cause damage to your reputation and therefore have the opposite effect. Below is our full compiled list of how to set up a site with SSL correctly, and believe me, this is an undertaking for developers ONLY.
- Set up a 2048-bit key SSL certificate from your host or registrar. (NOTE: if using the free Let’s Encrypt SSL from WP Engine, you must set it up on both domains, be sure to set the Secure All URLs option for the primary domain, enable it for both WP-Admin and WP-Login as well as Allow HTTPS and HTTP, then update the A record at the registrar.)
- In Google Search Console (GSC):
  - Create a Property Set as explained in this post to see aggregated data all in one site vs. separately.
  - Register the HTTPS version (with either www OR non-www, whichever is being hosted).
  - Use the Fetch and Render function to ensure Google can properly crawl and render your site.
- Check the analytics tracking code on your website to make sure it is using the latest tracking snippet that handles HTTPS, because older code may not.
- Update your WordPress Address (URL) and Site Address (URL) in your site’s WP-Admin Settings > General.
- Set up your website with relative URLs for both onsite links and images, or these may break upon implementation. This can be done with WP Engine’s HTML post processing or via a database search and replace. When using search and replace, make sure to use http://[siteurl] so that no outgoing links are changed. Make sure all website users know to use this link setup for future editing.
- Make sure every element of your website uses HTTPS, including widgets, JavaScript, CSS files, images and your content delivery network.
- Make sure all canonical tags point to the HTTPS version of the URL.
- Make sure to set up separate permanent (301) redirects for BOTH your domains (https://www.domain.com and https://domain.com without www) to point to https://domain.com. If using WP Engine this is already covered through Step 1 above for Securing all URLs.
- Make sure any URL redirects using http are now set up with https. Avoid “redirect hopping”, which means a redirect goes from A to B to C. Make sure it goes from A to C directly. If using WP Engine, go to User Portal > Redirect rules. If not using WP Engine, check with your host or use a plugin.
- Make sure your robots file or meta tag is not blocking the https site (sometimes developers do this to prevent search engines from indexing certain pages of a website).
- Update your sitemaps to reflect the new URLs and submit the new sitemaps to Webmaster Tools.
- Check your Webmaster Tools & Google Analytics accounts over the next few weeks to make sure everything is working correctly! Check for “redirect hopping” too!
- Your social sharing links may lose their counts due to 301 redirects. To prevent this, check out this article on How to Maintain Social Shares after a Site Migration.
- If using FeedBurner for your RSS, migrate to an HTTPS-compatible service. FeedBurner isn’t compatible with HTTPS.
- Prepare changes on any ads, emails, or affiliate campaigns to start pointing to the https URLs.
- Test in Chrome by clicking on the lock icon. If you see a “more details” link, find out what links need to be secured and fix them. Be sure to check both the www and non-www versions for https to make sure both are showing as secure.
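
The “every element uses HTTPS” and canonical-tag steps above can be checked with a script before you test in Chrome. This is an added example, not part of the original checklist: it lists every http:// subresource, form action and canonical tag in a page and deliberately ignores outgoing links. The function and constant names are illustrative, and the sample page with its example.com / example.net hosts is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes the browser fetches from (or submits a form to). <a href>
# is left out on purpose: an outgoing http:// link is navigation, not a load.
FETCHING_ATTRS = {
    "script": ["src"], "iframe": ["src"], "img": ["src", "srcset"],
    "source": ["src", "srcset"], "video": ["src", "poster"], "form": ["action"],
}
AUDITED_LINK_RELS = {"canonical", "stylesheet", "icon", "preload", "manifest"}

def _http_urls(attr, value):
    """Yield absolute http:// URLs; relative and //host URLs follow the page."""
    for part in value.split(",") if attr == "srcset" else [value]:
        url = (part.split() or [""])[0]
        if urlsplit(url).scheme == "http":
            yield url

class HttpsAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            kind = "canonical-http" if "canonical" in rels else "mixed-content"
            names = ["href"] if rels & AUDITED_LINK_RELS else []
        else:
            kind, names = "mixed-content", FETCHING_ATTRS.get(tag, [])
        for name in names:
            for url in _http_urls(name, attrs.get(name, "")):
                self.findings.append((self.getpos()[0], kind, tag, url))

def audit(html):
    parser = HttpsAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page; example.com and example.net are placeholder hosts.
SAMPLE = """<link rel="canonical" href="http://example.com/about/">
<script src="http://cdn.example.net/widget.js"></script>
<img src="/logo.png" srcset="/logo.png 1x, http://example.com/logo@2x.png 2x">
<a href="http://partner.example.net/">outgoing link, not a subresource</a>
<form action="http://example.com/contact.php"></form>"""
for finding in audit(SAMPLE):
    print(*finding)
```

Each finding gives the source line, the kind of problem, the tag and the offending URL, which is the list you need for the search and replace step.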