A study conducted in 2018 showed that in that year hackers stole more than half a billion personal records. That was up more than 127% from the year before. Internet users are justifiably concerned about protecting their privacy and their data online. One way for users to determine the safety of a website is the presence, or absence, of the green padlock that appears in the browser address bar.
It is HTTPS that provides this important signal of security for internet users. Consequently, HTTPS now makes it more likely that users will choose to visit a particular website. As we will see below, Google has also declared that it would like to see “HTTPS everywhere” and uses HTTPS as a ranking signal.
Here we’ll explain exactly what HTTPS is and the benefits of the protocol for both end users and website owners. We’ll explain why you should consider migrating from HTTP to HTTPS. Also included are a simple approach to switching from HTTP to HTTPS for WordPress websites and things to watch out for when making the move.
What is HTTPS?
In order to understand why HTTPS is secure, it’s important to establish a little more about the protocol. HTTP stands for HyperText Transfer Protocol. This is the underlying protocol for the World Wide Web. HTTP defines communication between clients (typically web browsers) and web servers. Browsers send HTTP requests to a web server. The web server then processes the request. The server in turn returns an HTTP response to the browser.
HTTPS, which stands for HyperText Transfer Protocol Secure, is the secure version of HTTP. Data is still sent and received using the same protocol as HTTP. The difference is that with HTTPS the data sent and received is encrypted.
This is where SSL certificates come into play. A website is issued its own SSL certificate. This identifies it as being uniquely that website. This SSL certificate is a data file that binds a cryptographic key to a particular organisation’s details. When this certificate is installed on the server, the HTTPS protocol is activated.
As we outline below, most websites should at a minimum evaluate the benefits of making the switch to HTTPS. For websites that handle personal information such as financial, health and ecommerce websites, making the move to HTTPS is essential. Security for these types of websites is too important to have data flowing unencrypted.
Why HTTPS is secure
HTTPS provides three key protective benefits for both the user and the website owner.
HTTPS ensures that data which is transmitted between the user and the website remains confidential. For example, a user might be providing personal health or financial information to a website over Wi-Fi. If a bad actor is controlling the Wi-Fi access point, then they could potentially intercept and steal that confidential information. With HTTPS in place the data will be encrypted as it moves between the user and the website.
HTTPS protects the integrity of data which is relayed between the website and the user. This is important because without HTTPS in place it would be possible to alter the way the website appears to the end user. This would allow a malicious actor to add malware, ads or whatever else they want to the website that is displayed in the user’s browser.
HTTPS also verifies that the website the user is being directed to is authentic. Without HTTPS in place it is possible to redirect the user to a fake website, rather than the actual intended destination.
Are HTTPS sites safe on public Wi-Fi?
One common question people have about HTTPS is whether HTTPS sites are safe on public Wi-Fi. The short answer is, for the most part, yes. The data between the device and the HTTPS website is encrypted. This should prevent packet sniffing by people who are on the same public Wi-Fi network.
The longer answer is that it is still potentially possible for a determined hacker to gain access to personal data. One approach would be to intercept the user’s access to the HTTPS website, downgrade it to HTTP and hope they don’t notice. But, unlike with HTTP, it is not straightforward to gain access to personal data on websites that are secured with HTTPS.
Switching from HTTP to HTTPS for SEO
One of the big questions about the protocol is whether switching from HTTP to HTTPS for SEO is worthwhile. Google has publicly announced that HTTPS is used as a ranking signal in the search algorithm. At the Google I/O conference the search engine giant declared that it wanted to see “HTTPS everywhere” on the internet. In essence, Google would like to see HTTPS become the default choice for websites. In 2014 Google stated that:
“over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”
In July 2018, version 68 of Google’s Chrome browser began labelling websites that didn’t use HTTPS as “Not Secure”. While in a technical sense this doesn’t necessarily mean that the website is treated differently, it does make it less likely that a user will navigate to the website. In one study it was shown that 28.9% of internet users check for the green address bar on websites that they are planning on visiting. It also reinforces the idea that Google wants to encourage all websites to move to HTTPS.
The statements from Google have been borne out by research. In a study of over one million websites it was found that HTTPS did correlate with higher search engine rankings. HTTPS is included in almost every list of search engine ranking factors including MOZ.
Loading speed is another way in which making the switch to HTTPS can improve your SEO. Google has officially announced that page loading speed is a ranking factor. HTTPS doesn’t just encrypt data to and from the website, it also helps to improve load speed. You can test the difference between an HTTPS and an HTTP website here: https://www.httpvshttps.com/. When we conducted the test, HTTPS was 69% faster to load than HTTP.
Load speed isn’t just important for ranking higher. Websites that have a page load speed of two seconds or less have a bounce rate of only 9%. If that number is increased to a load speed of five seconds or longer then the bounce rate increases to 38%. Simply put, if you want to maximise the number of visitors that stay on your website, then every second of page load speed counts.
Overall, moving from HTTP to HTTPS is unlikely to be a game changer for your SEO. There are other aspects of both off-page and on-page SEO which will have a greater impact on your website’s ability to rank well. However, in 2020 HTTPS is increasingly considered a bare minimum. If your competition has already made the decision to switch to HTTPS, then your website will be at a clear disadvantage.
Reasons not to switch to HTTPS
There are two main reasons why website owners are typically reluctant to make the switch to HTTPS.
Generally speaking, there is a cost involved in making the switch from HTTP to HTTPS. Primarily this is the cost of purchasing the SSL certificate, but it can also include the cost of having a developer move the website to HTTPS. The Let’s Encrypt initiative does provide a free means to obtain an SSL certificate. The downside of this approach is that the certificate needs to be renewed every six months. Many hosting companies also now provide SSL certificates free of charge. If you purchase an SSL certificate, the cost can vary significantly.
Webmasters are often concerned that shifting from HTTP to HTTPS could potentially cause a loss in search engine rankings. Making the move from HTTP to HTTPS does need to be handled carefully in order to avoid any potential issues. This is why webmasters will often use a developer to implement the change. In the past, the potential disruption and the limited potential upside meant that many webmasters viewed the change as not being worthwhile. Now that HTTP websites are being labelled as “Not Secure”, this calculation has changed. The potential downsides of not shifting to HTTPS will often outweigh any potential problems caused by making the shift.
Concerns over HTTPS migration are valid
The concerns that HTTPS may be incorrectly implemented are unfortunately valid. In a study by AHREFS which looked at more than ten thousand websites, it was found that only 10% had perfectly set up their HTTPS/SSL. The most common cause of problems was incorrectly setting up 301 redirects.
It is also important to offer a caveat about the SEO benefits of HTTPS. It is possible that after moving to HTTPS your website will see a temporary drop in search engine rankings. The reason for this is that the Google search algorithm will treat HTTP and HTTPS as different websites. Even if a 301 redirect has been set up correctly, not all of the link juice will move to the new HTTPS site. It can therefore seem counterproductive to make the move to HTTPS. However, it should be kept in mind that the long term SEO benefits of HTTPS will almost certainly make up for short term losses from the move.
Switching from HTTP to HTTPS on WordPress
If your website is built using WordPress then the shift from HTTP to HTTPS is relatively straightforward. Before you can begin you will need to purchase an SSL certificate. As previously mentioned many hosting companies will provide you with an SSL certificate for free. Once the SSL certificate is enabled for your domain name you will be able to begin moving your WordPress website from HTTP to HTTPS.
Switching to HTTPS using a WordPress plugin
The easiest way to make the switch is to use the Really Simple SSL plugin. While this is a premium plugin, it is likely to be a cost effective option compared to using a developer to do the implementation.
Once the plugin is installed and activated you need to visit the SSL settings page. The Really Simple SSL plugin will be able to automatically detect the SSL certificate. Once the certificate has been detected, the plugin will set up the website so that it uses HTTPS. One useful aspect of this plugin is that it will set up the redirects from HTTP to HTTPS.
HTTPS migration checklist
To help ensure that your HTTPS migration goes smoothly use the following checklist:
- Obtain and enable an SSL Certificate
- Set up redirects from your old HTTP pages to HTTPS pages
- Update images, scripts and downloads to point towards the HTTPS locations
- Ensure internal links are updated to the new HTTPS pages
- Use an SSL certificate checker to ensure everything has been set up correctly
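The redirect, mixed-content and internal-link items of the checklist can be checked mechanically. The following is an added example, not part of the original article: it scans a page's HTML for leftover http:// references and judges a redirect response that has already been observed. The sample HTML, the example.com hosts and the assumption that the migration keeps every path unchanged are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("link", "href"), ("source", "src")}

class MigrationAudit(HTMLParser):
    """Collects leftover http:// references from a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.mixed_content = []  # checklist: images, scripts, downloads
        self.stale_links = []    # checklist: internal links

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Resolve relative URLs against the HTTPS page before judging them.
            url = urlsplit(urljoin(self.page_url, value or ""))
            if url.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.mixed_content.append(url.geturl())
            elif (tag, name) == ("a", "href") and url.hostname == self.host:
                self.stale_links.append(url.geturl())

def audit_page(page_url, html):
    parser = MigrationAudit(page_url)
    parser.feed(html)
    return parser.mixed_content, parser.stale_links

def check_redirect(http_url, status, location):
    """Judge the first response to an http:// request (status and Location
    header as already observed). Assumes paths are unchanged by the move."""
    expected = "https://" + http_url[len("http://"):]
    if status != 301:
        return "not a permanent (301) redirect"
    if location != expected:
        return "target is not the same URL over HTTPS"
    return "ok"

# Constructed sample page, as if served from https://example.com/blog/
SAMPLE_HTML = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://example.com/js/app.js"></script>
<img src="http://cdn.example.net/logo.png">
<a href="http://example.com/contact">Contact</a>
<a href="http://other.example.org/">Partner</a>
"""
print(audit_page("https://example.com/blog/", SAMPLE_HTML))
```

External links that still use http:// are deliberately ignored, since only your own pages and the resources they load are within the scope of the migration.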
Internet users can help protect their data online, in particular when using public Wi-Fi, by accessing only HTTPS websites. This is something that internet users are becoming increasingly aware of. With browsers now making it easy for users to identify which websites are secured with SSL, HTTPS websites are capturing an ever larger portion of internet traffic.
On top of this, Google is clearly favouring websites that have made the shift to HTTPS. Migrating to HTTPS is not without its challenges, and the improper implementation of HTTPS can cause serious issues for websites. However, on balance the overall benefits of HTTPS will usually outweigh these potential problems. Furthermore, they can be mitigated through careful planning and by using a professional service to assist with the migration.