October 18, 2016: Do you need HTTPS?
“If you are collecting ANY sensitive information on your website (including email and password), then you need to be secure. One of the best ways to do that is to enable HTTPS, also known as SSL (secure socket layers), so that any information going to and from your server is automatically encrypted. The prevents hackers from sniffing out your visitors’ sensitive information as it passes through the internet.”
There are additional expenses – needs a dedicated IP address which rules out cheap hosting plans. Options include using a fee-based SSL provided by the hosting company, or setting up your own.
- Host with a dedicated IP address
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
Google identifies several reasons to switch to HTTPS in their website migration guide:
Data sent using HTTPS is secured via Transport Layer Security protocol (TLS), which provides three key layers of protection:
- Encryption. Encrypting the exchanged data to keep it secure from eavesdroppers. That means that while the user is browsing a website, nobody can “listen” to their conversations, track their activities across multiple pages or steal their information.
- Data integrity. Data cannot be modified or corrupted during transfer, intentionally or otherwise, without being detected.
- Authentication. Proves that your users communicate with the intended website. It protects against man-in-the-middle attacks and builds user trust, which translates into other business benefits.
Google suggests the following:
- Use SSL certificates issued by trusted Certificate Authorities in order to protect visitors from potential man-in-the middle attacks. The certificate authorities are associated with legal regulations and aim to verify the website as a trusted resource.
- Decide on which type of certificate you need: single, multi-domain or wildcard certificate.
- Use 301 redirects to point both users and search engines to the https pages.
- Use protocol relative URLs to minimize the possibilities of serving 404 pages when a user lands on a URL loaded from a development environment.
- Use a web server that supports HSTS (HTTP Strict Transport Security)
- Test your pages using Qualys SSL/TLS
These are just some of the key steps in the whole process of shifting to HTTPS and simply getting a certificate is not enough to actually provide secure communications. Namely, after choosing the right SSL provider and obtaining the certificate, there is a set of steps that need to be taken on a website in order to ensure Google will index it properly.
- Redirect your server to point to https instead of http.
- Go through your internal links to ensure all pages, images, JavaScript, CSS, etc. are using https. This part may turn out to be quite exhaustive, but it is definitely the most important one in the whole process.
- Set SSL for your CDN.
- Consider setting Google’s SPDY networking protocol to make your site faster.
Lukasz Zelezny of Zelezny.uk notes:
“Do I think HTTPS is necessary? Not really unless you are asking your website’s visitors for confidential information or taking payments through your site. However, in the future it could mean the difference between a page ranking at number 1 or number 2 in search – this makes it necessary.”
- https://support.google.com/webmasters/answer/6073543
- https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/
- https://moz.com/blog/seo-tips-https-ssl (basics, but 2014)
- https://yoast.com/dev-blog/move-website-https-ssl/ (2014)
- https://wpengine.com/support/add-ssl-site/
- https://www.sslshopper.com/how-to-order-an-ssl-certificate.html
- https://searchenginewatch.com/sew/opinion/2420452/the-other-secure-search-issue-when-to-use-https
- http://searchengineland.com/http-https-seos-guide-securing-website-246940
- https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html
- https://searchengineland.com/explainer-googles-new-ssl-https-ranking-factor-works-200492
- https://fourdots.com/blog/why-you-need-ssl-to-rank-better-in-2016-and-how-to-set-it-2169
Site test:
https://www.ssllabs.com/ssltest/index.html
https://www.youtube.com/watch?v=XVPouJPJrp0
SSL certificate costs at hosting with:
- GoDaddy SSL = $69.99/year. With Economy Linux Hosting with cPanel @ $7.99/month.
- Bluehost: A “Pro” hosting account is $23.99/month and includes a dedicated IP and SSL.