In August 2014, Google created ripples in the webmaster community by stating that its algorithms would henceforth treat HTTPS as a ranking factor. Unsurprisingly, this move made numerous site owners rethink their data security practices to fit the context of the new trend and maintain their positions in the search engine results pages (SERPs).
Traffic encryption through HTTPS has since extended its reach far beyond e-commerce and online banking resources that had adopted this model much earlier in line with regulations relating to customer data protection. Zooming out of the search rankings narrative alone, this is an integral component of safe web practices nowadays.
At the dawn of the boom, adding HTTPS to a website was like diving in murky waters. It still is a brain-teaser for many. If you are at your wit’s end figuring out how to implement this technology on your site, this article will point you in the right direction. But first, let’s go over some basics of what role this mechanism plays in today’s Internet ecosystem.
The whys and wherefores of using HTTPS
HTTPS is an acronym for Hypertext Transfer Protocol Secure. It is geared toward protecting the privacy and integrity of data that is traveling back and forth between a client and a server.
Aside from the extra “S” in the name, it differs from regular HTTP in that it uses the Transport Layer Security (TLS) cryptographic protocol to set up and maintain a connection between a web browser and a server. In plain words, all user data in transit is encrypted, so third parties who may intercept it cannot read or alter it.
On a side note, TLS is a successor to the Secure Sockets Layer (SSL) technology that was developed in the 1990s and is now retired. Despite this, some webmasters continue to use the now-obsolete term when referring to HTTPS.
Now that you know what HTTPS does and how it makes a difference, let’s highlight the advantages you get from taking the leap.
- Data intactness. When a visitor is interacting with your site by entering their account username and password, providing credit card details, or filling out a contact form, the TLS protocol prevents this information from being sent to the server in plaintext. The fact that the data is encrypted makes it useless to snoops who may pull off a man-in-the-middle (MITM) or other attack to intercept such traffic.
- Regulatory compliance. The use of HTTPS is an important element of compliance with laws and regulations relating to privacy on the Internet. For example, the EU’s General Data Protection Regulation (GDPR) requires that sites collecting or processing user information have effective leak-prevention mechanisms in place. Although it doesn’t specifically mention TLS, it implies data encryption, which is exactly what this protocol does.
- A sign of trust. When you visit a site that uses HTTPS, your web browser will display a padlock symbol next to its URL. Clicking it will trigger an info banner that says your connection is secure. For HTTP sites, there is a red strikethrough over the padlock sign, and it warns you of an insecure connection. This can discourage people from staying on such a resource.
- Better visibility on search engines. As previously mentioned, HTTPS is part of Google’s website ranking logic. Furthermore, the search giant prioritizes the indexing of such pages. To be a successful webmaster, make sure you take this step if you haven’t already.
Switching to HTTPS: the easy and free way
To keep your site competitive and tamper-proof, migrating to HTTPS is a must. If you are ready to implement the big change, the following steps will shed light on the process and show that it is not rocket science at all.
Step 1. Back up your site
Adding HTTPS to a website is a tried-and-tested workflow, but you never know when things may get out of hand. To err on the side of caution, back it up before you start. This will allow you to easily revert to a smoothly functioning version in the worst-case scenario.
Step 2. Get yourself a TLS certificate
If you can’t afford to purchase a TLS certificate, there is a decent alternative. You can get it from Let’s Encrypt, a nonprofit Certificate Authority (CA) trusted by millions of site owners. To get your free Let’s Encrypt certificate, you will need to prove your domain ownership using software based on the Automated Certificate Management Environment (ACME) protocol. Visit their site to learn the ins and outs of this process.
Step 3. Install the certificate
If your hosting provider supports Let’s Encrypt, you can take a major shortcut. They can request and install a free certificate on your behalf. In some cases, you don’t even have to submit any support tickets. Simply going to your web host account settings and clicking a button to install a certificate on your site will do the trick.
If the stars don’t align and your hosting provider doesn’t offer Let’s Encrypt support (which is a rare thing these days), then the ACME client called Certbot is your best bet as long as you have shell access on your server. All you need to do is specify the type of your web server and the operating system it is running on the Certbot website, and it will give you the lowdown on how to implement the certificate. Keep in mind that you should be comfortable with the command line if you take this route.
Step 4. Tidy up your URLs
Having installed a TLS certificate on the backend, you aren’t done yet. There is quite a bit of link vetting and editing on your to-do list. For a start, head to the settings page in your CMS admin dashboard and check if the site address has changed. If it hasn’t, update it by replacing the http:// prefix with https:// and save the changes.
When you visit your just-migrated site using the https:// prefix and click the padlock sign, the web browser may say that the connection is private, but someone on the network might modify the page’s look. This is a “mixed content” warning that means your site contains materials such as images and other media that are still loaded over http://. To address this issue, you may have to go the extra mile and update all image links manually.
Another important step is to implement a 301 redirect so that search engines re-crawl your site and index its pages properly. This is also a prerequisite for avoiding duplicate content, which can lead to a search engine penalty.
If you are using WordPress, consider installing a plugin called Really Simple SSL. It is a one-stop tool to facilitate the migration by changing all your internal links from http:// to https:// automatically. It will also update your site’s URL in WP settings and add a 301 redirect for you.
By the way, this is an incredibly effective approach to tackle the common issue where browsers may flag your WordPress HTTPS site as not secure, even though the switch appears to be completed successfully.
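To find the leftover http:// references behind a mixed-content warning, you can scan a page's HTML for subresources that are still fetched insecurely. The script below is an added example, not part of the original article; the tag list is a working selection rather than a complete one, and the sample page and example.com URLs are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is navigation, not mixed content, so it is deliberately absent.
ACTIVE = [("script", "src"), ("iframe", "src"), ("link", "href")]
PASSIVE = [("img", "src"), ("img", "srcset"), ("source", "srcset"),
           ("audio", "src"), ("video", "src"), ("video", "poster")]
KINDS = {**dict.fromkeys(ACTIVE, "active"), **dict.fromkeys(PASSIVE, "passive")}


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each subresource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # Only rel="stylesheet" links load content; rel="canonical" is metadata.
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        for name, value in attrs.items():
            kind = KINDS.get((tag, name))
            if kind is None:
                continue
            # srcset holds several comma-separated "url descriptor" entries.
            for part in (value.split(",") if name == "srcset" else [value]):
                url = (part.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((kind, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; example.com is a placeholder domain.
SAMPLE = """
<link rel="canonical" href="http://example.com/post">
<link rel="stylesheet" href="http://example.com/theme.css">
<script src="https://example.com/app.js"></script>
<img src="http://example.com/logo.png" srcset="//cdn.example.com/a.png 1x, http://example.com/b.png 2x">
<a href="http://example.com/old-page">old link</a>
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Findings marked "active" (scripts, stylesheets, frames) deserve attention first, because browsers typically block them outright rather than just downgrading the padlock.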
Step 5. Check if everything went well
At this point, you should verify a few important things. First off, enter your old URL (in the http:// format) in a web browser and check whether it redirects to the new https:// address. Also, click the padlock symbol and make sure the notification says your connection to the site is private and doesn’t mention any caveats.
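The redirect check in this step can also be scripted, which helps when you want to test many old URLs rather than one. This is an added example, not part of the original article: `probe` and `grade` are hypothetical helper names, the sample answers are constructed, and the grading assumes the 301 redirect from Step 4 should keep the same host and path.

```python
import http.client
from urllib.parse import urlsplit


def probe(url):
    """Fetch url over plain HTTP without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()


def grade(url, status, location):
    """Return a list of problems with the answer to an http:// request."""
    old, new = urlsplit(url), urlsplit(location)
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected a permanent 301")
    if new.scheme != "https":
        problems.append(f"Location {location!r} is not an https:// URL")
    elif new.hostname != old.hostname:
        problems.append(f"redirect changes host to {new.hostname}")
    elif (new.path or "/") != (old.path or "/"):
        problems.append(f"path {old.path or '/'} is not preserved")
    return problems


# Constructed (status, Location) answers for http://example.com/blog/post,
# standing in for what probe() would return from a live server.
SAMPLES = {
    "correct": (301, "https://example.com/blog/post"),
    "temporary": (302, "https://example.com/blog/post"),
    "no redirect": (200, ""),
    "homepage only": (301, "https://example.com/"),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(name, grade("http://example.com/blog/post", status, location) or "OK")
```

Against a live site, pass the result of `probe(url)` into `grade(url, status, location)` for each old http:// address you want to verify.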
Step 6. Put the finishing touches on the migration
Audit the list of your incoming links and update them where possible. At the very least, change links in your social media profiles and on other resources you control. Furthermore, be sure to update the default URL in Google Analytics and add the HTTPS version to your webmaster tools by creating a new property. Refreshing your sitemap is a good idea, too. You are now good to go.
Securing your site and its traffic – what else to consider?
As important as it is, HTTPS alone isn’t the silver bullet that fends off all forms of exploitation that undermine online privacy. There are plenty of other loopholes malicious actors can harness to gain unauthorized access and quietly steal sensitive data or even take over your entire website.
Poor authentication hygiene and vulnerable third-party components can turn your site into easy prey. Therefore, keeping your theme, plugins, and CMS version up to date is part of the data integrity equation as well. Also, make sure your admin credentials are strong enough to render brute-force attacks futile.