Should you make the switch to https from http?
Last updated: February 8, 2018
There is a lot of discussion lately on whether or not sites should switch to https. I wanted to write an article to talk about the SEO implications of switching. In some cases sites can make the switch easily with no obvious effects on their rankings and traffic. But, in other cases, the switch can cause serious issues.
My goal in this article is to discuss the potential risks that an https migration can pose to SEO, and also to help you minimize those risks should you make the switch. At the end of this article, I'll talk about the idea that Google may take a whole new, more strict look at your site in terms of quality for pages that migrate to https.
This week, Google sent out a large number of warnings that looked like this:
Starting in October of 2017, every site that collects user information via a <form> in HTML over http will have a warning appear next to the url bar when someone starts to fill out the form:
Eventually, this "Not Secure" warning will appear on all http sites, not just those that are collecting information.
Update: The day is here...Google announced that as of July, 2018, all http sites will receive this warning...not just http sites gathering form information.
Will sites that are not secure get the big full screen warning?
We have all seen those big full screen warnings when we try to visit a non-secure page that looks something like this:
From what I can tell so far, however, this type of ominous warning is not what Google is talking about in their new announcement. Rather, it is just the "Non-Secure" warning in the url bar that will happen.
But who knows if this will be the case in the future?
Is Https a ranking factor?
In August of 2014, Google announced that https is a ranking signal. This caused a spike in the number of websites that made the jump from http to https. If Google tells you something is a ranking signal, then it makes sense to make the change!
However, just a month later, Google's John Mueller said in a hangout, "I wouldn't expect any visible change when you move from http to https, just from that change, for SEO reasons. The ranking effect is very small and very subtle. It's not something where you will see a rise in rankings just for going to https."
He did say that in the future Google may make https a stronger ranking factor, but for now, making the switch to https is not something that is likely to directly help improve your rankings.
In my opinion, https is a tiny, tiny ranking signal at this time.
Why switch to https
I'm by no means a security expert and I'm not about to try and explain the security risks that go along with running a site on http. This post on the Google Developer's blog does a good job of explaining in layman's terms why https matters. I would highly suggest that you read it. If you don't want to read the whole thing, here are the points which I thought were important:
- Https helps prevent intruders from tampering with communication between users and your website. Examples include intruders injecting their own ads into your site or tricking users into installing malware.
- Https is a requirement for many new browser features such as Progressive Web Apps (PWAs).
We also don't know how users will react to the "non-secure" warning. If enough people start abandoning sites with this warning, then this could result in a drop in engaged visitors which possibly could result in a drop in rankings as well.
If you're looking for more information on the security implications of http vs https, I would highly recommend reading through posts on Troy Hunt's website.
I really do think that most sites should make the switch to https. However, there are some potential SEO risks that go along with this switch.
Potential SEO risks when switching to Https
I do a lot of traffic drop assessments for sites that are having trouble ranking as well as expected. One of the common assessments I do is for sites that have seen a drop in traffic after making the switch from http to https. Here are some of the issues that I have seen that can cause a site to perform poorly after making the switch:
Domain level canonicalization issues
When you make the switch to https, you need to make sure that all variants of your site redirect to the correct https version. I have seen some sites where perhaps the http://www version of a site redirects to the correct https page, but if you type in http:// without the www, you'll end up on a non-secure page. It is important to make sure that no matter how someone tries to access your site, they end up on the correct https version.
Failure to redirect urls properly
When you switch to https you need to make sure that each url 301 redirects to its https equivalent. I have seen sites where the home page properly redirects to the https version, but the inner pages do not. If you have links pointing to the http version of a page and you're not redirecting that page to the https version, then you may lose the benefit that comes from those links. Now, in some cases, Google may be able to figure out that the http version is a canonical of the https version and properly attribute the flow of PageRank that should go to the https page. But, as much as possible, we don't want to rely on Google to just figure things out.
If you have both your http and your https pages live, then this can result in duplicate content. If you have a small site, this may not matter too much as Google should figure out which page is best to rank and just rank that one. But, if you have a large site, then this gives Google twice the number of pages to crawl which will eat up your crawl budget and can possibly result in Google not spending as much time crawling your high quality pages.
This also can result in a dilution of the PageRank that flows to your site if you have some links pointing to the http version of a page and some to the https version.
Failure to update canonicals
The canonical tag tells search engines which page is the version that we want indexed. If your https page has a canonical tag that points to the http version, that may end up confusing search engines. Again, Google can usually figure this type of thing out, but not always.
Failure to update internal links
If you make the switch to https, you also need to update internal links so that they point to https versions. Now, if all of your internal links are relative (i.e. /page1 as opposed to https://www.domain.com/page1/) then this step can be skipped. But, if your internal links are absolute links pointing at http pages, then these have to follow redirects before they get to the final page. It is widely believed that every time a redirect has to be followed, there is a slight reduction in PageRank that flows through that link.
However, this may be a moot point as John Mueller from Google recently said that when you redirect http to https there is no loss in PageRank.
Mixed content issues
This shouldn't really result in a loss of rankings, but it still is an important issue. If you have an https page, but you're using images or scripts that are hosted on http pages, then you'll still get the "non-secure" warning. As such, when you switch to https you need to comb through every page of your site to make sure that this is not happening.
Sitemaps need to be updated
When you switch to https, make sure that you create a new sitemap as well. Again, Google can probably figure things out if you don't, but as stated before, we don't want to continually rely on Google to get things right.
Disavow file needs to be loaded to https
Google still treats the https and http versions of a site as different sites and if you're using Google Search Console, you'll need to create a new property for your https version. If you have a disavow file, you'll need to upload that to your https version. If you don't, then you're essentially re-avowing all of the links that you spent hours and hours disavowing.
Make sure your certificate doesn't expire
If your site is running on https and your security certificate expires, then, when Google tries to send visitors to your site they'll get the big full screen warning I mentioned above. This will most definitely turn people away.
Don't keep your https pages hidden
I have seen some sites that have pages that are visible on https but they still haven't fully made the switch to https. This is a not a problem unless Google finds those https pages. So, let's say that your entire site is on http, but someone links to an https page. And let's say that that https page links internally to other https pages on your site. If Google can find https pages, and, if no canonical version is specified, Google will index the https version.
In one example where I saw this, the site had pages that could resolve on https, but they didn't have an active security certificate. When Google found the https pages, they started listing those in the search results. If someone clicked on one of those results, they would end up getting a big red full screen warning that the site was not secure (because the site didn't yet have a security certificate.)
If this happens to you, where you have https pages accessible, but you still want to operate on http for now, the way to fix this is to make sure that your https pages have a canonical tag pointing to the http pages. This will tell Google that the http version is the one that you want to have indexed in search. It would also help to 301 redirect the https versions to the http version.
Or...you could just bite the bullet and get a security certificate and make the https versions the canonical!
Other Non-SEO related pitfalls to switching to https
There are some other possible concerns for sites that switch to https:
Potential reduction in Adsense revenue
If your site makes money from Adsense, you may see a drop in revenue after switching to https. In 2014, when Barry Schwartz switched Search Engine Round table to https he saw a 35% reduction in Adsense revenue.
However, according to Google, this issue has been fixed. In the past, the reduction in Adsense revenue happened because there were a large number of ads that were incompatible with https. Apparently, this is not the case anymore. Google's documentation on Adsense and SSL no longer contains the line that used to say, "please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages."
With that said, however, just recently, in August of 2017, Crunchify saw a 10% reduction in Adsense revenue after making the switch.
If you have an Adsense driven site and you have switched to https I would love for you to leave a comment and let us know whether the switch resulted in a change to your Adsense income.
It is important to note that if you switch from http to https you also need to update your Adsense code or else you'll get the mixed content issues described above.
Potential loss in social shares
It's not uncommon to see a site lose all of their social share counts when switching to https. That fantastic article that amassed tens of thousands of Facebook likes can reset to zero after an https migration. Rae Dolan, who is really good at SEO, has a great article explaining how she switched to https and then ended up losing all of her social share counts.
Facebook's documentation explains a workaround for this that involves setting the meta og:url tags to point that the old http url. However, it says that this only works if the old url returns a 200 response. If we're redirecting http pages to https pages then our "old" pages are going to return a 301, not a 200.
As such, if you switch to https, you may end up resetting all of your social shares to zero.
A switch to https can possibly cause Google to re-evaluate your site in terms of quality
This is my biggest concern in making an https migration. You won't see this written about much, but in my experience in reviewing sites that have dropped after switching from http to https, I think that there is great cause for concern for any site that has potential quality issues.
When we switch to https, Google sees this as a site move. This may possibly mean that all pages on the site get a fresh evaluation in terms of quality.
I would like to share a real life example with you that helps to explain my point. About six months ago I was approached for emergency help for a business that saw their rankings for their main keyword plummet after a switch to https. Other pages were ranking fine, but rankings for any searches containing this keyword were abysmal. After reviewing the site, it appeared that they had done everything correctly. The redirects were correct. Internal links were correct. Canonicals were correct. I couldn't find any mistakes that would cause a ranking drop.
Next, I started to review the site for quality issues. When I read the home page it was extremely keyword stuffed. My first thought was, "How on earth was this page ranking for this keyword before?"
I believe that when the switch to https happened, the home page got a new evaluation in the eyes of the keyword stuffing algorithm. I also believe that Google's quality algorithms are more strict for new pages.
We went to work rewriting this page and were able to cut the keyword use down from more than 200 times to fewer than 20. As the keyword stuffing algorithm is one that reruns each time it evaluates a page, we were hopeful for seeing quick results. We resubmitted the page to the index and within 12 hours it was once again ranking in the first position for their main keyword.
Now, it is possible that the changes we saw were coincidental. It is not uncommon for a site to see a temporary dip in rankings after switching to https. (That dip can last a few days, weeks, or even months if it is a very large site.) However, the fact that the drop seemed to affect just one page for one keyword makes me really think that this was due to Google re-evaluating the page in terms of keyword stuffing.
I believe that this happens for Panda, Penguin and other quality algorithms as well. As such, if you have a site that is potentially on the edge in terms of quality, I think that there is cause for hesitation when considering switching to https.
How would you know if you are "on the edge" in terms of quality?
If you're actively engaged in blackhat SEO methods, or if you know that you are relying on tricks and loopholes in order to rank well, then I'd consider your site to be on the edge in terms of quality. I think that it is possible that a switch to https could trigger a new fresh look at your site from a quality perspective should you switch to https. It is possible that those tricks and loopholes that you used previously no longer work as well after an https shift.
But what if you are not using https? One thing that I would suggest is to have a good look at your Google organic traffic to see if you can find obvious ups and downs that coincide with known or suspected algorithm updates.
To do this, you can go to Google Analytics and then go to Acquisition --> All Traffic --> Source/Medium. Then, click on Google/organic. See if you can find any fluctuations that correspond to the algorithm changes that I've written about in my Google algorithm update list. For example, this site had drops that coincide with core quality updates:
Even if you're seeing drops that are not as exaggerated as the ones shown above, then I think that you have cause for concern when it comes to switching to https. If Google is seeing some quality issues in your site, I believe that it is possible that those issues could be viewed from a more strict standpoint if the pages get a new evaluation because they've switched to https.
Important: It is important to note that this idea that Google re-evaluates sites or pages in terms of quality after switching to https has not been proven. It is a theory that I have based on reviewing several sites that dropped after switching to https despite the fact that they did everything correctly.
Would *I* switch my sites to https?
After saying all of this scary stuff about what could go wrong in terms of SEO when switching to https, I still do believe that most sites should take the leap and migrate from http to https.
If you're starting up a new site, start it on https right away, just like we did with our Wix SEO site.
If you have an eCommerce site, a site that collects credit card info, or a site that requires people to login, I'd make switching to https a priority as well.
Otherwise, my recommendation for most site owners is to start making a plan to switch to https at some point in the next year or two. I feel that the "non-secure" warning in the url is probably not a huge deal right now. But, it's likely going to become a bigger deal. Other than the push to become mobile friendly, we haven't seen Google be this vocal about too many things. Google is pushing strongly to get sites to switch to https and they're going to continue with this push.
I have shared with you the potential SEO pitfalls of an https migration. But, in all honesty, most sites that make the switch do just fine. Https is quickly becoming the norm and in most cases, if you have been doing a good job of keeping up with current practices, you should not see a drop in search engine traffic after switching to https.
I run a site with several thousand pages that I built myself about ten years ago. It's happily running on http right now, but I plan to make the switch to https soon. The site relies heavily on Adsense and has a large number of social shares, so I'll monitor what happens and I'll keep you updated.
Google update newsletter
Want an update when Google makes a big algorithm change or other announcement? Sign up here!