HTTPS Site Migration with SEMrush
•Download as PPTX, PDF•
4 likes•574 views
This document provides recommendations for migrating a website from HTTP to HTTPS. It recommends testing the SSL certificate, setting up Google Search Console access for HTTPS, running HTTP and HTTPS simultaneously, tracking in Google Analytics using Google Tag Manager, checking all templates and mobile versions render correctly, monitoring for mixed content exceptions, setting up a site audit in SEMRush, redirecting canonical tags and sitemaps after testing, implementing 301 redirects, enabling HTTP Strict Transport Security (HSTS), and addressing potential issues like images or embeds loaded insecurely. It emphasizes a gradual, step-by-step approach to ensure minimal risk in migrating to HTTPS.
Recommended
More Related Content
What's hot
What's hot (16)
Similar to HTTPS Site Migration with SEMrush
Similar to HTTPS Site Migration with SEMrush (20)
Recently uploaded
Recently uploaded (20)
HTTPS Site Migration with SEMrush
- 3. Forget SEO, simply put to secure your site – HTTPS is a critical step
- 4. Google knows, that without HTTPS – your data, and the content on your site … might not be what the webmaster intends. Plus … tracking benefits (less direct more attribution!)
- 5. But we aren’t here to talk about cyber security - (though Andy was hacking NASA when he was 9)* *maybe true…
- 6. Just Eat switched to HTTPS at point ‘E’
- 7. Google Recommendations • Decide the kind of certificate you need • Use 2048-bit key certificates • Use relative URLs for resources that reside on the same secure domain • Use protocol relative URLs for all other domains • Don’t block your HTTPS site from crawling using robots.txt • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag. • Use HTTP Strict Transport Security • Use SPDY (deprecated)
- 8. • Wildcard, Multi-domain? • Provided by a trusted organisation • 2048-bit key
- 9. SSL Vs TLS ? SSL was originally developed by Netscape and first came onto the scene way back in 1995 with SSL 2.0 SSL is out of date & insecure, so should be disabled.
- 10. Relative & Protocoless URLs Drop the http:// & https:// ? Start URLs with // or / • Images, (particularly in WordPress posts. ) • JavaScript libraries hosted on CDNs (like jQuery), • CSS (including images or fonts loaded in using CSS), • Form end points (the target of a form) • Embeds such as Facebook, YouTube or other
- 11. Don’t block HTTPS Don’t worry about duplicate content, Google has your back
- 12. Use HSTS http strict transport security
- 13. Use SPDY - nope, go straight to http2
- 16. A Gradual migration A step by step approach to ensure (almost) zero risk
- 17. 1. Test the Certificate – SSLlabs.com/ssltest
- 18. 2. Setup Google Search Console (GSC) access for HTTPS
- 19. 3. Dual run http & https
- 20. 4. Track in GA using GTM
- 21. 5. Fetch and Render (and repeat) All the templates, and for mobile
- 23. A CSP can stop GA from running…. CSPs can dramatically improve security, however …
- 24. Setup Site Audit – SEMRush
- 25. Ready ? Tested ? Happy ?
- 26. 6. Change the canonical tags and Sitemaps
- 27. 7. 301 redirects
- 28. 8. HSTS
- 30. Simple Example 1. Apple ….
- 33. Tracking down the elusive …
- 34. Browse your site with the console open (and buy)
- 36. • Images, (particularly in WordPress posts. ) • JavaScript libraries hosted on CDNs (like jQuery), • CSS (including images or fonts loaded in using CSS), • Form end points (the target of a form) • Embeds such as Facebook, YouTube or other • GTM That quick fire list of places that go wrong
- 37. Some final thoughts • Add the renewal of the certificate to a calendar • URL changes? maintain the old site certificate • When moving to HTTPS don’t use the change of address feature in GSC. • Migrating in sections is ok! • Wordpress plugins – Andy any recommendations ?
- 38. Find out more at takeitoffline.co.uk/https
Editor's Notes
- The best example of why HTTPS is so critical I have seen is where free wifi providers have been inserting scripts to push in adverts. HTTPS alone isn’t enough, but if as a user I feel like if they haven’t managed that part right, then would I trust them to manage the rest?
- Causation, correlation ? I think it is always worth noting that when Just Eat went to HTTPS we didn’t see any drops, we did this in the staged method we will describe. Of course we were also working on many other SEO aspects, but significantly we didn’t see a drop
- Majority of sites span multiple subdomains, If you host blogs, forums or anything similar on a separate sub domain then I would recommend you use an appropriate wildcard. In the past I would have always recommend using a subdomain to load assets, particularly if mobile speed is important Most browsers limit the amount of files they can retrieve from a single host at once, so where files can’t be combined they should be split over multiple hosts. This solution is referred to “Parallelism”, you can also ensure that a subdomain is optimised for static assets (using cookieless and a 304 status header). This changes a little with HTTP2 – which if we have time to get to, we will chat about. For the required organic boost get the best certificate you can, as a minimum I would recommend that the cert has the following criteria; provided by a trusted organisation…. 2048-bit key
- Tom…. Whys it called tls and SSL :D….
- It is critical when loading assets you use https, otherwise they will not appear in some browsers or where they do appear they will be not show the green padlock. There are a number of digital assets tend to present the most issues - Images, particularly where the image was loaded using a page editor such as in WordPress posts. JavaScript libraries hosted on CDNs (like jQuery), CSS (including images or fonts loaded in using CSS), Form end points (the target of a form) Embeds such as Facebook, YouTube or other In the past I would have recommend changing all absolute urls (where it would normally start with http) to being protocoless this means omitting the http prefix, for example ‘http://’ becomes simply ‘//’ . Today however, I would say push for HTTPS for assets rather than worrying about protocoless, After migration I would recommend that urls become exclusively “https” this is simply because I would increasingly recommend pushing towards 100% HTTPS. Further in this discussion we will take you through some tools to test this with …
- Sometimes to ensure that there is no duplicate content web managers would block the HTTPS version of the site. This is less common when it is a single site available on both http and https. If you block anything that stops Google from being able to tell you are on HTTPS, this won’t have the obvious benefit. Typically if you have canonical tags (which I always recommend), these will be pointing to the http version at this point.
- “…This mechanism tells the browser to automatically request pages using HTTPS even when the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users…” https://support.google.com/webmasters/answer/6073543?hl=en This is a change to your Content Security Policy (CSP) however this should be the very last step as it can create functional problems if something critical becomes blocked, however for the maximum organic boost, this step is required. Most sites don’t seem to have a CSP at all at the moment, but as this is a fun and interesting part – we should definitely make time to talk about it later…
- SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is not an HTTP standard but is widely supported, created by Google and can significantly improve HTTPS page speed, as this is a bit more technical, the best thing would be for you to read the details at - chromium.org/spdy/ Last year Google have deprecated support for Spdy as HTTP/2 becomes a standard. The core developers of SPDY have been involved in the development of HTTP/2. HTTP2 is cool and there are exciting things that are being done here, but this usually does require https in many browsers.
- So what is our best practice for moving to https
- Ideally moving to HTTPS gradually allows you to test along the way, avoiding any issues as you go. This approach minimises any potential for users (or search engines) to experience issues. At this point we will assume you don’t have a separate server for HTTPS, in fact we will assume you are running off one main server with a https cert installed, if this isn’t the case you will need to adapt these recommendations accordingly, (it can complicate the process). Now you have a acquired and installed a certificate the next steps are as follow;
- Test the certificate A quick test of the certificate is available online at SSLLabs.com/ssltest This free online service performs a deep analysis of the configuration of any https web server on the public Internet. This free service gives you a grading, aiming for an A is preferable, but many large companies only attain a C, it does tell you the steps required to improve. You know – before this step, test it in Chrome
- Formerly called Google Webmaster Tools (GWT), Google sees https and http as separate websites so within GSC both need to be authorised to see the complete picture. Depending on the authentication method you are using, simply adding the new site will ‘just work’. If you access has been given to you from another account, unfortunately you would need to ask them to do this.
- Running the site on both HTTP and HTTPS allows you to scan for any issues, checking internal links, giving you the opportunity to resolve any issues before pushing users and search engines to HTTPS. This is the point where you try to make URLs relative if possible.
- You can track who is on HTTP and HTTPS very easily if you are using Google Tag Manager as a built in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date. This can either be setup as a content group or a custom dimension by editing the main tracking…
- Use Googles Fetch and Render within webmasters tools to ensure there are no issues with Google crawling the content - google.com/webmasters/tools/googlebot-fetch – EVERY SINGLE TEMPLATE TYPE REPEATEDLY!! Best way to check it is all working and on mobiles
- Chrome and Mozilla support the ability to push mixed content reports out to a 3rd party reporting tool. An excellent tool was developed by Scott Helme (which at time of publish is free). Scott has written an excellent post on “how to”ScottHelme.co.uk/fixing-mixed-content-with-csp/
- When your site is fully tested and you are confident that everything is in place then push organic value to HTTPS rather than HTTP Change the canonical tags across the site to ensure they are pointing to HTTPS Change the XML Sitemap Make sure that traffic on HTTPS stays on HTTPs by crawling it with Screaming Frog This pushes the organic traffic rankings to HTTPS consolidating the link equity and allows for further testing it also gives further time to update any inbound marketing. Within Screaming Frog there is an export called “insecure content” that is invaluable to tracking down where links to http are within your site.
- Redirect all traffic using a 301 (although Google have said that a 302 will carry 100% of the ‘PageRank’ I would absolutely go with a 301 otherwise you are potentially neglecting Bing).
- To improve security, something Google recommend “enable HTTP Strict Transport Security”, this significantly improves security. This is another change to your Content Security Policy (see above) and will enforce HTTPS for all content, protecting your content from injection and cookie hijacking which is one of the main reasons for this push from Google. When you are completely confident you are going to be able to maintain HSTS a final step is to get onto the chrome preload list - https://hstspreload.appspot.com/
- Test mobile versions – logged in versions, logged out … check a different network, a different browser…
- Add the renewal of the certificate to a calendar and make sure you renew it ahead of time (it might be worth making sure there are multiple people who are responsible for this) if you are on the HSTS list and the certificate expires, you can loose all traffic. Any site migrations become more complex with additional certificates required, if a domain name change is done then it is critical that the old site certificate is maintained. When moving to HTTPS you do not need to use the change of address feature in Google Search Console. Migrating in sections is ok! As mentioned above, blogs are sometimes more challenging so migrate the main site first!
- That’s all from Tom, Andy and myself Gerry