This document provides recommendations for migrating a website from HTTP to HTTPS. It recommends testing the SSL certificate, setting up Google Search Console access for HTTPS, running HTTP and HTTPS simultaneously, tracking in Google Analytics using Google Tag Manager, checking all templates and mobile versions render correctly, monitoring for mixed content exceptions, setting up a site audit in SEMRush, redirecting canonical tags and sitemaps after testing, implementing 301 redirects, enabling HTTP Strict Transport Security (HSTS), and addressing potential issues like images or embeds loaded insecurely. It emphasizes a gradual, step-by-step approach to ensure minimal risk in migrating to HTTPS.
4. Google knows that without HTTPS – your data, and the content on your site … might not be what the webmaster intends. Plus … tracking benefits (less direct, more attribution!)
5. But we aren’t here to talk about cyber security - (though Andy was hacking NASA when he was 9)*
*maybe true…
7. Google Recommendations
• Decide the kind of certificate you need
• Use 2048-bit key certificates
• Use relative URLs for resources that reside on the same secure domain
• Use protocol relative URLs for all other domains
• Don’t block your HTTPS site from crawling using robots.txt
• Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
• Use HTTP Strict Transport Security
• Use SPDY (deprecated)
9. SSL vs TLS?
SSL was originally developed by Netscape and first came onto the scene way back in 1995 with SSL 2.0.
SSL is out of date & insecure, so should be disabled.
10. Relative & Protocol-less URLs
Drop the http:// & https://?
Start URLs with // or /
• Images (particularly in WordPress posts)
• JavaScript libraries hosted on CDNs (like jQuery)
• CSS (including images or fonts loaded in using CSS)
• Form end points (the target of a form)
• Embeds such as Facebook, YouTube or other
36. That quick-fire list of places that go wrong
• Images (particularly in WordPress posts)
• JavaScript libraries hosted on CDNs (like jQuery)
• CSS (including images or fonts loaded in using CSS)
• Form end points (the target of a form)
• Embeds such as Facebook, YouTube or other
• GTM
37. Some final thoughts
• Add the renewal of the certificate to a calendar
• URL changes? Maintain the old site certificate
• When moving to HTTPS don’t use the change of address feature in GSC.
• Migrating in sections is ok!
• WordPress plugins – Andy, any recommendations?
The best example of why HTTPS is so critical I have seen is where free wifi providers have been inserting scripts to push in adverts.
HTTPS alone isn’t enough, but as a user I feel that if they haven’t managed that part right, would I trust them to manage the rest?
Causation, correlation?
I think it is always worth noting that when Just Eat went to HTTPS we didn’t see any drops; we did this in the staged method we will describe.
Of course we were also working on many other SEO aspects, but significantly we didn’t see a drop.
The majority of sites span multiple subdomains. If you host blogs, forums or anything similar on a separate subdomain, then I would recommend you use an appropriate wildcard. In the past I would always have recommended using a subdomain to load assets, particularly if mobile speed is important. Most browsers limit the number of files they can retrieve from a single host at once, so where files can’t be combined they should be split over multiple hosts.
This solution is referred to as “parallelism”; you can also ensure that a subdomain is optimised for static assets (using cookieless and a 304 status header).
This changes a little with HTTP/2, which we will chat about if we have time to get to it.
For the required organic boost, get the best certificate you can. As a minimum I would recommend that the cert meets the following criteria:
• provided by a trusted organisation…
• 2048-bit key
Tom… why’s it called TLS and SSL? :D
It is critical that you load assets over HTTPS; otherwise they will not appear in some browsers or, where they do appear, the green padlock will not be shown.
A number of digital assets tend to present the most issues:
• Images, particularly where the image was loaded using a page editor such as in WordPress posts
• JavaScript libraries hosted on CDNs (like jQuery)
• CSS (including images or fonts loaded in using CSS)
• Form end points (the target of a form)
• Embeds such as Facebook, YouTube or other
In the past I would have recommended changing all absolute URLs (those that would normally start with http) to being protocol-less. This means omitting the http prefix; for example, ‘http://’ becomes simply ‘//’. Today, however, I would say push for HTTPS for assets rather than worrying about protocol-less URLs.
After migration I would recommend that URLs become exclusively “https”. This is simply because I would increasingly recommend pushing towards 100% HTTPS.
Further in this discussion we will take you through some tools to test this with …
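One way to check a template for the asset types listed above, as an added example rather than a tool from the talk: a Python scanner that reports every image, script, stylesheet, CSS url(), form target and embed still referenced over http://, and separately notes protocol-relative references. The sample page, its example.test hostnames and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# url(...) references inside <style> blocks and style="" attributes
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

# (tag, attribute) pairs that make the browser fetch or submit to a URL,
# mapped to the asset categories from the list above.
FETCH_ATTRS = {
    ("img", "src"): "image",
    ("script", "src"): "script",
    ("form", "action"): "form",
    ("iframe", "src"): "embed",
    ("embed", "src"): "embed",
    ("object", "data"): "embed",
}


def classify(url):
    """Return 'insecure', 'protocol-relative', or None for URLs needing no change."""
    u = url.strip().lower()
    if u.startswith("http://"):
        return "insecure"            # mixed content once the page is HTTPS
    if u.startswith("//"):
        return "protocol-relative"   # works, but not an explicit https:// URL
    return None                      # https://, relative paths, data: URIs


class AssetScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []           # (line, kind, category, url)
        self._in_style = False

    def _record(self, category, url, extra_lines=0):
        kind = classify(url)
        if kind:
            line = self.getpos()[0] + extra_lines
            self.findings.append((line, kind, category, url.strip()))

    def _scan_css(self, css):
        for m in CSS_URL.finditer(css):
            # getpos() points at the start of the CSS text; add the newlines before the match
            self._record("css", m.group(1), css.count("\n", 0, m.start()))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        for (t, attr), category in FETCH_ATTRS.items():
            if t == tag and a.get(attr):
                self._record(category, a[attr])
        if tag == "img":
            for candidate in a.get("srcset", "").split(","):
                parts = candidate.split()
                if parts:
                    self._record("image", parts[0])
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            if a.get("href"):
                self._record("css", a["href"])
        if a.get("style"):
            self._scan_css(a["style"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data)


def scan(html):
    """Return findings in document order; plain <a href> links are not assets."""
    parser = AssetScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def blocking(findings):
    """Findings a browser treats as mixed content on an HTTPS page."""
    return [f for f in findings if f[1] == "insecure"]


# Constructed sample template (not from the talk)
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/jquery.min.js"></script>
<style>
@font-face { src: url('http://static.example.test/font.woff'); }
.hero { background: url(/img/hero.png); }
</style>
</head><body>
<img src="http://www.example.test/wp-content/uploads/photo.jpg">
<img src="/img/logo.png">
<form action="http://www.example.test/contact" method="post"></form>
<iframe src="https://video.example.test/embed/1"></iframe>
<a href="http://www.example.test/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, category, url in scan(SAMPLE):
        print(f"line {line}: {kind:17} {category:6} {url}")
```

Running it against each rendered template while HTTP and HTTPS are both live gives a list of references to fix before redirects are switched on.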
Sometimes, to ensure that there is no duplicate content, web managers would block the HTTPS version of the site. This is less common when it is a single site available on both HTTP and HTTPS. If you block anything that stops Google from being able to tell you are on HTTPS, this won’t have the obvious benefit. Typically, if you have canonical tags (which I always recommend), these will be pointing to the HTTP version at this point.
“…This mechanism tells the browser to automatically request pages using HTTPS even when the user enters http in the browser location bar. It also tells Google to serve secure URLs in the search results. All this minimizes the risk of serving unsecured content to your users…” https://support.google.com/webmasters/answer/6073543?hl=en
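The mechanism quoted above is delivered as the Strict-Transport-Security response header. The following added example (not from the talk) parses that header following the RFC 6797 rules and reports the problems that stop it from protecting users; the finding names and the 180-day threshold are assumptions chosen for illustration.

```python
# Assumed floor for a finished migration (180 days); not a value from the talk.
MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if browsers would reject it."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                  # values may be quoted strings
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen[name] = arg
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                          # max-age is required and must be an integer
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }


def audit_hsts(scheme, header_value):
    """Return a list of findings for one response (scheme is 'http' or 'https')."""
    if scheme == "http":
        # Browsers ignore the header on plain HTTP responses, so it protects nobody there.
        return ["ignored-over-http"] if header_value is not None else []
    if header_value is None:
        return ["missing"]
    policy = parse_hsts(header_value)
    if policy is None:
        return ["invalid"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("policy-removed")    # max-age=0 tells the browser to forget the host
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("short-max-age")     # reasonable while testing, weak once migrated
    if not policy["include_subdomains"]:
        # Only add includeSubDomains once every subdomain (blog, forum, assets) serves HTTPS.
        findings.append("no-includesubdomains")
    return findings


if __name__ == "__main__":
    # Constructed responses: (scheme, header value or None)
    for scheme, value in [("https", "max-age=300"), ("http", "max-age=31536000"),
                          ("https", "max-age=31536000; includeSubDomains")]:
        print(scheme, repr(value), audit_hsts(scheme, value))
```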
This is a change to your Content Security Policy (CSP). It should be the very last step, as it can create functional problems if something critical becomes blocked; for the maximum organic boost, however, this step is required.
Most sites don’t seem to have a CSP at all at the moment, but as this is a fun and interesting part – we should definitely make time to talk about it later…
SPDY is a protocol that incorporates TLS and attempts to reduce latency when loading pages. It is not an HTTP standard but it is widely supported, was created by Google and can significantly improve HTTPS page speed. As this is a bit more technical, the best thing would be for you to read the details at chromium.org/spdy/
Last year Google deprecated support for SPDY as HTTP/2 becomes a standard. The core developers of SPDY have been involved in the development of HTTP/2. HTTP/2 is cool and there are exciting things being done here, but it usually does require HTTPS in many browsers.
So what is our best practice for moving to HTTPS?
Ideally moving to HTTPS gradually allows you to test along the way, avoiding any issues as you go. This approach minimises any potential for users (or search engines) to experience issues.
At this point we will assume you don’t have a separate server for HTTPS; in fact, we will assume you are running off one main server with an HTTPS cert installed. If this isn’t the case you will need to adapt these recommendations accordingly (it can complicate the process).
Now that you have acquired and installed a certificate, the next steps are as follows:
Test the certificate
A quick test of the certificate is available online at SSLLabs.com/ssltest. This free online service performs a deep analysis of the configuration of any HTTPS web server on the public Internet and gives you a grading. Aiming for an A is preferable, but many large companies only attain a C; it does tell you the steps required to improve.
You know – before this step, test it in Chrome
Google Search Console (GSC) was formerly called Google Webmaster Tools (GWT). Google sees HTTPS and HTTP as separate websites, so within GSC both need to be authorised to see the complete picture.
Depending on the authentication method you are using, simply adding the new site will ‘just work’. If your access has been given to you from another account, unfortunately you would need to ask them to do this.
Running the site on both HTTP and HTTPS allows you to scan for any issues, checking internal links, giving you the opportunity to resolve any issues before pushing users and search engines to HTTPS. This is the point where you try to make URLs relative if possible.
You can track who is on HTTP and HTTPS very easily if you are using Google Tag Manager, with a built-in URL Variable. This allows you to see the proportion of traffic not on HTTPS at a later date.
This can either be set up as a content group or a custom dimension by editing the main tracking…
Use Google’s Fetch and Render within Webmaster Tools to ensure there are no issues with Google crawling the content - google.com/webmasters/tools/googlebot-fetch – EVERY SINGLE TEMPLATE TYPE REPEATEDLY!! Best way to check it is all working, including on mobiles.
Chrome and Mozilla support the ability to push mixed content reports out to a 3rd party reporting tool. An excellent tool was developed by Scott Helme (which at time of publish is free). Scott has written an excellent post on “how to”: ScottHelme.co.uk/fixing-mixed-content-with-csp/
When your site is fully tested and you are confident that everything is in place, push organic value to HTTPS rather than HTTP.
Change the canonical tags across the site to ensure they are pointing to HTTPS
Change the XML Sitemap
Make sure that traffic on HTTPS stays on HTTPS by crawling it with Screaming Frog
This pushes the organic traffic rankings to HTTPS, consolidating the link equity, and allows for further testing. It also gives further time to update any inbound marketing.
Within Screaming Frog there is an export called “insecure content” that is invaluable for tracking down where links to HTTP are within your site.
Redirect all traffic using a 301 (although Google have said that a 302 will carry 100% of the ‘PageRank’ I would absolutely go with a 301 otherwise you are potentially neglecting Bing).
To improve security, Google recommend that you “enable HTTP Strict Transport Security”; this significantly improves security.
This is another change to your Content Security Policy (see above) and will enforce HTTPS for all content, protecting your content from injection and cookie hijacking, which is one of the main reasons for this push from Google. When you are completely confident you are going to be able to maintain HSTS, a final step is to get onto the Chrome preload list - https://hstspreload.appspot.com/
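A check for the last two steps (the 301 redirect and HSTS), as an added example that is not part of the original talk. It audits a redirect chain you have already recorded and parses the Strict-Transport-Security response header; the function names and sample chains are constructed, and the preload thresholds (one-year max-age, includeSubDomains, preload) are assumed from the preload list's submission requirements.

```python
PRELOAD_MIN_AGE = 31536000  # one year in seconds; assumed preload-list minimum

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_chain(hops):
    """hops: [(url, status, headers), ...] in the order the client followed them."""
    problems = []
    for url, status, headers in hops[:-1]:
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        if status != 301:
            problems.append(f"{url} answers {status}, not 301")
        if not location.startswith("https://"):
            problems.append(f"{url} redirects to a non-HTTPS URL: {location!r}")
    url, status, headers = hops[-1]
    headers = {k.lower(): v for k, v in headers.items()}
    if not url.startswith("https://") or status != 200:
        problems.append(f"chain ends at {url} with status {status}")
    hsts = parse_hsts(headers.get("strict-transport-security", ""))
    if not hsts["max_age"]:  # missing, unparsable or max-age=0 (which clears the policy)
        problems.append("no usable Strict-Transport-Security header on the HTTPS response")
    preload_ready = (not problems and hsts["preload"] and hsts["include_subdomains"]
                     and hsts["max_age"] >= PRELOAD_MIN_AGE)
    return {"problems": problems, "hsts": hsts, "preload_ready": preload_ready}

# Constructed redirect chains for a placeholder host
GOOD = [("http://example.com/", 301, {"Location": "https://example.com/"}),
        ("https://example.com/", 200,
         {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})]
WEAK = [("http://example.com/", 302, {"Location": "https://example.com/"}),
        ("https://example.com/", 200, {"Strict-Transport-Security": "max-age=86400"})]

for name, chain in (("GOOD", GOOD), ("WEAK", WEAK)):
    print(name, audit_chain(chain))
```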
Test mobile versions – logged in versions, logged out … check a different network, a different browser…
Add the renewal of the certificate to a calendar and make sure you renew it ahead of time (it might be worth making sure there are multiple people who are responsible for this). If you are on the HSTS list and the certificate expires, you can lose all traffic.
Any site migrations become more complex with additional certificates required. If a domain name change is done then it is critical that the old site certificate is maintained.
When moving to HTTPS you do not need to use the change of address feature in Google Search Console.
Migrating in sections is ok! As mentioned above, blogs are sometimes more challenging so migrate the main site first!