People rarely take SEO recommendations seriously, especially when there are no direct repercussions of not following them on the horizon.
So, when in 2014 Google confirmed HTTPS as a ranking signal – that is, recommended that all websites should migrate to HTTPS for the sake of their users’ security – few website owners took it as a direct instruction.
According to research conducted by Stone Temple Marketing in 2014 which analyzed the security of 200,000 websites, only a tiny minority of 0.3% switched to HTTPS at that time.
For several years after that, the speed of HTTPS adoption was slow, and yet Google kept sending out the message about the need for a more secure web. So, on September 7th 2016 Google made another announcement: beginning in January 2017, they are going to mark all the non-secure websites visited via Chrome browser.
What that meant was that a warning would be displayed on HTTP websites in the following cases:
- If the page had password or credit card input fields;
- If there was an entry field of any kind on the page;
- If the page was visited in Incognito mode.
Keeping its promise, Google implemented this feature in a form of a grey warning message in the Chrome address field. Once the user navigated to a website, they were warned that this website was not secure.
The final step that Google will take is to mark those messages red. This way, the warning is way more noticeable, and sends a clear signal to the user: leave or you risk exposing your personal data.
I’m sure I don’t need to spell out what effect this has on a site’s reputation and bounce rate.
But Google didn’t stop there. For almost a year now, they have been testing a way to mark non-secure websites right on the SERP. This feature was implemented in several locations in the US, and had the effect of a huge red flag on the website’s search snippet.
At this moment, users only see that a website is non-secure when they visit it. But when the new SERP warnings are implemented worldwide, website owners are going to face unmissable CTR drops.
My advice is to take action right now and migrate to HTTPS as soon as possible, before your CTR hits rock bottom. Especially because most websites are already doing it.
First of all, HTTPS benefits user trust. When adapting to modern security requirements, you demonstrate that you are trustworthy, and you work on your reputation. Your users feel safer visiting your website, which works in your favor.
Second is the obvious pro of security and privacy. When your site is secure, there is less chances that your users will lose their data.
The third thing is what concerns the webmasters all around the world — a small ranking boost. There are many opinions on how HTTPS influences rankings, which I will examine in detail later in this post.
And last, but not least is the ability to see referral traffic in Google Analytics. If your website runs on HTTP, all your referral traffic will be seen as direct.
According to a ranking factors study conducted by SEMrush in 2017, 65% of websites ranking for high-volume keywords are already secure. So, with two thirds of websites having migrated to HTTPS, it is very hard to compete for high-volume keywords without it.
In less competitive niches the situation is slightly different: only around half of websites are secure. But if in a high-volume niche it is an obvious necessity, it is a competitive advantage if you rank for keywords with lower volume.
The trend is clear. According to Google itself, more and more websites are migrating to HTTPS each year to protect their users’ data.
Over 75% of Chrome traffic on both Chrome OS and Mac OS is now protected, up from 60% on Mac and 67% on Chrome OS a year ago.
The percentage of sites which adopt HTTPS differs slightly from country to country, averaging somewhere in the region of 70%. In SEMrush Sensor, a tool for tracking daily changes in Google rankings, you can see the average HTTPS adoption rate for websites from the top 10 and top 20 results served.
The overall usage of HTTPS among the top 100,000 websites has increased tremendously since 2014. From 7.6% in 2014 it grew to 31.5% in 2017, making the trend as clear as ever: the secure web is the future.
The speed with which websites are migrating to HTTPS also differs by industries. Among Fortune 500 companies, the Business Services and Finance sectors appear to be the vanguard of the HTTPS migration movement.
The rest of the sectors, in which over 50% of websites are already secure, include Technology, Telecommunication, Transportation and Wholesalers. So, if your website belongs to any of those sectors and you don’t yet have an HTTPS version, you might want to think about catching up.
Although many websites have switched to HTTPS, some still haven’t, and there are numerous reasons behind it. One of them is that migration is a complicated process with a lot of details, and we all know that devil usually hides in there.
As you may have noticed, I mention a lot of SEMrush studies. This is because we trust data, not speculations, and in an industry as full of rumors as search marketing, real data is precious. So, having a great amount of data at our disposal, we regularly conduct research studies that help us better understand the tendencies in today’s search market and perfect our tools.
One of our studies included the most common mistakes of the HTTPS migration. We analyzed 100,000 websites, 45% of which supported HTTPS, and saw the following statistics:
- 9% of the non-secure web pages contained a password input field. Even if those websites already had an HTTPS version, there were still some HTTP pages that collected private information. Pay attention: any page that collects passwords should be encrypted!
- 50% of all pages had issues with mixed content. That means, some elements on the site were not secured by HTTPS (including images, links, iframes, scripts, etc.) As a result, some content on the page can be blocked by the browser, and users will see a warning message.
- 6% had an incorrect domain name in the SSL certificate. Such mistake will result in browsers blocking users from visiting your website by showing them a name mismatch error.
- 2% of websites had an expired SSL certificate. When users try to visit a website with the expired security certificate, they see one of the most annoying warnings in the history of warnings: a red page with a warning sign and a message, which to me reads as “LEAVE ASAP”. Users rarely go any further than that.
- 6% of pages used an old security protocol version. Running an old TSL protocol (version 1.0) is a security risk, so always implement the newest protocol versions.
- 50% of internal links on the analyzed websites lead from HTTPS to HTTP. If any link on the website points to the old HTTP version of the site, search engines can become confused as to which version of the page they should rank.
- 86% of websites had no HSTS (HTTP Strict Transport Security) support
- 8% had no redirects or canonicals to HTTPS URLs
- 5% contained HTTP URLs in the HTTPS sitemap
- And 0.56% had no SNI (Server Name Indication) support.
Detecting those issues is a task for a comprehensive site audit tool.
A secure website version could mean the world to the users, but the true webmaster carrot is the potential ranking boost. Since HTTPS was officially acknowledged as a ranking signal in 2014, there have been a lot of discussions about the strength of this signal and its contribution to the higher rankings.
Search experts agree on the effect HTTPS has on the rankings of the website. As a sole measure of website optimization it won’t make your traffic skyrocket and blow up your servers. Usually, HTTPS migration is just a part of an ongoing SEO optimization, that influences other factors that impact rankings: page load speed, fixing technical issues, on-page optimization etc.
For this reason, it is often hard to distinguish the exact effect HTTPS has on the rankings, though the overall tendency is positive.
But more to the point, not having an HTTPS version is an issue. With an increasing speed of HTTPS adoption and the forthcoming Google updates, the owners of non-secure websites risk a massive decline in click-through rate.
The secure web is here to stay. It will soon become extremely complicated to compete with secure websites in case you don’t have an HTTPS version. So, to prepare your site for migration and to fix the issues that inevitably arise during this process, you might need a tool to assist you.
The functionality of the tools available on the market differs, but their main feature is the ability to detect the issues of migration and help you timely solve them.
HTTPS migration is definitely a change that you will want to make in order to stay competitive on the market. Whatever your niche is, there is a clear trend towards switching to HTTPS. With Google planning to mark all HTTP sites as non-secure, having a secure version is no longer an advantage but a necessity.
Gearing up with the proper set of tools will help you avoid the most common migration issues and prevent your users from seeing those annoying non-security warnings. After all, your main asset is not the rankings, but your users’ trust. Rankings usually follow.