In mid-January we finished migrating all of Detailed Image to HTTPS. We’ve now got the shiny “Secure” badge in Chrome on every single one of our pages:
This project should have been simple, but it sure wasn’t, in large part due to the fractured nature of various organizations on the web and within Google. While the technical implementation is relatively straightforward, the business decision to do so can be downright scary.
A Little Background
When we launched our shopping cart in 2007 (and did major revisions in 2009 and 2013), the consensus was that secure pages were slower and therefore should only be used when necessary, like when collecting sensitive information. For us, that meant primarily our registration and checkout process, but also things like our contact form.
Over the past few years the movement to migrate the entire web to HTTPS had gained tremendous steam, led by the Electronic Frontier Foundation and Google starting in 2014. In addition to HTTPS as a ranking signal, Google really dialed up the pressure a few months ago when Chrome 62 started showing “Not secure” messages when entering data on an HTTP page or when loading an HTTPS page in an Incognito window. Here’s what DI looked like when someone tried to search:
That, my friends, is not a great user experience.
The Huge Problem for Established Sites
Of course, if you’re a new site there’s no decision to make. You buy an SSL certificate and force all of your URLs to be HTTPS from day one.
Officially, Google still treats an HTTPS page migration like any other migration:
“If you migrate your site from HTTP to HTTPS, Google treats this as a site move with a URL change. This can temporarily affect some of your traffic numbers.”
In my mind, moving from http://www.detailedimage.com to https://www.detailedimage.com should be treated entirely differently than migrating it to say http://www.adammcfarlanddetailing.com. I suspect on the back end that’s not the case, but they haven’t publicly said so. Therefore, you have to proceed with caution.
As of this past summer, Dr. Pete from Moz still had this to say:
“Am I telling you to make the switch? No. While I think there are good reasons to move to HTTPS for some sites and I think most of Google’s motives are sincere on this subject, I also believe Google has been irresponsible about downplaying the risks.
“Any major change to sitewide URLs is risky, especially for large sites. If you weigh the time, money, and risk of the switch against what is still a small algorithmic boost, I think it’s a tough sell in many cases. These risks are not theoretical — back in May, Wired.com wrote up the many problems they’ve encountered during their HTTPS switch, a switch that they’ve since paused to reconsider.
“Like any major, sitewide change, you have to consider the broader business case, costs, and benefits. I suspect that pressure from Google will increase, especially as adoption increases, and that we’re within a year of a tipping point where half of page-1 results will be running on HTTPS. Be aware of how the adoption rate is moving in your own industry and be alert, because I suspect we could see another HTTPS algorithm update in the next 6–12 months.”
The pressure did increase from Google with that Chrome update. I also informally checked the top 100 US e-commerce companies and only a handful were still loading their homepage on HTTP. In addition, I checked the 10 sites out of Moz’s top 20 that were serving HTTP back in April of last year. Now? The only two holdouts are the food sites (Allrecipes and the Food Network). The other 8 sites have since migrated, making it 18 of the top 20. The tide has turned in less than a year. If you’re not HTTPS, you’re in the minority.
My Problem with Google
As Dr. Pete alluded to, I don’t think there’s an appreciation from Google or anyone else pushing these migrations for just how large of a business impact this can have. If we lose a substantial amount of Google search traffic over any serious length of time, we could lose a substantial amount of sales. Not just a little bit. On the magnitude of costing people jobs. And why exactly – so that someone can view a blog post or product page with no form or personally identifiable information over HTTPS? Is that really worth the risk? There doesn’t even seem to be a discussion about weighing a minute security gain vs a huge business risk for established businesses like us.
HTTPS everywhere is a great idea. I’m 100% for it. If you were starting the web again today, you’d never even allow HTTP connections. But given where we’re at today, if Google really wants to make it happen they should take away the risk. It wouldn’t take a whole lot to make that happen.
My Proposed Solution
From Google’s standpoint, I guess if everyone is migrating anyway, why change anything? Well, for one they could get everyone there faster.
If I worked for the search team at Google, I’d push for the following:
- Combine Search Console profiles into one. Having separate profiles for HTTP and HTTPS versions of a site is redundant, confusing, unnecessary, antiquated, etc etc.
- Build a migration tool. Provide people with a checklist of the basics (essentially the “HTTP->HTTPS migration FAQs” from their help page). Have us confirm that we’ve done those basics, and then tell Google the official date of the migration (either in advance or the day you’re doing it).
- Assuming that we do everything properly, and page content doesn’t change, guarantee that placement in the search results won’t change because of the migration, and that we may even receive a bonus for the HTTPS signal.
That’s it. Any reasonable site owner who is holding out would have no reason not to move if that was the case.
Why We Migrated Now
Originally my plan was to wait for Google to release a tool similar to that. I just couldn’t justify the business risk. I thought that type of tool was inevitable. A few things changed my mind:
- The Chrome 62 release mentioned above. What if the next version of Chrome acted like the Incognito window? What if there was a red X? That could cripple us. Update 2/13/18 – all of two days after I published this post, Google announced that starting in July they’ll be marking all HTTP pages as “Not Secure” by default.
- What if Google does decide to increase the HTTPS ranking signal? What if they start to use color (green/red) to differentiate HTTPS from HTTP in search results? This too could cripple us.
- The time of year. Our slowest months are January and February. It’s by far the best time of year to do this. Wait another year and any of the above could become a problem and force our hand during our busy season.
- That percentage of sites that have made the migration in the past 6 months. That both comforted me and helped me realize that maybe Google won’t release a tool if everyone is getting there anyway.
Essentially, I felt backed into a corner. I did my research (a LOT of research), crossed my fingers, and dove in. I didn’t really see any other good choice.
How It Went for Us
Everything went perfectly smoothly. Well, with the caveat that I did all of that research and had an 8-page list of things to do/check afterward which took me about 10 hours to work through (the paid version of the Screaming Frog SEO Spider probably saved me another 10 hours of work). We did a test section – our Detailing Guide – a few weeks before migrating the rest of the site just in case something went wrong.
The actual day of the migration was Saturday 1/13. Here’s a graph of our HTTPS search traffic steadily increasing in Search Console:
And the accompanying drop off in HTTP search traffic:
Most importantly, our total organic search traffic in Analytics was flat:
Every day more pages displayed as HTTPS in the search results until finally all of our pages were HTTPS in their index. This was erratic for a while. Results would change daily, or even by location when I tested with a VPN. Here’s an example of what you’ll see with a search result for “Detailed Image” now:
Our cart platform had HTTPS capability built in (obviously) because we served so many pages over HTTPS already, so it was just a matter of utilizing that functionality for all pages. Our cart now checks to see if you’re requesting the HTTP version of a page, and if so, 301 redirects you over to the exact same URL but starting with HTTPS. We do have two WordPress blogs, and those were a little less straightforward, but technically it was not a challenge. Just a lot of work.
In talking with others who have been a part of these migrations recently, they all echoed a similar story. Which is why I suspect that Google does in fact “know” when you’re migrating to HTTPS. If you do it correctly – 301 redirect pages from their HTTP counterpart, update sitemaps, etc etc – I surmise that there’s very little risk. Given how many companies have migrated, they’ve probably gotten very good at making it a smooth process.
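One way to check the "301 to the exact same URL, but HTTPS" rule across a crawl export, as an added example (not the author's cart code or checklist). The example.com URLs and the (URL, status, Location) tuple format are constructed for illustration:

```python
from urllib.parse import urljoin, urlsplit


def _normalize(url):
    """Reduce a URL to the parts that must survive the migration unchanged."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/", p.query)


def check_redirect(requested, status, location):
    """Return the problems found for one crawled HTTP URL (empty list = OK)."""
    problems = []
    if status != 301:
        # 302/307 are temporary; a 200 means the page is still served over HTTP.
        problems.append(f"status {status}, expected 301")
    if not location:
        problems.append("no Location header")
        return problems
    want = _normalize(requested)
    # Resolve relative Location values against the requested URL first.
    got = _normalize(urljoin(requested, location))
    if got[0] != "https":
        problems.append("target is not HTTPS")
    if got[1] != want[1]:
        problems.append("host changed")
    if got[2:] != want[2:]:
        problems.append("path or query changed")
    return problems


def audit(crawl):
    """Map each failing URL to its list of problems."""
    report = {}
    for requested, status, location in crawl:
        problems = check_redirect(requested, status, location)
        if problems:
            report[requested] = problems
    return report


# Constructed sample: first response seen for each HTTP URL.
CRAWL = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("http://www.example.com/guide?page=2", 301, "https://www.example.com/guide?page=2"),
    ("http://www.example.com/contact", 302, "https://www.example.com/contact"),
    ("http://www.example.com/products/wax", 301, "https://www.example.com/"),
    ("http://www.example.com/blog/", 200, None),
    ("http://www.example.com/cart", 301, "http://www.example.com/cart/"),
]

if __name__ == "__main__":
    for url, problems in audit(CRAWL).items():
        print(url, "->", "; ".join(problems))
```
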
Official Google Resources
- Secure your site with HTTPS
- What is a site move?
- Overview: Site moves with URL changes – the Migrating from HTTP–>HTTPS section in particular has a lot of good details.
WordPress Migration Guides
- Kinsta: In-Depth HTTP to HTTPS Migration Guide for WordPress
- CSS-Tricks: Moving to HTTPS on WordPress
- Designmodo: How to Move a WordPress Website from HTTP to HTTPS/SSL