Want HTTPS? Migrate Your Website The Right Way
What is HTTPS?
Take a look at Google. See the https:// in front of Google.com? Many people think that HTTPS is needed for pages where you will accept credit cards. However, how many people actually enter a credit card into the search box on Google’s home page? Hopefully, no one. Nonetheless, Google announced in 2015 that its search results favor https websites, and that websites that have https are “more secure.”
The way to create a website address that is https:// instead of http:// is to purchase and install a security certificate (called an SSL) on the website. That means that all data that is transmitted from your website to an external place, such as credit card information, email addresses, or any type of form information will be transmitted securely.
Why Do I Need an HTTPS Secure Website?
Google said as early as 2015 that websites that are https instead of http get a least a 1% boost in search rankings. When Google says to do something to improve search results, it’s wise to listen.
The stakes are even higher now. This month, October 2017, Google will begin showing NOT SECURE warning notices on your website in its newest release of the Chrome browser. This is particularly important on pages of your website that use any type of form. As many companies have an Email Newsletter sign up button on all pages of their website, (if you do not have that, you should!), this means that people will see a Not Secure warning on your website in the most commonly used browser, Google Chrome. Even if you have a search box on your website, anyone entering in a search term will get a warning that the website is not secure.
What Can Go Wrong When Changing to HTTPS?
When you change a website to https:// from http://, 100% of all the pages of your website change URLs. That means that all of the things that need to happen whenever you take a brand new website live need to happen. Ignore that fact and your website’s rankings are likely to drop significantly. Imagine if you picked up your house and moved it to an entirely different address. It’s still the same house, but no one can find it. You need to put in forwarding addresses (called 301 redirects) with the post office (Google), among other things.
What Checklist Should I Follow to Convert My Website to HTTPS?
1. Give a Forwarding Address. Ask your webmaster to put in a 301 redirect for all pages under http:// to go to https://.
2. Check Your Website for Internal Broken Links. Some websites may have used internal links that specified http://. That means they will be broken when you convert to https://. The best way to check your website is with a broken link checker, or to look at the URLs with a free tool like Screaming Frog SEO Spider.
3. Make Sure No Non-Secure Items are On Your Website. For example, certain pages on your website will show as non-secure if the images or links on those pages have URLs that start with http.
4. Submit your new HTTPS Website to Google Search Console for Indexing.
A. Login to the same account as your Google Analytics account.
B. Go to Google Search Console. If you don’t already have a Google Search Console (formerly Google Webmaster Tools) account, create one.
C. Click ‘Add a Property’. Add your website’s new home page starting with HTTPS://.
D. Verify your Property. Once your Domain is submitted, you will receive Verification options. Google will provide its ‘Recommended’ method as well as ‘Alternate’ methods. If ‘Link to Google Analytics’ or ‘Google Tag Manager’ is the recommended method, follow that step. Alternate Verification Methods provided by Google:
a. HTML tag – Add a meta tag to your site’s homepage. Your webmaster needs to do this for you.
b. Add a DNS record – Add a text record to your domains DNS information. Contact your web hosting company to do this.
5. Submit your Sitemap to Google Search Console.
a. Click on ‘Sitemaps’ listed in the left sidebar. Submit your XML sitemap requesting Google to crawl and index your new HTTPS domain. This will assist with getting your website pages into Google search results. In the upper right-hand corner click ‘ADD/TEST SITEMAP’. For most websites, the sitemap will be available under ‘www.yourdomain.com/sitemap.xml’. Verify that your sitemap is available. Click Submit.
b. Once submitted, wait for the status update ‘Complete.’ If you receive anything else, contact your webmaster.
6. Update Google Analytics.
a. Login to your account and navigate to the Administration section.
b. Under ‘Property’ click into ‘Property Settings’ and update your Default URL to HTTPS://
c. Under ‘View’ click into ‘View Settings’ and update your Website’s URL to HTTPS://
d. Watch traffic in ‘Real-Time’ reporting during the initial site move. Expect to see a traffic drop as Google indexes the new HTTPS website. Traffic should return to normal quickly, however, sometimes it may take between 24-48 hours.
e. Make an ‘Annotation’ date of the new site https:// launch.
7. Update External Links– It is imperative incoming links are updated from HTTP to HTTPS. Some platforms are more important than others.
We’ve prioritized them below:
1. Paid Ads in Google, Bing, Social Media platforms and any other online paid campaigns.
2. Profile links from external platforms such as from Google+, Facebook, Pinterest, Twitter, and LinkedIn.
3. External links from directory listings, chamber and visitor bureaus. Request all online partners update links. You can see your major external link referrers in Google Analytics.
4. Update Email Marketing Templates, email signatures, business cards and other marketing collateral, as needed.
5. Continue to update various external links as you come across them. There are many listings on the web about your business, some you may not be aware of.
Blizzard Internet Marketing can assist if needed. Please contact us!
How Can I Be Sure That I Won’t Lose Traffic When Changing to HTTPS?
The basic answer is, you can’t. However, you can minimize the negative effects. Make sure that you have good website, hosting and Google Analytics experts reviewing this process as you do it. Otherwise, the traffic you gain from making this change can be wiped away with lost traffic from a poor transition.
Take your time and make sure it’s done correctly. And, as always, contact us if you need some help!
What is the Checklist for PCI Credit Card Compliance?
What is PCI? PCI stands for Payment Card Industry, and PCI Compliance means that if you accept credit cards, you comply with the rules to keep guests’ credit card info safe.
Some of these new requirements go into effect on February 2018. Check with your Merchant Credit Card Processing company if you are compliant. The rules are complicated, and the amount that you need to do varies. Level 4 PCI Compliance rules apply to companies processing up to 20,000 transactions per year (not dollar volume) and Level 3 is up to 1 million transactions per year. The company you pay for processing your transactions will know what level of PCI compliance you need to abide by, and what you need to do to be compliant.
The “One and Done” List:
1. Business name (DBA) listed prominently
2. Phone, address, and/or email
3. Checkout page secure (https://)
4. Business country
5. Logos of types of credit cards accepted
6. Pricing for each product/service clearly listed
7. Payment and delivery timing listed
9. Review full refund policy in route to the checkout page.
10. Terms on one page and not on a link away form the that page.
11. “I accept” button or checkbox
12. If not clicked, not allow payment.
13. Card should include their secure code (CVV), expiration date, and address verification.
Credits: With gratitude to Ascent Processing, Michael Charalambous and Regina Ebert.
The Ongoing List:
1. Get outside help from PCI compliancy vendors
2. Stay current: with website updates and security patches
3. Monitor: Malware scanning vendors will scan the site regularly
Other resources are available on the PCI Security Standards website.
Is Your Website URL Still HTTP? Here’s Something You Should Know
If your website URL still begins with HTTP, and not HTTPS, in Google Analytics, referral Traffic from a HTTPS site is showing up as direct traffic. In other words, if you receive traffic from https://tripadvisor.com, it will be buried in your direct traffic, and not identified as from Tripadvisor. You can add campaign source codes to track the traffic as a work around, but the best move is to switch your website to HTTPS!