Way back in 2014, Google announced that they want everything on the internet to start using strong security by default, and, to encourage this, said that they’ll give a boost in the search result rankings to sites that do. We have now reached “critical mass” where all sites really need to be SSL, and this is definitely a ranking factor. There are immediate benefits to switching now, and it will better position your site in the future as SSL becomes the norm.
What is SSL?
A quick primer: SSL stands for “Secure Sockets Layer” and, when properly implemented, means that the data sent to and from your website is encrypted and therefore “secure.” Secure website addresses start with
https:// instead of
http://. Technically, the newer protocols are actually called “Transport Security Layer,” or TLS, but the name SSL has pretty much stuck.
Here’s why it’s time to switch to SSL:
1. You will indeed get a bump in your search rankings. It’s not a huge lift, but every little bit helps.
2. It’s cheaper. It used to be expensive to purchase an SSL certificate, with prices ranging from $10/year to over $300/year. Now, Let’s Encrypt offers free certificates!
3. It’s faster. The new HTTP/2 protocol, which is possible only with SSL, enables more files to be downloaded simultaneously, which makes your site load faster.
4. It’s much, much safer. Encrypting traffic as it goes to and from your server means it can’t be “sniffed” or spied upon. That may not seem like it matters too much when, say, viewing a recipe for roasted brussels sprouts, but it matters a heck of a lot when you’re entering your password to log in to your site. Especially if you’re on a public wifi network.
5. It’s easier. Many hosting companies now integrate Let’s Encrypt’s free certificates directly into their control panels – so you may be able to install an SSL certificate with just a few clicks. No intimidating tech-knowledge necessary.
6. Most ad networks have finally caught up, so it won’t kill your ad revenue if you go all-SSL. Here’s Mediavine’s post about it.
7. It’s becoming more obvious which sites are secure, and which aren’t. Recently, Google changed the Chrome browser so they’ll actually show the word “Secure” next to the URL, instead of just a tiny little green padlock icon. More importantly, they’ll now also show “Not Secure” when a site isn’t secure and there are password or credit card form fields on the page. I anticipate that very soon they’ll say “Not Secure” on all insecure pages….and other browsers will follow.
8. It’s better for the world. If only sensitive data is encrypted, then it’s a lot easier for hackers and (evil) governments to know which data to go after. It’s like a target on your data’s back. But if it’s all encrypted? Then the critical stuff gets mixed in with everything else, and as a result we’re all more secure. (Think: journalists reporting from war-torn countries, uprisings overthrowing dictators, banking information, your car’s internet connection…)
But beware of these potential “gotchas” when switching to all-SSL…
First, you’ll need to be sure that all the content on your pages is also requested securely, else you’ll get a “mixed content” warning. That includes your own content (like images), but also any off-site requests, like ad network tags. (Why No Padlock? is helpful for troubleshooting this.)
Second, you should change all your internal links to the new https versions. You can do a Search & Replace in your database to replace all instances of http://www.yoursite.com with https://www.yoursite.com. (Make a backup first, please!)
Third, you’ll need to set up 301 redirects to force SSL connections (redirecting all http requests to https). Without that, people will still be able to browse your site without SSL. And since Google sees http and https URLs as separate sites, you could end up with duplicate content issues.
Fourth, it’s a good idea to add the SSL version of your site as a new “Property” in Google Search Console, and then submit your sitemap for that new property.
Fifth, you’ll want to adjust your Google Analytics settings to the new https URL. (In your analytics account, go to https://. Bonus: Add an “annotation” so it’s easy to remember the date you made the change.)and change the drop-down to
Finally, the social media share counters (“social proof”) displayed on your site will reset to zero, since you’ll be changing URLs. Some social sharing plugins, such as Social Pug Pro and Easy Social Share Buttons, include a “Share Count Recovery” tool to get those numbers back.
Bottom line? SSL is here to stay, and the sooner you switch your site over, the better.
Great article Andrew! I will be using this when moving a site to SSL. I was curious, on the site I’m migrating I see these resources that load, will that cause an insecure content? Do you know of any resources I can reference to alter these?
Some of those may actually fix themselves once you change the site’s address to https (in Dashboard > Settings), depending on how your theme is using them.
If not, they may be “hardcoded” in your theme files or a plugin. Or, they may be entered in a form field somewhere, such as your theme’s options, or directly in a text widget, or via a plugin that lets you add code to your site (such as the “Headers and Footers” or “Genesis Simple Hooks” plugins). If you find the code in one of those fields, simply add the “s” after http and you should be okay. Unfortunately, it can be tricky to track those down, but hopefully the above list gives you a place to start looking!
Andrew, Thank you so much for this great article. This “all-in-one-place” pieces of information helped me greatly in transitioning from http to https..
Great article. In addition to item 5 above, Under ‘View Settings’ should Website URL be changed to HTTPS also?
Hi Cree. Strictly speaking, I don’t think it’s necessary, but it’s probably a good idea to ensure that the default view goes to the correct reports. 🙂
Very informative! Here’s a follow-up question: Is it a good idea to move one’s website from a shared IP to a dedicated IP? I understand that one of the benefits of a dedicated IP is that it helps with SSL and security. True?
Hi Christina! That used to be the case, but I’d say it’s not that important (if at all) anymore. However, you do want to be sure you don’t have a ton of sites on one hosting account — that does have security implications (if one site gets hacked, the others could be compromised, since they’re sharing the same file system).