Last week, in response to the recent news about the NSA snooping on websites and theft of massive numbers of passwords and credit card numbers from various sites, Google announced that they would give a sizable search engine boost to sites that used a secure protocol. This news was fairly big in the SEO community, as it's yet another way to gain a competitive advantage in ranking your site above others. And while search engine optimization is a good reason to have a secure website, what's at the heart of this decision?
HTTPS (Hypertext Transfer Protocol Secure) is that funny little acronym you (hopefully) see in front of the web address when you go online and buy your copy of the “Best of Mid-Century Swiss Yodeling” album. On many browsers, you see a lock icon as well, showing that the site is indeed secure. When you’re submitting information to a website, that information passes through networks and channels (such as Wi-Fi or 4G) where it can be intercepted by others. Some of those “others” may have malicious intent. If your information isn’t secured, then your name, password, credit card number – whatever you enter into a web page – can be seen, clear as day.
A secure website encrypts this information. Because the encryption uses a key that only that website has, the information is protected and all that someone lurking around can see is gobbledygook. This is much more effective than adding a “please don’t steal my information” note to the message field on a contact form. I won’t get into the details of how this all actually works, but if you’re interested, you can start at the Wikipedia article on Transport Layer Security. The important thing to know is that any site that is gathering information from users SHOULD be secured.
That’s Google’s stance as well, which is why they’ve chummed the waters a bit for web developers. “Secure your site, and we’ll give you a rankings boost.” And of course, it’s working. It motivated us to make the move, which we really should have done from the get-go (but didn’t for fear of SEO confusion with sites that were linking to us, tracking, etc.), and companies everywhere are rushing to make the change.
This is the difficult question to answer, since there are so many variables at play. For one, where is your site hosted, and do they offer security certificates (SSL Certificates) for free or for a cost? If you’re lucky, they offer it as an included service. If you’re slightly less lucky, they’ll charge you a fee to generate a cert and install it for you, and if you’re just flat out unlucky, they won’t offer anything. In that case, you should consider moving to a more customer-friendly host. The first stop is to talk to your hosting provider.
If your site is on a VPS (Virtual Private Server) or you host it from an old laptop in your basement, then you’re on your own as to getting a certificate. But don’t fret, there are tons of great resources! For one, you can get a FREE verified security certificate from StartSSL. It’s a little complicated to walk through, but it is free and verified. Here is a great overview of the step-by-step process if you are going to get a certificate from StartSSL and install it on an Apache server. If you’re an advanced user, go for it – it can be tough but it’s not too terrible. If you’re not really experienced in running server commands, I recommend hiring somebody to help you out. We just so happen to know a guy…
Okay, so let’s assume you are SSL verified and have it running on your server. The next step is identifying the platform your site is built on, and applying all necessary settings. If your site is built strictly as HTML pages and images, you need to set up a redirect in your .htaccess file to forward all non-secure files to their secure versions (basically, forward http://www.yourdomain.com to https://www.yourdomain.com). If you’re running a CMS such as WordPress or Joomla, then it gets a bit trickier as you have things like static plugin address references, various plugin or site settings, and more to worry about. Typically the best route is to find a plugin to handle the HTTPS redirection for you, but even after that, it can be a bit hairy and you’ll have to do a lot of checking to make sure things all work properly. I’d offer a few links to articles and what-not to help you, but since there is a plethora of content management systems out there, and different versions of each one, that would be an exhaustive list. The general rule of thumb is to identify your CMS and what version it is, and then find the most highly-rated and community-supported compatible plugin to achieve what you’re looking to do.
Unfortunately, that was a lot of generalized information. We could write for ages and ages and supply a walkthrough for each system and situation, but the best bet is, if you’re not confident in transitioning to a secure website, find a professional who can. We would be happy to take a look at your website for you and offer insight, or even to handle the transition for you, so contact us or a competent professional local to you that you are comfortable working with. I’d imagine that Google and other companies will become increasingly aggressive in their efforts to have a secure, private internet, and it’s the best policy to protect your customers, so don’t wait!