Everything SEOs Need to Know About Google’s New Stance on HTTPs

SMS Text
What SEOs Need to Know About HTTPs | SEJ

It’s not often that Google tells you exactly what their ranking signals are. In 2014, however, we got to peek into one of the newest algorithm updates — “HTTPS as a ranking signal.”

Here’s what Google said in the official Webmaster Central Blog:

We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

Obviously, when Google makes a change like this, SEOs and webmasters need to pay attention. Here are the top 8 things you need to know about Google’s stance on HTTPS.

The changes that you make, or don’t, will have a significant impact on your site’s future and present success.

1. Google Loves Security

Google loves security, hates spam, and is going to do everything that they can to ensure that the search world lives by those standards.

HTTPS encryption is one such move towards security. The s at the end of the HTTP stands for “secure” meaning that the server is using a SSL/TLS protocol (Transport Layer Security and Secure Sockets Layer) over top of the traditional hypertext transfer protocol. The addition of this layer of security means that all data transferred during a given session is encrypted.

It’s harder for hackers and technology thieves to steal information in such transfers. It gives users the assurance to use their credit card, send confidential emails, or fill out informational forms online.

In other words, it’s all about security. Many webmasters and SEOs groan over the heightened security. Issues like this make it harder for us to mine the data that we use to enhance our websites. For example, Google’s stance on Results (Not Provided) in Google Analytics sent marketers into a tailspin.

This was just one of the early indications that Google was moving toward a more secure web experience for everyone. In the wake of modern security breaches and increased hacker activity, perhaps it makes sense.

2. Google Prefers to Rank Sites With HTTPS Encryption

This is the most obvious takeaway, and is worth repeating. Sites with HTTPS encryption will, assuming all other things are equal, rank higher. It’s hard to know exactly how this trend is appearing currently, but we see suggestions of it in the SERPs.

For example, my query on “conversion optimization software” returned the following two top organic results. The sites are approximately equal in authority and page-specific linkbacks. The second site, in fact, has a domain authority of 69. The first site has https in place, while the second does not.

What SEOs Need to Know About HTTPs | SEJ

Coincidence? Maybe, but this is the type of result we should learn to expect in the SERPs. Secure sites will start to outrank unsecured sites.

3. User Behavior Could Impact Your Rankings

One subtle way in which Google influences the SERPs and users is by indicating which sites are secure and which aren’t.

Google provides this information directly in each search result entry. Any site with a secure protocol layer has https:// in the URL line. Sites without encryption do not have the http:// preceding the URL.

What SEOs Need to Know About HTTPs | SEJ

This isn’t a huge deal as SERPs go. For the safety-conscious user, however, it does make a difference. Remember that Google uses two user-based signals in its search algorithm: dwell time and click-throughs.

By sharing with the user which sites are secure and which aren’t, Google is showing users which sites that they might prefer to click-through and dwell on. Better activity on two factors will, in turn, improve that site’s rankings.

4. Go For Content Improvement

This is straight from Google, and I hear Matt Cutt’s influence behind it:

[The HTTPs signal carries] less weight than other signals such as high-quality content.

Nothing has dethroned content and the emphasis upon quality. If you are cash-strapped and resource low, you may be wondering ‘Do I really need to add encryption to my website?’

It depends. Changing to HTTPs isn’t going to give you a meteoric rise in the SERPs. You would merely be complying with one of Google’s stated preferences. And that’s okay.

The one thing that will move the needle on your rankings is content. If you have to decide between improving security and improving content, go for the content.

5. Consider Switching to HTTPS by the Middle of 2015

Google is probably not going to tell us when (or if) they tighten up HTTPS algo again. It will probably be mixed in with one of the 300+ algo changes they make over the course of a given year. All they said was this:

We [want to] give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

How much time will they give webmaster’s to switch to HTTPS? It’s anyone’s guess. I think they will take at least one year to revisit this specific feature of the algorithm. Since the original HTTPS algo change was rolled out on August 6, I would advise webmasters to have their new encryption in place by about the same time in 2015.

6. Google Doesn’t Mind if Encryption Slows Down Your Site Speed (A Little)

Some webmaster may wonder, “But won’t extra encryption levels slow down the transfer speed for users? Will this affect site speed?”

The answer is: yes, maybe. A TLS handshake imposes several new layers of transfer in the exchange. Here’s what it looks like for a TLS handshake:

Even though we’re talking about a few hundred milliseconds in time difference, those milliseconds do matter when measuring the legion of transfers in a webpage waterfall.

Thankfully, there are ways to enhance your security without sacrificing web performance. The great article from Billy Hoffman at the Moz Blog is a helpful discussion of the issues at play.

The bottom line is that Google will most likely prefer a secure connection over a half-second difference in load time. As long as that extra site speed is for good reason, then you shouldn’t worry. While you should do everything you can to minimize your load time, don’t let this keep you from adding security to your site.

7. Test Your Site to See How Secure It Is

Google recommends that you use the SSL Server Test from Qualys to test your site’s SSL configuration.

You can enter your domain (or the domain of any website), and get results in just a couple of minutes.

What SEOs Need to Know About HTTPs | SEJ

If you’re scoring a C or above, you’re doing okay.

8. Keep Your URLs in Order

Adding that little “s” in your URL changes things. Most notably, it changes your URL. When URLs change, it means that you need to start looking at 301 redirects in order to map all the non-HTTPS URLs over to the new system.

As Volume Nine’s Richard Lesher advised,

“If not done correctly, this update in security can actually have the opposite effect and can negatively impact your site’s search engine rankings.”


Since my focus in this article is on SEOs, I’ve eliminated some of the technical best practices for HTTPS encryption. I recommend giving this information from Google a quick read to make sure you know how to advise developers and webmasters on the encryption process.

The bottom line is Google considers site security and encryption to be important enough to warrant a ranking change. This means we as SEOs must be aware of the influence of security, and take measures to secure our sites if at all possible.

What is your view on HTTPS encryption? Do you think it’s worth investing the time and money to make the change?

Editor Note: Neil was the opening speaker for our SEJ Summit in Santa Monica this year. Want to learn more from speakers like him at our Summits throughout the year: in NYC, Chicago, Dallas, San Francisco, Miami, and London? Sign up for a FREE ticket, covered by our partner, Searchmetrics.


Image Credits

Featured Image: Pavel Ignatov via Shutterstock
All screenshots taken January 2015

Neil Patel
Neil Patel is the co-founder of KISSmetrics, an analytics provider that helps companies make better business decisions. Neil also blogs about marketing and entrepreneurship at Quick Sprout.
Get the latest news from Search Engine Journal!
We value your privacy! See our policy here.
  • Alex Cooper

    Good article, Neil.

    While many websites need and should have an SSL certificate my argument over this is that, just as not every door is locked 24 / 7, not all sites *need* an SSL certificate. Websites carry out a range of different purposes and not every website in the world takes credit card numbers, emails, user details, etc. In some cases there is quite a cost involved to be trusted slightly more by Google when there isn’t any benefit to your visitors.

    This is an argument I’ve made at https://www.spiralmedia.co.uk/google-right-warn-us-non-ssl-sites/.

  • Nathaniel Tower

    Neil, this is a good summary of HTTPS for SEOs.

    Looking at point number 2, I don’t buy this as an HTTPS issue. The top result from your search (I actually had a different top result – these sites were the #2 and #3 organic results for me) appears more relevant at first glance (see title tag and URL). Additionally, the first result has a legitimate reason to have HTTPS (it is selling a service). The second result is a blog post from 2012 that lists a bunch of tools (a handful of which are no longer available). I don’t see these sites as equal. Actually, I don’t see either of them as meeting the needs of the query.

    HTTPS is important for ecommerce and any site collection sensitive information. Asking all website owners to use HTTPS seems over the top, especially given the cost.

  • http://www.brickmarketing.com Nick Stamoulis

    Anytime Google is that straightforward about something, we need to pay attention. Just like making your site mobile friendly, it’s a worthwhile investment. Also, it’s just good business sense to make your site secure.

  • http://www.seo-theory.com/ Michael Martinez

    Google is certainly pressing hard for everyone to switch to HTTPS but let’s look at the facts.

    “The addition of this layer of security means that all data transferred during a given session is encrypted.

    “It’s harder for hackers and technology thieves to steal information in such transfers. It gives users the assurance to use their credit card, send confidential emails, or fill out informational forms online.”

    No, it’s NOT harder for the thieves to steal information in such transfers. They continued to use the same tactics in many of the publicly acknowledged Man-in-the-Middle attacks over the past year.

    Furthermore, most private user information is stolen from hacked databases, which HTTPS does not protect (the HTTPS Website UNencrypts your data after it is received).

    “For example, my query on ‘conversion optimization software’ returned the following two top organic results. The sites are approximately equal in authority and page-specific linkbacks.”

    Query results are NOT decided by “authority” and “page-specific linkbacks”. This myth has been debunked so many times I am surprised anyone repeats it in 2015. A query’s results are decided by MANY factors, including filters and penalties that downgrade more relevant sites which have violated guidelines, relevance cues based on freshness and user location, and more.

    “By sharing with the user which sites are secure and which aren’t, Google is showing users which sites that they might prefer to click-through and dwell on. Better activity on two factors will, in turn, improve that site’s rankings.”

    Most surfers have no idea of what HTTPS is all about or why Google thinks it’s important. Searchers continue to prefer convenience of location in the search results over other aspects of listings.

    “Consider Switching to HTTPS by the Middle of 2015”

    Unfortunately, the browser vendors who have to support Google’s initiative are years away from solving all the complexities that moving the Web to HTTPS creates. It will probably happen by 2020. It’s a completely stupid and useless transition because it does not protect users’ data and it certainly does not protect your privacy. The most compelling argument one of the pro-HTTPS people gave me for forcing everyone to move to HTTPS is that he doesn’t want anyone to know where he is surfing. Of course, all the packet envelopes are UNencrypted and so a complete record of where you are browsing to remains in the public data stream.

    The promises made by HTTPS proponents are at best wishful thinking and in some cases complete lies. People should NOT be converting their sites to use HTTPS just for the search engines. But neither should you believe that you are protecting user data (it is only encrypted for MILLISECONDS via HTTPS). If you want to protect your users’ data, encrypt your databases and lock down your servers. HTTPS contributes nothing toward that goal.

  • Randy Ray

    Nice post, Neil. I don’t think it’s worth the time and effort to switch to https–at least it isn’t for me and my sites, right now. Most of my sites are more informational in nature.

    If someone wants to conduct a transaction, they leave my site, and presumably the destination is secure. I think sites where transactions are being conducted are going to be the ones most affected by this change in the algorithm.

    I’m too busy trying to create good content and promote it to worry about https right now.

    I like what you pointed out about “everything else being equal”. Right now, on most of my sites, everything else isn’t equal. I have to stay laser-focused on improving the quality and promotion of my content.

    If Google makes it a more important ranking factor, I’ll reconsider switching to https then.

  • jaspreet

    Hello, quite informative. One thing I like to understand here would be , the url which opens with “https” shall also open with http aswell?


  • http://www.prospekdigital.com/ Zulhilmi Zainudin

    Neil, could you please recommend me a WordPress plugin that can handle 301 redirect from existing posts links (http) to new ‘https’ versions?

    Or, do I need to do it manually one-by-one?

  • http://www.artsassistance.com Nancy Seeger

    Wonderful article but very disheartening and I think Google is out of touch with smaller business and bloggers. It requires some amount of technical expertise to make a site fully HTTPS and there is some expense involved.

    For example if you are just a small business dependent on WordPress you will help installing the SSL Certificate on a server (a server company may charge $50 a do it for you, then you have a yearly charge for the certificate). Then you need the website itself setup to be able to handle HTTPS. The popular WordPress plugin for SSL is very outdated, you can’t rely on that. Many plugins for WordPress are not written to be only HTTPS environments (social media plugins usually are not) and may try to link to HTTP only sources. If the site is relatively small hopefully adapting the images links and other resources will not take long to rewrite so it is HTTPS friendly. That right there is beyond most WordPress user expertise – that is takes knowledge of building websites.

    I think Google is expecting to much for many small bloggers and smaller businesses running on a shoestring to be able to make this type of conversion. And for what, if they are not taking information on their site why do they need HTTPS?

    Sorry but this is overreach in my opinion and a burden for these businesses.

  • http://arthurhwilson.wordpress.com/ Arthur Wilson

    Trying to get a non-SEO company boss to agree to changing is my biggest difficulty!

  • http://mazakmasti.in/ Taleb

    To secure site from spammer, HTTPS encryption is the best way. With the help of HTTPS we can also get rank in Google. Nice article! This tips surely beneficial to secure site with HTTPS.

  • http://www.bizdetail.com Mitch

    Google says jump, we all say “how high?”

    Once again, google is ignoring their small business customers, who don’t have the budget/time/expertise to pull this off.

    Countdown until the robo-calls from companies pretending to be google, explaining how our site is vulnerable to hackers and we NEED TO INSTALL SSL IMMEDIATELY, even though it is lipstick on a pig for the vast majority of SMB sites.

  • Angelos Savvaidis

    Good article but for some reason you didnt mention that HTTPS as a ranking factor is Extremely low. If people are thinking of changing to HTTPS just for the ranking boost then Sorry to say… but it wont be what you think.

    Change because it will help your visitors and you to feel more secured.

    There are ways to make a HTTPS site be awesomely speedy. SPDY….

  • http://syntcorp.com Vince

    Awesome article on https Neil! I have been trying to convince our agency to move to https however they just brush it off since Google doesnt give much importance on this ranking signal. Is it too early to even seriously consider moving the site to https?

  • http://www.designzzz.com Ayaz Malik

    Hi Neil,
    after getting the certificate installed would a 301 redirect from http to https would be enough from SEO point of view ?
    My site is on wordpress, i have a feeling i will require making some changes to wordpress as well, what do you think ?