We recently analyzed the top 10,000 domains to answer one question:
“How well do they use HTTPS to improve their SERP rankings?”
We looked at accessibility via HTTP and HTTPS. We looked at redirects. We looked at status codes.
Today, I’m going to share our findings with you.
- Only 1 in 10 websites has what we consider a flawless HTTPS setup (More on that later).
- A whopping 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when taking into account websites with errors in SSL setup).
- Almost 1 in 4 domains were missing a canonical HTTPS version.
- Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects.
- Even Google can’t be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead. Then again, they won’t ever find it difficult to rank…
What Is This HTTPS/SSL Thing And Why Should You Care?
So that’s the headlines, now let’s take a look at HTTPS/SSL and why webmasters and SEOs should care about it.
HyperText Transfer Protocol Secure (or “HTTPS” or “HTTP over SSL”) is the internet standard for secure communication between your browser and any webserver.
The internet is inherently open to the point that anyone can read what data you send to and from any server. You’re searching for “STD treatment” on Google and anyone can read this: the government, your neighbor, and even your spouse.
HTTPS solves that problem by encrypting the communication end-to-end: Only your computer and the webserver can see what data gets transmitted. Additionally, HTTPS provides a mechanism to guarantee authenticity: You can be sure you are connected to the right server as long as the green lock icon displays in your address bar.
Secure Sockets Layer (SSL) — or its newer form Transport Layer Security (TLS) — is the protocol that HTTPS uses to accomplish this additional security. Although HTTPS and SSL are different beasts technically, you’ll find most people intermixing the words at random — yours truly included.
If you want to learn even more about HTTPS and its effects on your rankings, read Michael Hernandez’ great article HTTP vs. HTTPS for SEO: What You Need to Know to Stay in Google’s Good Graces.
Why You Should Care About HTTPS For SEO
The question “Why should I care about HTTPS?” is an easy one to answer: Because Google says so. According to Google, HTTPS is now a ranking signal — among some 200 other factors.
Google’s move to incentivize HTTPS adoption is a reaction to the documents leaked by Edward Snowden describing large scale government surveillance. They put their weight in to make sure your data does not get shared with anyone — but them…
But keep in mind: HTTPS is only a very small ranking signal. It won’t make you suddenly rank #1 for each and every keyword, but if your website and another website tie on every other ranking signal then having HTTPS will make you rank higher. For highly competitive keywords you surely don’t want to get burned by something as trivial as not supporting HTTPS.
Brian Dean’s research from analyzing 1 million search results found “that HTTPS correlated with higher rankings on Google’s first page”.
HTTPS correlates with higher search rankings — but even the big websites don’t get it right
Apart from the SEO benefit, HTTPS will become more important for a different reason: in the near future, Google’s Chrome browser will display a lock overlaid with a red X in the address bar for ALL pages that do not have a correct HTTPS setup. Your website will look broken in the eyes of your visitors. Mozilla will likely adopt a similar policy in Firefox.
Why Websites Might Choose To Not Support HTTPS
There is one overwhelming reason why websites might opt to not implement HTTPS: cost.
Whether in the form of engineering hours, SSL certificates, or additional hardware, encrypting the transmissions between your browser and the server costs money.
The costs of an SSL certificate can range from free (Let’s Encrypt is an initiative to spread the use of HTTPS by giving out free SSL certificates) to $1,499/year (Granted, Symantec isn’t exactly known for being cheap).
It might seem irrelevant, but encrypting the transferred data — and especially the initial handshake to enable encryption — does cost bandwidth and CPU cycles. For large websites these minor costs might add up to a substantial amount.
What The Perfect HTTPS Setup Looks Like
I will talk about the different errors you can make in setting up HTTPS shortly, but first I want to describe the perfect setup.
The perfect setup for SEO purposes looks like this:
- HTTPS is enabled, meaning you can type in https://www.reddit.com and you’ll see the website — d’oh!
- The other HTTPS URL — in this case https://reddit.com — as well as both HTTP URLs (http://reddit.com and http://www.reddit.com) all redirect to https://www.reddit.com ensuring there is only one canonical version of the content available
- Every redirect leads directly to the canonical version of the content. It redirects A --> B, not A --> C --> D --> B
- Every redirect uses the HTTP status codes for permanent redirects (301 — or less supported 308) instead of temporary redirects (302 or 307)
Reddit perfectly implements this protocol by redirecting everything to https://www.reddit.com.
Why You Should Have Only One URL Serving Content
You get the most link juice when people link directly to the content on your website — without any redirects (even permanent ones reduce the link juice, more on that later). People normally link to you by doing the following:
- Go to your website
- Copy whatever content is in their address bar
- Paste that content into WordPress
By having just one URL serve content you ensure that 95% of all links point directly to the right content.
By having every other URL redirect to the canonical version you ensure that you receive at least 90% link juice for the remaining 5% of links.
Make Sure You Use Permanent Redirects (Almost) Everywhere
The most common error we discovered in our research was the widespread use of temporary redirects. Almost a full quarter (23.02%) of surveyed websites used a temporary redirect.
This is bad practice. When you redirect your pages, make sure to use permanent redirects almost exclusively. They are the only reliable way to pass along link juice.
Permanent redirects are redirects that employ the HTTP status code “301 Moved Permanently”. It tells the search engines that “Yes, we’ve moved to a new address. Going forward you will find us at our new location”.
In contrast a temporary “302 Found” redirect tells the search engines “We still live here, but there was water leaking from the ceiling. The workers are in and fixing things up. We’ll be back here the next time you come around, but meanwhile you can find us at this address.”
To see whether your website uses temporary redirects, you can use our SSL SEO Checker or you can do it manually in your browser. Here’s how you do that:
- Open your browser — I’m assuming Google Chrome
- Open the developer tools by going to the “hamburger menu” and selecting “Tools” –> “Developer Tools”
- Switch to the “Network” tab in the Developer Tools
- Type the test URL into the address bar and hit return
- At the very top of the list look for entries with a “Status” of between 300 and 399 (codes in the 3xx-range are redirects).
If any 302 redirects show up this is where the link juice is leaking. Replace them with 301 redirects where possible.
You can also inspect the entries in more detail by clicking on them. In the details look for the “Response Header” section. There is a line starting with “Location:” which tells you where that particular page is redirecting.
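If you’re running an Apache web server and are somewhat technical you can redirect all pages on a domain by placing the following code in the .htaccess file in the root directory:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Skip requests already on the canonical HTTPS host, otherwise the rule redirects to itself forever
        RewriteCond %{HTTPS} off [OR]
        RewriteCond %{HTTP_HOST} !^your-domain\.com$ [NC]
        # Permanent redirect to the same path on the canonical host; L stops further rule processing
        RewriteRule ^(.*)$ https://your-domain.com/$1 [R=301,L]
    </IfModule>

This rule isn’t as complex as it seems at first glance. All it does is to redirect all pages (e.g. http://www.your-domain.com/pricing) to a new location (e.g. https://your-domain.com/pricing). The two RewriteCond lines keep requests that already arrive at https://your-domain.com from being redirected again. Notice the R=301 flag, which tells the server to use 301 redirects.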
If you’re using WordPress and are not quite as tech-savvy, you can use the Redirection plugin which works crazy good.
There are not many circumstances where a temporary redirect is what you want, so when in doubt use a permanent one. One example is where users are already on your page (e.g. https://www.google.co.uk), but you want to append a query parameter to the URL: https://www.google.co.uk/?gws_rd=ssl. This is totally OK as the link juice got passed on to https://www.google.co.uk/ and the new redirect doesn’t make a difference.
All Redirects Go Directly To The Relevant Content
Even using permanent 301 redirects you will lose some link juice on the way: Google never passes along 100% of the link juice to the new location — it’s more like 90%.
What happens when you stack redirects up?
http://www.wordpress.com/ redirects to
https://www.wordpress.com/ which redirects to
They use 301 redirects — which is great — but two redirects means they lose more link juice than with just one redirect.
Additionally, this makes your website load slower: Instead of making two requests (one for the redirect and one for the content) your browser now needs three requests (two redirects and one for the content). Site speed is another ranking signal for Google, so you get doubly penalized.
Furthermore, slow websites have lower overall conversion rates. Additional redirects thus hurt both your SEO and your sales.
You can spot this easily with your browser following the steps above. Just look for entries at the top with a status in the 3xx-range. Multiple pages with redirects in a row point to a problem on your website.
There is an extreme form of redirect chain: the redirect loop. This is when your redirects go on forever and ever, e.g. A --> B --> C --> A --> ....
Most browsers (AND Google’s robot) don’t detect redirect loops as it is a hard problem to solve — there could be a loop consisting of 100,000 URLs. Instead they follow redirects up to 5–30 levels deep and if they hit yet another redirect they call it quits.
We’ve followed the same strategy and I have to report in sheer terror: 3.32% of websites in our “State of SEO-friendly HTTPS adoption” survey make this same mistake. Redirect loops result in the website not being accessible, and too many redirects throw off the search engine’s crawlers so your website won’t be indexed. Please don’t make that same mistake.
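The checks described above (one canonical URL, direct permanent redirects, no chains, no loops) can be automated. The following auditor is an added example, not the tooling used for the study: it follows redirects by hand with a hop limit, as the article says browsers and crawlers do. The `example.test` responses are constructed, and all function names are assumptions of this example.

```python
import http.client
from contextlib import closing
from urllib.parse import urljoin, urlsplit
PERMANENT, TEMPORARY = {301, 308}, {302, 303, 307}
REDIRECTS = PERMANENT | TEMPORARY

def http_fetch(url):  # live fetcher: one HEAD request, redirects not followed
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    with closing(cls(u.netloc, timeout=10)) as conn:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")

def trace(url, fetch=http_fetch, max_hops=10):  # -> (hops, outcome)
    hops = []
    while len(hops) < max_hops:
        if any(url == seen for seen, _ in hops):  # same URL twice: A --> B --> A
            return hops, "loop"
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            return hops, "ok" if status == 200 else "error"
        url = urljoin(url, location)  # Location may be relative
    return hops, "too-many-redirects"  # give up, as browsers and crawlers do

def audit(variants, canonical, fetch=http_fetch):  # -> {start URL: [problems]}
    report = {}
    for start in variants:
        hops, outcome = trace(start, fetch)
        codes = [s for _, s in hops if s in REDIRECTS]
        checks = {
            outcome: outcome != "ok",
            "wrong-canonical": outcome == "ok" and hops[-1][0] != canonical,
            "temporary-redirect": any(c in TEMPORARY for c in codes),
            "redirect-chain": len(codes) > 1,
        }
        report[start] = [name for name, failed in checks.items() if failed]
    return report

# Constructed responses for a hypothetical site (not data from the survey).
SAMPLE = {
    "https://www.example.test/": (200, None),
    "https://example.test/": (301, "https://www.example.test/"),
    "http://www.example.test/": (302, "https://www.example.test/"),
    "http://example.test/": (301, "http://www.example.test/"),
    "http://example.test/a": (301, "/b"),
    "http://example.test/b": (301, "/a"),
}
sample_fetch = SAMPLE.__getitem__  # offline stand-in for http_fetch
```

Called without the `fetch` argument, `audit` uses `http_fetch` and issues live HEAD requests to the URLs you pass in; an empty list for every variant corresponds to the setup the article calls flawless.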
After analyzing the top 10,000 websites I can say one thing: HTTPS is the neglected step-child of SEOs and administrators alike.
If you had asked me before this study what percentage of the top websites supported HTTPS, I would have guessed at 70 percent or more. Imagine the look on my face when I learned that almost 70 percent DO NOT support HTTPS.
I find this shocking, but with Google pushing ever harder — both with Chrome and their search engine — for websites to adopt HTTPS I can only see the HTTPS adoption rate go up.
However, setting up HTTPS is not too complex. It will yield results both from better rankings and an improved user experience. If you have not enabled HTTPS for your website, Google will provide more and more incentives in the future.
What’s your stance on HTTPS? Have you enabled it for your website? Did you see your rankings improve?