We Analyzed the HTTPS Settings of 10,000 Domains and How It Affects Their SEO — Here’s What We Learned

Christoph is the maker of LinksSpy - a CRM for getting inbound links. He loves doing extensive research on a variety of SEO-related topics and playing World of Tanks

Article stats

  • Referring domains 134
Data from Content Explorer tool.

    We recently analyzed the top 10,000 domains to answer one question:

    How well do they use HTTPS to improve their SERP rankings?”

    We looked at accessibility via HTTP and HTTPS. We looked at redirects. We looked at status codes.

    Today, I’m going to share our findings with you.

    Key Findings

    1. Only 1 in 10 websites has what we consider a flawless HTTPS setup (More on that later).
    2. A whooping 60% of the websites tested have no HTTPS whatsoever (increasing to over 65% when taking into account websites with errors in SSL setup).
    3. Almost 1 in 4 domains were missing a canonical HTTPS version.
    4. Almost 1 in 4 domains were using 302 (temporary) redirects instead of 301 (permanent) redirects.
    5. Even Google can’t be bothered to use permanent redirects and uses temporary redirects (HTTP status code 302) instead. Then again, they won’t ever find it difficult to rank…

    ssl-infographic

    What Is This HTTPS/SSL Thing And Why Should You Care?

    So that’s the headlines, now let’s take a look at HTTPS/SSL and why webmasters and SEOs should care about it.

    HyperText Transfer Protocol Secure (or “HTTPS” or “HTTP over SSL”) is the internet standard for secure communication between your browser and any webserver.

    The internet is inherently open to the point that anyone can read what data you send to and from any server. You’re searching for “STD treatment” on Google and anyone can read this: the government, your neighbor, and even your spouse.

    HTTPS solves that problem by encrypting the communication end-to-end: Only your computer and the webserver can see what data gets transmitted. Additionally, HTTPS provides a mechanism to guarantee authenticity: You can be sure you are connected to the right server as long as the green lock icon displays in your address bar.

    01_HTTPS lock in address bar.png

    Secure Sockets Layer (SSL) — or it’s newer form Transport Layer Security (TLS) — is the protocol that HTTPS uses to accomplish this additional security. Although HTTPS and SSL are different beasts technically, you’ll find most people intermixing the words at random — yours truly included.

    If you want to learn even more about HTTPS and it’s effects on your rankings, read Michael Hernandez’ great article “HTTP vs. HTTPS for SEO: What You Need to Know to Stay in Google’s Good Graces”.

    Why You Should Care About HTTPS For SEO

    The question “Why should I care about HTTPS?” is an easy one to answer: Because Google says so. According to Google HTTPS is now a ranking signal — among some 200 other factors.

    Google’s move to incentivize HTTPS adoption is a reaction to the documents leaked by Edward Snowden describing large scale government surveillance. They put their weight in to make sure your data does not get shared with anyone — but them…

    But keep in mind: HTTPS is only a very small ranking signal. It won’t make you suddenly rank #1 for each and every keyword, but if your website and another website tie on every other ranking signal then having HTTPS will make you rank higher. For highly competitive keywords you surely don’t want to get burned by something as trivial as not supporting HTTPS.

    Brian Dean’s research from analyzing 1 million search results found “that HTTPS correlated with higher rankings on Google’s first page”.

    11_Use-of-HTTPS_line

    The correlations in Moz’s latest Search Ranking Factors survey leads to the same conclusion.

    Apart from the SEO benefit HTTPS will become more important for a different reason: Google’s Chrome browser will display a lock overlayed with a red X in the address bar for ALL pages that do not have a correct HTTP setup in the near future: Your website will look broken in the eyes of your visitors. Mozilla will likely adopt a similar policy in Firefox.

    Why Websites Might Choose To Not Support HTTPS

    There is one overwhelming reason why websites might opt to not implement HTTPS: cost.

    Whether in the form of engineering hours, SSL certificates, or additional hardware, encrypting the transmissions between your browser and the server costs money.

    The costs of an SSL certificate can range from free (Let’s Encrypt is an initiative to spread the use of HTTPS by giving out free SSL certificates) to $1,499/year (Granted, Symantec isn’t exactly known for being cheap).

    It might seem irrelevant, but encrypting the transferred data — and especially the initial handshake to enable encryption — does cost bandwidth and CPU cycles. For large websites these minor costs might add up to a substantial amount.

    What The Perfect HTTPS Setup Looks Like

    I will talk about the different errors you can make in setting up HTTPS shortly, but first I want to describe the perfect setup.

    The perfect setup for SEO purposes looks like this:

    1. HTTPS is enabled, meaning you can type in https://www.reddit.com and you’ll see the website — d’oh!
    2. The other HTTPS URL — in this case https://reddit.com — as well as both HTTP URLs (http://reddit.com and http://www.reddit.com) all redirect to https://www.reddit.com ensuring there is only one canonical version of the content available
    3. Every redirect leads directly to the canonical version of the content. It redirects A --> B, notA --> C --> D --> B
    4. Every redirect uses the HTTP status codes for permanent redirects (301 — or less supported 308) instead of temporary redirects (302 or 307)

    Reddit perfectly implements this protocol by redirecting everything to https://www.reddit.com.

    Why You Should Have Only One URL Serving Content

    You get the most link juice when people link directly to the content on your website — without any redirects (even permanent ones reduce the link juice, more on that later). People normally link to you by doing the following:

    1. Go to your website
    2. Copy whatever content is in their address bar
    3. Paste that content into WordPress

    By having just one URL serve content you ensure that 95% of all links point directly to the right content.

    By having every other URL redirect to the canonical version you ensure that you receive at least 90% link juice for the remaining 5% of links.

    Make Sure You Use Permanent Redirects (Almost) Everywhere

    The most common error we discovered in our research was the widespread use of temporary redirects. Almost a full quarter (23.02%) of surveyed websites used a temporary redirect.

    This is bad practice. When you redirect your pages, make sure to use permanent redirects almost exclusively. They are the only reliable way to pass along link juice.

    Permanent redirects are redirects that employ the HTTP status code “301 Moved Permanently”. It tells the search engines that “Yes, we’ve moved to a new address. Going forward you will find us at our new location”.

    In contrast a temporary “302 Found” redirect tells the search engines “We still live here, but there was water leaking from the ceiling. The workers are in and fixing things up. We’ll be back here the next time you come around, but meanwhile you can find us at this address.”

    To see whether your website uses temporary redirects, you can use our SSL SEO Checker or you can do it manually in your browser. Here’s how you do that:

    1. Open your browser — I’m assuming Google Chrome
    2. Open the developer tools by going to the “hamburger menu” and selecting “Tools” –> “Developer Tools”

    02_open-developer-tools-in-google-chrome.jpg

    1. Switch to the “Network” tab in the Developer Tools
    2. Type the test URL into the address bar and hit return
    3. At the very top of the list look for entries with a “Status” of between 300 and 399 (codes in the 3xx-range are redirects).

    04_detect-302-redirect-in-chrome.jpg

    If any 302 redirects show up this is where the link juice is leaking. Replace them with 301 redirects where possible.

    You can also inspect the entries in more detail by clicking on them. In the details look for the “Response Header” section. There is a line starting with “Location:” which tells you where that particular page is redirecting.

    If you’re running an Apache web server and are somewhat technical you can redirect all pages on a domain by placing the following code in the .htaccess file in the root directory:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(.*)$ https://your-domain.com/$1 [R=301]
    </IfModule>
    

    This rule isn’t as complex as it seems at first glance. All it does is to redirect all pages (e.g. http://www.your-domain.com/pricing) to a new location (e.g. https://your-domain/pricing). Notice the [R=301] which tells the server to use 301 redirects.

    If you’re using WordPress and are not quite as tech-savvy, you can use the Redirection plugin which works crazy good.

    There are not many circumstances where a temporary redirect is what you want, so when in doubt use a permanent one. One example is where users are already on your page (e.g. https://www.google.co.uk), but you want to append a query parameter to the URL: https://www.google.co.uk/?gws_rd=ssl. This is totally OK as the link juice got passed on to https://www.google.co.uk/ and the new redirect doesn’t make a difference.

    All Redirects Go Directly To The Relevant Content

    Even using permanent 301 redirects you will lose some link juice on the way: Google never passes along 100% of the link juice to the new location — it’s more like 90%.

    What happens when you stack redirects up?

    For example http://www.wordpress.com/ redirects to https://www.wordpress.com/ which redirects to https://wordpress.com/.

    They use 301 redirects — which is great — but two redirects means they lose more link juice than with just one redirect.

    Additionally, this makes your website load slower: Instead of making two requests (one for the redirect and one for the content) your browser now needs three requests (two redirects and one for the content). Site speed is another ranking signal for Google, so you get doubly penalized.

    Furthermore, slow websites have lower overall conversion rates. Additional redirects thus hurt both your SEO and your sales.

    You can spot this easily with your browser following the steps above. Just look for entries at the top with a status in the 3xx-range. Multiple pages with redirects in a row point to a problem on your website.

    05_detect-redirect-chain.jpg

    There is a super form of redirect chains: redirect loops. It’s when your redirects go on forever and ever, e.g. A --> B --> C --> A --> ....

    Most browsers (AND Google’s robot) don’t detect redirect loops as it is a hard problem to solve — there could be a loop consisting of 100,000 URLs. Instead they follow redirects up to 5–30 levels deep and if they hit yet another redirect they call it quits.

    We’ve followed the same strategy and I have to report in sheer terror: 3.32% of websites in our “State of SEO-friendly HTTPS adoption” survey make this same mistake. Redirect loops result in the website not being accessible and too many redirects throws of the search engine’s crawlers so your website won’t be indexed. Please don’t make that same mistake.

    Conclusion

    After analyzing the top 10,000 websites I can say one thing: HTTPS is the neglected step-child of SEOs and administrators alike.

    If you had asked me before this study what percentage of the top websites supported HTTPS, I would have guessed at 70 percent or more. Imagine the look on my face when I learned that almost 70 percent DO NOT support HTTPS.

    I find this shocking, but with Google pushing ever harder — both with Chrome and their search engine — for websites to adopt HTTPS I can only see the HTTPS adoption rate go up.

    However, setting up HTTPS is not too complex. It will yield results both from better rankings and an improved user experience. If you have not enabled HTTPS for your website, Google will provide more and more incentives in the future.

    What’s your stance on HTTPS? Have you enabled it for your website? Did you see your rankings improve?

    Christoph is the maker of LinksSpy - a CRM for getting inbound links. He loves doing extensive research on a variety of SEO-related topics and playing World of Tanks

    Article stats

    • Referring domains 134
    Data from Content Explorer tool.

    Shows how many different websites are linking to this piece of content. As a general rule, the more websites link to you, the higher you rank in Google.

    Shows estimated monthly search traffic to this article according to Ahrefs data. The actual search traffic (as reported in Google Analytics) is usually 3-5 times bigger.

    Get notified of new articles

    46,636 marketers are already subscribed to Ahrefs blog. Leave your email to get our weekly newsletter.

    • Just did an audit today that made ALL of these mistakes in their implementation of HTTPS. What a timely, extremely useful article. You cannot emphasize enough the need to eliminate “redirect chains” when moving to HTTPS. Great stuff.

    • FrankLuska

      Funny you should talk about incorrect implementation, firefox shows the little caution symbol on this page. Firefox has blocked parts of this page .…..

    • Well thank you so much for sharing this. I have created a new website and this article can really help a lot.

    • The 302/301 issue is no longer and issue says SERoundtable… https://www.seroundtable.com/google-302-redirects-pass-pagerank-21575.html

      • Gerry White

        That’s what Google say but I’d go for a 301 anyhow, there are other search engines… 

      • news to me 🙂 thanks Ryan 🙂

    • Bas

      What is your take on stepping over from http to https on a big ecommerce site? Do you see drops in traffic? Would you advice to do it in the less important months of the year?

      • I would advise it strongly for any ecommerce sites. It creates a sense of trust amongst buyers as they know that their info will stay safe just because you have HTTPS implemented plus they will more than likely return.

        And Google takes this also into account when ranking your site.

        • Bas

          I understand that it’s better on the long run. But whats your opinion about the traffic drop. For example a big e-commerce sites has his high season in april. Would it be smart to switch to HTTPS right now because of inconsistent traffic drops you read on some blogpost?

      • Christoph Engelhardt

        Thanks for your questions. I’d really encourage switching to HTTPS with an ecommerce website. It’s about keeping your user’s data private, foremost.
        SEO is an afterthought in that case.

    • Tom Armenante

      Firstly great article!

      However just wanted to clarify, out of all the site what percentage were ecommerce or transactional? If 90% of them were blogs then I’d be less surprised by the findings. 

      Tom

      • Christoph Engelhardt

        Hey, Tom. That’s an interesting question. I didn’t look at it in-depth but the gut feeling from examining the top 200 websites is 25% porn and the rest mainly transactional/ecommerce.
        I kid you not about the porn.

        • xtopher66

          Worth researching then 🙂

          • Christoph Engelhardt

            It’s a shame, but it took me 4 days to realize your “for research” hint. 🙂
            Great one. Maybe I’ll look into it — purely for science of course.

    • Try this one 

      RewriteEngine On

      RewriteCond %{HTTPS} off

      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

      • Thanks Amit. Just tried that and I get the same double redirect unfortunately. Http&non-www –> https&non-www –> https&www. Appreciate your reply though 🙂

        • FrankLuska

          Check with your host, it can / will be different depending on server setup.

    • Butler

      Slightly inaccurate information. The problem with 302 redirects isn’t the loss of link equity, it’s indexation issues due to Google’s inability to handle them properly.

    • You are only fully compliant if you have no insecure elements on the page, even those loaded externally. If external fonts or other elements are not on https then you are not https compliant.

    • Nice article Tim 🙂 we’ve implemented https on several client’s sites with good success.

    • Just to clarify — (this is less about https) if you’re changing a url for SEO purposes 9 times out of 10 it’s still better to 301 redirect than starting a fresh page correct? Regardless of loss of link juice?

      • Christoph Engelhardt

        Hi Jared, what do you mean by “changing a URL” ? A page on the website or complete domains?

        • Hi Christoph! Just pages on websites — same domain.

          • Christoph Engelhardt

            Yes, I think that in most cases a 301 redirect is the way to go

      • xtopher66

        Of course, because its already indexed and ranked. Most CMS have some module for SEO management, so you‘d do the redirect in that. Some like to piss about with .htaccess but whats the point unless you like overlong syntax typing.

        • Good to confirm — picking up most of this as quickly as I can. 🙂 Thanks for the answer!

    • This is a great post and very relevant in the agency world. We just did an HTTP -> HTTPS migration for one of our clients and found a bunch of sh*t wrong. Specifically, too many un-necessary redirect hops and they also forgot to change the canonicals for the entire migration. Thanks again for writing this!

      • Christoph Engelhardt

        Hi Gaetano. Thanks for your comment. How did you get rid of the redirect hops?

    • Ashley Faulkes

      Interesting findings indeed Christophe. What I am wondering (and I know Moz got interesting results on this) is what is the gain from https vs the loss from the redirections. So if I was to swap over on my blog, is it reaaaaalllly worth it? Given I am not a super rich man with a big company (yet :>)

      • Christoph Engelhardt

        Great question, Ashley! 

        I wonder how one would test that. Any ideas?

    • Thanks For Sharing such huge information of SEO ! I bookmark it

    • Slashable

      I just moved my site to https, and redirected 301 and further more I avoided multiple redirection as you stated. I will update with my ranking change in few days. 

      Great article btw, Thanks

    • Malachi

      Ok, this post is about HTTPS and that the email linked to this HTTPS page. But then.. several items on this page however are NOT secure… could this be fixed please? 🙂

    • mark wilton

      Another brilliant piece of analysis from the Ahrefs team. These articles are excellent to highlight the areas we all need to focus on.

      • Actually, we can’t take credit for this one — the (awesome!) analysis was done by @christophengelhardt:disqus from https://www.linksspy.com/

        • Christoph Engelhardt

          Thanks, David!

          Although to put credit where credit is due:
          Ahrefs/David did
          — publish it and let me reach a wider audience
          — edit my article (thanks for that! Always good to have an excellent editor for us non-native speakers)
          — create cool infographics!

          So again (and this time publicly): Thanks for having me, David, Tim and the Ahrefs team!

          • you presumably wrote some scripts to test for different scenarios — could these be reused to test xyz.tld? would be really useful service (possibly adding checks for all in-page content being over https and proper in-site links)

            • Christoph Engelhardt

              Yes, I did and it is linked in the article above (just search for “checker”).
              Sorry, but I can’t post a direct link in the comments. I tried but it got deleted

    • Adil Malick

      Very good analysis.

    • 301 Moved Permanently”. It tells the search engines that “Yes, we’ve moved to a new address. Going forward you will find us at our new location”. I like this senteces 🙂

      Please, All SEO folks get understood this status about 301. I have lots of question about 301. The sentences above is definitely define what is 301 meant.

    • Thanks for it, it is very interesting

    • Michael Cottam

      I think your example of redirecting all pages to https is going to cause an infinite loop. You need a RewriteCond that checks to see if it’s http (or port 80). But a great article nonetheless! 🙂

      • Daniel Brady

        This is my code. Is it better?

        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    • I had the same thing happen to my site. It turned out the solution was I needed to place the code at the very top of the htaccess file. Originally it was below a caching plugin’s code and that is what was messing it up.

    • We’ve been calling up a lot of our customers at MeetCalvin(.com) to help them move over the HTTPS. A lot of our customer base are eCommerce stores using WooCommerce so the process was relatively easy. 

      When done right I don’t think there is any downside and only area to gain. With the site migrations we’ve done they’ve all been pretty successful with almost no loss in rankings or traffic. 

      I think what has been helpful for us is using Cloudflare to handle everything. They kinda fix up all the redirect issues we’ve found with certain sites and make it seamless to do. 

      Great article Christoph — the industry needs more like this.

    • Christoph Engelhardt

      Hey Charles,

      the problem here might be that you need to check that HTTPS is turned off before redirecting (else you’ll have an redirect loop). 

      Insert this line right before the line starting with “RewriteRule”:
      RewriteCond %{HTTPS} off

    • Great post! i like your explanation for seo.

    • Putting https everywhere for small websites may be an overwhelming tasks, whereas it should be mandatory for any well established company out there.
      Hopefully, open source initiatives like Let’s Encrypt make it now a no-brainer to definitely switch to https. No more excuses !

    • I have url that is redirecting three times. How do I fix that? I am using WP and running Really Simple SSL plugin. Is it ok to use the redirect plugin also?

    • Great article on proper https:// setup. Thanks, Im in the midst of switching over all my clients to SSL

    • Yes I am going to add ssl certificate to my website soon, is their any free ssl services are there.

    • Dave

      HTTPS is pretty easy with Cloudflare. They have a flexible setting so you don’t even need a certificate. Then you just need to make sure all your internal site links are changed from http to https if applicable. 

    • Nicely done!

      TVC.Net is another host who is just taken up the HTTPS for free cause as well. A good year for free stuff.

    • huge amount of info. I will take a look later!

    • Nathan Eames

      I set up https at the beginning of Feb and I dropped like a stone for all of my keywords. From SERP 17–25 to 48–120!!! indescribable pain!

      • Christoph Engelhardt

        Hi Nathan,

        that sounds terrible, but might happen at first, because Google has to re-learn the value of your website. This shouldn’t take more than a month or so. 

        With this in mind: How are your rankings after 4 months?

    • Hi Christoph, first of all thank you for this amazing guide, it was really helpfull!

      I’ve one question for you:
      I’m going to setup a SSL certificate on an ecommerce website using wp + woocommerce. We are going also to start a plan with Cloudflare and I’ve see that they offer SSL certificate for 10$/mo. Do you think this will be enought for better ranking and security? And do you think that a WildCard SSL will be better? Thank you!

    • Sele

      Hi, great article! I have one question that nobody could answer so far. I have the following Situation:

      I moved from joomla to wordpress. Because of that I had to redirect 301 all urls since joomla had a .html at the end. Now when I switch to https, how should I do the redirect? Redirect all old joomla urls to the new https version? Otherwise it would be a double redirect?

      • Christoph Engelhardt

        Hi Sele,

        yeah. Ideally you redirect straight to the new version

    • Sachin Sharma

      I have pure HTML static websites. Do I need to get SSL to boost SEO ranking?

    • Unibus

      nice article, thanks!

    • Awesome article with useful information. Thanks