How to Enable SSL on your Site without Losing Search Rankings

    Sumit Pore
Listen to this article

move-https-maintain-rankingLast week, our team had an “official meeting” about moving our site to HTTPS. Well, the talks had begun, ever since Google made an announcement, that ‘HTTPS would be a Ranking Signal’, but this was the first real discussion. Personally, I’d have wanted to enable SSL for our site (which is basically moving to HTTPS), a long time ago. But there are other factors which come into play, such as Search Engine Rankings. With hundreds of people visiting the site everyday, you do not want that affected.

But let’s not get ahead of ourselves. Let’s start with the basics. Even though this whole hoopla about shifting to HTTPS started after Google’s announcement, it’s always better to understand what all of this actually is, and why is it important to enable SSL for your website.

What is SSL? How is SSL Related to HTTPS?

What is SSL

SSL (Secure Sockets Layer) is an encryption method. Basically it encrypts the connection made between a browser and your domain, thus making it secure for data transfer. Communication which happens with this added level of security is basically said to be an HTTPS connection.

To enable SSL for your domain, you need an SSL Certificate which is issued by a Certificate Authority. This Certificate basically tells any browser trying to connect to your domain, that a secure, trusted, connection can be made. The SSL Certificate is like an ID proof. You have it on you (as in your domain), to tell the world, that you are a trusted website, and not a spammy one.

I’m not Really Convinced. Do I really Need SSL?

Have you noticed banking websites? For that matter any financial websites? They all have SSL enabled. And, the reason for that is, SSL ensures data security. You do not want such sensitive data to be stolen or tampered with. It’s like this. If money is sensitive data (because let’s face it, data on your site is valuable). SSL is like the armored car used to transfer this money.

So logically, if you have an eCommerce store, you must move to HTTPS, if you want to handle transactions on your site. Or if you handle sensitive data, like Insurance related or Legal data, have a Government website, or want to instill trust in the minds of your visitors, you’d want to move to HTTPS.

SSL: Pros v/s Cons

But of course there is a cost involved. The SSL certificate needed, incorporates a financial cost. But, a visitor’s browser has to also check the validity of the certificate to establish the secure connection, thus affecting the load time of a page. But if you weigh the pros and cons, the pros out-weigh the cons by a lot.

And finally, (and this should be the primary motivating factor for you, if you are not yet convinced) Google has said that it will give a ratings boost to secure sites. And even if they say, that “For now it’s only a very lightweight signal… But over time, we may decide to strengthen it”, should be understood as “We want you to switch to HTTPS, whether you like it or not”.

That’s fine… But what will Happen to my Search Rankings?

If you directly move to HTTPS, without taking care of any URL redirection, you’re site will suddenly disappear from the face of the web. Well, not literally. But it will collapse. The several HTTP hyperlinks in your site, and external links to your site will return an error. Search engines will consider your site to be a new site, due to the change in URLs, and your ranking will dramatically drop.

So, then what do you do? How do you safely port your website to HTTPS without affecting search rankings?

Don’t Worry! WisdmLabs Has a Guide for SSL Configuration Best Practices

Below, we have consolidated a list, which will not just help you retain your search rankings when you port your site to HTTPS, but will also help you correctly configure SSL and your server. I mean if you are making the move, you might as well make it right. Your SSL configuration can improve performance of your website.

Change the URLs and Redirect Linkschange-urls-redirect

After moving to HTTPs, you should update all links in your site to ‘https://”. This would mean changing URLs of your pages, JS and CSS files and images. Helps if you were using relative paths for files. But you still need to scan through all your files, and check for any links, and update them. Make sure to check your database as well for any links. Additionally, you need to redirect all your links so that links from external websites are still able to find your site.


Deploy the Chain-of-Trustcertificate-chains

When you get an SSL certificate, you get several other certificates with it (a certificate bundle). These certificates validate not just your domain, but the certificate authority as well, and anything in between. When a browser checks if your certificate is valid, it checks the bundle as well. So you need to ensure that you install all the certificates on your server, so as to speed up browser validation.


Use a Secure Protocolsecure-protocols

There are five protocols in the SSL/TLS family. TLS v1.2 should be your main protocol. Do ensure that you disable TLS compression.



Secure Your Cookiessecure-cookies

This should be done when configuring your web application. It is optional but recommended. HTTP and HTTPS cookies should be different. This is because HTTP cookies can be changed by an external JS, but secure cookies cannot be changed.


Use Secure Cipher Suitessecure-cipher-suites

This is a server side configuration. A cipher suite is an encryption method, which is used to create the secure connection. Some cipher suits offer better security than other, so better choose a reliable method.



Enable OCSP Staplingocsp-stapling

Every time a browser connects to your domain, it asks the Certificate Authority for validation. With OCSP Stapling, the validation result is cached, and sent to the browser, so that the browser does not have to make an additional request to the CA.


Caching Done Rightcaching

You should cache all public resources (such as CSS, JS, Images) and disable caching of sensitive content (such as pages which include transactions, etc should not be cached). You could implement xCache which is server side caching, to further reduce execution time.


Deploy HTTP Strict Transport Security (HSTS)hsts-security

What this does, is ensure that once your domain has been verified as secure, all further requests are sent over as HTTPS, even if they initially started out as HTTP.


persitent-connection-sessionsMaintain a Persistent HTTPS Connection and Sessions

Ensure that you keep a live connection (or one time connection) for all files (CSS, JS and Images), to reduce load time. It’s also recommended to save and resume user sessions.


Use Latest OpenSSL softwarelatest-open-ssl

Since there was some vulnerability to Heartbleed, BEAST attack, CVE-2014-0224, it’s best to use the latest OpenSSL software version.


Encrypt Your Entire Website

HTTPS for everything. Period.


That was a Piece of Cake……. Right?

I get that you may not have understood all of the above stated all at once. And that’s okay. You need to do a lot of research before going forward with such configuration and set up. So I’ve tried to help, based on my experience of porting client sites to HTTPS. If you have any questions for me, feel free to leave them in the comment section below! Oh yes, and soon, you should find SSL enabled on our site as well 😀

Sumit Pore

Sumit Pore

Leave a Reply

Your email address will not be published. Required fields are marked *

Get The Latest Updates

Subscribe to our Newsletter

A key to unlock the world of open-source. We promise not to spam your inbox.

Suggested Reads

Join our 55,000+ Subscribers

    The Wisdm Digest delivers all the latest news, and resources from the world of open-source businesses to your inbox.

    Suggested Reads