Best SEO Practices for Website Security

Google first indicated that they’d start prioritizing sites with valid security certificates years ago, and soon after rolled out with a significant ranking boost to sites that offered HTTPS certificates. Many sites are still using the older, less secure HTTP protocol and losing out on a valuable way to improve SEO and reach more visitors. Just creating an HTTPS site isn’t as effective, though. Use the best practices to choose your security certificate, set up and roll out your site to get the largest possible boost from the change.

HTTP Versus HTTPS

Hyper Text Transfer Protocol (HTTP) is the way messages are sent and received on the Internet. Originally, the information transferred wasn’t encrypted and was more susceptible to being taken and used by a third party. Hyper Text Transfer Protocol Secure (HTTPS) was introduced to fight this danger. When someone accesses your site, a Secure Socket Layer (SSL) certificate is transferred to the viewer; the SSL certificate contains the information the user’s browser needs to validate that your website is the one they’re trying to access and that you’re receiving any information they choose to input. The information is also encrypted so only someone with the right certificates is able to decrypt it.

Another benefit to offering HTTPS is that your Webpage viewers, people who spend money, or those who input information on your site can trust that the information is secure, that no one can intercept it and that they’re viewing the site to which they meant to navigate.

Secure your site with HTTPS – Google 

Choosing Your Certificate

When choosing a security certificate provider, go with a Certificate Authority with a good reputation who uses the latest technologies to protect your viewers and their information. For example, Digicert, VeriSign and Comodo are providers with good reputations that offer up-to-date technology and customer support. There are many other Certificate Authorities to consider, however, and you can use merits like customer service, location or cost. More established companies may offer higher prices, but also more customer service hours or different certificate packages.

When it comes to security, more is always better. Google recommends a 2048-bit key over a less secure 1024-bit key. A 4096-bit key offers an even more secure connection in theory, but neither 2048-bit or 4096-bit keys have ever been cracked, so both are considered equally secure for now. So choosing a 2048-bit key is as good as choosing a 4096-bit key until the industry is able to hack the 2048-bit key and everyone has to migrate to the next, more secure encryption.

There are different certificate setups to consider, too. For example, someone with a basic, one-domain site might only need a single certificate. If you have a multi-domain website (for example, one that has local domains for different countries), a multi-domain certificate might be the better fit. If your site has dynamic subdomains, a wildcard certificate is what you need. The cost will vary, but choosing the right one will protect your Webpage and make sure you get the best SEO boost for all your domains and pages.

Site moves with URL changes – Google

Setup

After you’ve purchased the certificate to convert your site to HTTPS from a trusted Certificate Authority, you need to set it up correctly using the best practices for SEO. First, instruct the person updating your site to use server-side 301 redirects, which tells a search engine that the page has been moved to a new Web address. It’s the best way to maintain your ranking while you migrate to a new site.

Once you’ve updated the Website to HTTPS, Google recommends making sure your site supports HSTS, which switches the Website viewer to the secure HTTPS page even if they specifically request the HTTP page. Put HSTS headers out low max-age, and then increase the max-age slowly over time, making sure the change isn’t negatively impacting your performance. Google also offers HSTS preloading for Chrome, which you can request from Google once you know your page supports HSTS with no problems. You have to change the HSTS headers on your page to the ones that allow preloading before the change can take place, which prevents a third-party from adding your site to the preloading request list.

Troubleshooting

When your site is set up with HTTPS, make sure you’re regularly performing a security and wellness check to make sure nothing is negatively affecting your SEO ranking. First, your certificate will expire at a certain point and won’t be valid anymore. Stay aware of your expiration date so that you can set up a new certificate or extend the one you already have. Next, make sure that every certificate you set up is registered to the proper domain name. A syntax or spelling error can prevent your site from using the certificate and keep search engines from recognizing that your security is up-to-date.

Your robots.txt file needs to be set to allow crawling. If it isn’t, search engines can’t crawl your page, compile information and return your site in search results. In the same token, your site needs to be open to indexing; using the noindex meta tag will drop your SEO ranking.

As you update your site, ensure that all the information is migrated to the HTTPS page. Having an HTTP page with more information than your new, secure page will have a negative SEO impact. All site elements should be HTTPS as well. For example, a payment module that isn’t HTTPS secure will lower the security ranking of your entire site.

Keep in mind that Google treats switching from HTTP to HTTPS as a site change, as if you’d switched your page over to a new URL. It can impact your SEO ranking temporarily. Make sure all your old links are updated to have the best possible results with your change.

As long as you stay on top of having the best security protocols, you’ll be sure to get any available SEO boost. Moving from an HTTP site to an HTTPS site that is set up correctly will be a positive signal to a search engine’s ranking algorithm, making it well worth the time and expense of acquiring a security certificate. Google even says that it may further increase the boost that HTTPS pages receive in the future.

What Should You Do With Your 404 Pages?