
Make sure you get SSL certificates for your domains

Written by Cyberangels
Updated over 2 years ago

The HTTPS protocol makes it possible to exchange data on the Internet securely, because the data is encrypted using SSL (Secure Sockets Layer) technology. When we visit a website, the data exchanged between our browser and the server hosting the site can be intercepted in transit by a third party, who would then learn what was sent and received. To avoid this, HTTPS and SSL use a certificate issued by a certification body to encrypt the transmitted information, making it effectively unreadable to anyone who intercepts it.

SSL stands for 'Secure Sockets Layer', a protocol that allows information to be transmitted securely by protecting sensitive data and preventing cybercriminals from reading and modifying the information transferred. To establish a secure connection to your website you must have a protection key issued by a certification body in the form of a certificate.

An SSL certificate associated with your domain certainly makes it more authoritative in the eyes of the visitor. In addition, you can be sure that the data exchanged between your site and the visitor is encrypted and cannot be intercepted. If your domain contains user registration forms, informative e-mail forms, electronic payment forms, you certainly need an SSL certificate to protect the exchange of this sensitive data. Furthermore, the search engine Google has openly declared that it rewards, in terms of ranking, sites that will be exposed on the Internet via a secure HTTPS connection.

See SSL for your domain

  1. Select your domain.

  2. Click Menu.

  3. Click Security.

  4. Scroll down to the SSL certificate box.

  5. If you have one or more SSL certificates, expand the certificate box for more details.

How to implement a security certificate

Newly created sites can benefit from SSL/TLS encryption from the start. But even for existing websites, the transition to SSL/TLS is not that complicated. The first step in both cases is the same: obtain an SSL certificate for the relevant domain.

Acquiring SSL certificates

The SSL certificate is a kind of identity card for a website. The Certificate Authority (CA), literally the official body where the certificate is acquired, has previously verified the identity and is responsible for the correctness of the data. SSL certificates are deposited on the server and called up each time the user visits a website migrated to the HTTPS protocol. There are different types of certificates, which differ in the type of identification:

  • SSL Domain Validation (DV) certificate - free and paid.

These are the certificates with the lowest level of authentication. Here, the CA only checks whether the applicant is in possession of the corresponding domain for which it would like to acquire a certificate. The company's information is not checked in the verification, so a residual risk remains with domain validation. Due to less effort for authentication, the certificate is generally issued quickly by the CA and is also the most cost-effective of the three SSL certificate types, often totally free, as in the case of Let's Encrypt.

DV certificates are suitable for websites where trust and credibility play a secondary role and there is no risk of phishing or fraud.

  • Organisation Validated (OV) SSL Certificate - for a fee

This type of verification is more comprehensive and therefore more secure than a domain validation. In addition to the domain owner, the CA also verifies relevant information about the company, such as its registration in the commercial register. The information verified by the CA is visible to the website visitor, which reinforces trust in the website and the company. Due to the more demanding verification process, the Organisation Validated SSL certificate is more expensive than the Domain Validated certificate, but offers a higher degree of security.

This certificate is suitable for websites where no transactions with sensitive data take place.

  • Extended Validation (EV) SSL Certificate - for a fee.

This is the certificate with the highest and most comprehensive level of authentication. Compared to the OV certificate, company information is verified in even greater detail by means of strict allocation criteria. Furthermore, this certificate is only issued by the authorised CA. The detailed verification of the company guarantees the highest level of security and thereby strengthens trust and credibility on the website. At the same time, the Extended Validation certificate entails the highest cost. This certificate is suitable for websites that, for example, deal with credit card information or other sensitive data.

With the following graphic, one can better understand which certificates are valid for certain websites:

How to verify that you have correctly implemented the security certificate

  • Back up

Be sure to back up your local data and database before making any changes. This action gives the possibility, if necessary, to restore an earlier version of the data.

Backups can be restored at any point, either manually or using specific tools in a few clicks.

  • Redirect all URLs via 301 redirect

Once the SSL certificate has been activated and the website is reachable at the https address, all that remains is to redirect every existing http URL to its corresponding new https URL, and not only to the homepage. Use a 301 redirect for this, since it means that the content of the old URLs will be available on the new https URLs in a stable and lasting manner. Avoid other status codes, and make sure the redirect covers both the www variant of your website and the variant without www. In the .htaccess file, you can redirect all URLs using the following command:

URL with www:

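```
RewriteEngine On
# Any request that did not arrive on port 443 gets a permanent (301) redirect
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://www.yourwebsite.com/$1 [R=301,L]
```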


URL without www:

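```
RewriteEngine On
# Same rule, redirecting to the host name without www
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://yourwebsite.com/$1 [R=301,L]
```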


Alternatively, if you use a CMS, you can also use plug-ins. For WordPress, for example, there is the free 'Redirection' plug-in.

  • Replace internal links

Internal links can be changed by searching and replacing them. In static HTML/PHP files, search for http://www.yourwebsite.com/ using an HTML editor, such as Phase5, and replace it with https://www.yourwebsite.com/. If you are using a CMS with a database, you can replace the URLs via the UPDATE command. Ask your provider which table the UPDATE command should be run on. Please also note that in a CMS, not only the internal links in the database must be changed, but also the domain in the configuration files, template files and scripts. In the case of WordPress, this is the wp-config file and the respective Theme files.

  • Replacing the most important external links

Changing particularly important external links (e.g. a link to an information site such as the Daily Fact) ensures that neither visitors nor search engines have to go through the old link before being redirected to the new URL. In fact, in addition to wasting time, a redirect also partially damages the prestige of the website in the eyes of Google's search engine, whose ranking algorithm ends up slightly diminishing its relevance. This is why it is important to ask the respective webmaster to quickly correct the links.

  • Updating already existing redirects

In order to avoid redirect chains, both redirects and canonicals must be modified. The Google bot, for instance, follows up to a certain number of redirects, then gives up. Long redirect chains may thus lead to your pages not being registered in Google's search index. You can detect redirect chains on your website with the paid tool Screaming Frog. Existing redirects should be found in the .htaccess file, directly in the CMS or, for example, directly in the server configuration settings (NGINX, Lighttpd, IIS, etc.).
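The 301 redirect rules and the redirect-chain warning above can be checked together. The following is an added example, not part of the original article: it audits a table of recorded responses for chains, loops, non-301 codes, redirects that never reach https, and deep URLs that collapse to the homepage. The `RESPONSES` table and the `audit` function are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: URL -> (status code, Location header). In a real
# audit this table would be filled from HEAD requests against your own site.
RESPONSES = {
    "http://yourwebsite.com/shop": (301, "http://www.yourwebsite.com/shop"),
    "http://www.yourwebsite.com/shop": (301, "https://www.yourwebsite.com/shop"),
    "http://www.yourwebsite.com/blog": (301, "https://www.yourwebsite.com/blog"),
    "http://www.yourwebsite.com/old": (302, "https://www.yourwebsite.com/new"),
    "http://www.yourwebsite.com/contact": (301, "https://www.yourwebsite.com/"),
    "http://www.yourwebsite.com/cart": (200, None),
    "http://www.yourwebsite.com/a": (301, "http://www.yourwebsite.com/b"),
    "http://www.yourwebsite.com/b": (301, "http://www.yourwebsite.com/a"),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def audit(start, responses=RESPONSES, max_hops=10):
    """Follow redirects from `start`; return (chain, list of problems)."""
    chain, problems, url = [start], [], start
    while len(chain) <= max_hops:
        # URLs missing from the table are treated as final (200) responses.
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_CODES or not location:
            break
        if status != 301:
            problems.append(f"{status} instead of 301 at {url}")
        if location in chain:
            problems.append(f"redirect loop back to {location}")
            return chain, problems
        chain.append(location)
        url = location
    first, last = urlsplit(start), urlsplit(chain[-1])
    if last.scheme != "https":
        problems.append("does not end on https")
    if len(chain) - 1 > 1:
        problems.append(f"chain of {len(chain) - 1} hops, redirect directly")
    if first.path not in ("", "/") and last.path in ("", "/"):
        problems.append("deep URL collapsed to the homepage")
    return chain, problems


if __name__ == "__main__":
    for url in RESPONSES:
        chain, problems = audit(url)
        print(url, "->", chain[-1], "|", "; ".join(problems) or "ok")
```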

  • Modifying canonical, hreflang and other header entries.

In the header section of the website there are all types of call-outs, within which new URLs must be inserted equally. Please pay attention to the following header entries:

  • Canonical

  • Hreflang

  • OpenGraph

  • URL Base

  • Modify structured data

Should you use structured data directly in the source code of your page, e.g. Breadcrumb navigation recognition with JSON-LD, then the URLs contained within these structured data must also be replaced with their https variant.

  • Check/adapt robots.txt if necessary.

To ensure that search engines follow the instructions in your robots.txt on the new https version of your website as well, this file must be adjusted if you use absolute URLs. This is not necessary if you use relative URLs.

  • Modify/update sitemap

The sitemap should also be updated with new URLs to ensure that new URLs are quickly registered in the search index and, again, to protect the Crawl Budget despite the replacement of old URLs. For this reason, it may also be appropriate to submit the new sitemap to the relevant search engines, such as Google or Bing, via their respective search consoles or webmaster tools.

  • Replacing/setting URLs within external tools.

The various tools and services, such as Ranking Checker, Search Console (for which a disavow file must also be reloaded for new https URLs), Adwords, etc., must not and cannot be left out. In most cases, a quick adjustment of the URLs will suffice.

  • Make sure that no resources, either internal or external, are loaded over http.

No unsecured connection should take place on an https page, otherwise a warning message will pop up in the visitor's browser that is not exactly comforting to see. Therefore, you must check whether your own content (e.g. images, CSS files, internal searches, order processes, forms, JavaScript libraries, etc.) as well as external content (advertising, tracking code, etc.) is connected via http. If this is the case, ask the individual providers whether the same content is reachable via https.
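A scanner for the http references described above, as an added example that is not part of the original article. It separates active content (scripts, stylesheets, iframes, form targets) from passive content (images, media), and also reports canonical, hreflang and OpenGraph entries still pointing at http, while ignoring ordinary `<a href>` links, which do not trigger a mixed-content warning. The classification table and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch from or submit to a URL.
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("object", "data"): "active", ("form", "action"): "active",
        ("img", "src"): "passive", ("audio", "src"): "passive",
        ("video", "src"): "passive", ("source", "src"): "passive"}

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each http:// reference left in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            # Stylesheets are loaded; other rel values (canonical,
            # alternate/hreflang, ...) are reported as metadata.
            rel = a.get("rel", "").lower().split()
            kind = "active" if "stylesheet" in rel else "metadata"
            self._check(kind, tag, a.get("href", ""))
        elif tag == "meta" and a.get("property", "").startswith("og:"):
            self._check("metadata", tag, a.get("content", ""))
        for name, value in a.items():
            if (tag, name) in KIND:
                self._check(KIND[(tag, name)], tag, value)

    def _check(self, kind, tag, url):
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, as it might look after a partial migration.
SAMPLE = """<head><link rel="canonical" href="http://www.yourwebsite.com/shop">
<link rel="stylesheet" href="https://www.yourwebsite.com/site.css">
<meta property="og:url" content="http://www.yourwebsite.com/shop">
<script src="http://cdn.example.com/lib.js"></script></head>
<body><img src="http://www.yourwebsite.com/logo.png">
<img src="//cdn.example.com/banner.png">
<a href="http://www.example.org/">external link</a>
<form action="http://www.yourwebsite.com/order" method="post"></form></body>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```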

  • Final SSL check to verify the correct certificate connection and accessibility of pages for both human users and bots.

Once you have completed the conversion to SSL, you should aim to do one last but thorough check. First of all, you can check the SSL certificate connection by means of an Online SSL Check. Log files should also be checked in turn, to establish that the crawler is using the correct URLs. Check your ranking on a daily basis, so that you are able to react promptly to any problems that may arise. Monitor both http URLs still in operation and new https URLs. A deterioration or fluctuation in ranking is a phenomenon that often occurs in connection with such a conversion. Wait a couple of days until the ranking has stabilised again. In addition, it is advisable that you independently review the pages of your website by means of an external tool (e.g. Screaming Frog) and check for errors.

  • Update communication (links within newsletters, order confirmation, digital signature, business cards, etc.)

Updating of all elements where there is a link to the old http site.

Below you can see how unsafe and secure websites are returned by the search engine:
