In December of 2015 Google announced a change to their search ranking algorithms. They are starting to index secure (HTTPS) pages in preference to insecure (HTTP) ones. If you do not provide users with a secure, encrypted connection then your site may rank lower than your competitors. Let’s take a look at some of the simple security best practices you can use to secure your users and your SEO ranking.
Get a Security Certificate
First you will want to set up a security certificate; ideally you'll want a TLS certificate with a 2048-bit key. A security certificate serves two purposes: it authenticates your site to users and encrypts all traffic between your site and your users. Without a security certificate you cannot provide a secure connection, and without a secure connection Google may dock your SEO ranking. Security certificates are available from a large number of certificate authorities. Small, non-commercial sites can get a free certificate from startssl.com.
Serve only Secure Pages
Redirecting users through insecure connections breaks your security and could also affect your ranking. To prevent this, make sure that users are always using and accessing secure pages. Be sure to set up 301 redirects from all insecure URLs to their secure counterparts. If your server supports it, enable HSTS (HTTP Strict Transport Security) headers. Once a secure connection has been made, the HSTS header tells the browser to connect to your site only over HTTPS.
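The redirect and the header described above, sketched as a small Python WSGI middleware. This is an added example, not code from this site; the host name `www.example.com`, the one-year `max-age`, and the names `ForceHTTPS`, `secure_url` and `simulate` are assumptions made for illustration.

```python
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"   # assumed site name (placeholder)
HSTS_VALUE = "max-age=31536000"      # assumed policy lifetime: one year

def secure_url(environ, host=CANONICAL_HOST):
    """Build the HTTPS counterpart of the requested URL on the configured host."""
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""),
                 safe="/;=,", encoding="latin1")
    query = environ.get("QUERY_STRING", "")
    return "https://" + host + (path or "/") + ("?" + query if query else "")

class ForceHTTPS:
    """WSGI middleware: 301 for plain HTTP, HSTS header on HTTPS responses."""

    def __init__(self, app, host=CANONICAL_HOST, hsts=HSTS_VALUE):
        self.app, self.host, self.hsts = app, host, hsts

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # The target uses the configured host, not the client-sent Host
            # header, so the redirect cannot be pointed at another site.
            start_response("301 Moved Permanently",
                           [("Location", secure_url(environ, self.host)),
                            ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers ignore HSTS sent over plain HTTP, so add it only here.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, with_hsts)

def simulate(scheme, path="/", query="", host_header="www.example.com"):
    """Run one constructed request through it; return (status, headers, body)."""
    def site(environ, start_response):            # stand-in for the real site
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host_header,
               "PATH_INFO": path, "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    body = ForceHTTPS(site)(environ, start_response)
    return seen["status"], seen["headers"], b"".join(body)
```

Behind a TLS-terminating proxy, `wsgi.url_scheme` describes the proxy-to-application hop, so the scheme check has to use whatever signal the deployment trusts for the original request.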
Relative & Protocol-Relative URLs
Google also wants to make sure that once a user has a secure connection to your site, they remain secure. For any internal links use relative URLs (‘/some/other/page’). For external links to other sites use protocol-relative URLs (“//someothersite.com”). The browser will then decide what protocol to use. If the page was loaded over a secure connection, the browser will resolve all relative and protocol-relative URLs on it over a secure connection as well.
Will implementing these security practices jump your site to number one on Google? Not likely, but they may give your site that slight nudge it needs over your competitors. But you should not be implementing security best practices just to increase your Google rank. Providing users with secure, encrypted and trusted connections is just the right thing to do.
I do realize the current hypocrisy of this post, as I have yet to put in place all these practices. This is more of a “do as I say, not as I do” (for the time being).