Kind of scary for a site that already ranks well. Should this be done incrementally?

No, not incrementally. You simply do a full redirect in apache for any page lookup on port 80 over to the new IP on port 443, same address. It's like a half dozen lines in apache.

Hypothetically it shouldn't make any difference because you're only changing the protocol used to transmit the page. you're not changing the page address or the content. So it shouldn't impact your rankings unless Google specifically makes it so - and I don't know why they would.

The goal is to rank and make money, not argue with Google.

Pretty much my mantra.

Kind of scary for a site that already ranks well.

Not really, not any more than moving one from www to non-www (or vice versa) and maybe less. I've done tons of those, and a handful of http to https redirects, and as long as you know what you're doing (or find someone who does) and are careful and don't make mistakes (yea I've done that too) it's pretty easy, and I for one have never had a problem that lasted more than a couple weeks. (And that was my fault)

@wheel I disagree it is so simple and cut and dried. Perhaps for a static html site, but there can be several issues.

1. Your Adsense income could crater. See [support.google.com...]

2. Issues with paths and URLs, see this thread [webmasterworld.com...]

3. There will be horror stories:

[productforums.google.com...]

[productforums.google.com...]

P.S. You will need to cut and paste the https URLs in this message as it appears the forum here cannot handle them - yet ;o)

It's actually only 3 lines of code and it's very simple.

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$ [OR]
RewriteCond %{HTTPS} ^off$
RewriteRule .? [example.com%{REQUEST_URI}...] [R=301,L]

Any site that already canonicalizes to www or non-www via mod_rewrite can simply add the [OR] to the right side of the first condition, add the second condition above to check for HTTPS, and add an s to the http on the right side of the rule and it's done.

If they don't already canonicalize, and they have mod_rewrite access then they'd have to add the full ruleset after any other redirects and prior to any internal rewrites.

Kind of scary for a site that already ranks well. Should this be done incrementally?

No, not incrementally.

Question though, is there anything against doing it incrementally? If so, what is the downside to doing it incrementally / upside to doing it all at once?

Question though, is there anything against doing it incrementally? If so, what is the downside to doing it incrementally / upside to doing it all at once?

John Mueller of Google has said that the HTTPS ranking algorithm runs on a "per-URL basis" (unlike Panda or Penguin, so that would suggest that making the change incrementally shouldn't hurt, and there's something to be said for testing the waters before taking a swan dive.

...except moving everything to SSL is, as noted above, about three lines of code. Move incrementally, page at a time, and I guarantee you will 'f' that up. Way too error prone IMO, and I still fail to see the benefit to doing it incrementally, or the drawback to doing it all at once.

As others have, I've done this two ways. One, did it and screwed up everything. Fixed, and was back in in no time. Second way, did it right. No changes or problems with rankings.

I suppose anything can go wrong, but practically and generally, just move the whole site over. If you do it right or hire an expert (as I did), I wouldn't expect any problems.

Move incrementally, page at a time, and I guarantee you will 'f' that up.

Yup, it's way more difficult to "get right" incrementally than it is to "just do it" -- I've been working with mod_rewrite for a decade now and last I checked I still have some posts under a different user-name listed in the Apache library here and I would/will always go with a "blanket switch" when it's my option to make the call, because it's way easier to implement correctly the first time.

---

The first site I "switched over" also switched from extensions to extensionless at the same time and there wasn't even really a "hiccup" in traffic... As new URLs on https with the same content and no extension were found by Google they replaced the original URLs nearly seamlessly, so IME, it's really not that big of deal to make the change.

Note: We actually made the change for visitors well before Google's announcement, but basically a simple change of where the site canonicalized to was all it took -- I should probably also say any other redirects preceding canonicalization should be changed to point to https rather than http to avoid "chained" redirects, but with a find/replace in a text editor that's simple to do in an htaccess, httpd.conf, or even PHP file.

Note 2: Stripping the extension does require a bit more complex code than I posted above to implement, but with the URLs exactly the same, less the .ext, along with the move to https, there doesn't seem to have been any noticeable difference in traffic level -- Both the switch in canonicalization to https and the switch to extensionless URLs don't seem to have made a difference in traffic level, but in the situation I'm referring to, both seemed to be good adjustments for visitors in how we handle things and the level of "professionalism" we presented to them onsite, so I think it was a good move.

...except moving everything to SSL is, as noted above, about three lines of code. Move incrementally, page at a time, and I guarantee you will 'f' that up.

Depending on your setup, hosting, etc., there may be other possibilities between the extremes of "all at once" and "one page at a time."

Not technically -- People should really know more about the technical side of things before they reply or spread FUD that will likely be read by a number of people, imo, because as far as I'm concerned, when someone really, obviously doesn't have a clue about what they're posting or how to do things and subsequently leads others astray it's is far from cool, right, or helpful.

There's no opinion involved in what I posted to change things over from http to https. It's fact, definitive, accurate. Period.

I have a client that has eCom site. Products are http, but the shopping part is https. The site has security certificate in the footer which, when clicked, shows a valid certificate.

I am wondering how is this seen by Google - do they treat the site http or https? Or do they do it on URL by URL basis?

I have several ecommerce sites that are https only for the cart, and Google seems to treat it by URL, but it's hard to know for sure.

Nowadays, for a new site, I'd just start off with the whole site as https (and yes, I'd definitely advocate moving them all over at once)

Just think of it like ripping off a bandaid (ork ork)

URL by URL it seems, this might be of help:
[seroundtable.com...]

Can anyone think of any concerns I should have with migrating a penguin-affected site to HTTPS?

Does this mean that SPDY works for Apache 2.4 now?
[github.com...]

No one here picked up on my comment on the risks at this time of doing the HTTPS swan dive, in a previous post in this thread:

1. Your Adsense income could crater. See [support.google.com...]

Barry Schwartz has commented on this today, saying some publishers' income fell by as much as 35% since changing over to https.

"So I was all excited migrating over this site to SSL and my corporate site but despite very little ranking changes, both negative or positive thus far, AdSense earnings seem to have taken a hit somewhat."

[seroundtable.com...]

You my need to cut and paste the HTTPS urls as WebmasterWorld appears not able to be able to connect to https websites.

Well I guess I understand how that happens. Next step will probably be for AdWords to start pushing the advertisers into SSL, then.

@mromero; well pointed out. It seems that Google are quite clear about it:

please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.

So yep, sites carrying adsense need to think twice about the shift.

Well I guess I understand how that happens. Next step will probably be for AdWords to start pushing the advertisers into SSL, then.

So more and more advertises go SSL, more availability means prices drop even further, publishers switch back to HTTP ..........

What a complex world we live in.

I do not like how SSL sites are presented in Google search results at all. I think they don't help build a brand. For example compare:

[example.com...] (this is what appears when website uses SSL)

vs.

example.com/ OR www.example.com/

It would be better to add maybe a small padlock or something so that the https:// part is removed and doesn't confuse visitors (it's enough that some of them are confused with the 'www.' part already). Now user has to read the extra 'https://' to read your brand name (ie. domain name).

...except moving everything to SSL is, as noted above, about three lines of code. Move incrementally, page at a time, and I guarantee you will 'f' that up. Way too error prone IMO, and I still fail to see the benefit to doing it incrementally, or the drawback to doing it all at once.

First off it's not three lines of code but that's not the real problem. It's more to do with the philosophy behind testing a change.

If I change ten URLs to SSL as a test and it doesn't work as expected then I can revert back and think again, no real damage done. And I can let the change "settle down" without major financial impact to really test the effect of the change. If it does work I might be tempted to revert back those ten URLs and then make a site wide change.

A quick glance at this forum, other forums and even Gs own documentation indicates to me that a change to SSL may suit some sites but be disastrous for others. I want to know which result will apply to my site before I make a site wide change.

The way I interpret what I've read here and elsewhere, there are a large number of factors (many of which I don't yet understand) which can effect a change to SSL.

I'm talking from the point of view of someone who runs two Adsense ads on almost all pages I publish. My site sells nothing and the only sensitive data it collects is general location (not address) and email address, both entirely optional.

Maybe commerce sites and informational sites should be treated differently as far as SSL is concerned and it's not a case of one solution fits all. The same might apply to sites that do or don't run Adsense?

First off it's not three lines of code but that's not the real problem.

Depending on how you have your site setup it really is. As JD pointed out above if you are doing non-www to www or vice versa (as everyone should) then you can do this easily. All of my sites, off the top of my head, would be fine doing exactly as he stated... in my case adding an OR and an s to my existing code.

If I change ten URLs to SSL as a test and it doesn't work as expected then I can revert back and think again, no real damage done. And I can let the change "settle down" without major financial impact to really test the effect of the change. If it does work I might be tempted to revert back those ten URLs and then make a site wide change.

Unless you understand what you are doing with these 'test' pages then I would not recommend this. You could easily end up with some dupe content issues, wrong links, etc if this is not done properly. It would be MUCH easier to do everything OR nothing assuming your structure and linking in the site is the same throughout. Again, in my case I use relative links everywhere... if I wanted to make a switch to all https all I need to do is change two lines of code in my htaccess file after the cert is setup for the domain. There may be a few php/js files which use full urls but that is simply a replace all of http/https.

It would be better to add maybe a small padlock or something so that the https:// part is removed and doesn't confuse visitors (it's enough that some of them are confused with the 'www.' part already). Now user has to read the extra 'https://' to read your brand name (ie. domain name).

That might happen at some point, but maybe they're waiting to see how implementation goes. Or not. Google doesn't care very much about how brands are represented; all AdWords display URLS are required to have www, even on domains that are non-www. I'm still pissed about that one.

please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.

That's an opportunity if you think about it.

I'm trying to move one website to https and I've noticed browser warning about blocked mixed content: an external javascript and few images loaded from a non-https CDN.

Assuming https is (or will be) a ranking signal, do you think this warning could be a problem with rankings?

Short answer, fix it so everything is being pulled from https.

Whether or not it's a problem with rankings, it's not something you want your users to see, so like wheel says, fix it.

please be aware that because we remove non-SSL compliant ads from the auction, thereby reducing auction pressure, ads on your HTTPS pages might earn less than those on your HTTP pages.

If i understand this, it means that switching to https would probably reduce earnings for sites which get all of their income from Adsense. So for people who have a purely informational static html site, in most cases wouldn't this reduction in Adsense earnings more than offset any potential gains from the supposed ranking improvement that Google has announced for sites that do make the switch? In other words, for this type of site, wouldn't you be better off not to make the switch, especially since there's no other reason to do so anyway.

In other words, for this type of site, wouldn't you be better off not to make the switch, especially since there's no other reason to do so anyway.

Yet another reason I'm not jumping into it right now.

There may be a few php/js files which use full urls but that is simply a replace all of http/https.

Already the three lines of code are ballooning. I was in the computer software testing business for 15 years and nothing struck more fear in me than a programmer saying "it's only a one line change .....".

In other words, for this type of site, wouldn't you be better off not to make the switch, especially since there's no other reason to do so anyway.

Absolutely right at this point in time. Don't get fooled into thinking that coding is the only thing that needs to be considered. There's a whole pile more than that to consider. Wait, watch and read lots, before taking the plunge.

so out of the traps we come and then G says perhaps they're not ready in adsense and neither in webmaster tools...

this is another case of not wanting to be first at the waterhole only to discover it's cyanide in there, not water.

won't even consider this till Christmas when I've trawled through all the "omg, site visits down 74% since https switch" threads on here. I already do non-www to www in my htaccess so when I do take the plunge, it's a two minute job.

Just not yet....