
HTTPS and SSL for SEO. The baseline you cannot afford to skip in 2026.

HTTPS has been a Google ranking signal since 2014. Most Australian sites are on it now. The ones that are not, or that bodged the migration, are quietly losing rankings every month. Here is the honest version.

What HTTPS actually is

HTTPS is the secure version of the HTTP protocol that browsers use to fetch web pages. The "S" stands for "Secure" and refers to an encryption layer that sits underneath HTTP. The user's browser and your server exchange a cryptographic handshake, agree on encryption keys, and then send the actual page data inside an encrypted tunnel that intermediaries (your ISP, the WiFi network, anyone snooping) cannot read.

The encryption is provided by a digital certificate issued to your domain by a Certificate Authority. The certificate proves to the browser that the server it is talking to actually owns the domain name in the URL. If the certificate is missing, expired or mismatched, the browser shows a warning page that scares almost every visitor away.

Two terminology notes. The original encryption protocol was called SSL (Secure Sockets Layer). It was replaced years ago by TLS (Transport Layer Security), but the name "SSL" stuck so deeply that we still say "SSL certificate" when we mean TLS certificate. For SEO purposes the difference does not matter. When people say "install an SSL", they mean install a TLS certificate that enables HTTPS.

Why HTTPS still matters in 2026

Five reasons it still matters, even though the migration era is mostly behind us.

One. Google confirmed HTTPS as a ranking signal in 2014. They have never walked it back. The signal is small (Google describes it as a tiebreaker) but it is real and it compounds across thousands of queries.

Two. Browsers now actively flag HTTP pages as "Not Secure" in the address bar. Chrome shows a warning. Safari shows a warning. Firefox shows a warning. Visitors see "Not Secure" next to your URL and the bounce rate climbs. The conversion rate damage is larger than the ranking damage.

Three. Many modern web features only work over HTTPS. Service workers, the Geolocation API, push notifications, payment integrations, modern authentication flows. If your site needs any of these and you are still on HTTP, the features simply do not work.

Four. AI engines and other crawlers preferentially fetch HTTPS URLs when both versions exist. Mixing HTTPS and HTTP in your indexed URL set creates duplicate-content questions that should not need answering.

Five. Certificate Authorities and browsers are deprecating old cipher suites and TLS versions on regular cadences. A site set up with TLS 1.0 in 2017 may start being flagged as insecure in 2026 even if it currently works. Ongoing maintenance, not just initial setup, matters.

100% of competitive Australian SERPs now have HTTPS-only top 10 results for commercial queries. HTTP is no longer competitive at the high end. It is barely competitive anywhere.

How to migrate from HTTP to HTTPS without losing rankings

The standard migration playbook. Twelve steps, mostly mechanical.

  1. Pick a certificate. Let's Encrypt (free, auto-renewing, supported by most hosts) is the default. Cloudflare's free tier includes a free certificate too. Paid options exist for organisations that need extended validation or wildcards.
  2. Install the certificate. Most hosts have a one-click setup. The certificate has to cover every variant of your domain you intend to serve (www, root, subdomains).
  3. Test the certificate. Run an SSL Labs test (free). Aim for an A or A+ rating. Fix any cipher suite warnings or chain-of-trust issues before going live.
  4. Update site config to serve HTTPS. Force HTTPS by default. Configure HSTS (HTTP Strict Transport Security) so browsers will not even attempt HTTP after the first visit.
  5. 301 redirect every HTTP URL to its HTTPS twin. Catch-all rules are fine here because the mapping is one-to-one: http://example.com/anything redirects to https://example.com/anything.
  6. Update internal links. Find-and-replace every internal link in your database from http://yourdomain to https://yourdomain. Do not leave them as 301 hops.
  7. Update canonical tags. Every <link rel="canonical"> on the site has to use HTTPS. The chapter on canonical tags covers the patterns.
  8. Update XML sitemap. Regenerate the sitemap with HTTPS URLs throughout. The chapter on XML sitemaps covers what belongs in it.
  9. Update robots.txt. The sitemap declaration inside robots.txt has to use HTTPS.
  10. Verify the new HTTPS property in Search Console. The HTTPS site is technically a separate property. Verify it, submit the new sitemap, and watch for crawl errors.
  11. Update structured data. Any URLs hard-coded inside schema markup need updating.
  12. Audit for mixed content. Run a Screaming Frog crawl after the migration. Look for any resources (images, scripts, stylesheets, iframes) that still load over HTTP. Each is a mixed-content warning waiting to happen.

Most of these are one-time changes. Done properly, the rankings recover fully inside four to six weeks. Done badly (no redirects, half the internal links missed, sitemap not updated), the recovery drags on for months and some pages never come back.

Mixed content and other gotchas

Mixed content is the most common post-migration problem. The page is served over HTTPS but pulls in resources (a hero image, a third-party script, an old YouTube embed) over plain HTTP. Modern browsers block the insecure resources outright or display a warning that erodes trust. For SEO it matters because blocked scripts can break the JavaScript that loads your content. The fix is updating every resource URL on the page to HTTPS, or using protocol-relative URLs (//example.com/image.jpg) that inherit the protocol from the page.
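A post-migration check for steps 6, 7 and 12 and for the mixed-content problem described above, as an added example that is not part of the original article: it scans one page's HTML for leftover http:// references. The host example.com and the sample markup are constructed; scripts, iframes and stylesheets are grouped as "active" and images and media as "passive", the usual mixed-content split.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page for the assumed site host example.com.
SAMPLE = """<head>
<link rel="canonical" href="http://example.com/services/">
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="http://example.com/hero.jpg"><img src="//example.com/logo.png">
<a href="http://example.com/contact/">Contact</a>
<a href="http://other.example.org/">Partner</a>
</body>"""

ACTIVE = {"script": "src", "iframe": "src"}  # plus <link rel="stylesheet">
PASSIVE = {"img": "src", "video": "src", "audio": "src", "source": "src"}

class HttpLeftoverAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = {"active": [], "passive": [], "internal_link": [], "canonical": []}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self._check("active", a.get("href"))
            elif "canonical" in rel:
                self._check("canonical", a.get("href"))
        elif tag in ACTIVE:
            self._check("active", a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", a.get(PASSIVE[tag]))
        elif tag == "a" and urlsplit(a.get("href") or "").hostname == self.site_host:
            # Only links to our own host are ours to fix; external ones are skipped.
            self._check("internal_link", a.get("href"))

    def _check(self, kind, url):
        # https and protocol-relative (//host/path) URLs have no "http" scheme and pass.
        if url and urlsplit(url.strip()).scheme == "http":
            self.findings[kind].append(url.strip())

def audit(html, site_host):
    parser = HttpLeftoverAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Calling `audit(SAMPLE, "example.com")` reports the HTTP canonical, the HTTP script, the HTTP hero image and the one internal link that would otherwise go through a 301 hop.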

Three other gotchas worth knowing.

Certificate expiry. Certificates do not last forever. Let's Encrypt certificates last 90 days and renew automatically if configured. Paid certificates often last 12 months and require manual renewal. Set up monitoring so you do not find out the certificate expired by reading customer emails about scary browser warnings.
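One way to build the expiry monitoring described above, as an added example that is not part of the original article. The 30-day threshold comes from the checklist further down the page; the status labels and function names are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = 30  # alert window suggested in the article's checklist

def days_remaining(not_after, now):
    """not_after is the string Python's ssl module reports, e.g. 'Jan 21 00:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def expiry_status(not_after, now, alert_days=ALERT_DAYS):
    left = days_remaining(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left <= alert_days:
        return "RENEW"
    return "OK"

def check_host(host, now=None, port=443, timeout=5.0):
    """Live probe: connect, validate the chain and hostname, then grade the expiry date."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired or mismatched certificate fails the handshake itself,
        # so the monitor has to treat this exception as an alert, not as a crash.
        return f"INVALID ({exc.verify_message})"

if __name__ == "__main__":
    # Constructed dates, graded offline against a fixed "today".
    today = datetime(2026, 1, 1, tzinfo=timezone.utc)
    for stamp in ("Mar  2 00:00:00 2026 GMT", "Jan 21 00:00:00 2026 GMT", "Dec 25 12:00:00 2025 GMT"):
        print(stamp, "->", expiry_status(stamp, today))
```

Run `check_host` from a scheduler and send anything other than "OK" to whoever owns the certificate.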

Outdated TLS versions. TLS 1.0 and 1.1 are deprecated. TLS 1.2 is the current baseline and TLS 1.3 is the modern choice. If your server still negotiates the old versions, modern browsers will eventually refuse the connection. Disable TLS 1.0 and 1.1 in your server config.

HSTS preload mistakes. HSTS tells browsers to use HTTPS forever for your domain. Submitting your domain to the HSTS preload list is even stronger: browsers ship with your domain in their preload list and will not even attempt HTTP. Useful, but not quickly reversible. If you preload and later need to roll back HTTPS, browsers still refuse HTTP for months. Preload only when you are absolutely committed.
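A check that tells you which stage a Strict-Transport-Security header puts you in, as an added example that is not part of the original article. The preload criteria used here (max-age of at least one year, includeSubDomains, and the preload directive) are the ones published by the preload list at hstspreload.org; treat the threshold as an assumption and re-check it before relying on it. The stage names are made up for illustration.

```python
PRELOAD_MIN_AGE = 31536000  # one year in seconds (assumed preload-list minimum)

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')
            policy["max_age"] = int(value) if value.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_stage(header):
    if not header:
        return "no-hsts"
    p = parse_hsts(header)
    if p["max_age"] is None:
        return "invalid"            # max-age is mandatory; browsers ignore the header
    if p["max_age"] == 0:
        return "hsts-cleared"       # max-age=0 tells browsers to forget the policy
    if p["preload"] and p["include_subdomains"] and p["max_age"] >= PRELOAD_MIN_AGE:
        return "preload-ready"      # meets the submission criteria: the hard-to-undo stage
    if p["preload"]:
        return "preload-flag-only"  # directive copied into config without the rest
    return "hsts"

if __name__ == "__main__":
    # Constructed header values, from a cautious rollout through to preload.
    for h in ("max-age=300", "max-age=31536000; includeSubDomains",
              "max-age=63072000; includeSubDomains; preload"):
        print(f"{h!r:50} -> {hsts_stage(h)}")
```

A header that already grades as "preload-ready" on a site that has not decided to preload usually means the directive was copied from a sample config.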

Common mistakes

Do
  • Use Let's Encrypt or your host's free certificate unless you have a specific reason not to.
  • 301 every HTTP URL to its HTTPS twin during migration.
  • Update internal links, canonical tags, sitemap and structured data after the migration.
  • Run an SSL Labs test quarterly to catch creeping cipher issues.
  • Monitor certificate expiry. Set up an alert that triggers 30 days before expiry.
Do not
  • Leave HTTP URLs working alongside HTTPS without redirects. Duplicate content waiting to happen.
  • Forget to update internal links. Every HTTP-to-HTTPS hop costs crawl budget and a small amount of authority.
  • Pay for a certificate when a free one would do the same job.
  • Submit to HSTS preload before you are confident the migration is stable.
  • Skip the mixed-content audit. It is the most common post-migration regression.

Tools and checklists

  1. SSL Labs Test. Free. Paste in a URL and it returns a full certificate and cipher audit. The reference tool.
  2. Why No Padlock. Free. Diagnoses mixed-content issues that prevent the secure padlock from showing.
  3. Screaming Frog. Free up to 500 URLs. Crawls and flags mixed-content resources, HTTP internal links, and HTTPS redirect chains.
  4. Search Console Coverage. Watches for crawl errors during and after migration. The HTTPS property needs to be verified separately from the HTTP one.
  5. Our free SEO audit tool. Surfaces HTTPS and certificate issues alongside the broader audit. Run a free audit.

For sites where the migration is a meaningful project (large catalogues, multiple subdomains, legacy infrastructure), the website audit service covers pre-migration audits and the SEO retainer handles the ongoing monitoring.

Perth and WA context

Most Perth and WA businesses are now on HTTPS. The two patterns we still see often.

The half-migrated site. A business that flipped to HTTPS three or four years ago but never went through and updated internal links. Every internal click goes through a 301 hop. Page speed is slower than it should be, crawl budget is wasted, and Search Console occasionally surfaces the HTTP URLs as "Page with redirect". The fix is a database find-and-replace plus a fresh sitemap regeneration. A morning's work for a developer who knows what they are doing.

The legacy CMS holdout. A small Perth business running an older custom CMS or hosting setup that never made the HTTPS move. The owner has been told for years to migrate. The site still works but every visitor sees "Not Secure" in the address bar. The fix is straightforward: install a Let's Encrypt certificate via the host, configure redirects, update links. The blocker is usually finding someone with the host login credentials. We have seen this on Bunbury, Busselton and Esperance sites still on legacy hosts. The trades industry pattern overlaps here too.

One pattern across both. HTTPS is not a hard project anymore. It is a project that needs an owner. The reason it has not happened is usually that nobody internal has been told it is their job.

Frequently asked

Is HTTPS still a Google ranking factor in 2026?
Yes. Google confirmed HTTPS as a lightweight ranking signal in 2014 and has never walked it back. In practice the signal is small but the second-order effects are large: browsers warn users about non-HTTPS sites, conversion rates drop, mixed-content issues block resources. HTTPS is now baseline.

What is the difference between HTTPS and SSL?
HTTPS is the protocol. SSL was the encryption layer underneath it. Modern HTTPS actually uses TLS, the successor to SSL, but the term SSL stuck. When someone says SSL certificate they almost always mean TLS certificate. For SEO purposes the distinction does not matter.

How do I migrate from HTTP to HTTPS without losing rankings?
Install the certificate, set up 301 redirects from every HTTP URL to its HTTPS equivalent, update internal links to use HTTPS, update canonical tags, resubmit the sitemap in Search Console, and verify the HTTPS property in Search Console. The migration is one of the most tested in SEO and rankings recover within four to six weeks if the redirects are clean.

What is mixed content and why does it matter?
Mixed content is when an HTTPS page loads resources (images, scripts, stylesheets) over plain HTTP. Browsers block the resources or warn users. For SEO it affects rendering: blocked scripts may break the JavaScript that loads your content. Fix by updating every resource URL on the page to HTTPS.

Do I need a paid SSL certificate?
For most Perth businesses, no. Free certificates from Let's Encrypt, Cloudflare or your hosting provider are technically identical to paid certificates. Paid options add things like wildcard support and warranty but Google does not treat them differently for ranking purposes.