The truth about SSL and SEO

47 thoughts on “The truth about SSL and SEO”

  1. My site currently uses a Let’s Encrypt free SSL certificate. I’m not sure if it’s dissuaded anyone from visiting my site as I’ve yet to hear about it being a non-trusted site.

    However, regardless of SSL or how secure a blog is, I agree with you that content is key and should be the main focus when trying to grow a site.

  2. That was quite an explanation. It hasn’t been something that I spent too much time thinking about before reading this post, but knowledge is power. I’m sure I’ll be hearing and reading more about it in the future, and I’m glad you laid out a trusted assessment! Thanks for this.

    Mrs. Mad Money Monster

  3. I only can think of one place on a typical blog I might place SSL, the admins login page. That’s about keeping a hacker from sniffing your user name and password when you the owner login to WordPress. I don’t think that risk is worth the five dollars a month or so for a certificate though. There are after all easier ways for hackers to get in then sniffing the admin password.

    1. Yeah, the admin page does require the username and password, but I agree, there are other ways that hackers typically use to gain access to the admin console or the database itself!

  4. Very informative post, Steve! You and I have already talked outside of your site, but I think you pretty much nailed it. I switched my site over a number of months ago, but that’s because I had nothing to really lose at the time since my site’s still relatively new. In other words, if it affected Adsense, I really didn’t notice.

    Personally, I do think that eventually the Internet will be all SSL. The reason for it’s importance being the encryption and the ability to keep “conversations” between clients and servers from being snooped. This is obviously most important for forms or any place where private data is going to be transmitted. Although this usually isn’t something bloggers need to worry about as much as financial institutions, for instance, I still think it’s going to grow and become the de facto over time.

    However, I don’t know how long that time will be. I would imagine that we’ll start to see more web host providers making this available through projects like Let’s Encrypt and possibly starting to make SSL the default over time.

    But you made probably the most important point that a lot of people probably don’t understand – setting up SSL does basically nothing to protect your site from being hacked. That’s the big thing that people need to understand.

    Great post!

    — Jim

    1. I think you might be right, Jim – but, my feeling is encryption will eventually be a “built-in” kind of thing, where the need for SSL certs will be a thing of the past. Meaning, if an encrypted means of communication is THAT important, there probably won’t be a way for people to simply “opt-out”.

      I’m looking forward to the day where SSL certs are “soooooooo last decade”. 🙂

      1. SSL/TLS is already transparent from the client-side; however, for it to be transparent from the bloggers perspective, web hosts will need to supply them by default.

        SSL/TLS certificates provide two main components: identity and encryption. A certificate’s digital signature verifies that the website you are visiting is what you asked for. After your browser verifies the website’s identify, it then contains enough information to create an encrypted session, usually using RSA (sometimes Diffie-Hellman which is actually more secure).

        This type of system will most likely ever go away. We’ll have to deal with certificates for a long time. Honesty, they aren’t particularly complicated, just something you pay for to look more legitimate. As more sites use encryption, the need to use it on yours will also increase, regardless of the static or dynamic content your website displays, and the impact to SEO or AdSense revenue

        1. Thanks for your thoughts – we will see how things trend out. I’m not all that convinced yet that SSL is the wave of the future, but hey, you never know…and I have been wrong before.

  5. Thank you for this! It’s on my long list of blog to-dos. I hadn’t done much research, just read here and there that ssl is recommended for SEO, but after reading this, I’m going to mark it off the list until there’s more conclusive evidence. Thanks again!

  6. Thank you for making this important and not obvious to most people point: SSL does nothing to protect the data at rest of your website. Before you think about SSL you should have your backup and restore story nailed. That is much more likely to be of use to your blog. The idea of encrypting blog pages and comments is just seems silly.

  7. THANK YOU for addressing this. I, too, got swept away in the panic once the announcement came out. Luckily SEO is part of my day job so I quickly realized it’s kiiiiinda BS.

    At the end of the day, you shouldn’t aim to “trick” search engines with tick-marked to-dos like adding an SSL. It’s about the actual user experience and your content.

    I completely agree: unless your blog contains sensitive information (like a payment portal), you don’t need an SSL. Don’t waste your money trying to play Google’s games. <3

  8. This was a very nice write up. I had seen the SSL notification but hadn’t researched it fully. That is a shame about the adsense revenue fluctuations. Hopefully that gets straightened out if it hasn’t already. Thanks for the great read!

    1. You’re welcome! It is possible that the AdSense is no longer an issue, but I’m not sure. If it IS still an issue, then I’d think anyone who monetizes their site with AdSense would be hard-pressed to go the SSL route.

  9. Steve,

    This is a great article on SSL and SEO. Being new to blogging world, SEO, Adsense, etc., are all concepts I am currently learning about. I had zero idea about SSL affecting those. Thank you very much for doing that research.

    I presume you would agree with me that being vigilant of phishing attacks and strong passwords are exponentially more important to cyber security than SSL. More often than not, most sites that get hacked are due to user error and/or deceptive tactics used by the attacker.

    Unfortunately, social engineers like to prey on the uninformed and utilize the human weakness of wanting to trust others to access important information rather than traditional “hacking” techniques.

    Strong, unique passwords (passphrases preferably) and education of scamming/phishing techniques, to me, are more vital than any other cyber security tools.

    All the security in the world does not matter if the bad guys have a key to the front door.

    1. Very true, IH! Security really does start with us. The foundation is important to master before we begin looking into enhancements to that foundation.

  10. Thx for sharing your opinion. Just today at work I insisted that our new public site would be a SSL one… Needed? Maybe not.

    As the overall offering contains transfers of personal data, we need it at some point t anyway.

    For my blog, I go with whatever WordPress will do. As you said, blogs In general do not transfer sensitive data and security is so much more

    1. In the end, I think we all need to do what’s best for our individual web sites. Nothing wrong with going the SSL route – even if it doesn’t *need* SSL – especially for a company with lots of resources. 🙂

  11. This is great Steve! I use SSL on my blog because I was able to get it set up for free through cloudflare. I’m also hosting an app with login credentials and logging your financial transactions though, so SSL actually makes sense for me. For the rest of the blogosphere though, you just saved a whole bunch of money and headaches!

    1. I’ve read about that, but truthfully, that doesn’t bother me. The majority of users won’t know what that means anyway, just less care whether or not a blog is “secure”. The large majority of the time, users aren’t logging in to our blogs anyway, so most users probably won’t even notice. 🙂

  12. Great blog, but I think you are off the mark on this one. It’s fine if you decide not do get a certificate yourself, but to proclaim that its not important for most blogs is taking it a bit far.

    – As others have mentioned there are plenty of free ways to get certificates like letsencrypt and cloudflare. Even if you were to buy it they can easily be obtained starting at about $9 (, so claiming $60 is the going rate is not accurate. Price is really not a concern here, the main obstacle is probably getting it configured depending on your hosting setup can be a range of complexity from point and click, to chatting with hosting support.
    – Not having ssl on the admin page of your blog is definitely a security risk for intercepting your admin login info
    – SSL helps verify the identify of your site and prevents random scripts from getting injected into it
    – You do collect peoples email address and you also have a search function on your site, so those are two pieces of personal info that are common to many blogs and can be intercepted when you’re not using https

    Claiming that https doesn’t prevent hacking is true, but proponents of https aren’t suggesting it does that either so I think it’s a decision that requires much more consideration than is being suggested here.

    1. Appreciate your thoughts, Dan! When a web site doesn’t encrypt communication, a lot of things are “possible”. I think it’s up to us, as bloggers, to determine whether or not those things are worth the risk or not. Nice insight!

  13. Just one further point 😀

    “One common misconception about HTTPS is that the only websites that need HTTPS are those that handle sensitive communications. Every unprotected HTTP request can potentially reveal information about the behaviors and identities of your users. Although a single visit to one of your unprotected websites may seem benign, some intruders look at the aggregate browsing activities of your users to make inferences about their behaviors and intentions, and to de-anonymize their identities. For example, employees might inadvertently disclose sensitive health conditions to their employers just by reading unprotected medical articles.”

    1. Hey Ravi – check out this article:

      Basically, I’ve seen very little impact, but I wanted to test it just to make sure. I was curious enough after reading so many negative reports on the switch that I wanted to experience it for myself. In my experience, switching over to HTTPS/SSL was actually quite simple because my web hosting provider supports Let’s Encrypt. A flick of a button, and a small change to the .htaccess file, was all that was needed. But, I haven’t personally noticed much difference in terms of SEO – at least yet.

Leave a Reply