2017 was a year of webmasters finally making the migration from an insecure HTTP site to a secure HTTPS site. A primary impetus was Google’s continued push for security, along with all of the large-scale hackings that took place throughout the year. Of course, SSL has been a search ranking factor since 2014, albeit a minor one.
It was also a year of website owners seeing ranking drops or no change at all, deciding that the issues they had with SSL weren’t worth it, and reverting the changes. In my mind that’s a mistake – and in fact, some of my sites saw a ranking boost switching to SSL – but I get that every site is different.
Reasons You Might Want to Revert
There are a lot of different reasons why you might want to revert the change from HTTP to HTTPS. Let’s talk about them for a moment. I bet at least a few of you are jumping the gun, or at least making a hasty decision.
#1: My rankings dropped! This is certainly a concern, particularly when the entire reason you’re making the change in the first place is that Google says it’s a ranking factor. Thus, your rankings should increase, right?
Well, experienced SEOs know that there’s a bit of a dance whenever you make a major change to your site. Google takes some time to crawl and analyze the new version of the site versus the old. During that time, rankings can decrease temporarily. This is particularly true of SSL; you’re changing your URLs, and that’s a big issue with Google.
Now, generally, you’ll see a bit of a drop in rankings for a few days or weeks after switching to SSL, after which Google will recognize the change for what it was and will stabilize. Generally, you will stabilize at or above where you were before. The only possible cause of a more lingering issue is a misconfiguration. If you have both HTTP and HTTPS versions of your page, it can trigger duplicate content issues. If your SSL is broken and is warning users about an insecure page, you can be penalized.
#2: I haven’t seen any improvement in rankings. This one is really tough to argue against. The fact is, some sites simply will see no difference in switching to SSL.
If you think of all of the search ranking factors as having point values, I can give you an analogy. Imagine for a moment that having good meta descriptions is a +20 point modifier. Keyword stuffing is a -20 point modifier. Duplicate content hits you for -100 until you fix it. High quality content published regularly adds +5 for every new post. You get the idea.
In this kind of scenario, switching your entire site to SSL will give you something like a +1 point bonus across the board. That’s a bonus! It makes your number go up! But if the difference between your site and the site above you in the search rankings is 50 points, switching to SSL isn’t going to make a difference.
In fact, switching to SSL is such a minor search ranking factor right now that all it really does is push you ahead of a hypothetical identical site. It gives Google more trust in your site, it gives you the benefit of the doubt if someone scrapes your content, and that kind of thing. They’re intangible effects that you can’t necessarily measure with your analytics.
It can be frustrating to endure the Google dance and the temporarily depressed rankings only to find you settle back exactly where you were. It seems like a lot of effort for nothing.
I agree with you, I really do. The thing is, is it really better to remove SSL and go through that all again, or just leave it? Google promises that over time, SSL will be more and more important. We’ve already seen the importance of security increasing over the last few years. It’s just smarter to take the minor boost in SEO now, with the promise of more boosts later, than to take away the chance at that boost because of the work involved.
#3: I’m having issues embedding cross-site content. This is perhaps one of the few actually legitimate issues with SSL that I’ve encountered. A full site on SSL will throw a fit if you’re trying to embed content in an iframe, Flash window, or from a CDN that is not itself secure. Embedding insecure media will throw an error and the user will never see it.
There are, however, ways to fix the issue. Rather than removing SSL, why not actually figure out what the problem is and fix it? If you’re operating a CDN, you can switch that CDN to SSL itself. In fact, any source of embedded content you control, you can switch to SSL. You might have to dig into the documentation or consult a service provider to help you, but it’s possible.
For everything else, you have three options. First of all, you can just wait. More and more sites are adopting SSL, and sooner or later the source you want to use will switch. Of course, that doesn’t help you in the here and now. The second option, then, is to find an alternative source for that content. Maybe someone else has rehosted it somewhere. You can find and use that source instead.
Another option is to use a plugin to solve most of the issues for you. Something like SSL Insecure Content Fixer will fix most of your data sources, and can help you troubleshoot the rest.
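To see exactly which embeds are the problem, here is an added example that is not from the original post: a Python script that lists the resources an HTTPS page would still request over plain HTTP (mixed content). The sample page and its example.com / example.net hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Insecure loads of these are blocked outright on an HTTPS page ("active"
# mixed content); images, audio and video are "passive" mixed content.
ACTIVE = {"script", "iframe", "object", "embed", "link"}
PASSIVE = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return  # <a href> is navigation, not an embedded resource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in ("src", "data", "href"):
            # Relative and protocol-relative (//host/x) URLs inherit https.
            url = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if attrs.get(name) and urlsplit(url).scheme == "http":
                kind = "active" if tag in ACTIVE else "passive"
                self.findings.append((self.getpos()[0], tag, kind, url))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (hypothetical hosts), not taken from a real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<a href="http://example.org/">plain link</a>
<img src="http://img.example.net/logo.png">
<iframe src="http://video.example.net/embed/1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in scan("https://www.example.com/post", SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```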
#4: SSL is expensive for little value for my site. This issue is another where patience can help. Yes, SSL is expensive, though it doesn’t always have to be. If your question is about the value of that expense, you have to consider the trust that both users and Google give you. You have to consider the purchases made that wouldn’t otherwise be made, the reputation you gain, and the growing value of SSL for SEO in the coming years. I wouldn’t be surprised if SSL becomes increasingly important throughout the next five years.
Before You Begin
If you’ve decided that, despite all of the above, you still want to migrate back to HTTP and remove SSL from your site, you can. I won’t stop you. I don’t even know who you are while I’m writing this. Just be careful when you do it. There are a lot of potential issues you can run into.
First, just like you had a ranking shuffle when you implemented SSL, you’ll have one when you remove it. You’re doing the same thing again, after all, but in the opposite direction. Plus, this time you’re removing a (minor) positive ranking signal. The loss might be more visible to your ranking than the gain had been, particularly if your competition is also implementing SSL at the same time.
Second, make sure that you don’t remove SSL from parts of your site that need it. I understand that an informational blog doesn’t always need SSL, but you still want it for any membership portal, and it’s required for any purchase page. Some elements always need to be secure regardless.
Third, if you have no further need of an SSL certificate, make sure you actually cancel the certificate. There’s no sense in paying for it if you’re not using it, right?
The Easy Option
If you have a WordPress site, you have an easy option for reverting away from an SSL site. That easy way is Force Non-SSL, the plugin.
In order to use this plugin, you first need to prepare your site. Go through your existing plugins and make sure that if any of them are implementing or requiring SSL themselves, you disable and remove them. Make sure this doesn’t break anything on your site, though you’ll probably see a lot of security errors right away. Next, remove any code you manually added to your .htaccess file. This is generally where you put server instructions to refer to SSL and full-site redirections, so remove it if you have any code added.
Then you can install the plugin. This essentially adds a site-wide redirect from HTTPS to HTTP pages, adds tweaks and code where necessary, and allows you to configure specific exceptions to the rules as you need them. You can add exceptions on the general settings page, each on its own line.
Those of you who have followed this site for a while know I tend not to recommend plugins that haven’t been updated in over a year, let alone over four years like this one. The reason I’m okay with recommending this one is two-fold. First of all, using older plugins has a way of opening up security holes in your site. Anyone concerned with security should strive to keep their plugins up to date. With this plugin, though, you’re explicitly removing security. The whole point is to open up a security hole, so why not go all-in with it? I’m not saying this plugin will make your site any less secure than just removing SSL manually, but security isn’t your primary concern if you’re looking for this kind of instruction.
Secondly, it’s really a very simple plugin. It doesn’t tweak or access things in a way that could be used by an attacker to gain access to your site. You’re removing a layer of security, but you’re not doing it in a strange way that can hurt your site. Removing SSL is really pretty simple, just as adding it is simple, so this plugin is unlikely to cause those kinds of issues.
The Manual Way
If you’re not using WordPress or don’t want to use that plugin to do the work for you, you have to go about things manually.
First of all, as above, look through your site for any plugins or active scripts that are forcing the HTTPS URL to be the loaded URL. Remove those plugins and scripts.
Next, find your .htaccess file and remove any code relating to forcing SSL URLs to be the valid URLs. You generally have to add an entry to implement SSL; ideally you can just reference your certificate documentation to find out what that was and disable it, if you don’t remember it. In some cases you can basically just clear or delete your .htaccess file and have the server remake it, but that’s risky for some sites. Never straight delete a file; save a local copy first in case your deletion breaks your site.
Next up, you will want to implement code to redirect from HTTPS to HTTP. Just because you’re removing SSL doesn’t mean you can flout all of Google’s rules; implement a proper 301 redirect or you’re definitely going to lose a lot of ranking. You can read more about that here; just reverse the code so you’re redirecting in the other direction.
You’ll then want to use a tool like Screaming Frog to crawl your site and find all internal links. Make sure these point to your HTTP version rather than your HTTPS version, so users aren’t forced through a redirect every time they click an internal link.
You may want to implement canonicalized URLs, if you haven’t already done so. This will tell Google that any lingering HTTPS versions of pages that are still accessible are meant to be HTTP versions, and to adjust their index accordingly.
Finally, do your cleanup. Make sure your redirects work by testing an HTTPS URL. Make sure to cancel your SSL certificate subscription. Remove any other lingering code that fails to process non-SSL links.
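An added example, not part of the original post, for the redirect test in the cleanup step: it checks one response captured from an HTTPS URL for a 301 to the same host and path over HTTP, and flags a leftover Strict-Transport-Security header. The HSTS check is an addition the post does not mention; the host and responses are constructed.

```python
from urllib.parse import urlsplit


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security header (0 if absent)."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0


def check_downgrade_redirect(https_url, status, headers):
    """List problems in the response a server gave for `https_url`.

    `status` and `headers` come from one request made without following
    redirects, for example the output of `curl -sI <url>`.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    src, dst = urlsplit(https_url), urlsplit(headers.get("location", ""))
    problems = []
    if status != 301:
        problems.append(f"status {status}: not a permanent (301) redirect")
    if dst.scheme != "http":
        problems.append("Location is missing or not an http:// URL")
    elif dst.hostname != src.hostname:
        problems.append(f"redirect changes host to {dst.hostname}")
    elif (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("redirect drops the original path or query string")
    max_age = hsts_max_age(headers.get("strict-transport-security"))
    if max_age > 0:
        # Browsers that cached this policy rewrite http:// back to https://,
        # so the downgrade loops until a max-age=0 header has been seen.
        problems.append(f"HSTS still set (max-age={max_age})")
    return problems


# Constructed sample responses (hypothetical host), not real captures.
SAMPLES = {
    "https://blog.example.com/post?id=7": (
        301, {"Location": "http://blog.example.com/post?id=7"}),
    "https://blog.example.com/about": (
        302, {"Location": "http://blog.example.com/",
              "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

if __name__ == "__main__":
    for url, (status, headers) in SAMPLES.items():
        print(url, check_downgrade_redirect(url, status, headers) or "OK")
```

The 301 itself is served over HTTPS, so browsers only follow it while the server still presents a valid certificate for the hostname.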
Oh, and you may want to bookmark a few of the “how to properly implement SSL” guides for a year or two from now, when you decide that it’s an upgrade you really should have stuck with and want to do it again. Make sure you do it properly!