Friday, September 27th, 2013

A Wolf in Panda’s Clothing – How An Expired SSL Certificate Could Impact Organic Search Traffic

Summary: How I helped an ecommerce retailer recover from Panda in eight days, when it was never Panda in the first place.

Expired SSL Certificate Impacting SEO Traffic

A few weeks ago, I had a business owner reach out to me about a potential Panda hit.  His initial email to me was similar to many others I have seen.  He noticed a large drop in Google organic search traffic on a specific date.  And that specific date lined up with an alleged Panda update.  In addition, it was an ecommerce site, which can be susceptible to the wrath of Panda for several reasons.  For example, duplicate content, thin content, technical problems causing perceived content quality issues, etc.

Shortly after receiving the email from the business owner, I also received a call from him.  Yes, he was eager to get moving on recovering from Panda.  It wasn’t long before our call took a left turn, and it was a path this business owner would end up liking.  In addition, it emphasizes an incredibly important point about SEO, Panda, Penguin, and other algorithm updates.  Read on.

It Sure Looks like Panda, But…
Yes, the date of the traffic hit lined up with Panda, but is that enough to clearly say the site was indeed hit by our cute, black and white friend?  Sure, he ran a relatively large ecommerce site, which can open itself up to getting by Panda for several reasons (some of which I mentioned earlier).  But, there are a few points that I firmly believe when it comes to algorithm hits:

1. You need to make sure you know which algorithm update hit your site, or if you were instead hit by a manual action.

2. A thorough SEO audit should be conducted to identify the various problems that could be impacting the site from a Panda, Phantom, or Penguin standpoint.  To me, thorough SEO audits through the lens of an algo update are worth their weight in gold.

So, I asked for the domain again and was planning on performing some checks while we were on the phone.  I wanted to make sure this truly looked like a Panda hit.  One important thing I’ve learned over the years… you never know what you are going to find once you dig in.

Analyzing the Site… Wow, That Was Quick!
I entered the domain name in Chrome and BOOM, I saw the red screen of death.  You know, the one that flags an expired SSL certificate.  It’s scary enough that most people won’t venture any deeper.  I quickly asked the business owner if he was aware of the situation.  He explained that he wasn’t technical, but he knew there was some type of issue with the certificate.  He said his developer had been looking into the problem, but that nothing had changed.

An expired SSL certificate warning in Chrome:
Expired SSL Certificate Warning in Chrome

An expired SSL certificate warning in Firefox:
Expired SSL Certificate Warning in Firefox

So, I checked in Firefox, and BOOM, the same scary message showed up.  I asked if the SSL certificate problem started recently.  He explained that the problem first showed up about the same time he saw the drop in organic search traffic.  So I stopped reviewing the site immediately and explained that we might have just found a “Wolf in Panda’s Clothing”.

The expired SSL certificate was throwing a serious security barrier between his prospective customers and his website.  And the red screen of death is nothing to sneeze at.  The message warning users about the SSL certificate could very well be stopping visitors in their tracks.  And that is what could be impacting the site’s traffic from organic search.  That was my theory anyway.

A Note About SSL Certificates (Along With Expert Information and Advice)
If you run an ecommerce site, then it’s important to understand what an SSL certificate is, and how it can impact your business.  SSL certificates activate the padlock in a web browser when visiting secure sites, and it’s what allows data being sent between the server and the browser to be encrypted.  You can actually view a website’s SSL certificate by right clicking on the padlock and clicking “View Certificate”.  So, if your certificate is expired, the browser is going to warn the user about this.  And that warning could send them running from your website faster than you can say “identify theft”.

Example of an SSL Certificate for JCrew

To explain more about SSL certificates, I asked Brad Kingsley from ORCSWeb for some information.  Brad runs ORCSWeb, which is one of the best hosting providers I have seen in my 18+ years of digital marketing work.  Brad pointed me to Terri Donahue, a Senior Support Specialist and IIS MVP.

Here is a direct quote from Terri:
“An SSL certificate is used to encrypt sensitive data that is being transferred over an insecure network such as the Internet. Without an SSL implementation, when data is transmitted between your server and the recipient of the requested data, it is visible at each ‘hop’ along the way. With an SSL implementation, the data is encrypted until it reaches the destination computer that requested it. This protects the data, such as your credit card number, and ensures that only the requesting entity can decrypt the data for actual viewing.”

“There are a number of trusted Certificate Authorities (CAs) that issue SSL certificates. When purchasing an SSL certificate, these CAs verify the identity of the requestor before issuing the certificate. SSL certificates can be purchased with varying lengths of validity. The shortest term is 1 year with some CAs offering up to 10 years.”

“There are certificate chains that are included in every SSL certificate. The CA has a root or top-level certificate and intermediate certificates that chain to the actual issued SSL certificate that a user purchases. If any of these intermediate chains are not installed on your web server, visitors receive an error when accessing the secured pages of the website. Each vendor is different in the way that these intermediate certificates are obtained. To ensure that all necessary certificate chains are installed, you can check your implementation using this site. This will verify that your certificate is valid and display the full certificate chain.”

SSL Certificate Checker

And here is some important information from Terri regarding SSL certificate expiration (which is exactly what was impacting the business owner I was helping):

“Certificate expiration is handled differently by each CA. Some send notifications to the email address used when the certificate was purchased, while others do not provide any notification. If the CA does not provide notification of expiration, there are multiple ways to handle this. Here is a blog post that refers to a script that can be used to check the expiration of an SSL certificate and send an email when the threshold before expiration is reached. Another way to do this would be to create a database that is maintained with the SSL name and expiration date, which is then monitored, and sends an email at a set period prior to the expiration date.”


Based upon the information Terri provided, you can see that SSL certificates are pretty important.  And since each Certificate Authority (CA) handles expiration differently, expired SSL certificates can throw a wrench into an ecommerce operation pretty quickly.  Now back to our Panda, I mean SSL, problem and how the business owner at hand worked to rectify the situation.

The Quick Fix & The Panda Has Been Exiled
I explained to the business owner that he should address this problem ASAP (like right after we get off the call).  I explained that he should contact me once he renews his SSL certificate, so I could take a quick look to make sure the problem was fixed, and that the red screen of death was gone.  Then we could see if his Google organic search problem turns around.

I received an email from the business owner two days later, and low and behold, his problem was gone.  The mighty Panda had been exiled!  OK, maybe not, but at least the website was humming again with Google organic search traffic.  And that meant revenue was returning to its correct levels.  And yes, this was incredibly important since holiday season was quickly approaching.  The red screen of death would not be good for holiday sales, even if it was red and white like a candy cane. :)

Key Points About SSL Certificates and SEO:
Before I end this post, I wanted to provide some key learnings based on this case study.  If you are an ecommerce retailer, the following bullets could save you from the pain that this business owner felt while his traffic plummeted.

  • Although some business owners aren’t technical, you must understand the ins-and-outs of ecommerce.  That means understanding more about SSL certificates, how they work, when they expire, and other problems that could occur that would inhibit customers from reaching your site.
  • Work with your hosting provider and developer(s) to make sure there are periodic checks of your SSL certificate.  That could nip any serious issues in the bud.  And this includes checking the site across browsers and devices to ensure all is ok.  Avoid the red screen of death at all costs.
  • Keep a master document with information about your SSL certificates, including the certificate authority (CA) that granted the certificate and the expiration date.  Set reminders so you don’t get caught at the last minute (or after the fact).  And you can use the techniques Terri listed above to automate the process of knowing when your certificates will expire.
  • From an SEO standpoint, make sure you know which algorithm update hit your site (or if one hit the site at all).  I worked with this specific business owner to guide his efforts (which led us to the SSL issue without the need for a full-blown Panda audit).  There are times that SEO problems aren’t really SEO problems.  Technical issues that appear at the same time algorithm updates hit can be confusing.  Don’t waste your time, money, and resources tackling the wrong problems.

Summary – Recovering From Panda in 8 Days Can Only Happen If It’s Not Actually Panda
I wish Panda victims could recover in just eight days.  Unfortunately, that’s not the case.  There’s a lot of work that needs to be done to recover from Panda or Phantom.  Luckily for this business owner, Panda didn’t impact his website.  Instead, it was an ecommerce gremlin that attacked his SSL certificate.  And that gremlin was a lot easier to get rid of than a Panda.