Why you should make the move to HTTPS

March 16, 2017

At the start of this year, Google Chrome started showing warnings for any website that collects login or credit card information that wasn’t secured by HTTPS, showing a “Not Secure” image in the address bar. This is only the beginning of the change that Google and other key players in the industry are pushing for, however. Eventually, all non-HTTPS websites will be marked insecure.

“A web with ubiquitous HTTPS is not the distant future. It’s happening now, with secure browsing becoming standard for users of Chrome” – Google

Despite the fact an estimated 87% of web users dismiss warnings without reading them, can your business or website afford the potential loss of traffic caused by an error like the one shown here?

There are other benefits to moving to HTTPS beyond the security and privacy of your users. For a while now, Google have used HTTPS as a ranking signal, with search results preferring secure connections over non-secure ones.

You can find out more about the benefits of HTTPS, and how to move your website over, using this handy guide.

For the first time this year, HTTPS websites became the majority of sites on the internet, with over 50%, up from 40% this time a year ago. The trend is pushing towards secure connections, and it’s now a must-have for any e-commerce site.

At The Hosting Folks, we offer a range of value HTTPS certificates as add-ons to all our shared hosting packages, from simple validation certificates to Standard and Extended SSL certification. Finding the right certificate for your site will depend on the type and size of site you are running, but here are some tips for picking the right certificate and migrating the correct way:

Decide on the right SSL for your site

Whichever certificate you choose, make sure to consider Google’s recommendations when selecting an SSL:

  • Use robust security certificates
  • Ensure a high level of security by choosing a 2048-bit key, or upgrade if you already have a certificate with a weaker key
  • Double check to make sure you’ve registered your certificate to the correct host name.
  • Old OpenSSL versions are vulnerable, so make sure you are running the latest versions of your TLS libraries.

Gather current website URLs

Put together a list with all your current website URLs, both from your main site and any other existing subdomains. This will come in handy for when you need to check to ensure all URLs redirect correctly to HTTPS after the move.

Use a crawler to get all your URLs. We’d also suggest exporting all your URLs from Google Analytics just in case you have pages that the crawler isn’t able to find.

Before you start the process of moving to HTTPS, we recommend you do all updates on a dev area. This allows you to double-check everything before going live with HTTPS. At the same time, you’ll be able to minimise and perhaps even eliminate the impact of the HTTPS migration.

Install your SSL on the server and verify that your installation is correct

First, you’ll need to check and see if your web server supports HTTP Strict Transport Security (HSTS) and make sure that’s enabled. HSTS tells the browser to request pages using HTTPS automatically, even if a user enters HTTP into the browser. This also tells Google to serve secure URLs in the search results. Using HSTS is important because it minimises the risk of serving unsecured content to your users.
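One way to check what the server actually sends, as an added example that is not part of the original guide: the script below parses the Strict-Transport-Security response header and flags the usual slips. The 180-day minimum, the finding labels and the sample responses are assumptions made for this example.

```python
MIN_MAX_AGE = 15552000  # 180 days in seconds; threshold assumed for this example

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            # Directive names are case-insensitive; max-age may be quoted.
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def audit_hsts(scheme, headers):
    """Return findings for one response; scheme is 'http' or 'https'."""
    headers = {k.lower(): v for k, v in headers.items()}
    value = headers.get("strict-transport-security")
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP.
        return ["HSTS sent over HTTP is ignored"] if value else []
    if value is None:
        return ["HSTS header missing"]
    d = parse_hsts(value)
    findings = []
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age missing or invalid")
    elif int(max_age) == 0:
        findings.append("max-age=0 switches HSTS off")
    elif int(max_age) < MIN_MAX_AGE:
        findings.append("max-age shorter than threshold")
    if "includesubdomains" not in d:
        # Only add includeSubDomains once every subdomain serves HTTPS.
        findings.append("subdomains not covered")
    return findings

# Constructed sample responses (not captured from a real server).
SAMPLES = [
    ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", {"Strict-Transport-Security": "max-age=300"}),
    ("https", {"Content-Type": "text/html"}),
    ("http", {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for scheme, hdrs in SAMPLES:
        print(scheme, hdrs, "->", audit_hsts(scheme, hdrs) or "ok")
```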

When you’ve decided on the SSL certificate and provider you’re going to use, next you’ll need to use OpenSSL to generate a certificate signing request (CSR) and private key. OpenSSL is usually installed under /usr/local/ssl/bin. If you have a custom install, you will need to adjust these instructions appropriately.

Run the following command at the prompt:

openssl req -newkey rsa:2048 -nodes -keyout www.mydomain.com.key -out www.mydomain.com.csr

You will now be asked for your information, which will be included in your certificate request. It’s critical that the Common Name field matches the name that you want to use your certificate with. Also make sure that all of the other fields accurately reflect your business details.

This will generate a .key and .csr file. The .key file is your private key so make sure you keep it safe. You’ll need to send the .csr file to your SSL Certificate provider when you request your SSL certificate.

You will need to copy and paste your CSR when submitting your certificate request to your certificate provider.

Now you are ready to buy and install your SSL certificate:

If you’re on our shared cloud hosting platform:

  1. Purchase the SSL for the website of your choice.
  2. Check your admin@yourdomain.uk email (it’s always sent to admin@) for the link.
  3. Click the link, and your SSL certificate is automatically installed on your hosting package. That’s it!

If you have a VPS or Dedicated Server:

  1. Purchase the SSL for the website of your choice.
  2. The SSL email is usually sent to admin@yourdomain.uk (however very occasionally this can vary so please contact our support team if you don’t get an email through).
  3. Click the link, and your SSL will be passed to our support team who will check if you want to install it yourself or want them to do it.
  4. Your SSL certificate is then installed!

If you want to check and make sure you’ve installed everything properly, you can try these tools:

Consider improving speed

You can further optimise your website’s speed by adopting HTTP/2, which only works with HTTPS.

HTTP/2 is the latest update to the Hypertext Transfer Protocol and it’s based on Google’s SPDY protocol, which was developed to improve the speed and performance of browsing on the web. It works by making one connection to the server, then “multiplexes” multiple requests over that connection to receive multiple responses at the same time. This way the data is interwoven more efficiently on that single connection.

Change your URLs to HTTPS

Based on the CMS you’re using, there are different options:

  • You can use protocol-relative URLs
  • Search and replace in the database
  • Use an SSL plug-in

Make sure all canonical and hreflang URLs also point to the new HTTPS location.

Find all subdomains that use your main domain as well, and ensure they’re served through HTTPS too. You can’t link to the subdomains if they’re left on HTTP as you will still have insecure URLs on your website.

It’s better to replace http with https URLs even if you do a server-side redirect. You don’t want to load all those redirects in your pages as that will slow down your pages’ loading time.

Have a look at any plug-ins or modules that might need updated HTTPS URLs as well based on your website’s configuration.

Update internal resources to HTTPS

All your images, scripts and CSS files should also be retrieved from HTTPS locations. Ideally even external scripts and resources should be pulled from secure URLs.

You can use a tool like SSL Check to check and ensure you haven’t missed anything. However, the most reliable approach would be a full crawl of your website. We recommend combining crawlers such as Screaming Frog and Xenu so you don’t miss anything.
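To run the same check on pages your crawler has saved, here is an added example (not from the original guide) that scans HTML for subresources still loaded over http://, forms that post to http://, and links or canonical tags that still point at your own site over http://. The site name example.com, the tag list (a subset) and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Tag -> attribute that makes the browser fetch a subresource (subset).
FETCHED = {"img": "src", "script": "src", "iframe": "src", "object": "data"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file

class InsecureRefs(HTMLParser):
    def __init__(self, site):
        super().__init__()
        self.site, self.found = site.lower(), []  # found: (kind, tag, url)

    def _own(self, url):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:  # malformed URL
            return False
        return host == self.site or host.endswith("." + self.site)

    def _check(self, kind, tag, url, own_only=False):
        url = (url or "").strip()
        if url.lower().startswith("http://") and (not own_only or self._own(url)):
            self.found.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag in FETCHED:
            self._check("mixed-content", tag, a.get(FETCHED[tag]))
        elif tag == "link":  # canonical/hreflang links are not fetched, only stale
            fetched = FETCHING_RELS & set(a.get("rel", "").lower().split())
            self._check("mixed-content" if fetched else "stale-link", tag,
                        a.get("href"), own_only=not fetched)
        elif tag == "a":
            self._check("stale-link", tag, a.get("href"), own_only=True)
        elif tag == "form":
            self._check("insecure-form", tag, a.get("action"))

def scan(html, site):
    parser = InsecureRefs(site)
    parser.feed(html)
    parser.close()
    return parser.found

# Constructed page for the hypothetical site example.com.
SAMPLE = """<link rel="canonical" href="http://www.example.com/shop">
<script src="http://cdn.example.net/lib.js"></script>
<script src="//cdn.example.net/other.js"></script>
<img src="http://www.example.com/logo.png">
<a href="http://other.example.org/">external</a>
<form action="http://www.example.com/login"></form>"""
```

Protocol-relative (//) URLs and links to other sites are deliberately not reported, since neither leaves an http:// reference to your own content on the page.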

Create 301 redirects from HTTP to HTTPS URLs

To make sure you haven’t missed a thing, it’s better to do 301 redirects from your server’s .htaccess or config file. You don’t have to create a redirect for each URL but rather use a rule that forces HTTPS. This guide from Geekflare explains how to do HTTP to HTTPS redirects on various platforms.

You should also minimise redirect chains. For example, if an old page (A) redirected to a new page (B) and the new page now redirects to https (C), you can get this redirect chain A-B-C. You can update the old page (A) to redirect to https directly (C), skipping the new http middle redirect. This way you get these redirect pairs A-C and B-C.
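The A-B-C case above, worked through as an added example (not from the original guide): given a table of one-hop redirect rules, it points every source straight at its final destination. It goes a little beyond the text by also reporting redirect loops and chains that never reach HTTPS. The URLs are constructed for the example.

```python
def flatten_redirects(redirects):
    """Point every source straight at its final destination.

    redirects maps source URL -> target URL (one hop each).
    Returns (flat, problems): flat maps source -> (final URL, hops followed
    before flattening); problems lists (issue, source) pairs.
    """
    flat, problems = {}, []
    for src, target in redirects.items():
        seen, hops = {src}, 1
        while target in redirects:          # the target redirects again: a chain
            if target in seen:              # came back to a URL already visited
                target = None
                break
            seen.add(target)
            target, hops = redirects[target], hops + 1
        if target is None:
            problems.append(("loop", src))
            continue
        if not target.startswith("https://"):
            problems.append(("ends-on-http", src))
        flat[src] = (target, hops)
    return flat, problems

# Constructed rules: A -> B -> C from the text, plus a loop and an HTTP dead end.
A = "http://example.com/old-page"
B = "http://example.com/new-page"
C = "https://example.com/new-page"
RULES = {
    A: B,
    B: C,
    "http://example.com/x": "http://example.com/y",
    "http://example.com/y": "http://example.com/x",
    "http://example.com/promo": "http://example.com/sale",
}

if __name__ == "__main__":
    flat, problems = flatten_redirects(RULES)
    for src, (final, hops) in flat.items():
        note = "  (rewrite this rule)" if hops > 1 else ""
        print(f"{src} -> {final}{note}")
    print(problems)
```

Any source reported with more than one hop is a rule to rewrite so that it targets the final HTTPS URL directly.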

Update sitemaps and robots.txt files to reflect the new URL structure on HTTPS

This one should be fairly obvious, but can be overlooked. When doing your 301 redirects, make sure that anything in your robots.txt that has an http is switched to https.

Verify the new HTTPS property with Google Search Console

We also recommend doing a fetch and crawling all URLs to help Google discover your URLs faster. Now, if you’ve previously submitted a disavow file for your HTTP website, make sure to submit a copy of it in your HTTPS profile as well.

Update your Google Analytics profile with the new HTTPS URL

If you have Google Analytics, you’ll need to make sure that you’ve put in https as your default URL.

Update social and PPC URLs to the new HTTPS

Make sure you replace PPC landing pages with the HTTPS version URLs so it doesn’t affect the landing page score.

To migrate social shares to the new URLs you’ll need to:

  • Get the HTTP version of the current page/post URL.
  • Pass the URL to your plugin to tell it the URL it should use rather than the one the plugin auto-generates.

This post from Search Engine Watch explains how you can maintain social shares after a site migration, and which tools to use.

Update incoming links

Ideally you should contact websites linking to you to let them know your URL is now HTTPS. This can also save them from loading a redirect on their pages and point to your new URLs. If this doesn’t work, you should at least update the incoming links you do have access to.

Update your CDN URLs if you’re using one

If you’re using a content delivery network to speed up your page loading time, such as BootstrapCDN or CloudFlare, make sure that the files you pull in are also from https connections rather than http.

Monitor everything

After going live with HTTPS, monitor everything to ensure all traffic levels are unaffected (GA), your CTR is in limits (GSC), your social accounts still work as expected and users can still like, tweet and share.

Common problems you might have

Here are the most common mistakes that happen during an HTTPS migration:

  • Blocking Google from crawling your HTTPS URLs – make sure you’re not blocking this from robots.txt or a page-level noindex tag forgotten from your testing area.
  • Creating duplicate content due to lack of HTTP to HTTPS permanent redirects.
  • Not replacing all on-page HTTP URLs with their HTTPS counterpart.

If you avoid making these mistakes and follow the recommendations in this post, your migration should be smooth with no noticeable impact on traffic or ranks. However, if you think you’ve done everything correctly but still notice issues, Moz has a great article on recovering your organic search traffic and tracking down mistakes made during a search migration.

So, are you ready to move to HTTPS?