Web News & Insights

Complete Guide – How to Migrate from HTTP to HTTPS

With the performance benefits you now get from HTTP/2, there has never been a better time to thinking about moving your site to HTTPS; not to mention the additional security and SEO advantages. Follow our guide below on how to migrate your site from HTTP to HTTPS.

Why Should You Migrate from HTTP to HTTPS?

As you know Google is pushing hard for HTTPS everywhere so that the web is a safer place. While being more secure is always important, there are some additional reasons why you might want to consider moving to HTTPs.

1. Performance and HTTP/2

Content delivery networks and web hosting providers are starting to roll out HTTP/2. In a session at Velocity, Load Impact and Mozilla reported that internet users can expect websites optimized for and delivered over HTTP/2 to perform 50-70 percent better than sites over HTTP/1.1. To take advantage of HTTP/2 performance benefits you have to be running over HTTPS because of browser support.

http1 vs http2

Source: HTTP/1.1 vs. HTTP/2: A Performance Analysis

2. SEO and Rankings

Back in 2014 Matt Cutts announced that HTTPS is now a lightweight ranking signal and that over time Google might strengthen this signal. So running HTTPS can help benefit your SEO rankings.

According to the latest data from BuiltWith, around 6.3% of the top 100,000 websites are using SSL by default, up from 4.3% in November 2014.

websites using SSL

SSL by default

3. Better Referral Data

A third reason why it is good to migrate is because HTTPs to HTTP referral data is blocked in Google Analytics. So for example, lets say your website is on HTTP still and you went viral on Reddit and YCombinator. Both of these sites are running over HTTPS. The referrer data is completely lost and the traffic from both of those sites could end up under direct traffic which is not very helpful. If someone is going from HTTPS to HTTPS the referrer is still passed.

4. More Secure

A fourth reason why it is important to be running over HTTPS is of course because of security! For eCommerce sites, the reason you need an SSL certificate is because they are processing sensitive credit card data. For other sites the biggest reason for this is your WordPress login page. If you aren’t running over an HTTPS connection your username and password are sent in clear text over the internet. You can see an example in this article on how to actually sniff and capture WordPress logins over unsecured connections using these free tools. Many people will argue that blogs and informational sites don’t need to be running on HTTPS, but how important are your login credentials?

5. SSL Builds Trust and Credibility

A fifth reason why SSL is important is due to building trust and credibility with your visitors. According to a European survey from GlobalSign, 77% of websites visitors are concerned about their data being intercepted or misused online. By

28.9% look for the green address bar. – GlobalSign

By adding an SSL certificate and showing the green padlock this instantly adds credibility and what we like to call “SSL trust.” It is important to let your visitors know you are secure and that their information will be protected.

ssl trust address bar

Follow the steps below on how to migrate your site from HTTP to HTTPS. Some of the steps use WordPress and KeyCDN as examples.

HTTP to HTTPS Migration Index

  1. Buying an SSL Certificate or Using Let’s Encrypt
  2. Installing your SSL Certificate
  3. Update all Hard-coded Links to HTTPS
  4. Update Custom JS, AJAX Libraries to HTTPS
  5. Add 301 Redirects to New HTTPS URLs
  6. Update your robots.txt File
  7. Install SSL Certificate on CDN
  8. Update Origin URL on CDN
  9. Enable HTTP/2 Support on CDN
  10. Update all Hard-coded CDN Links to HTTPS
  11. SEO: Google Search Console, Sitemaps, Fetch
  12. SEO: Resubmit Your Disavow File
  13. Update Your Google Analytics Profile URL
  14. Misc Updates

1. Buying an SSL Certificate or Using Let’s Encrypt

To begin, you will need an SSL certificate. SSL certificates are small data files which bind a key to a specific organization’s details. When installed it activates the HTTPS protocol, allowing secure connections between a web browser and the server. There are a number of SSL certificate vendors you can choose from. We recommend vendors like:

You can easily purchase a Comodo Positive SSL cert for less than $9 a year.

Types of Certs

There are three primary types of certificates:

  1. Domain Validation: Single domain or subdomain, no paperwork (just email validation), cheap, issued within minutes.
  2. Business/Organization Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 1-3 days.
  3. Extended Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 2-7 days. Green address bar.

Trust Indicators

There are two types of visible trust indicators you can choose from with an SSL cert. The first is extended/organization validation which shows your company’s name in the address bar. These certificates are more expensive. The second and most common is the standard domain validation, which simply shows the green padlock in the address bar.

ssl certificates

See our tutorial on how to order an SSL certificate with GoGetSSL.

You can also use Let’s Encrypt to obtain a free SSL certificate. One easy way to do this is to use Certbot. Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client.”

certbot let's encrypt

2. Installing your SSL Certificate

Here are some easy to follow guides on how to install your SSL Certificate on your web server. Depending on what software you are running the steps can vary. (these are an example of installing a Comodo Postive SSL cert)

If you are deploying Let’s Encrypt with Certbot you can choose which type of webserver you are using on their website and the operating system you are running. They have extensive documentation. You can then pick “advanced” if you want less automation and more control. Here are just a couple quick links to some popular setups.

Checking Your Certificate

Once you have installed your certificate you will want to check to see if there are any issues with it. The following tools can be very helpful.

3. Update all Hard-coded Links to HTTPS

It is always best practice to use relative URLS, but there will always be times when someone has hard-coded a URL and so you will want to do a full sweep on your site and database during an HTTP to HTTPS migration.

The following will differ from platform to platform. In this example, we will show you how to update your link in WordPress. We recommend using a free tool from Interconnect IT called “Database search and replace script in php.” You could run update queries yourself, but there are a lot of tables and metadata fields you will probably miss unless you have an exact list.

We recommend doing this on a dev server and moving it back, or at least backing up your database first to be safe as this script does grab your local database credentials. Simply drop their program into the root of your site via FTP.

drop search replace into ftp

Then browse to it in your browser. (We named our folder “search-replace-db”)

search and replace script

You can then insert what you want to replace. Make sure you enter all of the formats you have mixed and matched over the years such as:

  • http://mydomain.com to https://mydomain.com
  • http://www.mydomain.com to https://www.mydomain.com

search replace http to https

We then recommend running a “dry run” first to see what it will be updating/replacing. Then when you are ready click on “live run.”

search replace run

Note: This will update all of your entries in your database, including your WordPress Site URL, hard-coded links on pages and posts, canonical tags, etc.

If you are uncomfortable making database changes then you might also want to check out the free Really Simple SSL plugin. It has over 20,000 installs with a 4.8 rating.

really simple ssl

  • The plugin handles most issues that WordPress has with SSL, like the much discussed loadbalancer issue, or when there are no server variables set at all.
  • All incoming requests are redirected to HTTPS. If possible with .htaccess, or else with Javascript.
  • The site URL and home URL are changed to https.
  • Your insecure content is fixed by replacing all http:// URLS with the protocol-independent //. Dynamically, so no database changes are made (except for the siteurl and homeurl).

4. Update Custom JS, AJAX Libraries to HTTPS

You will want to update any custom scripts you may have included so that they point to the HTTPS versions. This also includes 3rd party hosted scripts, otherwise you will get the dreaded mixed content warning as seen below.

ssl mixed content warning

HTTPS Fundamentals – Source: Cascading Media

For example, if you are using Google’s hosted jQuery library you will want to make sure you update it to their HTTPS CDN. https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js

Scan your Website for Non-Secure Content

The developers over at JitBit created a great little SSL Check tool which will scan your website and finds any non-secure content.

5. Add 301 Redirects to New HTTPS URLs

Adding 301 redirects is probably one of the most important steps in an HTTP to HTTPS migration. 301 redirects are a permanent redirect which passes between 90-99% of link juice (ranking power) to the redirected page. If you don’t implement 301 redirects you could seriously hurt your SEO rankings and your site could completely drop out of SERPs overnight.

It doesn’t matter what platform your website is using, we don’t recommend using a plugin for a bulk migration like this. It is much simpler to implement 301 redirects at the server level, especially if you are dealing with hundreds of URLs.

NGINX

Add the following to your Nginx config.

server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://domain.com$request_uri;
}

Apache

Add the following to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

6. Update your robots.txt File

Update any hard-coded links or blocking rules you might have in your robots.txt that might still be pointing to HTTP directories or files.

7. Install SSL Certificate on CDN

You have three options when it comes to your CDN. Most providers have a shared SSL option as well as custom SSL. KeyCDN also has a Let’s Encrypt integration. If you’re not familiar with Custom SSL (and the difference to Shared SSL), check out this guide. In the following examples we are using KeyCDN.

Enable Shared SSL

KeyCDN offers shared SSL completely free to its customers. Follow the steps below to enable it.

  1. Click into “Zones” in your KeyCDN dashboard.keycdn zones
  2. Under your zone, click on the “Manage” button and then “Edit.”keycdn edit zone
  3. Click on the option to “Show Advanced Features.”keycdn advanced features
  4. Then under SSL enable “shared.” Shared SSL enables the wildcard certificate for the zone: https://*.kxcdn.com Then under Force SSL make sure it is “enabled.” This redirects HTTP requests to HTTPS on the CDN and implements a 301 moved permanently redirect for SEO purposes.
    enable shared ssl

Enable Free Custom SSL with Let’s Encrypt

KeyCDN now has an integration with Let’s Encrypt which allows you to enable SSL for free on a custom zone URL. Follow our tutorial on how to use Let’s Encrypt with KeyCDN.

Let’s Encrypt only supports domain validation certificates, which means you will get a green padlock in your address bar.

domain validation - free ssl certificatesThey  have no plans at the moment to offer organization validation or extended validation certificates because these require human interaction and some form of  payment.

extended validation cert

Enable Custom SSL – Install Certificate

If you are enabling custom SSL you will need your own certificate, separate from the one you bought for your main domain. You can easily purchase another Comodo Positive SSL cert for less than $9 a year. See Step 1 for more information about buying an SSL certificate.

Then follow our complete guide on how to setup custom SSL on KeyCDN.

8. Update Origin URL on CDN

We also need to make sure to update your origin URL.

  1. Click into “Zones” in your KeyCDN dashboard.keycdn zones
  2. Under your zone, click on the “Manage” button and then “Edit.”keycdn edit zone
  3. We are using a pull zone. So under your origin URL make sure to update it from HTTP:// to HTTPS:// and click “Save.”
    keycdn pull zone http to https migration

9. Enable HTTP/2 Support on CDN

  1. Click into “Zones” in your KeyCDN dashboard.keycdn zones
  2. Under your zone, click on the “Manage” button and then “Edit.”keycdn edit zone
  3. Click on the option to “Show Advanced Features.”keycdn advanced features
  4. Select “enabled” and click “Save” to update your zone to HTTP/2. This is enabled by default on new zones.keycdn enable http2

10. Update all Hard-coded CDN Links to HTTPS

Now just like we did with your domain links we also need to update any hard-coded CDN links you might have. In this example, we are using the tool from Step 3 again in WordPress.

search replace cdn urls

Make sure after you are done with the search and replace script to remove it! You can do so by clicking on the “Delete Me” button or remove it manually via FTP from your server.

delete search replace

11. SEO: Google Search Console, Sitemaps, Fetch

Now that your site is running on HTTPS you need to create a new Google Search Console profile. Simply click on “Add a Property” and continue with the claiming process.

add https site google search console

Sitemaps

Sitemaps aren’t required for Google to crawl your site, but they can be useful if you are trying to debug indexing issues or verifying if your images are indexing. If you use them, you will need to resubmit the HTTPS version in your new Google Search Console profile.https sitemap

Note: For Yandex Webmaster Tools you will need to copy the same steps as we did for Google. For Bing Webmaster Tools you don’t need to create a new profile, simply resubmit your HTTPS sitemaps.

Fetch

We then recommend doing a fetch and crawl on your new HTTPs site just to get things moving a little faster. In some migrations to HTTPs it take weeks for Google re-crawl everything correctly.

  1. Submit your homepage by clicking on “Fetch” and then click on “Submit to index.”

fetch as google

  1. Then choose “Crawl this URL and its direct links.” If you have some very important pages too that might not be connected to your homepage you could also submit them individually for re-crawling.

google crawl

12. SEO: Resubmit Your Disavow File

This is a step a lot of people forget. If you have ever suffered from negative SEO or have needed to remove a backlink, then you probably created and submitted a disavow file. Because you created a new Google search console profile in step 11, this requires that you resubmit your disavow file under the new profile. If you don’t, the next time an algorithm update comes along, you could be facing serious troubles as Google will not see your disavow file.

So head over to the Google Disavow tool under your original Google Search Console profile (HTTP) and download your disavow file.

Then launch the disavow tool again under your new HTTPS site and resubmit your file.

disavow links

Make sure you see the confirmation message.

disavow domains

13. Update Your Google Analytics Profile URL

Then you need to update your Google Analytics Website’s URL. So under your account click into Admin and then your view settings. Then flip the URL to the HTTPS version. This way you don’t lose any history and can pick up right where you left off.

google analytics URL

14. Misc Updates

Here are a some additional miscellaneous updates you will also want to make after migrating from HTTP to HTTPS.

  • Update your canonical tags to point to the HTTPS version. If you used the tool for WordPress like in our example in Step 3 the canonical tags would have been updated. If you are on a different platform make sure these get updated.
  • Update third-party PPC URLs (AdWords, Bing Ads, FB Ads)
  • Update Email Marketing Software URLs (MailChimp, Aweber, GetResponse)
  • Update social media links to your site (Facebook, Twitter, Google+, LinkedIn)
  • Update all external links and backlinks as much as possible.
  • Migrate social share counts

The Google search team also just recently published answers to 13 FAQs when it comes to HTTPS migrations.

Summary

As you can see there is a lot that goes into an HTTP to HTTPS migration, but if you followed our guide above you should be in a good place going forward and can now benefit from both the increased performance of HTTP/2 and take advantage of the extra SEO ranking factor. Not to mention your site is now much more secure and logins will no longer be passed in plain text.

Do you have any other HTTP to HTTPS migration tips? If so we would love to hear about them below.

Related Articles

Complete Guide – How to Migrate from HTTP to HTTPS was last modified: January 10th, 2017 by Brian Jackson