Complete Guide – How to Migrate from HTTP to HTTPS

With the performance benefits you now get from HTTP/2, there has never been a better time to think about moving your site to HTTPS, not to mention the additional security and SEO advantages. Follow our guide below on how to migrate your site from HTTP to HTTPS.

Why Should You Redirect HTTP to HTTPS?

As you know, Google is pushing hard for HTTPS everywhere so that the web is a safer place. While being more secure is always important, there are some additional reasons why you might want to consider moving to HTTPS.

1. Performance and HTTP/2

Content delivery networks and web hosting providers are starting to roll out HTTP/2. In a session at Velocity, Load Impact and Mozilla reported that internet users can expect websites optimized for and delivered over HTTP/2 to perform 50-70 percent better than sites over HTTP/1.1. To take advantage of HTTP/2 performance benefits you have to be running over HTTPS because of browser support.

Figure: HTTP/1.1 vs. HTTP/2 (Source: HTTP/1.1 vs. HTTP/2: A Performance Analysis)

2. SEO and Rankings

Back in 2014 Matt Cutts announced that HTTPS is now a lightweight ranking signal and that over time Google might strengthen this signal. So running HTTPS can help benefit your SEO rankings.

According to the latest data from BuiltWith, around 6.3% of the top 100,000 websites are using SSL by default, up from 4.3% in November 2014.


3. Better Referral Data

A third reason why it is good to migrate is that HTTPS to HTTP referral data is blocked in Google Analytics. For example, let’s say your website is still on HTTP and you went viral on Reddit and YCombinator. Both of these sites are running over HTTPS. The referrer data is completely lost and the traffic from both of those sites could end up under direct traffic, which is not very helpful. If someone is going from HTTPS to HTTPS the referrer is still passed.

4. More Secure

A fourth reason why it is important to be running over HTTPS is of course because of security! For eCommerce sites, the reason you need an SSL certificate is because they are processing sensitive credit card data. For other sites the biggest reason for this is your WordPress login page. If you aren’t running over an HTTPS connection your username and password are sent in clear text over the internet. You can see an example in this article on how to actually sniff and capture WordPress logins over unsecured connections using these free tools. Many people will argue that blogs and informational sites don’t need to be running on HTTPS, but how important are your login credentials?

5. SSL Builds Trust and Credibility

A fifth reason why SSL is important is due to building trust and credibility with your visitors. According to a European survey from GlobalSign, 77% of website visitors are concerned about their data being intercepted or misused online.

28.9% look for the green address bar. – GlobalSign

Adding an SSL certificate and showing the green padlock instantly adds credibility and what we like to call “SSL trust.” It is important to let your visitors know you are secure and that their information will be protected.

Follow the steps below on how to redirect HTTP to HTTPS for your site. Some of the steps use WordPress and KeyCDN as examples.

HTTP to HTTPS Migration Index

  1. Buying an SSL Certificate or Using Let’s Encrypt
  2. Installing your SSL Certificate
  3. Update all Hard-coded Links to HTTPS
  4. Update Custom JS, AJAX Libraries to HTTPS
  5. Add 301 Redirects to New HTTPS URLs
  6. Update your robots.txt File
  7. Install SSL Certificate on CDN
  8. Update Origin URL on CDN
  9. Enable HTTP/2 Support on CDN
  10. Update all Hard-coded CDN Links to HTTPS
  11. SEO: Google Search Console, Sitemaps, Fetch
  12. SEO: Resubmit Your Disavow File
  13. Update Your Google Analytics Profile URL
  14. Misc Updates

1. Buying an SSL Certificate or Using Let’s Encrypt

To begin, you will need an SSL certificate. SSL certificates are small data files which bind a key to a specific organization’s details. When installed it activates the HTTPS protocol, allowing secure connections between a web browser and the server. There are a number of SSL certificate vendors you can choose from. We recommend vendors like:

You can easily purchase a Comodo Positive SSL cert for less than $9 a year.

Types of Certs

There are three primary types of certificates:

  1. Domain Validation: Single domain or subdomain, no paperwork (just email validation), cheap, issued within minutes.
  2. Business/Organization Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 1-3 days.
  3. Extended Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 2-7 days. Green address bar.

Trust Indicators

There are two types of visible trust indicators you can choose from with an SSL cert. The first is extended/organization validation which shows your company’s name in the address bar. These certificates are more expensive. The second and most common is the standard domain validation, which simply shows the green padlock in the address bar.

See our tutorial on how to order an SSL certificate with GoGetSSL.

You can also use Let’s Encrypt to obtain a free SSL certificate. One easy way to do this is to use Certbot. Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let’s Encrypt and was previously known as “the official Let’s Encrypt client.”

2. Installing your SSL Certificate

Here are some easy-to-follow guides on how to install your SSL certificate on your web server. Depending on what software you are running, the steps can vary. (These are examples of installing a Comodo Positive SSL cert.)

If you are deploying Let’s Encrypt with Certbot you can choose which type of webserver you are using on their website and the operating system you are running. They have extensive documentation. You can then pick “advanced” if you want less automation and more control. Here are just a couple quick links to some popular setups.

Checking Your Certificate

Once you have installed your certificate you will want to check to see if there are any issues with it. The following tools can be very helpful.

3. Update all Hard-coded Links to HTTPS

It is always best practice to use relative URLs, but there will always be times when someone has hard-coded a URL, so you will want to do a full sweep of your site and database during an HTTP to HTTPS migration.

The following will differ from platform to platform. In this example, we will show you how to update your link in WordPress. We recommend using a free tool from Interconnect IT called “Database search and replace script in php.” You could run update queries yourself, but there are a lot of tables and metadata fields you will probably miss unless you have an exact list.

We recommend doing this on a dev server and moving it back, or at least backing up your database first to be safe as this script does grab your local database credentials. Simply drop their program into the root of your site via FTP.

Then browse to it in your browser. (We named our folder “search-replace-db”)

You can then insert what you want to replace. Make sure you enter all of the formats you have mixed and matched over the years such as:

  • http://mydomain.com to https://mydomain.com
  • http://www.mydomain.com to https://www.mydomain.com

We then recommend running a “dry run” first to see what it will be updating/replacing. Then when you are ready click on “live run.”

Note: This will update all of your entries in your database, including your WordPress Site URL, hard-coded links on pages and posts, canonical tags, etc.

If you are uncomfortable making database changes then you might also want to check out the free Really Simple SSL plugin. It has over 20,000 installs with a 4.8 rating.

  • The plugin handles most issues that WordPress has with SSL, like the much discussed loadbalancer issue, or when there are no server variables set at all.
  • All incoming requests are redirected to HTTPS. If possible with .htaccess, or else with Javascript.
  • The site URL and home URL are changed to https.
  • Your insecure content is fixed by replacing all http:// URLS with the protocol-independent //. Dynamically, so no database changes are made (except for the siteurl and homeurl).

4. Update Custom JS, AJAX Libraries to HTTPS

You will want to update any custom scripts you may have included so that they point to the HTTPS versions. This also includes 3rd party hosted scripts, otherwise you will get the dreaded mixed content warning as seen below.

Figure: SSL mixed content warning (HTTPS Fundamentals – Source: Cascading Media)

For example, if you are using Google’s hosted jQuery library you will want to make sure you update it to their HTTPS CDN:

https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js

Scan your Website for Non-Secure Content

The developers over at JitBit created a great little SSL Check tool which will scan your website and find any non-secure content.
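
An offline version of that kind of scan, as an added example (not code from JitBit or KeyCDN): it parses one page's HTML and reports only the http:// URLs the browser would actually load, ignoring ordinary links. The scan function, the tag lists and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
# <a href> is deliberately absent: a link to an HTTP page is navigation,
# not mixed content. srcset and CSS url() values are not covered here.
SUBRESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("audio", "src"),
    ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data"),
}
LOADING_RELS = {"stylesheet", "icon"}  # <link> rel values that load a file
# Scripts, frames and plugins can change the whole page, so browsers block
# them over HTTP; images and media usually only trigger the warning.
ACTIVE_TAGS = {"script", "iframe", "embed", "object"}


class MixedContentScanner(HTMLParser):
    """Collects http:// subresources referenced by an HTTPS page."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        active = tag in ACTIVE_TAGS
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            urls = [attrs.get("href", "")] if rels & LOADING_RELS else []
            active = "stylesheet" in rels
        else:
            urls = [v for k, v in attrs.items() if (tag, k) in SUBRESOURCE_ATTRS]
        for raw in urls:
            if not raw.strip():
                continue
            # Relative and protocol-relative (//host/x) URLs inherit the
            # page's scheme, so resolve them before judging.
            absolute = urljoin(self.page_url, raw.strip())
            if urlsplit(absolute).scheme == "http":
                kind = "active" if active else "passive"
                self.findings.append((kind, tag, absolute))


def scan(page_url, html):
    """Return the mixed-content findings for one HTML document."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (mydomain.com is the guide's placeholder domain).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://mydomain.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://mydomain.com/post/">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="http://mydomain.com/js/custom.js"></script>
</head><body>
<img src="//cdn.mydomain.com/logo.png">
<img src="http://www.mydomain.com/uploads/photo.jpg">
<img src="/uploads/relative.jpg">
<a href="http://example.org/">external link</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in scan("https://mydomain.com/post/", SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

The canonical tag and the external link are not reported because the browser does not load them, although the canonical URL still needs updating as part of the migration.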

5. Add 301 Redirects to New HTTPS URLs

Adding 301 redirects is probably one of the most important steps in an HTTP to HTTPS migration. A 301 is a permanent redirect which passes between 90-99% of link juice (ranking power) to the redirected page. If you don’t implement 301 redirects you could seriously hurt your SEO rankings and your site could completely drop out of SERPs overnight.

Whatever platform your website is using, we don’t recommend using a plugin for a bulk migration like this. It is much simpler to implement 301 redirects at the server level, especially if you are dealing with hundreds of URLs.

NGINX

Add the following to your Nginx config.

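server {
    # Plain-HTTP listener: its only job is to send every request to HTTPS.
    listen 80;
    server_name domain.com www.domain.com;
    # $request_uri keeps the original path and query string.
    return 301 https://domain.com$request_uri;
}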

Apache

Add the following to your .htaccess file.

RewriteEngine On
# Only match requests that did not arrive over HTTPS.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
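
One way to confirm the redirects above behave as intended, as an added example that is not part of the original guide: it walks each redirect chain and reports temporary redirects, missing redirects, lost paths and hops back to cleartext. The function names and the response table are constructed for illustration; fetch_head makes the real request when no other fetcher is passed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}  # 308 is the method-preserving permanent redirect
MAX_HOPS = 5


def fetch_head(url):
    """One HEAD request, redirects not followed: (status, Location)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


def check_redirect(http_url, fetch=fetch_head):
    """Follow the chain from http_url; return a list of problems (empty = OK)."""
    problems = []
    start = urlsplit(http_url)
    url, seen_https = http_url, False
    for _ in range(MAX_HOPS + 1):
        status, location = fetch(url)
        if status not in REDIRECTS:
            break
        if not location:
            return problems + [f"{url}: {status} without a Location header"]
        if status not in PERMANENT:
            problems.append(f"{url}: {status} is temporary, expected 301")
        nxt = urljoin(url, location)  # Location may be relative
        if urlsplit(nxt).scheme == "https":
            seen_https = True
        elif seen_https:
            problems.append(f"{url}: redirects back to cleartext {nxt}")
        url = nxt
    else:
        return problems + [f"{http_url}: more than {MAX_HOPS} redirects"]
    final = urlsplit(url)
    if final.scheme != "https":
        problems.append(f"{http_url}: ends on {url}, not HTTPS")
    if not 200 <= status < 300:
        problems.append(f"{url}: final status {status}")
    if (final.path or "/", final.query) != (start.path or "/", start.query):
        problems.append(f"{http_url}: path or query lost, ended at {url}")
    return problems


# Constructed responses, url -> (status, Location), for an offline run.
SAMPLE = {
    "http://www.domain.com/blog/?p=1": (301, "https://domain.com/blog/?p=1"),
    "https://domain.com/blog/?p=1": (200, None),
    "http://domain.com/shop": (302, "https://domain.com/shop"),
    "https://domain.com/shop": (200, None),
    "http://domain.com/old": (301, "https://domain.com/"),
    "https://domain.com/": (200, None),
    "http://domain.com/login": (200, None),
}


def sample_fetch(url):
    return SAMPLE[url]


if __name__ == "__main__":
    for start_url in (u for u in SAMPLE if u.startswith("http://")):
        issues = check_redirect(start_url, fetch=sample_fetch)
        print(start_url, "OK" if not issues else issues)
```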

6. Update your robots.txt File

Update any hard-coded links or blocking rules you might have in your robots.txt that might still be pointing to HTTP directories or files.

7. Install SSL Certificate on CDN

You have three options when it comes to your CDN. Most providers have a shared SSL option as well as custom SSL. KeyCDN also has a Let’s Encrypt integration. If you’re not familiar with Custom SSL (and the difference to Shared SSL), check out this guide. In the following examples we are using KeyCDN.

Enable Shared SSL

KeyCDN offers shared SSL completely free to its customers. Follow the steps below to enable it.

  1. Click into “Zones” in your KeyCDN dashboard.
  2. Under your zone, click on the “Manage” button and then “Edit.”
  3. Click on the option to “Show Advanced Features.”
  4. Then under SSL enable “shared.” Shared SSL enables the wildcard certificate for the zone: https://*.kxcdn.com. Then under Force SSL make sure it is “enabled.” This redirects HTTP to HTTPS on the CDN and implements a 301 moved permanently redirect for SEO purposes.

Enable Free Custom SSL with Let’s Encrypt

KeyCDN now has an integration with Let’s Encrypt which allows you to enable SSL for free on a custom zone URL. Follow our tutorial on how to use Let’s Encrypt with KeyCDN.

Let’s Encrypt only supports domain validation certificates, which means you will get a green padlock in your address bar.

They have no plans at the moment to offer organization validation or extended validation certificates because these require human interaction and some form of payment.


Enable Custom SSL – Install Certificate

If you are enabling custom SSL you will need your own certificate, separate from the one you bought for your main domain. You can easily purchase another Comodo Positive SSL cert for less than $9 a year. See Step 1 for more information about buying an SSL certificate.

Then follow our complete guide on how to setup custom SSL on KeyCDN.

8. Update Origin URL on CDN

We also need to make sure to update your origin URL.

  1. Click into “Zones” in your KeyCDN dashboard.
  2. Under your zone, click on the “Manage” button and then “Edit.”
  3. We are using a pull zone. So under your origin URL make sure to update it from HTTP:// to HTTPS:// and click “Save.”

9. Enable HTTP/2 Support on CDN

  1. Click into “Zones” in your KeyCDN dashboard.
  2. Under your zone, click on the “Manage” button and then “Edit.”
  3. Click on the option to “Show Advanced Features.”
  4. Select “enabled” and click “Save” to update your zone to HTTP/2. This is enabled by default on new zones.

10. Update all Hard-coded CDN Links to HTTPS

Now just like we did with your domain links we also need to update any hard-coded CDN links you might have. In this example, we are using the tool from Step 3 again in WordPress.

Make sure after you are done with the search and replace script to remove it! You can do so by clicking on the “Delete Me” button or remove it manually via FTP from your server.

11. SEO: Google Search Console, Sitemaps, Fetch

Now that your site is running on HTTPS you need to create a new Google Search Console profile. Simply click on “Add a Property” and continue with the claiming process.

Sitemaps

Sitemaps aren’t required for Google to crawl your site, but they can be useful if you are trying to debug indexing issues or verifying if your images are indexing. If you use them, you will need to resubmit the HTTPS version in your new Google Search Console profile.

Note: For Yandex Webmaster Tools you will need to copy the same steps as we did for Google. For Bing Webmaster Tools you don’t need to create a new profile, simply resubmit your HTTPS sitemaps.

Fetch

We then recommend doing a fetch and crawl on your new HTTPS site just to get things moving a little faster. In some migrations to HTTPS it takes weeks for Google to re-crawl everything correctly.

  1. Submit your homepage by clicking on “Fetch” and then click on “Submit to index.”

  2. Then choose “Crawl this URL and its direct links.” If you have some very important pages too that might not be connected to your homepage you could also submit them individually for re-crawling.

12. SEO: Resubmit Your Disavow File

This is a step a lot of people forget. If you have ever suffered from negative SEO or have needed to remove a backlink, then you probably created and submitted a disavow file. Because you created a new Google search console profile in step 11, this requires that you resubmit your disavow file under the new profile. If you don’t, the next time an algorithm update comes along, you could be facing serious troubles as Google will not see your disavow file.

So head over to the Google Disavow tool under your original Google Search Console profile (HTTP) and download your disavow file.

Then launch the disavow tool again under your new HTTPS site and resubmit your file.

Make sure you see the confirmation message.

13. Update Your Google Analytics Profile URL

Then you need to update your Google Analytics Website’s URL. So under your account click into Admin and then your view settings. Then flip the URL to the HTTPS version. Do the same for your Property Settings as well. This way you don’t lose any history and can pick up right where you left off.

14. Misc Updates

Here are some additional miscellaneous updates you will also want to make after migrating from HTTP to HTTPS.

  • Update your canonical tags to point to the HTTPS version. If you used the tool for WordPress like in our example in Step 3 the canonical tags would have been updated. If you are on a different platform make sure these get updated.
  • Update third-party PPC URLs (AdWords, Bing Ads, FB Ads)
  • Update Email Marketing Software URLs (MailChimp, Aweber, GetResponse)
  • Update social media links to your site (Facebook, Twitter, Google+, LinkedIn)
  • Update all external links and backlinks as much as possible.
  • Migrate social share counts

The Google search team also just recently published answers to 13 FAQs when it comes to HTTPS migrations.

Summary

As you can see there is a lot that goes into an HTTP to HTTPS migration, but if you followed our guide above you should be in a good place going forward and can now benefit from both the increased performance of HTTP/2 and take advantage of the extra SEO ranking factor. Not to mention your site is now much more secure and logins will no longer be passed in plain text.

Do you have any other HTTP to HTTPS migration tips? If so we would love to hear about them below.


Complete Guide – How to Migrate from HTTP to HTTPS was last modified: August 17th, 2017 by Brian Jackson
  • Bhavesh Desai

    Thanks for useful article.

  • awesome

    • Thanks for the compliment Garva! Would love a share on social if you get a chance.

      • i have migrated to ssl successfully but on my phone my site still saying untrusted and on pc it is working good site– https://motog3.com

        • I still see HTTP assets on your homepage. You can use this to scan your site. https://www.jitbit.com/sslcheck/ Do you update your WordPress URL in General > Settings as well? Also make sure to clear cache on your server, etc.

          • bro please help me it can hurt my ranking and visitors trust cause of the red bar

          • I was on namecheap’s hosting and today moved to cloudways 1 GB vps and they done the migration well but the ssl problem is still exist sorry for english

        • Looks like you got it :)

        • Please open a support request if you still struggle to implement HTTPS.

  • Haresh Pansuriya

    Great.great…thanks for this useful guidance….

  • Tech Tip: preserve social shares when migrating to HTTPS or another domain, from the good people at KAYAK https://www.kayakonlinemarketing.com/blog/preserving-sharing-counts-when-migrating-to-https-or-another-domain Apologies for taking too long to post this.

  • Really awesome information of http to https. that is most useful guidance. http://www.netflue.com

  • Erick Boileau

    I have migrated a site from http to https but now in google webmaster tools I have 2 websites one with http and one with https , should I remove the one with http now ? or is there a place to write that the old http is now https ?

    thanks for helping

    • Eugene Kalashnikov

      Hi Eric, you can delete the HTTP version after you implemented the redirect from HTTP to HTTPS.

      • Erick Boileau

        thank you
        but I am still afraid to lose my position in search engines

  • Great guide, but it just missed a critical fact… somewhere on top it should also mention that for SSL you need dedicated IP… and it’s a big cost for someone who has purchased domain and hosting for a decade. I guess now I’ll have to keep SSL purchase idle till I make the big investment in dedicated IP.

  • Yum

    I love that!

  • I have a question too, now that i have successfully installed the SSL certs on my blog, where do i index new blog posts on Google search console?

    is it at the http version or the https version of my blog?

  • this is a great post covering a lot of ground. I’m a bit freaked out by a few things though., I couldn’t find where to download the disavow file, and Google gave me a big warning, so I chickened out. Is this still valid in Dec 2016? But hey, thanks for the excellent post.

    • You can only download your disavow file if you’ve already previously created one. The idea is to download the file from your old search console profile and upload it to the new one.

      • and if you’ve never created one but just changed from http to https? What would you do then?

        • Then you would create one if you need it. However if you don’t need to remove any bad backlinks then you don’t need one. This step is not necessary depending on your setup.

  • Excellent article, this has now been circulated through the office.

  • Patrick Traynor

    Thanks for the guide, was very helpful for a newbie like me.

  • DIL

    Thanks for this guide. I just activated ssl and now my site run on https.

    A question: I use Really Simple SSL plugin as your suggestion above. And now, after all is done, can I remove the plugin safely? Will it redo all settings to non-SSL?

    Or I have to keep Really Simple SSL on my site FOREVER?

    Thank in advance.

    • You will need to keep the plugin installed on your site. Otherwise you can make the database changes directly if you are comfortable in doing so.

  • MarioOO

    This guide is awesome even for our Opencart migration.
    What do you think will happen with “link juice” ? Will new url get the same old rank?
    I already checked in Ahrefs tools and new homepage have already lower UR while DR stays the same. ( https://www.misaron.si/ )

    • As long as everything has been implemented properly you should not (in theory) lose any Pagerank by switching to HTTPS. Google no longer penalizes for 301 redirects however there can be lots of moving parts to account for when making the switch – just make sure you’ve followed all the steps.

      • MarioOO

        That’s correct… There is also a lot of work to manually change hardcoded links…
        But it is doable! :) Thanks for nice article!

  • excellent tutorial – using the wp plugin “really simple ssl” rocks

  • Miles Saunders

    Amazing guide, easy to understand. Thank you!

  • Jaime Carrion

    Excellent post!!! Thank you for your help!

  • seoinfobeans

    Best http to https migration guide on internet! You guys nailed it for sure!

  • Thanks man this was a great guide!!

  • I updated to HTTPS and I see a drop in visitors and views.

  • Thanks for the in-depth explanation of the steps one needs to take to properly migrate to SSL. Did you personally experience any keyword fluctuations after doing so?

    • I’ve performed the migration on a few websites and haven’t noticed much fluctuation (if any) due to the change. I’d recommend just taking the time to properly implement each step and you should be fine.

  • dme

    Thanks great article

    bestpasswordsgenerator [dot] com

  • Great article worth reading :)

  • Eric Mayer

    This is truly a great resource. I just had one question. We are planning to do a domain move sometime soon (Domain A – Domain B) and i was wondering if we should switch to HTTPS first and then do the move, (as in Domain A HTTP – Domain A HTTPs). Or should we straightaway move Domain A HTTP – Domain B HTTPs?

    • I would say there should be no problem in moving Domain A HTTP directly to Domain B HTTPS. Moving Domain A HTTP to Domain A HTTPS first would obviously require that you setup an SSL certificate on domain A which is an extra step that I don’t see any benefit in doing.

      • Eric Mayer

        Thanks Cody for the clarity.

  • Heather Lumb

    Hi there, this guide is hands down THE most useful migration checklist I’ve ever read. I went from overwhelmed to “oh I got this” after perusing. However, I do have a question! It made sense when you visited https/seo, and how, under Referrals in GA, you won’t see them if they are https and you are http. Now what about the other way around? I’m https and they aren’t. Same problem or no problem?

    • No problem in that case. The referrer is still passed with HTTP > HTTPS.

  • I have made a 301 redirect but there is nothing at the https://www..com

  • Andi Wyder

    Hi thanks for this guide
    One question after all steps
    Delete the http site on webmaster tools or let it in?

    Thanks

  • Hi :) you said here in .htaccess file we need to paste this code
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] ?

    but here in 2nd line it says : RewriteCond %{HTTPS} off “off”

    is off written correct here ? please reply

    • Yes this is correct. This says if the URL isn’t HTTPS then it will trigger the rewrite rule.

      • Burhan

        exactly.

  • Burhan

    great article ! thanks. i saved this page into my favorites.

  • Shreya Bhoyar

    I have many hard-coded urls using ‘http’ in code of a 500 pages website using php and aspx !
    So the question is when I migrate the website to https, will 301 redirection cover up these urls or I have to manually change these urls one by one ?
    Appreciate your help ! Good article indeed.

    • Sebastian

      Redirection won’t help you with that. For once you’ll get security warnings because the links in your pages will refer back to insecure URLs but you’ll also find those redirects will affect the performance of your page.

      So you should go and change those hardcoded references. The article describes this already for references in the database and you can do a similar search-and-replace on your files with an editor of your choice.

  • What about all links on google?

    • Your links on Google will eventually move from HTTP to HTTPS as Google re-crawls your site.

  • Most useful post online about the topic!

  • Hong

    13. Update Your Google Analytics Profile URL

    For the above section, should we update the Property Settings too apart from the View Settings?

    • Yes you should update the Property Settings too. I have updated the article accordingly.

  • Дмитрий

    Good reseller of certificates with democratic prices is LeaderSSL. Many large resources and shops bought their certificates here. My sincere recommendations!

  • really detailed article. covers most aspects

  • Wow! Thank you for this great article, it has helped me a great deal
    migrating my site from http to https. Everyone should follow this guide
    when they need to migrate.

  • Thanks for putting this together. Isn’t it better or at least, easier, to purchase the SSL certificate to your host?
