How to Migrate from HTTP to HTTPS - Complete Guide

With the performance benefits you now get from HTTP/2, there has never been a better time to thinking about moving your site to HTTPS; not to mention the additional security and SEO advantages. Follow our guide below on how to migrate your site from HTTP to HTTPS.

Why should you redirect HTTP to HTTPS?

As you know Google is pushing hard for HTTPS everywhere so that the web is a safer place. While being more secure is always important, there are some additional reasons why you might want to consider moving to HTTPS.

1. Performance and HTTP/2

Content delivery networks and web hosting providers are starting to roll out HTTP/2. In a session at Velocity, Load Impact and Mozilla reported that internet users can expect websites optimized for and delivered over HTTP/2 to perform 50-70 percent better than sites over HTTP/1.1. To take advantage of HTTP/2 performance benefits you have to be running over HTTPS because of browser support.

2. SEO and rankings

Back in 2014 Matt Cutts announced that HTTPS is now a lightweight ranking signal and that over time Google might strengthen this signal. So running HTTPS can help benefit your SEO rankings.

Reading "HTTPS as a ranking signal": https://developers.google.com/search/blog/2014/08/https-as-ranking-signal

- Matt Cutts (@mattcutts) August 7, 2014

According to the latest data from BuiltWith, around 6.3% of the top 100,000 websites are using SSL by default, up from 4.3% in November 2014.

3. Better referral data

A third reason why it is good to migrate is because HTTPS to HTTP referral data is blocked in Google Analytics. So for example, lets say your website is on HTTP still and you went viral on Reddit and YCombinator. Both of these sites are running over HTTPS. The referrer data is completely lost and the traffic from both of those sites could end up under direct traffic which is not very helpful. If someone is going from HTTPS to HTTPS the referrer is still passed.

4. More secure

A fourth reason why it is important to be running over HTTPS is of course because of security! For ecommerce sites, the reason you need an SSL certificate is because they are processing sensitive credit card data. For other sites the biggest reason for this is your WordPress login page. If you aren't running over an HTTPS connection your username and password are sent in clear text over the internet. You can see an example in this article on how to actually sniff and capture WordPress logins over unsecured connections using these free tools. Many people will argue that blogs and informational sites don't need to be running on HTTPS, but how important are your login credentials?

5. SSL builds trust and credibility

A fifth reason why SSL is important is due to building trust and credibility with your visitors. According to a European survey from GlobalSign, 77% of websites visitors are concerned about their data being intercepted or misused online.

28.9% look for the green address bar.

- GlobalSign

By adding an SSL certificate and showing the green padlock this instantly adds credibility and what we like to call "SSL trust." It is important to let your visitors know you are secure and that their information will be protected.

Follow the steps below on how to redirect HTTP to HTTPS for your site. Some of the steps use WordPress and KeyCDN as examples.

1. Buying an SSL certificate or using Let's Encrypt

To begin, you will need an SSL certificate. SSL certificates are small data files which bind a key to a specific organization's details. When installed it activates the HTTPS protocol, allowing secure connections between a web browser and the server. There are a number of SSL certificate vendors you can choose from. We recommend vendors like:

• GoGetSSL
• SSLs.com

You can easily purchase a Comodo Positive SSL cert for less than $9 a year.

Types of certs

There are three primary types of certificates:

1. Domain Validation: Single domain or subdomain, no paperwork (just email validation), cheap, issued within minutes.
2. Business/Organization Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 1-3 days.
3. Extended Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 2-7 days. Green address bar.

Trust indicators

There are two types of visible trust indicators you can choose from with an SSL cert. The first is extended/organization validation which shows your company's name in the address bar. These certificates are more expensive. The second and most common is the standard domain validation, which simply shows the green padlock in the address bar.

See our tutorial on how to order an SSL certificate with GoGetSSL.

You can also use Let's Encrypt to obtain a free SSL certificate. One easy way to do this is to use Certbot. Certbot is an easy to use automatic client that fetches and deploys SSL/TLS certificates for your webserver. Certbot was developed by EFF and others as a client for Let's Encrypt and was previously known as "the official Let's Encrypt client."

2. Installing your SSL certificate

Here are some easy to follow guides on how to install your SSL Certificate on your web server. Depending on what software you are running the steps can vary. (these are an example of installing a Comodo Postive SSL cert)

• Install SSL Certificate for Apache
• Install SSL Certificate for NGINX
• Install SSL Certificate for Microsoft IIS 7.x - 8.x
• Install SSL Certificate WHM/cPanel

If you are deploying Let's Encrypt with Certbot you can choose which type of webserver you are using on their website and the operating system you are running. They have extensive documentation. You can then pick "advanced" if you want less automation and more control. Here are just a couple quick links to some popular setups.

• Let's Encrypt on Nginx and Ubuntu 16.04
• Let's Encrypt on Apache and Ubuntu 16.04

Checking your certificate

Once you have installed your certificate you will want to check to see if there are any issues with it. The following tools can be very helpful.

• SSL Labs Server Test
• Certificate Checker (developed by KeyCDN)

3. Update all hard coded links to HTTPS

It is always best practice to use relative URLs, but there will always be times when someone has hard coded a URL and so you will want to do a full sweep on your site and database during an HTTP to HTTPS migration.

The following will differ from platform to platform. In this example, we will show you how to update your link in WordPress. We recommend using a free tool from Interconnect IT called Database Search and Replace Script in PHP. You could run update queries yourself, but there are a lot of tables and metadata fields you will probably miss unless you have an exact list.

We recommend doing this on a dev server and moving it back, or at least backing up your database first to be safe as this script does grab your local database credentials. Simply drop their program into the root of your site via FTP.

Then browse to it in your browser (we named our folder "search-replace-db").

You can then insert what you want to replace. Make sure you enter all of the formats you have mixed and matched over the years such as:

• http://mydomain.com to https://mydomain.com
• http://www.mydomain.com to https://www.mydomain.com

We then recommend running a dry run first to see what it will be updating/replacing. Then when you are ready run a live run. This will update all of your entries in your database, including your WordPress Site URL, hardcoded links on pages and posts, canonical tags, etc.

If you are uncomfortable making database changes then you might also want to check out the free Really Simple SSL plugin. It has over 20,000 installs with a 4.8 rating.

• The plugin handles most issues that WordPress has with SSL, like the much discussed loadbalancer issue, or when there are no server variables set at all.
• All incoming requests are redirected to HTTPS. If possible with .htaccess, or else with JavaScript.
• The site URL and home URL are changed to https.
• Your insecure content is fixed by replacing all http:// URLs with the protocol-independent //. Dynamically, so no database changes are made (except for the siteurl and homeurl).

4. Update custom JS, AJAX Libraries to HTTPS

You will want to update any custom scripts you may have included so that they point to the HTTPS versions. This also includes third party hosted scripts. Otherwise, you will get the dreaded mixed content warning, as seen below.

For example, if you are using Google's hosted jQuery library you will want to make sure you update it to their HTTPS CDN (https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js).

Scan your website for nonsecure content

The developers over at JitBit created a great little SSL Check tool which will scan your website and finds any non-secure content.

5. Add 301 redirects to new HTTPS URLs

Adding 301 redirects is probably one of the most important steps in an HTTP to HTTPS migration. 301 redirects are a permanent redirect which passes between 90-99% of link juice (ranking power) to the redirected page. If you don't implement 301 redirects you could seriously hurt your SEO rankings and your site could completely drop out of SERPs overnight.

It doesn't matter what platform your website is using, we don't recommend using a plugin for a bulk migration like this. It is much simpler to implement 301 redirects at the server level, especially if you are dealing with hundreds of URLs.

Nginx

Add the following to your Nginx configuration file:

server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;
}

Apache

Add the following to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

6. Update your robots.txt file

Update any hard coded links or blocking rules you might have in your robots.txt that might still be pointing to HTTP directories or files.

7. Install SSL certificate on CDN

You have three options when it comes to your CDN. Most providers have a shared SSL option as well as custom SSL. KeyCDN also has a Let's Encrypt integration. If you're not familiar with Custom SSL (and the difference to Shared SSL), check out this guide. In the following examples we are using KeyCDN.

Enable shared SSL

KeyCDN offers shared SSL completely free to its customers. This allows content delivered over HTTPS using your Zone URL. Follow our tutorial on how to setup shared SSL.

Enable free custom SSL with Let's Encrypt

KeyCDN now has an integration with Let's Encrypt that allows you to enable SSL for free on a custom Zone Alias. Follow our tutorial on how to use Let's Encrypt with KeyCDN.

Let's Encrypt only supports domain validation certificates, which means you will get a green padlock in your address bar.

They have no plans at the moment to offer organization validation or extended validation certificates because these require human interaction and some form of payment.

Enable custom SSL - Install certificate

If you are enabling custom SSL you will need your own certificate, separate from the one you bought for your main domain. You can easily purchase another Comodo Positive SSL cert for less than $9 a year. See Step 1 for more information about buying an SSL certificate.

Then follow our complete guide on how to setup custom SSL on KeyCDN.

8. Update Origin URL on CDN

We also need to make sure to update your Origin URL. From the KeyCDN dashboard, go to your Zone settings and update the Origin URL setting from http:// to https://.

10. Update all hardcoded CDN links to HTTPS

Now just like we did with your domain links we also need to update any hardcoded CDN links you might have. In this example, we are using the tool from Step 3 again in WordPress.

Make sure after you are done with the search and replace script to remove it! You can do so by clicking on the "Delete Me" button or remove it manually via FTP from your server.

11. SEO: Google Search Console, sitemaps, fetch

Now that your site is running on HTTPS you need to create a new Google Search Console profile. Simply click on "Add a Property" and continue with the claiming process.

Sitemaps

Sitemaps aren't required for Google to crawl your site, but they can be useful if you are trying to debug indexing issues or verifying if your images are indexing. If you use them, you will need to resubmit the HTTPS version in your new Google Search Console profile.

For Yandex Webmaster Tools you will need to copy the same steps as we did for Google. For Bing Webmaster Tools you don't need to create a new profile, simply resubmit your HTTPS sitemaps.

Fetch

We then recommend doing a fetch and crawl on your new HTTPS site just to get things moving a little faster. In some migrations to HTTPS it take weeks for Google recrawl everything correctly.

1. Submit your homepage by clicking on "Fetch" and then click on "Submit to index."

2. Then choose "Crawl this URL and its direct links." If you have some very important pages too that might not be connected to your homepage you could also submit them individually for recrawling.

12. SEO: Resubmit your disavow file

This is a step a lot of people forget. If you have ever suffered from negative SEO or have needed to remove a backlink, then you probably created and submitted a disavow file. Because you created a new Google search console profile in step 11, this requires that you resubmit your disavow file under the new profile. If you don't, the next time an algorithm update comes along, you could be facing serious troubles as Google will not see your disavow file.

So head over to the Google Disavow tool under your original Google Search Console profile (HTTP) and download your disavow file.

Then launch the disavow tool again under your new HTTPS site and resubmit your file.

Make sure you see the confirmation message.

13. Update your Google Analytics profile URL

Then you need to update your Google Analytics Website's URL. So under your account click into Admin and then your view settings. Then flip the URL to the HTTPS version. Do the same for your Property Settings as well. This way you don't lose any history and can pick up right where you left off.

14. Misc updates

Here are a some additional miscellaneous updates you will also want to make after migrating from HTTP to HTTPS.

• Update your canonical tags to point to the HTTPS version. If you used the tool for WordPress like in our example in Step 3 the canonical tags would have been updated. If you are on a different platform make sure these get updated.
• Update third party PPC URLs (e.g. AdWords, Bing Ads, and Facebook Ads)
• Update Email Marketing Software URLs (e.g. MailChimp, Aweber, and GetResponse)
• Update social media links to your site (e.g. Facebook, Twitter, and LinkedIn)
• Update all external links and backlinks as much as possible.
• Migrate social share counts

The Google search team also just recently published answers to 13 FAQs when it comes to HTTPS migrations.

Summary

As you can see there is a lot that goes into an HTTP to HTTPS migration, but if you followed our guide above you should be in a good place going forward and can now benefit from both the increased performance of HTTP/2 and take advantage of the extra SEO ranking factor. Not to mention your site is now much more secure and logins will no longer be passed in plain text.

Do you have any other HTTP to HTTPS migration tips? If so we would love to hear about them below.