Do you want to know how to switch to HTTPS so your website is more secure, but want to avoid the potential risks involved? Follow our guide to ensure the transition goes smoothly.
Jump straight to our HTTPS migration checklist or read on for some background information on HTTPS and its related technologies.
What is HTTPS?
For anyone out there still unaware of what those letters at the start of a URL actually mean, HTTP stands for Hypertext Transfer Protocol, with HTTPS standing for Hypertext Transfer Protocol Secure. The very earliest concepts of ‘hypertext’ actually date back to the 1940s and originally involved linked microfilm reels, but – as most of us know – modern hypertext simply refers to text on an electronic device which contain hyperlinks to other text. Netscape were the first proponents of HTTPS way back in 1994, but it was formally specified in the year 2000.
How is HTTPS secure?
Most websites have traditionally used HTTP, with e-commerce websites becoming early adopters of HTTPS for the trust and payment security features it provides for consumers, but now an ever-increasing amount of search results are from websites using HTTPS. HTTPS encrypts data, ensures it will not be unknowingly modified or corrupted, and authenticates that users are accessing the website they intend to visit. It communicates over HTTP within an encrypted connection utilising Transport Layer Security (TLS), or previously Secure Sockets Layer (SSL).
Benefits of HTTPS
HTTPS is now one of Google’s many ranking factors and it is likely that as time progresses, more weight will be placed on its importance within the ranking algorithm. An HTTP to HTTPS migration also comes with other benefits such as better referral data in Google Analytics, and the reduced likelihood of adverts being injected into your website, so knowing how to implement HTTPS on your website is quickly becoming a necessity rather than a luxury.
HTTPS SEO impact
It is important to be aware that – as with any type of website migration – there are potential risks involved, and it is possible that your website may experience a drop in rankings and traffic if you do not carefully follow the correct procedures (although if done correctly, you may well see increases in both). Many large companies (including some that specialise in SEO) have suffered such decreases by rushing into HTTPS implementation without proper planning. It is also important to consider that HTTPS websites can experience slower loading speeds, however if you combine your migration with a protocol upgrade to HTTP/2, this can be mitigated.
What is HTTP/2?
Published in 2015, the HTTP/2 specification is an upgrade to the HTTP protocol which allows for faster loading speeds and better security. For the most popular browsers, the protocol upgrade to HTTP/2 requires that websites use HTTPS, so if you are planning to migrate from HTTP to HTTPS then it could be worth considering investigating HTTP/2 at the same time. While you’re at it, you might also want to think about implementing HSTS…
What is HSTS?
HSTS stands for HTTP Strict Transport Security and is a web server directive which aims to safeguard websites against cookie hijacking and protocol downgrade attacks by specifying that user agents such as web browsers only use HTTPS connections. This can reduce the likelihood of ‘man-in-the-middle’ attacks which aim to invisibly convert HTTPS connections into HTTP ones, as well as preventing cookie-based website login details being taken.
HTTPS security symbols
Google will rank your HTTPS content over any HTTP content if both are available to be indexed, as long as certain conditions are met. Users can instantly identify a website’s positive security status by looking for the following (‘Secure’) before the start of a URL:
This means that data you send or receive through the website is ‘private’ – although it is still worth being careful with your personal information.
The URLs of websites that do not use HTTPS (‘Info or Not secure’) are now preceded by:
This indicates that the website does not use a private connection, so information you send or receive could potentially be viewed or modified by a third party; it is best to avoid entering passwords or credit card details for example.
URLs of websites that are considered to be insecure or potentially dangerous to visit (‘Not secure or Dangerous’) are preceded by:
This warning encourages you to avoid entering any personal information whatsoever, as something is wrong with the privacy of the website’s connection. If you also see a full-page red warning screen, the website has been identified as being unsafe by Google Safe Browsing and should definitely not be visited.
Well, with the background information out of the way, let’s move on to the site migration SEO checklist which covers how to convert from HTTP to HTTPS in detail…
HTTPS migration checklist
- Select an appropriate SSL certificate
You should acquire a certificate with a 2048-bit key using SHA-2 from a certificate authority, or upgrade your existing 1024-bit key; test it, and set a reminder for its expiration date. Certificate options are for single domain, multi-domain (if you have subdomains), or wildcard (if you have dynamic subdomains) and you can choose from domain validation, organisation validation, and extended validation certificates (these last two options offer more advanced functionality, but are also more expensive, require proof of your organisation’s existence, and usually take a few days to be issued).
- Plan the best time to migrate to HTTPS
It is advisable to conduct the migration at a time when your website typically receives lower amounts of traffic. Additionally, aim to begin at the start of a working day when development/SEO colleagues are available to deal with any issues which may arise. Remember to make sure you notify all of your colleagues about the time when the migration will be taking place.
- Crawl your existing HTTP website
This is an opportunity to fix any outstanding technical issues and get a complete picture of your URL structure, and – combined with a look at the backend of your website – will also help you to identify any technologies which might break during the migration, such as plugins, add-ons, external scripts, payment gateways, PDFs, and internal site search. Additionally, if you use a CDN, check whether there are any factors you should consider when migrating (such as turning it off or clearing your cache).
- Eliminate any unnecessary redirect chains
Try to remove as many redirect chains as possible, including any from existing non-www to www versions (or vice versa) of the HTTP version of the website.
- Download your disavow file
If you have an existing disavow file, download it here by following the ‘Disavow Links’ buttons until you reach the ‘Download’ button. You will be able to upload this later to your HTTPS property in Google Search Console and Bing Webmaster Tools.
- Benchmark rankings and traffic
If you haven’t already done so, it’s a good idea to benchmark your important search term rankings and set up an analytics platform such as Google Analytics, so that you can monitor how these might fluctuate before and after the migration.
- Test any changes in a staging environment
If possible, test the changes you will be making in a non-indexable and non-accessible staging environment, rather than directly to the production environment.
- Install the SSL certificate
Install the certificate and visit the HTTPS version of your website in your browser to check there are no errors. You can use this SSL Server Test tool to diagnose any issues.
- Ensure all forms are secure
Check any forms on your website that have insecure actions, as even though you have redirected your pages to HTTPS, the data they contain will be sent via HTTP before being redirected to HTTPS.
- Set server-side 301 redirects
Update your .htaccess file to redirect HTTP to HTTPS for all of your individual website pages. Redirecting to HTTPS is fairly straightforward as – unlike other types of migration – your URLs will remain consistent and all that you are changing is the protocol itself.
- Update your CMS settings
If you use a popular CMS such as WordPress, remember to update your address settings to reflect the switch from HTTP to HTTPS. In WordPress for example, you will need to update the ‘WordPress Address (URL)’ and ‘Site Address (URL)’ fields which can be found in ‘Settings’ > ‘General’.
- Check and update your robots.txt file
Make sure your robots.txt file doesn’t restrict any HTTPS pages – and that any references to URLs use HTTPS, and update it with a reference to your new XML Sitemap.
- Check any canonical and hreflang tags
If you use canonical tags or hreflang tags, check that they are not referencing HTTP pages.
- Update settings In Google Analytics
If you have Google Analytics set up, update your ‘Default URL’ and ‘Website’s URL’ in the ‘Admin’ section to reflect the change from HTTP to HTTPS. The Default URL can be found in the ‘Property Settings’ section and the Website’s URL can be found in the ‘View Settings’ section. Also, ensure Google Search Console is correctly linked (in the Property Settings section), and annotate all views with the date of the migration.
- Implement HSTS
It’s worth waiting until after the migration to implement HSTS, and then sending HSTS headers with a short max-age (this refers to how long the HSTS action will be applied). If the implementation doesn’t negatively affect users, search engines, or adverts for example, then you can gradually increase the max-age. Once you are happy that performance is not being adversely affected, you can also consider submitting your website to the HSTS preload list, which is a list of websites hardcoded into Google Chrome as being HTTPS only.
- Enable OCSP stapling
OCSP stapling allows a server to download a copy of the certificate authority’s response, when checking the certificate. This means that the browser checks the copy, rather than querying the certificate authority – so can help to improve performance.
- Add support for HTTP/2
Now that you are on HTTPS, you can enable HTTP/2 which will result in improved speed performance and security.
- Set up Google Search Console and Bing Webmaster Tools
Add, verify, and configure the www and non-www HTTPS versions of your website in Google Search Console and also update your Bing Webmaster Tools versions. If applicable, resubmit your disavow file, as well as any URL removal request and URL parameter settings.
- Recrawl the website
Recrawl the website to check nothing has broken – or is still loading over HTTP – and fix any errors.
- Submit your XML Sitemap and request indexation
Submit your updated XML Sitemap to Google Search Console and Bing Webmaster Tools and use their ‘Fetch as Google’ and ‘Submit URLs’ features respectively to submit the website to their indices.
- Update any references to your HTTPS website
Update any of the following that are applicable:
- Social media platforms
- Social sharing buttons (you may need to use a share count recovery tool to avoid data loss)
- Facebook Open Graph tags
- PPC campaigns
- Email marketing campaigns
- Local citations
- Schema / Structured Data
- RSS feed
- GoogleMyBusiness and Bing Places for Business
- Email signatures
- Monitor rankings, traffic, Google Search Console and Bing Webmaster Tools
Keep a close eye on your monitored search term rankings – and traffic levels for each channel. Also log in regularly to Google Search Console and Bing Webmaster Tools to make sure everything is as it should be.
So, now you know how to change HTTP to HTTPS with a minimum of disruption to your website. Bear in mind that as with any type of website migration, it may take some time for everything to stabilise – although an HTTPS migration will generally not take as long as other types of migration for things to settle down. If you’ve followed the steps in our site migration checklist, you shouldn’t experience any issues and will not only have a more secure website, but will also hopefully see an increase in your rankings, traffic, and in turn, conversions.
What’s the first thing we will be doing after writing this blog post? Practicing what we preach and ensuring our own website migrates to HTTPS (our clients tend to take priority)!
If you would like assistance with how to secure your website with HTTPS, or are interested in any of our other digital marketing services, then give us a call on 01273 921 866 or email us at firstname.lastname@example.org and we will be happy to discuss how we can help you.
If you found this article useful, you may want to view our other related articles:
You can print an editable copy of this article and checklist by clicking the ‘Print’ button below – or alternatively, bookmark this page for future reference.
GIFs by Elena Jimenez