Moving From HTTP to HTTPS: Part 1 of 2

Making the move from HTTP to HTTPS is now something I’d advise all my clients to do for a number of reasons:

1) Google Chrome and other browsers are now pointing out sites that aren’t secure in the address bar.

2) Google Search is now beginning to use HTTPS as a ranking signal, so switching can benefit SEO rankings.

3) When you use HTTPS you show your customers and visitors that you’re concerned about their safety and doing your part to protect them (as well as yourself and your staff or employees).

4) It builds credibility – you don’t look very legitimate when your URL has an insecure site warning beside it. On ecommerce sites especially, people are looking for the green padlock.

What does it mean in practical terms for you? Imagine this…

You could be at a coffee shop using their wireless network. You log in to your (unsecured) website. A hacker sitting a few tables over is watching the network, sees you come online and reads your username and password off the network as you log in. Simple as that, they know how to get into your site. For people who know what they’re doing, it’s so easy it’s scary.

When you log in to your HTTPS site, though, anyone eavesdropping on the network can see where you go, but they can’t know how you logged in or what you’re doing on your site once you’re logged in. Using HTTPS makes it harder for people to intercept things moving across a network or to know what people inside a secure site are doing.

But FYI: secure does not necessarily always equal safe. You could visit another secure site that’s been hacked, and even though your connection is secure, you are not safe from whatever they might try to do to your computer.

Getting Started

1) Buy and install an SSL certificate.

Many hosts sell these, and even though they might be a bit more expensive, they’ll usually install them for you at no charge. This is usually worth it for the convenience. Single-site SSL certs are typically $10-$50/year.

You don’t need to buy a $100 certificate for your single site – a $10 cert is as effective as a $400 one. The difference is in the amount of insurance they provide, but typically for most small business sites you’ll be fine with a less expensive cert.

If you have multiple domains to protect (mysite.com, surfing.mysite.com, travel.mysite.com) you’ll need a multisite cert, typically $30-$250/year depending on how many sites are involved. If you’re not sure of the number of sites, a wildcard cert will cover unlimited numbers for $80-$200/year.

Finally, some progressive hosts who recognize the value of securing more of the web offer free SSL certs like Let’s Encrypt. If you’re hosting with me, you have this available to you right now; get in touch to have it set up.

2) If using WordPress, change the Site URL and WordPress URL to HTTPS.

Do this in Settings > General, and you will be logged out when you make this change.

3) Check to make sure the certificate is installed correctly: https://www.sslshopper.com/ssl-checker.html

You want to make sure it recognizes the SSL cert and shows that both www and non-www domains are included.

4) Check all the pages for the green padlock. If you don’t see it, that means there’s mixed content on the page – something is still using HTTP.

This is often the big scary bear when moving to HTTPS – tracking down all those hard-coded links. You will have to dig into the code or theme files to do this, and it can be quite time-consuming. Once you have every link changed and are getting the green padlock everywhere…

5) Add 301 redirects from HTTP to HTTPS.

This is critical to preserve your search rankings! You must 301 redirect every old HTTP URL to its respective new HTTPS URL. Fortunately this is pretty easy. Where you do it depends on the type of hosting you have – most will have Apache, and for that you add this code snippet to your .htaccess file: http://codepen.io/kanjigirl/pen/jBJqro

That will cause people and bots visiting the old HTTP pages to be forwarded automatically to the new HTTPS versions.
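To help with the mixed-content hunt in step 4, the following Python script scans page source or a theme file for resources still loaded over http://, including CSS url() references. It is an added example, not code from the original post; the names find_mixed_content and MixedContentFinder and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource. <a href> is
# navigation, not a subresource, so plain links never cause mixed content.
RESOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "link": ("href",), "embed": ("src",),
    "img": ("src", "srcset"), "source": ("src", "srcset"), "video": ("src", "poster"),
}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that load a file
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for each resource loaded over http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if tag == "link" and not set(attrs.get("rel", "").lower().split()) & FETCHING_RELS:
            return  # e.g. rel="canonical" is metadata; nothing is fetched
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name, "")
            # srcset is a comma-separated list of "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value.strip()])
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, name, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    # CSS url(http://...) inside <style> blocks and style="" attributes
    css = [(html.count("\n", 0, m.start()) + 1, "css", "url()", m.group(1))
           for m in CSS_URL.finditer(html)]
    return sorted(finder.findings + css)

# Constructed sample page; mysite.com is the placeholder domain from the post
SAMPLE = """<link rel="canonical" href="http://mysite.com/">
<link rel="stylesheet" href="http://mysite.com/theme/style.css">
<a href="http://mysite.com/about">About</a>
<img src="https://mysite.com/logo.png" srcset="http://mysite.com/logo-2x.png 2x">
<div style="background: url('http://mysite.com/bg.jpg')"></div>"""

if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE), sep="\n")
```

Each finding gives the line number, tag, attribute and offending URL, so you can go straight to the hard-coded link in the theme file. Ordinary links and canonical tags are skipped on purpose, since they do not take away the padlock.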


This is the end of Part 1. In an upcoming post we’ll go over the SEO tasks that have to be done during this switch. If you have questions about this process and why it’s important, or need help getting it done for your site, feel free to contact me.