How to Migrate to HTTPS

There are a few different ways we implement HTTPS for our clients.

  1. Traditional
  2. Let’s Encrypt
  3. Cloudflare
  4. Sucuri Web Application Firewall

Traditional HTTPS Implementation

The traditional way to implement HTTPS has always been to buy an SSL Certificate from your web host or domain registrar, validate information with the Certificate Authority, install the SSL through cPanel (typically), make sure your site URL is set as https://www.yourdomain.com and then renew the SSL certificate every year.

The traditional method is good for all types of websites including eCommerce and businesses that prefer an Organizational or Extended Validation certificate.

If a basic SSL certificate suits your needs, there are other ways to implement HTTPS and many of them are free.

Let’s Encrypt

If your web hosting company supports it, Let’s Encrypt is great way to acquire a free SSL and implement HTTPS. Let’s Encrypt is a service that issues SSL certificates and eliminates many of the complexities that come with a manual implementation.

Sounds great, doesn’t it? It is.

Web administrators generally do not work directly with Let’s Encrypt. Instead, they work through a web host company who offers this option and already has an API that integrates with it.

One of our preferred hosting providers, SiteGround, offers a Free SSL for web hosting customers through Let’s Encrypt.

So good news, if you’re a SiteGround customer or would like to become one (just let us know, we can help!) it’s easy to get your site up and running under HTTPS.

Cloudflare

Cloudflare SSL for HTTPSCloudflare is similar to Let’s Encrypt except its a bit easier to use and has some bonus features built in. They are another one of the few providers that offers basic SSL protection free of charge.

Free accounts on Cloudflare allow you to run HTTPS. They even include a rewrite feature to make sure you are FULLY HTTPS and not serving mixed content (some secure and some not secure). You can obtain upgraded SSL certificates through Cloudflare also.

Read about mixed content and Automatic HTTPS Rewrites | Cloudflare.

However, due to the way Cloudflare works, this option offers incomplete encryption and should only be used on basic websites without eCommerce.

Sucuri – Web Application Firewall (Smart Solutions Managed Solutions Plan)

Sucuri Free SSLOne benefit our Magento Managed Solutions Plan and WordPress Managed Solutions Plan customers take advantage of is the Sucuri Website Application Firewall (WAF) and a free SSL. A firewall helps stop website hacks and attacks. Managed Solutions Plan customers are offered a free SSL through this service.

Running your site through a firewall delivers many benefits:

  • Run sites over HTTPS
  • Automatically rewrite non-HTTP content
  • Block spam, malware, and other malicious bots from accessing your site
  • Add a layer of caching to speed up the delivery of your site to visitors and increase performance

Migrating your site from HTTP to HTTPS

1. Acquire an SSL Certificate

For starters, you’ll need an SSL certificate. The section above outlines various options for obtaining an SSL certificate. Regardless of the option you choose, you will need to plan your HTTPS migration and schedule time for it.

2. Check External Scripts and Services

Most sites these days are running external scripts or using 3rd party services such as non-Google analytics tracking, JavaScript libraries, or Google Fonts. 3rd party code embedded in a website that is not HTTPS can cause problems with validation so have your developer review your site programming when migrating. Review all scripts and make sure they are running over HTTPS. If some are not, find out if a HTTPS version is available. Sometimes this is as easy as changing references from HTTP to HTTPS in the script’s URL.

3. Social Share Counts

One side effect of moving to HTTPS is a URL change – http://yourdomain.com to https://yourdomain.com. Social sites often recognize these as two different URLs therefore impacting your sharing counts. For example, if an blog post has 30 Facebook shares, Facebook will no report share counts accurately. You will need to find out if your social plugin supports “share recovery.”

4. Migrate to HTTPS

If you’re running WordPress and are not a developer, there are some plugins to simplify the HTTPS migration. We recommend using Really Simple SSL. The plugin won’t do everything for you but it saves time and is as simple as activating the plugin and enabling SSL.

A plugin is not necessary however. You can also simply change the URL in the Settings of the WordPress dashboard and update any redirects you may have via a plugin or htaccess.

5. Test and Check for Errors

You’re almost done and it is hopefully everything is working correctly. However, it’s good practice to double check and make sure there are no hidden problems. An easy way to do this is to use the SSL Server Test tool from Qualys SSL Labs.

The tool will provide a certificate summary that looks something like this:

6. Force a Re-crawl and Update Citations

It’s good practice to let Google know when you make these types of site changes. One way is to force a re-crawl of the site. Google will naturally re-crawl on its own, but you can speed up the process using Google Search Console.

If your site isn’t already setup as a property in search console, this is a great time to do that. You simply need to create an account, add the site as a property and then verify it.

Usually this is done via uploading a html file via FTP or inserting some code into the head of the site. If you are running an SEO plugin like Yoast SEO, you can verify your search console (and analytics) connections in the plugin directly.

Updating Citations

You should also update your URL on any local and social properties. These are called citations.

Some typical places you may need to update your URL after you migrate to HTTPS:

  • Facebook Business Page
  • Google Places
  • Google Plus
  • Twitter
  • LinkedIn

Best Practices for Maintaining HTTPS on Your Site

Moving forward, you should always be careful when adding new functionality and features to your website and make sure any external scripts being linked to are from a secure source running over HTTPS. This is the biggest culprit for making a site non-HTTPS. One way to check this is to use the SSL Server Test tool.

Further Reading and Resources

Official Google Webmaster Central Blog: Here’s to more HTTPS on the web!

How to install SSL certificates