Let’s start with two important truths:
1. HTTPS is a stated Google ranking factor
2. Having a secure website is good for business
In essence this means that having a secure website potentially means more traffic and more conversions.
Given that Google dominates search you might assume that everyone would be scrambling to switch to HTTPS. However, we recently examined ranking factors for UK B2B websites and concluded that uptake is in the 2 to 3% range. Ouch.
What exactly is HTTPS and why all the fuss?
HTTPS is the secure form of HyperText Transfer Protocol (HTTP) where the ‘S’ stands for ‘Secure’.
In its most basic form it establishes an encrypted, secure connection between a user’s browser and the web server that hosts a website. Most people will recognize it as the padlock or green browser bar which indicates a secure connection.
The most common way of setting up HTTPS is to use an SSL Certificate (SSL = Secure Sockets Layer).
Traditionally HTTPS has been used by ecommerce sites to ensure that sensitive data such as payment card details or login credentials are passed securely from the browser to the PC.
However, online security is increasingly important and if just having a more secure website wasn’t enough of a reason for using HTTPS, then Google has upped the ante by counting HTTPS as a ranking factor. While the search engine hasn’t stated how much of a factor, rather like mobile we can expect it to become increasingly important over time.
But it’s not just Google we need to consider. HTTPS offers these additional benefits to your business:
- Greater Trust - Your visitors are reassured that you are a responsible business.
- More Transparency - Your visitors can see that you are a responsible business who owns the domain name.
- Higher Conversion Rates - Prospective customers are far more likely to do business with you if they can see that your site is secure.
In short, HTTPS is the direction of travel so it’s worth getting on board sooner rather than later.
Step by step guide to migrating your website to HTTPS
Given all of these benefits you would have thought that businesses and website owners alike would be frantically beating a path to HTTPS. But that isn’t the case as we’ve seen above.
The main reason for this lack of pickup is the perceived difficulty of making the switch. Here are a few common reasons that the change to HTTPS is put off:
- Concerns over costs, timescales and complexity
- Concerns of possible downtime
- Concerns over a permanent drop in the search rankings
These are genuine concerns, but as long as you follow a proven set of steps you can pretty much eliminate these risks.
We’ve put together a detailed infographic going through all the stages, but don’t worry, we also go through it all step by step below:
Image: Courtesy of Pickaweb
Step 1: Get an SSL certificate
First up you’ll need an SSL Certificate. You can usually get these direct from your hosting company or from a reputable SSL vendor. The advantage of buying through your host is that they’ll most likely help with the installation.
When you start looking, you’ll see that there’s quite a variety of SSL Certificates to choose from. Some of the most popular ones are:
Domain SSL - This is the most common type of SSL. Cheap, instant issue SSL which shows the padlock in the browser bar. Valid for one domain only.
Wildcard SSL - Similar to Domain SSL except also valid on subdomains of the same domain.
Organization SSL - More expensive SSL which requires basic company verification and takes one or two business days to issue. Domain and company details appear in the certificate and a padlock will be shown in the browser.
Extended Validation (EV) SSL - This is the most expensive type of SSL which requires legal, operational and physical company verification. It takes three to four days to be issued and includes the full green secure browser bar feature.
Don’t get too hung up on the different types of certificate. They all work in exactly the same way. The only thing is that the more expensive ones have more of a verification process in place and the EV SSL has the green browser bar. Don’t think that just because you opt for the cheaper Domain SSL that you’re getting cheaper security - you’re not, they are exactly the same.
Step 2: Install your SSL certificate
Once you’ve purchased your SSL certificate you’ll need to verify it. As explained above with the organization and EV certificates this can involve providing additional information.
Assuming you go for the domain SSL, you’ll need to verify your domain by approving an email that is sent to one of a number of pre-specified email addresses (i.e. webmaster@YOURDOMAIN).
You can also get your SSL with or without www. - it’s purely down to personal preference.
Once you’ve verified, your hosting company can then install it on your domain for you. A dedicated IP address for your SSL is not now strictly necessary, but some hosts may still require that you purchase one. Just check with your host and they’ll help you with this.
Step 3: Run a full backup
As with any task that involves changes to your website, it’s highly recommend that you run a full backup first. If you use a hosting control panel like cPanel you can run this manually from there.
Step 4: Update internal URLs
Now the fun starts. As you’re switching to HTTPS any internal links in your site will still use HTTP unless they are changed. If you leave them as HTTP after switching to HTTPS they may return 404 errors when clicked on.
If you’ve got a small site you can probably update these yourself or if you’re not comfortable looking under the hood, then you can get a designer, developer or web professional to do this for you.
On that note it’s worth just pausing and considering this point because it’s important. If you’re genuinely not comfortable with making these types of changes to your website then you should definitely get some professional assistance. You can use this guide to help you understand the steps involved so that you can communicate with them on their level. If you don’t have anyone in mind then start with your hosting company to see if they can recommend anyone or use a freelance site like Upwork or Guru to find someone.
Top Tip: If you do decide to use a freelancer, don’t be frightened to ask them to take a test first using a tool like Test4Geeks. Reject any that score less than 80% - you only want to work with the ‘A’ Graders.
Of course if your site is large and has hundreds, maybe thousands of pages, then it’s not really feasible to do this manually. Fortunately there are tools that can automate this for you, especially if you’re using WordPress.
Step 5: Update external URLs under your control
Once you’ve updated your internal links you should check to see if you have any external links that you control which you can update to HTTPS.
For example your social media profiles will have links to your site as will directory links. Wherever you have links where you have a login, you should go through and update them so they reflect the change to HTTPS rather than linking to the outdated HTTP address.
Of course, if you’ve got dozens or hundreds of external links pointing to you it’s not feasible to go round and ask all website owners to update these links. We’ll cover how to work around that shortly.
For now though, just run through the ones you do control and update them.
Step 6: Set up a global 301 redirect
A 301 redirect is a way of permanently redirecting traffic from one URL to another. In this case it would be from the HTTP URL to the new HTTPS URL. This is usually something that you might do occasionally on a page by page basis but in this case as you’re moving your entire website to HTTPS, you need a more efficient way to achieve this.
The way that you do this depends on the type of web server that you use. The majority of websites will be hosted on LAMP servers (Linux, Apache, MySQL, PHP). In this case you need to make changes to the htaccess file.
For NGinx this would be the NGinx Config File.
To double check your work there are tools that can scan your site for non SSL links. WordPress users even have their own Insecure Content Fixer plugin. Nice!
Again, if you’re not sure, get a web professional onboard to help you.
Step 7: Update your CDN SSL (optional)
If you use a Content Delivery Network (CDN) like Cloudflare then you’ll need to update your CDN SSL.
A CDN is a distributed set of servers across the globe that offers the double benefit of presenting your website files via the closest server to the person browsing, as well as being able to detect and prevent malicious traffic harming your website. Check first with your hosting company if you’re not sure about this. If you are then you’ll just need to contact your CDN provider and they will help you to configure your SSL.
Step 8: Update 3rd party tools, email templates & paid search
These days running an effective online strategy involves a whole range of additional tools such as email marketing, marketing automation, social media, landing page generators or Customer Relationship Management (CRM) applications. You’ll need to run through them and double check that any HTTP links are switched to HTTPS. Likewise if you’ve got a billing system that sends out invoices or automated emails these will all need updating.
Of course, in step 6 above you’ve already set up the domain level HTTPS redirection so to some extent this step is not really necessary. However, it just looks more professional if you’re using the correct URL especially for billing related links such as invoices and client login areas.
Finally double check any landing pages or paid search.
Step 9: Update Google (Console & Analytics) and sitemap
Nearly there. The final step is to update Google Search Console and Google Analytics and your sitemap.
In your Search Console you’ll need to submit the new HTTPS site. If you use an automatic sitemap generator then that should update automatically but if you have a manually generated sitemap then you’ll need to update it.
With Google Analytics you’ll need to set the default URL to HTTPS.
HTTPS is increasingly important. It is a Google ranking factor as well as the basic price of admission when it comes to online security. Switching to HTTPS is inevitable and the sooner you switch, the sooner you’ll get an advantage over less savvy competitors.