Migrate site from HTTP to HTTPS - Technical Seo

Secure your site with 10 steps

If you are wondering how important HTTPS is, Google has started sending notifications to web masters in Google Search Console for showing NOT SECURE warnings when users enter text in forms. This warning is part of a plan to migrate the entire web to a secure protocol, and mark all pages served over HTTP as not secure, so we decided to make a simple 10 step tutorial for moving your site to https.


HTTPS advantages

Although HTTPS requires complexity and has migration risks and costs, there are long term advantages that outweigh all the possible problems:

  1. Google has confirmed https as a ranking signal
  2. More referrer data as web is shifting to secure
  3. HTTPS adds security and privacy
  4. Authentication and data integrity


HTTPS certificate price

Not so long ago https certificate price was a part of the reason why many of small businesses did not migrate their web sites. Here comes Let's Encrypt to save the day - a free, automated, and open Certificate Authority that issues free https certificates. The process of issuing a certificate is kind of complicated and lengthy, but for long term it pays off. If you don't want to go through Let's Encrypt process of issuing a certificate you can buy a Standard Validation SSL Certificate which typically costs between 10 - 100$ or an Extended Validation SSL Certificate which often costs between 100 - 500$.


Migrate to HTTPS with 10 steps and preserver your Seo rankings!

  1. Create a custom 404 pageBy making a custom 404 page you minimize the risk of loosing visitors that have landed on urls you forgot to redirect or just wanted to remove from index. Take some time and design a 404 page that is unique and easy to use, with search form, closely related results and link to the homepage.
  2. Map and manage 301 redirects, canonicals and hreflangs.301 redirects are THE MOST IMPORTANT STEP if you want to preserve your Seo and rankings. The best way to minimize the risk is to get the list of urls (from your database or just scrape them) and work on all urls. When mapping redirects be sure to redirect on topic related urls and do not forget old redirects. If possible make max. 1 hop to new https version of urls. When implemented incorrectly canonicals can lead to serious problems like Google Bot endless looping or urls dropping out off index. Moving to a new domain with the need to leave some urls working on the old domain is possible with the implementation of cross-domain canonical. After checking your canonical urls, don't forget to update your hreflang tags, as they can also cause problems.
  3. Update all resources to secure your site.First, make a list of all elements that should use https (css, fonts, images, widgets, iframes, javascript, all cdn content, ...). Use that list to work your way through the web and point all http urls to secure https urls.
  4. Test iframes on your site.When moving to https do not forget to test iframes on your website.
  5. Implement HSTS.Implement HTTP Strict Transport Security (HSTS), a response header that tells user agents to access HTTPS even when directed to an HTTP page. This eliminates redirects, speeds up response time, provides extra security but also brings extra complexity so you should check Google HSTS recommendations.
  6. Implement OCSP stapling.Implement OCSP stapling which enables a server to check if a security certificate is revoked instead of a browser, which keeps the browser from having to download or cross-reference with the issuing certificate authority.
  7. Create https profile in Google Search Console.Create the https version in Google Search Console and Bing Webmaster Tools. Do not remove the old http profiles until all new https urls are indexed. We remove our http profiles one month after deploying https, but that depends on how many urls does your site have and your crawling / indexing rate.
  8. Set https urls in Disavow File and Robots.txt.When doing a migration to https you should not forget to upload a Disavow File to your new https profile in Google Search Console. Update all your absolute urls in robots.txt.
  9. Generate new sitemap with https urls.Although this step seems very easy, we have seen many website that had a lot of problems with generating up to date new https sitemaps. Double-check with your developers if the right urls will be included in your new sitemap.
  10. Set https in Google Analytics.You need to update Google Analytics, so navigate to your web property and click into Admin, go to View settings and change the url to https. Don't forget to change the url Property Settings as well. By doing this your won’t lose history.

What after doing all 10 migrate to HTTPS steps?

Finally, use the Fetch and Render function in Webmaster Tools to ensure Google can properly crawl, render and index your site. Test all your 301, canonical and hreflangs.

What about the meta referrer tag?

We have decided to completely ignore the loss of referral data from http sites. Google has already started sending warnings like "Starting October 2017 Chrome will show security warnings on http://www.example.com", so the number of sites moving to https will increase rapidly.

Here is a quick info about referral loss:

  1. HTTP HTTP - referrer sent
  2. HTTP HTTPS - referrer sent
  3. HTTPS HTTPS - referrer sent
  4. HTTPS HTTP - referrer NOT sent

Known issues with HTTPS migration

HTTPS requires extra communication between servers, so it can slow down your website. Some of the speed problems can be resolved by implementing SPDY and HTTP2. There is also a great article on Moz.com about Enabling HTTPS Without Sacrificing Your Web Performance.

Special attention should be on duplicate content issues with cdn networks. This has the potential of duplicating entire sites so be sure to manage this correctly.

If you think HTTPS migration is overwhelming and you need professional guidance in migrating and securing your website, feel free to DROP US A NOTE.

Secure Your Site NOW


Leave a Reply

Your email address will not be published. Required fields are marked *


You can implement everything from this blog post on your own risk with no guarantees. Ranklio can not be responsible for any problems, damages, costs or lawsuits which came out of use of anything from this blog post.