There are two main reasons for moving your website to HTTPS / SSL. The first is search rankings: Google has recently announced that HTTPS is now a ranking signal. It is a lightweight signal for now, but it will definitely gain strength over time. While search engine rankings are crucial, protecting user privacy should also be an important goal for every business or website owner.
By moving your entire website to HTTPS / SSL, you can improve search rankings and protect your business / website reputation while playing a proactive role in protecting user privacy.
Minimum requirements needed to move to HTTPS
- a shared hosting plan with SSL support; just contact your hosting provider about that, as they usually offer support for it. In cPanel you can find it under SSL / TLS manager.
- Server Name Indication (SNI) support or a dedicated IP address; all decent hosting providers offer SNI support or dedicated IP addresses for shared hosting plans.
- an SSL certificate
- a properly configured website (read below)
If you’re going for SNI, you should know that there is no support for SNI in Windows XP’s Internet Explorer versions. Internet Explorer 7+ (Vista or later) and all new browsers do have support for SNI.
Buy an SSL certificate for your site. Isn’t it expensive?
An SSL certificate is cheaper than you may think. For example, if you go for a domain validation certificate, it will cost you around $9 a year. The nice part is that a domain validation certificate is usually issued within a few minutes.
If you’re running a business you may want to consider an EV SSL certificate, which is slightly more expensive. For more specific needs, like validating multiple domains or multiple subdomains with a single certificate, you should also check other SSL packages.
As a tip, while activating the SSL certificate, make sure that WhoisGuard or other similar tools are disabled.
Generating and installing your SSL certificate
In order to generate an SSL certificate you’ll need to submit a certificate signing request (CSR) for your website. You can generate the CSR from your control panel or you can ask your hosting provider to generate it for you.
After sending the CSR you’ll also have to specify an email address (from your domain) that will be used to approve the certificate’s activation.
After approval, the certificate will be emailed back to you. All you have to do now is to install it using your control panel or ask your hosting provider to install it for you.
Moving your website to HTTPS / SSL
At this stage, your HTTPS version should be up and running. You’ll have to make sure that all your resources are loaded using a secure connection and that all your internal links are using HTTPS.
If you’re using a cache plugin like WP Super Cache (on WordPress) or a system cache plugin (on Joomla) you should disable it at this point. It will be easier to debug mixed content warnings with cache disabled.
Replace all internal links with their corresponding HTTPS version
You can have browsers request every link on your domain over HTTPS by using HTTP Strict Transport Security (HSTS), or you can replace all your internal links using the Search and Replace plugin.
On deconf.com I had to replace all http://deconf.com occurrences with https://deconf.com in all tables of my database.
In WordPress, if you use a Search and Replace plugin, make sure you manually replace links from widgets with their HTTPS equivalent. Usually these types of plugins are not able to replace things inside widgets (because of the way a widget’s content is stored in the database).
You should also check your page source and replace / update all your HTTP internal links (if there are any) present in PHP, CSS, JavaScript and other types of files.
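Why a plain search and replace corrupts widget content, as an added example that is not part of the original post. It assumes the widget settings are stored as PHP-serialized data, where every string carries a byte-length prefix; the helper names and the sample widget value are constructed for illustration.

```python
import re

# Header of a string in PHP serialize() output: s:<byte length>:"
TOKEN = re.compile(rb's:(\d+):"')


def php_str(value: bytes) -> bytes:
    """Serialize one string the way PHP's serialize() writes it."""
    return b's:%d:"%s";' % (len(value), value)


def is_consistent(blob: bytes) -> bool:
    """True if every string's length prefix matches its actual byte length."""
    pos = 0
    for m in TOKEN.finditer(blob):
        if m.start() < pos:
            continue  # header-like bytes inside a value already checked
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True


def serialized_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside string values and rewrite their prefixes."""
    out, pos = bytearray(), 0
    for m in TOKEN.finditer(blob):
        end = m.end() + int(m.group(1))
        if m.start() < pos or blob[end:end + 2] != b'";':
            continue  # inside an earlier value, or not a well-formed string
        out += blob[pos:m.start()] + php_str(blob[m.end():end].replace(old, new))
        pos = end + 2
    return bytes(out + blob[pos:])


# Constructed sample: a text widget's settings as a serialized PHP array.
WIDGET = (b'a:1:{i:2;a:2:{' + php_str(b'title') + php_str(b'Logo')
          + php_str(b'text')
          + php_str(b'<img src="http://yourdomain.tld/logo.png" />') + b'}}')
OLD, NEW = b'http://yourdomain.tld', b'https://yourdomain.tld'

if __name__ == "__main__":
    print(is_consistent(WIDGET.replace(OLD, NEW)))  # plain replace
    print(is_consistent(serialized_replace(WIDGET, OLD, NEW)))
```

The plain replace adds one byte to the URL but leaves the `s:44` prefix untouched, so the stored value no longer parses; the length-aware version rewrites the prefix to `s:45`.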
Avoid mixed content errors and warnings
After replacing the majority of your internal links you should access your website using the HTTPS URL (https://yourdomain.tld) to debug and fix all remaining mixed content warnings.
At first load, you’ll probably see a warning similar to this one:
Use the Inspector to find which resources are causing errors. In your browser, start the Inspector using CTRL+SHIFT+I and go to the Console tab. The resources causing the warning are listed in the console.
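To find the same problems in a saved page source without opening each page in a browser, the following added example (not from the original post) lists the sub-resources an HTTPS page would still request over plain HTTP. The tag lists, function names and sample markup are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a sub-resource.
# Browsers block active mixed content and typically only warn on passive.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect sub-resources an HTTPS page would request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, line number)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for attr, value in attrs:
            url = (value or "").strip()
            if not url.lower().startswith("http://"):
                continue  # https://, //host/path and relative URLs are fine
            if (tag, attr) in ACTIVE:
                rel = (attr_map.get("rel") or "").lower()
                if tag == "link" and "stylesheet" not in rel:
                    continue  # e.g. rel=canonical is never fetched
                kind = "active"
            elif (tag, attr) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href>: a navigation link, not a load
            self.findings.append((kind, tag, url, self.getpos()[0]))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample markup; the host names are placeholders.
SAMPLE = """<link rel="canonical" href="http://yourdomain.tld/">
<link rel="stylesheet" href="http://yourdomain.tld/style.css">
<script src="http://cdn.example.com/lib.js"></script>
<a href="http://yourdomain.tld/about">About</a>
<img src="http://yourdomain.tld/logo.png">
<img src="//cdn.example.com/pic.png">"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Ordinary `<a href>` links and the canonical link are skipped on purpose: they still need updating for SEO, but they do not trigger mixed content warnings.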
SSL support with CDN
Your CDN service also needs to have SSL support, because almost all your page resources will be loaded through a CDN edge. If you’re using MaxCDN, you’re lucky, because you can switch to SSL with no additional costs.
On MaxCDN, in Pull Zone settings you’ll have an option called Shared SSL. By enabling this option a new CNAME will be available in pull zone’s settings section, which looks like this: name-alias.netdna-ssl.com. Don’t forget to update the new CNAME in your website theme, CDN manager and / or cache plugin.
If you don’t want to use a shared SSL certificate, you can enable SNI SSL which allows you to install your own custom SSL certificate or you can use a Dedicated SSL plan.
Redirect from HTTP to HTTPS
After fixing all mixed content warnings you should redirect all your HTTP requests to HTTPS. Because duplicate content can always be a major source of SEO problems, you should use a 301 redirect.
Apache .htaccess example:
[bash]
# Permanently redirect every plain-HTTP request for yourdomain.tld to HTTPS
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.tld [NC]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://yourdomain.tld/$1 [R=301,L]
[/bash]
If you need to keep SSL off for some subdirectories (e.g. foo1 and foo2) you should use something like this:
[bash]
# Redirect to HTTPS, except for requests under /foo1/ and /foo2/
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/foo1/
RewriteCond %{REQUEST_URI} !^/foo2/
RewriteCond %{HTTP_HOST} ^domain\.tld [NC]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://domain.tld/$1 [R=301,L]
[/bash]
And here is the result of moving your website to HTTPS, no warnings and a green padlock icon:
SEO tips for HTTPS sites and other SSL tweaks
In terms of SEO, besides 301 redirection of all links, you should also add the HTTPS version of your website to Google Webmaster Tools. You’ll be able to add and verify it, but you won’t be able to use the change of address feature. In fact there is no need to follow the change of address procedure, because the only thing that has changed is the protocol and not the actual domain name. Adding the HTTPS version of your site map is also recommended.
Regarding Bing’s Webmaster Tools, you don’t have to add and verify the HTTPS version of your website, but it is recommended to replace the site map with its HTTPS equivalent.
If you have embedded videos on your site, you should also update those links. For YouTube you’ll need to replace all http://youtube.com occurrences with their https://youtube.com equivalent.
Pay attention to third-party services like Google AdSense and Google Analytics. If you’re using an old Google AdSense code you’ll have to update that. Same thing applies to Google Analytics, Clicky Analytics and other similar analytics services.
If you use one of my analytics plugins (for Google or Clicky), these kinds of things will be handled automatically. These plugins will automatically generate and insert the proper tracking code.
If you were using a cache plugin, don’t forget to re-enable it, make the necessary updates and clear the entire cache.