HTTP to HTTPS: How to Migrate & Maintain SEO

Posted in Web Development
Last Updated:

Migrating your website to HTTPS can seem like a daunting task at first glance. This guide will help you through the process while keeping your existing SEO efforts in-tact - plus improve your future rankings!

Google has been pushing for increased security across all websites for some time. This campaign has become a topic you can't afford to skip over.

At first glance, all this security talk can sound very complex and overwhelming. Once you understand the concepts laid out in this article, making a migration will be just a matter of putting in the work.

I am going to provide full context around why you should secure your website, walk you through the transition steps - all while preserving (and improving) your existing SEO efforts.

Why Switch to HTTPS?

The benefit of a secure web is all about protecting the user - and what is good for the user, is often a good SEO practice. Here are some of the main points on why you need to make the switch:

Improved Website Security

Data sent between your browser and a web server over HTTP is insecure. By switching to HTTPS you are enabling data transfer using the Transport Layer Security (TLS) protocol (previously the Secure Socket Layer or SSL).

Data transferred through TLS provides 3 layers of protection:

  1. Encryption - An encrypted data transfer protects communication on a public network (the internet). This keeps the data confidential and prevents a 3rd party from intercepting or monitoring the communication between a website and a user.
  2. Data Integrity - Over an insecure transaction, data can be manipulated between the web server and browser. This can result in modifications to the resulting website. This could result in changing images, advertisements, or other website content. A secure connection ensures that the website that a visitor requested is provided in an unaltered state.
  3. Authentication - The process of attaining an SSL certificate requires a website owner to provide identifiable information. To the end user this means that when they visit a website, they can trust that the site they intended to visit is truly the site they end up on. This protects from man-in-the-middle attacks.

Altogether, these security measures ensure that a website visitor sees the web page they requested in an unaltered form, and their interactions with that website are protected.

For a very detailed article that dives into HTTPS, I highly recommend checking out Vladislav Denishev's article via Smashing Magazine.

Positive Impact on Search Rankings

In August of 2014, Google caught the attention of SEO's when they announced that HTTPS was 'very lightweight signal' and 'over time, we may decide to strengthen it'. This announcement didn't result in a rush to update, though a small percentage of sites did.

Since that time, Google has kept their promises and only pushed harder for webmasters to secure their websites through increased consequences for non-secure sites.

Many reports across the net confirm noticeable ranking increases. Though we can't measure the actual impact on rankings, one thing is for sure - NOT switching to HTTPS is going to hurt in the long run.

Improved SERP & Browser Display

As more and more sites switch to HTTPS, the changes are seen directly on the search result pages. Secure sites display a leading 'https://' on their results, letting the user know they are heading to a secure page. This has a positive impact on CTR.

Netmospherics HTTPS SERP Display

Once you click through to the site, you'll be greeted with a secure status bar indicator. The display varies from device to device and browser to browser. One thing is for sure - users are looking for that lock that indicates their session is secure.

Chrome URL Secure Bar Display

The latest announcement from the company is that their Chrome browser will begin showing 'Not Secure' warnings more aggressively. Two new cases were announced:

  • When users enter data on an HTTP page.
  • On all HTTP pages visited in Incognito mode.
HTTPS warnings in Google Chrome Browser

image: Chromium Blog

As mass adoption continues, missing these trust signals will hurt your site more and more.

Join a Growing Crowd

The first couple years of the 'secure by default' campaign were slow to see sites transition to HTTPS everywhere.

Over the last year, however, adoption has quickly accelerated. Many major sites have gone to fully site-wide secure. At the time of writing, roughly 33% of the top million sites (as reported by Builtwith) are secure by default.

Builtwith Default SSL Secure Chart

image: Builtwith

If you haven't installed an SSL/TLS certificate on your site - NOW is the time to make it happen.

How to Transition From HTTP to HTTPS

The following checklist will cover all the important steps you need to consider during a migration. I've tried to make the list work for the widest range of sites possible. If you have specific questions for your project - use the comment section on this page.

If you have a staging server available, I suggest testing as much of this there before moving to production.

Pre-Move Items

  • Backup Everything - Ensure that you take a full backup of your production and staging environments before you get started.
  • Grab a Current Sitemap - You'll want to get a snapshot of the scope of your current site before you make a move. Download a pre-move version of your sitemap or crawling everything site-wide and keep it as a reference point.
  • Consider Your CDN Setup - Read up on your specific content delivery network setup before you get started. Make sure you understand the steps you need to take to make the transition.
  • Get a Security Certificate & Install - You can purchase a TLS (also referred to as an SSL) certificate from a provider like GoDaddy or get a free one from a service like Lets Encrypt. After you get your certificate, install it on your web server. This entire process is very well documented for all server types.
  • Preview the HTTPS Version - After you install your certificate, you'll be able to view the secure version of your site by adding the https:// protocol to the front of your site URL. Visit the major page types on your site and preview the display. You'll be able to confirm that you have a valid certificate and a secure connection by using the inspector in Chrome and visiting the 'Security' tab.
  • Take Inventory of Mixed Content - You confirmed your certificate is installed correctly in the step above. Now it's time to look around for mixed content. This issue arises when a user requests an HTTPS page, but some resources (images, scripts, etc) are loaded over HTTP. When this happens, your page will be marked as non-secure even when you visit over HTTPS. To find mixed content issues, browse your site over HTTPS with the inspector in Chrome open to the 'Security' tab. At the bottom, it will display any mixed content issues. Take inventory of these issues across your major page types. This will guide you as you fix mixed content through the following steps below.

On-Site Move Items

  • Update Template & Theme Links - If you have hard-coded links in your templates, now is the time to update them to point to https:// or use relative paths. A find and replace across all template files will do the trick.
  • Update Content & Database Links - Many CMSes will hard code links for assets uploaded via the admin. For example, WordPress hard codes image links. The easiest way to fix this is using a plugin and search and replacing with I rarely recommend plugins for small jobs, but this is one case where I think it's smart. Check out Better Search & Replace to get this done on WP. Other platforms like Magento handle all the link updating when the site URL is updated.
  • Change the Site URL - Most platforms have a site URL setting. As a common example, in WordPress you'll visit Settings > General and then update your URL's to https://.
  • Clear Your Website Cache - If you're using a website caching solution, now is the time to clear it out.
  • Create a Sitewide 301 Redirect Rule - You need to ensure that any requests to an http:// page are 301 permanent redirected to the https:// version. This is essential for a smooth SEO transition, so make sure you triple check the implementation. In Apache, this is easily handled by adding the following code to your .htaccess file:
    # BEGIN HTTP to HTTPS Redirection
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # END HTTP to HTTPS Redirection
  • Update Legacy Redirects - Any existing redirects need to be updated to point at the https:// version of the page. The above universal redirect rule will catch these issues, but updating old redirects removes extra redirect hops.
  • Update Canonical & hreflang Tags - This might be handled automatically by your CMS, but you need to ensure that these tags are pointing to the secure version of the page. For example, this is handled automatically on WordPress using Yoast's SEO plugin.
  • Re-Generate the Sitemap - After you make the URL switch, you'll want to re-generate your sitemap and ensure that all the entries are showing https://.
  • Update the Sitemap Entry in Robots.txt - Make sure that your sitemap entry in your robots.txt is pointing at the https:// protocol version of your sitemap.
  • Re-Check for Mixed Content Issues - The final step is to crawl your site or look through pages manually. You're looking for any remaining mixed content issues. Anything you find, loop back through and fix each on a case-by-case basis. Once you can crawl or browse your entire site without running into these errors, your technical setup is complete!

Optional On-Site Move Items

  • Enable HSTS - Enabling HTTP Strict Transport Security forces the browser to use a secure connection.I'd suggest enabling HSTS in most cases. It is supported by 85% of major browsers worldwide at the time of writing. Enabling it is fairly simple - via Apache, add the following to your .htaccess:
    # Enable HSTS
    Header always set Strict-Transport-Security "max-age=10886400
  • Enable HTTP/2 - HTTP 2 is the big brother to HTTP 1 and 1.1. The new protocol is said to have a 60-70% speed increase over the version 1 releases. Enabling HTTP/2 is done at the web server level and is not universally supported - though it may be soon. If you're running a large, resource heavy site - it's worth looking into. If you're running a small blog, your time would probably be better spent adding more high-quality content and improving your marketing efforts.

Off-Site Move Items

  • Add the HTTPS Version of Your Site to Search Console - Do this for both Google and Bing. In Google, this will add a new property to your search console account. Submit your https:// sitemap to this new entry. Do a fetch, render, and request a deep index of the homepage over HTTPS to help the indexing process along.
  • Update Search Console Settings - If you had URL parameter settings or a disavow file, you'll need to re-add these configurations to the new search console entry for HTTPS.
  • Update Analytics - Change the site URL to use the HTTPS protocol. Ensure that all your goals and event tracking aren't based on http:// protocol entries. If they are, you'll need to update the rules.
  • Change Paid Advertising URLs - If you're running paid ads via Google, Bing, social or otherwise, make sure and update the URLs in your ads to the new secure versions.
  • Update External Services - Anything else you're using to track users, run A/B testing, SaaS services, or similar - check them and ensure they are still functioning. You might also need to update rank tracking software (like ahrefs) to show results from the secure version of your site.

Monitoring After the Switch

After you finish all the steps above, it's time to sit back and congratulate yourself on a job well done. Your work is not over though.

From here on out it is important that you closely monitor the transition and test, test, test. Here are a few common places to look:

  • Test Conversion Round Trips - Ensure that your website still functions all the way through a conversion - whatever that is in your case. If you're hosting lead forms, make sure all the entries pass through appropriately. If you're hosting an eCommerce site, ensure that your orders make it all the way through the process.
  • Search Indexing and Rankings - Be sure to monitor your rank tracking closely (daily) until you observe a successful re-indexing of your HTTPS site version. After doing several migrations, I have not seen drops in search traffic. If done correctly, the transition is seamless. You will notice that impressions drop in the HTTP Search Console entry and rise in the HTTPS version. This is normal.

    Google Search Console HTTP to HTTPS Transition

    Comparison of the HTTP vs HTTPS Clicks via Google Search Console after a migration.

  • Services & Analytics Tracking - Be on the lookout for service that 'stop working' or tracking that drops or flatlines. Often these are configuration errors that need to be investigated.

I hope that this guide helps you make a smooth transition to HTTPS. Your users will thank you, and you'll enjoy the positive SEO impact from the switch. If you have any questions or comments, leave them below.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *