How to switch to HTTPS: step by step guide. How HTTPS Works


In July 2014, Google announced a ranking advantage for sites with properly installed SSL certificates. Converted and secured SSL sites began to appear as HTTPS (hypertext transfer protocol secure) as opposed to the early HTTP standard. Thus, there is an additional layer of security that prevents unwanted access to stored data.

Today, Google, Safari, Firefox, and most other popular browsers require this protocol for better ranking, geolocation, credit card input, and more. The HTTPS security protocol also protects a website from unwanted advertisements that annoy visitors with intrusive, ugly information, sometimes containing malware. Since October 2018, Google has started showing a red warning when users enter data on HTTP pages or a padlock in a green address bar when security is OK on

Short definition


HTTPS and SSL are visible in the site URL as shown in the browser bar. Next to it you can also see a padlock symbol. This is how modern browsers show that the user is on a site that uses SSL encryption. In some cases, the URL bar includes the company name. These signs indicate that the visitor is on a site that takes privacy seriously. HTTPS stands for Hypertext Transfer Protocol Secure. Its "brother" HTTP means the same without the "Secure" at the end and is a communication protocol commonly used to carry web traffic.

The secure version uses an SSL (Secure Sockets Layer) certificate to establish a connection between the browser and the server. This is how HTTPS works: any information that is exchanged is encrypted. Encryption is the process of transforming plain text information such as usernames and passwords into what looks like random numbers and letters. It can then no longer be read by humans and is harder to understand if intercepted.

Small clarification: technically SSL is not really the right term, it changed to TLS (transport layer security) in the late 90s. However, it is still often used when describing HTTPS processes.

Site Migration Step by Step Guide

The first thing you need to do to switch to HTTPS is to buy the right SSL certificate, which creates an encrypted, impenetrable connection between the browser window and the web server. Various types of certificates are available, which differ in cost. The important point is that they all work on the same principle, so the user does not get "more security" just because they pay more.

There are different feature sets:

  1. Entry-level domain SSL. These certificates are issued instantly and require only email confirmation before switching to HTTPS. They offer HTTPS browsing with a lock, with no deep analysis process, only verification of domain ownership. Ideal for small businesses on a budget that do not accept online payments.
  2. Organizational SSL certificates require a higher degree of verification of company ownership. With this type of certificate, the company name and domain name appear in the browser bar.
  3. SSL certificates with extended validation (EV) allow you to use the "green browser bar". They are more expensive than the previous types and include legal, operational and physical verification.

Once an SSL certificate has been purchased, it will need to be approved. There are different levels of validation prior to issuing a certificate. For example, a domain SSL certificate can be issued immediately once the domain owner validates their email address. If the site owner uses shared (virtual) hosting, then before switching to HTTPS they turn to the provider for help with server administration and installing the approved certificate.

Algorithm for switching to

  1. Perform a full site backup. If your hosting is managed by cPanel, you can use cPanel's built-in backup feature. Otherwise, contact your hosting company to see if they offer a managed backup service.
  2. Change HTTP links to HTTPS on the site. The procedure depends on the size of the site. If the site has only a few pages, then a manual process can be used. If there are hundreds or even thousands of pages, use tools that automate the process, especially if the site runs on the WordPress engine.
  3. Check code libraries before switching to HTTPS. This step is optional and applies to more complex sites that use additional software such as JavaScript and Ajax.
  4. Update all external links pointing to the site from social media accounts and listings in authoritative directories.
  5. Create a 301 redirect to HTTPS. It sounds complicated, but it really isn't. A 301 is a method of permanently redirecting traffic from one URL to another. This is an important point because if a site has dozens, hundreds, or even thousands of backlinks pointing to it from other sites, they will point to HTTP pages, and search engine rankings depend on the number and quality of backlinks. Setting up a 301 redirect depends on the type of web server that is used. The most popular types of web servers are Apache, Nginx, LiteSpeed and Windows. With Apache and LiteSpeed you need to update the .htaccess file, with Nginx the Nginx config file, and on Windows the web.config file.
  6. If you are using a content delivery network (CDN) such as CloudFlare, you must also synchronize SSL with this system. A CDN is a globally distributed network of servers that stores copies of web pages on its servers. This not only provides advantages in terms of speed, but also security, as it can recognize various malware patterns and prevent the site from being hacked.
  7. Update any other tools and transactional emails, such as email marketing, automation, and landing page generators. We need to prepare a list of these programs and look for mentions of web pages that link to HTTP, then update them to
  8. And last but not least, in order to follow the instructions to migrate to HTTPS, you need to update your Google Analytics and Search Console accounts. In Analytics, you need to change the default URL to HTTPS. In the search console, you need to add a new site with

SEO Pitfalls Avoided


Chrome warns users that a site is not secure when they fill out a form, such as a search box or email registration. This latest alert, combined with the benefits of Google SEO, has accelerated the transition to the new standard for many sites.

Many detailed guides and checklists exist for the engineering side, but SEO specifics can sometimes be overlooked in the transition. What follows is an HTTP to HTTPS checklist that focuses only on SEO issues: planning, migration, and post-migration monitoring.

Using Keylime Toolbox Query Analytics, you can combine HTTP and HTTP Secure query data from Google Search Console and track trends in clicks, rankings, impressions over time, aggregated, query level, and category. Keylime Toolbox Crawl Analytics provides daily log analysis to help track Googlebot crawls, estimate how long a full crawl and re-index will take, and identify any issues. If the site is large and normal crawling is not effective, consider implementing specific crawl performance features before starting the migration.

Setting transition functions


When switching, configure the redirects and the following settings. HTTP to HTTPS migration checklist:

  1. 301 redirect HTTP addresses to HTTPS URLs. To the extent possible, include all existing rules. Google will only crawl up to 5 redirects in a chain.
  2. Update all internal links to HTTPS URLs.
  3. Update metadata and structured markup.
  4. Make sure all resources are moved to HTTPS and links are updated in page source code.
  5. Check the HTTPS property in Google Search Console.
  6. Create a property set that combines HTTP and HTTPS for monitoring purposes.
  7. Configure the processing of parameters for the HTTPS version of the domain in Google Search Console according to the HTTPS installation settings.
  8. Set international targeting.
  9. Set the crawl rate.
  10. Make sure the HTTPS robots.txt file has the same content as previously specified for HTTP and doesn't disable everything.
  11. Make sure HTTPS pages don't have "meta noindex" attributes.
  12. Make sure web analytics and other third party tags are installed.
  13. Submit XML Sitemap for URLs on HTTPS and don't block HTTP URLs with robots.txt.
  14. Track organic search traffic in web analytics to make sure it's stable.
  15. Track rankings and other SEO-related data in Google Search Console.
  16. Manually check the display of search results to make sure everything looks correct as HTTPS URLs are indexed.

Google crawling


Tracking data on how Googlebot crawls HTTP and HTTPS, which URLs it crawls, and what response codes it receives is only available if Crawl Analytics is used, which downloads server log files for processing. To do this, download the full list of crawl errors provided by Google, for both HTTP and HTTPS, as well as the link source data for each error.

Tracks aggregate rankings and HTTP and HTTPS traffic over time for branded and non-branded queries, as well as other SEO data such as individual and aggregate click-through rates and their total number of click-through rates for which a site appears

If the site is large and crawling is inefficient, it may take some time for Google to re-crawl all HTTP URLs and replace them in the index with HTTPS versions. To speed up the process, the log files are an excellent resource for identifying performance issues. Although Google claims that it treats the PageRank flow in the same way for 301s and 302s, these redirects are still handled differently. Since the 302 is technically "temporary", Google continues to index the URL that returns the 302. With a 301 redirect, Google removes the redirecting URL from the index and only indexes the 301 destination URL.

Consolidation of redirect rules


Googlebot only performs up to 5 redirects, and as URLs change over time and canonicalization rules are added, redirect chains are becoming commonplace. However, they slow down page loading, especially on mobile devices.

In many cases, HTTP/HTTPS and www/non-www redirects are done at the server level, and everything else at the application level. In this case, the ideal scenario is to use a single 301 at the server level to account for both

This last one, a redirect to HTTPS, will include the following rules:

  1. From old URL patterns to current ones make sure all old rules are updated with current end goals. Case normalization, for example, from to and a trailing slash, for example, from to In this example, will redirect 301 directly to in one round of HTTPS and www.
  2. By reviewing all the old rules, updating them and consolidating them, make sure that all are 301 and not 302. URLs that redirect 302 may remain indexed, resulting in unpredictable search results display elements. They may not only show the wrong URL, but also other undesirable behavior. For example, if metadata, such as site links, is associated with the current URL, and the old one appears in search results, no additional links will be displayed.
  3. Update all internal links to canonical URLs, which is useful as redirects increase page load time, especially on mobile devices. Ideally, internal links should be absolute, not relative, and should update to HTTPS URLs.
  4. Alternatively, use relative rather than absolute links, which eliminates the need to update internal ones. This is OK, but not ideal, because internal links are a strong canonical signal to search engines: if any URLs are misconfigured to not redirect, or the site is accidentally duplicated on a subdomain, all links on these pages will point to non-canonical versions.
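The consolidation check described in this section, as an added example that is not part of the original article: it walks a redirect table and flags chains, non-301 hops, loops and hops that stay on cleartext HTTP, then confirms each legacy URL ends at its canonical HTTPS URL. The example.com URLs and the `SAMPLE` table are constructed, and `trace` and `audit` are hypothetical helper names.

```python
from urllib.parse import urlsplit

MAX_HOPS = 5  # redirect limit the article gives for Googlebot

# Constructed sample: URL -> (status, Location). URLs not listed answer 200.
SAMPLE = {
    # Chained: case fix, then www, then HTTPS, then trailing slash.
    "http://example.com/Shop": (301, "http://example.com/shop"),
    "http://example.com/shop": (301, "http://www.example.com/shop"),
    "http://www.example.com/shop": (302, "https://www.example.com/shop"),
    "https://www.example.com/shop": (301, "https://www.example.com/shop/"),
    # Consolidated: one 301 straight to the canonical URL.
    "http://example.com/About": (301, "https://www.example.com/about/"),
    # Loop: the HTTPS URL sends visitors back to HTTP.
    "http://example.com/loop": (301, "https://example.com/loop"),
    "https://example.com/loop": (301, "http://example.com/loop"),
}


def trace(url, table, max_hops=MAX_HOPS):
    """Follow redirects and return (hops, final_url).

    final_url is None when the chain loops or exceeds max_hops.
    """
    hops, seen = [], {url}
    while url in table:
        status, target = table[url]
        hops.append((status, url, target))
        if target in seen or len(hops) > max_hops:
            return hops, None
        seen.add(target)
        url = target
    return hops, url


def audit(url, canonical, table):
    """Return findings for one legacy URL; an empty list means it is clean."""
    hops, final = trace(url, table)
    findings = []
    if final is None:
        findings.append("loop or more than %d hops" % MAX_HOPS)
    elif final != canonical:
        findings.append("ends at %s, not the canonical URL" % final)
    if len(hops) > 1:
        findings.append("%d hops; consolidate into one 301" % len(hops))
    for status, src, dst in hops:
        if status != 301:
            findings.append("%s answers %d, not 301" % (src, status))
        if urlsplit(dst).scheme != "https":
            # Every extra cleartext hop is another request an on-path
            # observer can read or tamper with before HTTPS starts.
            findings.append("hop to %s stays on cleartext HTTP" % dst)
    return findings


if __name__ == "__main__":
    for legacy, canonical in [
        ("http://example.com/Shop", "https://www.example.com/shop/"),
        ("http://example.com/About", "https://www.example.com/about/"),
        ("http://example.com/loop", "https://example.com/loop"),
    ]:
        print(legacy, audit(legacy, canonical, SAMPLE) or "OK")
```

In practice the table would be built from the server's rewrite rules or from recorded response headers rather than typed by hand.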

In most cases it doesn't take much work to update internal links. Often they can be updated through configuration options, programmatically, or all at once through a script.

Updating metadata and structured markup


Update canonical attribute values to HTTPS URLs. If HTTP is 301-redirected to HTTPS but the HTTPS URLs have HTTP canonical attributes, Google will see an infinite loop, resulting in unpredictable indexing results. To fix the failure, you will need to:

  1. Update the pagination attribute values to HTTPS URLs.
  2. Update hreflang attribute values to HTTPS URLs.
  3. Update rel alternates, if used for separate mobile URLs, to HTTPS URLs.
  4. Update structured markup such as videos, carousels, and the sitelinks search box to HTTPS URLs.
  5. Make sure all resources are moved to HTTPS. All resources used by HTTPS pages must be served from HTTPS. This includes items such as images, JavaScript files, and CSS.
  6. Update social plugins, promotional calls and so on.
  7. Use Google tools to search for "mixed content" on the site.
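A minimal offline check for the points above, added here as an example and not taken from the original article: it parses one HTTPS page and reports subresources still loaded over `http://` (mixed content), canonical, alternate or pagination links still pointing at HTTP, and a `noindex` robots meta tag. The page markup and host names are constructed, and `MigrationAudit` and `audit_page` are hypothetical names.

```python
from html.parser import HTMLParser

# Tags whose attribute makes the browser fetch a subresource.
# srcset, CSS url() and inline scripts are out of scope for this sketch.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "audio": "src", "video": "src", "source": "src"}
LINK_FETCH_RELS = {"stylesheet", "icon", "preload"}            # fetched by the browser
LINK_SIGNAL_RELS = {"canonical", "alternate", "prev", "next"}  # read by crawlers

# Constructed sample: an HTTPS page after a partial migration.
PAGE = """<html><head>
<link rel="canonical" href="http://www.example.com/shop/">
<link rel="alternate" hreflang="de" href="https://www.example.com/de/shop/">
<link rel="stylesheet" href="http://fonts.example.net/font.css">
<meta name="robots" content="noindex, follow">
<script src="http://code.example.net/jquery.min.js"></script>
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="https://www.example.com/logo.png">
<img src="http://www.example.com/banner.png">
<a href="http://partner.example.org/">partner</a>
</body></html>"""


def is_http(url):
    return url.strip().lower().startswith("http://")


class MigrationAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mixed = []       # (tag, url) subresources fetched over HTTP
        self.stale = []       # (rel, url) crawler signals still on HTTP
        self.noindex = False  # robots meta tag that blocks indexing

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            if (a.get("name", "").lower() == "robots"
                    and "noindex" in a.get("content", "").lower()):
                self.noindex = True
        elif tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if is_http(a.get("href", "")):
                if rels & LINK_FETCH_RELS:
                    self.mixed.append(("link", a["href"]))
                elif rels & LINK_SIGNAL_RELS:
                    rel = " ".join(sorted(rels & LINK_SIGNAL_RELS))
                    self.stale.append((rel, a["href"]))
        elif is_http(a.get(FETCH_ATTRS.get(tag, ""), "")):
            # Plain <a href="http://..."> navigation is not a subresource
            # fetch, so it never reaches this branch.
            self.mixed.append((tag, a[FETCH_ATTRS[tag]]))


def audit_page(html):
    """Parse one page and return the populated MigrationAudit."""
    parser = MigrationAudit()
    parser.feed(html)
    parser.close()
    return parser


if __name__ == "__main__":
    result = audit_page(PAGE)
    print("mixed content:", result.mixed)
    print("stale crawler signals:", result.stale)
    print("noindex:", result.noindex)
```

Protocol-relative URLs such as `//cdn.example.net/app.js` inherit the page's scheme, so on an HTTPS page they are not reported.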

Setting up the search console


To customize the search console, create a property set that contains both the HTTP and HTTPS versions of the domain to monitor. Algorithm of sequential actions:

  1. Set up the parameter processing configuration for the HTTPS version of the domain in Google Search Console.
  2. Set international targeting, if applicable, to match what was set for
  3. Update the scan rate if set for
  4. Download all disavowed files that are uploaded for
  5. Set the preferred domain.
  6. Set the robot exclusion protocol for HTTP and
  7. Make sure the HTTP robots.txt file redirects or 404s.
  8. Make sure the HTTPS robots.txt file has the same content as the previous HTTP except for the link to the Sitemaps.
  9. Make sure HTTPS pages don't have a meta noindex attribute.
  10. Make sure the Web Analytics (and other) tags are still in place

In many cases, the site will continue to use the same web analytics tags, such as the Google Analytics property ID. But if it's changed, make sure the site pages are up to date. In addition, make sure that the source code containing the tags is not removed from the pages during the migration process. You can use a third party tool that checks for tags, or set up a scanner like Screaming Frog to check for it.

If XML Sitemaps are added to Google Search Console, you can use reports to track indexing declines. Googlebot starts crawling HTTPS URLs once they are in XML Sitemaps. You can track indexing progress with XML Sitemap indexing reports. Always create XML Sitemaps that are comprehensive and canonical, not just for the purposes of migrating from HTTP to

Search Console Monitor


Submit an XML Sitemap for the URLs on HTTPS and leave the existing XML Sitemap for HTTP in place. This lets you track the indexing decrease for the HTTP property and the indexing increase for the HTTPS property.

All URLs in an HTTP sitemap should have a 301 status code, and indexing should decrease over time. All URLs in the HTTPS sitemap should have a 200 status code, and indexing should increase over time. This process can take some time, and you may find that some HTTP URLs are still being indexed after months.

The most common reasons for this are:

  1. HTTP URLs are blocked by robots.txt, so Googlebot cannot crawl the redirect and they remain partially indexed.
  2. HTTP URLs are "non-canonical" and are not crawled very often.
  3. HTTP URLs do not return 301, instead return 302 or an error.

Troubleshooting Tips


Unfortunately, even with step-by-step instructions, switching to HTTPS is a rather complicated process, and the user needs to understand what they are dealing with.

Main types of transition failures:

  1. The most common issues that occur after a site migrates to HTTPS are mixed content warnings. This happens when the browser finds insecure links on an otherwise secure page. It's usually a matter of updating links to jQuery libraries, custom fonts, or similar resources to their HTTPS versions. The user should take care of this when scanning their site before publishing it, and if such warnings appear, be sure to check the sources that cause them.
  2. Switching from HTTP to HTTPS can negatively affect your rankings, although this is usually only temporary. If you set up a 301 redirect, it only passes on 90-99% of the link weight. That is why rankings may go down in the beginning. However, they should increase over time and benefit in the long run.
  3. If you find that some URLs are still being indexed after months, but the Google Search Console Search Analytics reports don't show any clicks on the HTTP property, this issue might not be worth investigating. The URLs don't rank for queries and don't cause problems. However, if there are clicks on the HTTP property, then the URLs do rank for queries.
  4. The easiest way to start an investigation is to look at the server logs to see exactly what Googlebot gets when it crawls. The detailed Excel log files in Keylime Toolbox Crawl Analytics include a tab that lists all URLs with a 200 response code, all URLs with a 302 response code, and so on.
  5. You can crawl a site with a tool like Screaming Frog to get a list of URLs that return 200 or are blocked by robots.txt. You can also look at Google Search Console > Crawl > robots.txt Tester for the HTTP property to see if Google sees the robots.txt file and, if so, if it blocks any URLs.

Other non-SEO pitfalls

There are other potential issues for sites that switch to

  1. Potential reduction in AdSense revenue. In the past, the decline in AdSense revenue was due to the large number of non-HTTPS compliant ads. It's important to note that if a user switches from HTTP to HTTPS, they need to update their AdSense code or they will experience the mixed content issues described above.
  2. It is not uncommon for a site to lose all of its social media shares when switching to HTTPS. Even a fantastic article that has garnered tens of thousands of likes on Facebook can reset to zero after the transition. The Facebook documentation explains a workaround for this, which involves setting the og:url meta tags to point to the old HTTP URL. However, it says that this only works if the old URL returns a 200 response. If you redirect HTTP pages to HTTPS pages, then the "old" pages will return 301, not 200.
  3. Switching to HTTPS may cause Google to re-evaluate the site from a quality point of view. This is the biggest transition issue and can mean that all pages on the site get a new quality score. It is possible that the tricks and loopholes that were used before will no longer work the same after the move to HTTPS, resulting in a drop in traffic after switching to
  4. Sitemaps need to be updated. Before switching, make sure a new sitemap has also been created.
  5. Disavow file must be uploaded in
  6. Google still treats the HTTPS and HTTP versions of a site as separate sites, and if Google Search Console is used, a new property will need to be created for the HTTPS version. If the user has a disavow file, then upload it to the HTTPS version.
  7. Make sure the certificate has not expired. If the site is running on HTTPS and the security certificate is expiring, then when Google tries to send visitors to the site, they will get a big full screen warning, which will definitely turn people off.

Securing traffic is one of the most important concerns for any website owner. In addition to conveying trust, the switch brings increased speed and improved SEO. This is a great investment for the future, as the web is heading in that direction. As mentioned, Google considers the use of SSL to be a positive ranking factor, so if a user moves their site to HTTPS, it will actually make it more attractive. After such weighty arguments, the user should no longer have to ask whether switching to HTTPS is worth the trouble.
