Converting a Website to HTTPS

In recent times there has been a push for websites to use HTTPS (HTTP over TLS) rather than HTTP.


Traditionally HTTPS was used only when highly secure or financial information was being exchanged, but in modern times other general websites are being encouraged to switch to HTTPS.
Google even says “we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web” [https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html] and they now also “..use HTTPS as a ranking signal. For now it’s only a very lightweight signal…”

Overview

Based on experience, this guide shows the steps and considerations involved in moving an HTTP site to HTTPS when it uses an Apache web server. It may not be comprehensive, or may be only partially relevant to your setup, but there should be food for thought on some of the considerations to be made.

Enable HTTPS and Get an SSL Certificate

Does your web host and/or domain provider support HTTPS and allow provision of an SSL certificate? You need to make sure this is possible and that you can budget for any additional costs. The HTTPS version of your site can then be enabled, and it should be possible to do this while the HTTP version is still running.

Redirecting Traffic

Hopefully you will have lots of external links back to the HTTP version of the site, and these will continue to be used for a long time. There is no way to avoid this, so you must set up a permanent redirect that sends all HTTP traffic for the website, folder and page to the HTTPS equivalent.

.htaccess Update

The key to redirecting traffic on a global basis is to add the following to the top of .htaccess:

RewriteEngine On

# First rewrite to https:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# The dots are escaped so they match a literal "." only.
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ https://www.website.com/$1 [L,R=301]

Obviously, change the 2 instances of website.com to suit your needs.

Other Considerations

Adding the HTTPS version of the domain is relatively easy and getting traffic to redirect from HTTP to HTTPS is also relatively easy in the sense of when it works, it works. But…

Your Site may be HTTPS but still Loads HTTP Resources

It is important that all external resources (scripts, images and libraries from locations not on your domain) use HTTPS as well. If your site uses HTTPS but one or more resources are loaded via HTTP, the browser is likely to flag this as a security warning.

Load Scripts From Unauthenticated Sources

Getting your site into a state that stops these warnings could take a lot of effort, depending on how controlled things are. The more effort that can be put into this prior to the HTTPS switch, the more seamless things will be. A quick rule of thumb is to search for “http” in your content and, for any resource found, manually check whether it can be called via its https counterpart.

Links to http / https can be made more resilient by:

1) Using relative links if the resource is on the same domain

2) Using the //website.com/folder/page.htm notation. For example:

<script type="text/javascript" src="http://maps.google.com/maps/api/js"></script>

…could become…

<script type="text/javascript" src="https://maps.google.com/maps/api/js"></script>

…but this is better…

<script type="text/javascript" src="//maps.google.com/maps/api/js"></script>
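The search for “http” described above can be narrowed to the references a browser actually fetches as part of the page. The following is an added example, not code from the original post: it parses a page, reports only subresources loaded over plain http://, and skips ordinary links, relative URLs and the // notation. The sample page and the example.com / example.org host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content can change the whole page; "passive" content is media.
RESOURCE_ATTRS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        candidates = [(attr, kind) for (t, attr), kind in RESOURCE_ATTRS.items() if t == tag]
        # <link> only loads a resource into the page when it is a stylesheet;
        # rel="canonical" and similar are metadata, not fetches.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            candidates.append(("href", "active"))
        for attr, kind in candidates:
            url = a.get(attr, "")
            # Relative URLs and //host/path have an empty scheme and inherit https.
            if urlsplit(url).scheme == "http":
                self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not from the original post).
SAMPLE = """\
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.website.com/page.htm">
<script type="text/javascript" src="http://maps.google.com/maps/api/js"></script>
<script type="text/javascript" src="//maps.google.com/maps/api/js"></script>
</head><body>
<a href="http://other.example.org/">plain link, not a subresource</a>
<img src="http://images.example.com/logo.png">
<img src="/images/local.png">
</body></html>
"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> ({kind}) {url}")
```

Run it over saved copies of your templates or rendered pages before the switch; each reported URL is one to test manually with https://.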

Google Analytics & Google Search Console

Google Analytics will continue to work fine; however, if you use Google Search Console you will need to add the new HTTPS version of the site as if it were a new website. You can keep or disregard the previous HTTP listing. My advice would be to keep it for a while so you can at least see the traffic volumes decrease.

When To Implement

The change itself is quick to implement. You should have the HTTPS version of the domain created and fully propagated across DNS servers as you don’t want to be waiting about for this at a critical time.

For sites with high weekday traffic it is best to implement the change at the weekend or, failing that, overnight, depending on the timezone of highest use.

Long Term Impact

How long before my site gets back to normal, or even improves in terms of traffic flow?

Direct traffic should continue to flow as normal, but a big concern will be that search engines need to re-index the HTTPS version of the site and transfer across any rank or credibility built up over the years. This re-index should take place quite soon (days), and the search results will also start showing the HTTPS label soon (days), but the shock of the change is a longer-term project to analyse.

When analysing traffic impact, things should be measured in weeks and months.

External Links

https://support.google.com/webmasters/answer/6073543?hl=en

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

https://www.whynopadlock.com/

Let’s Encrypt – https://letsencrypt.org/
