Migrating your Website from HTTP to HTTPS

Posted on 21/01/2015 by Ben Wood

httpsThis post outlines the processes involved in migrating a website from HTTP to HTTPS. HTTPS stands for Hyper Text Transfer Protocol Secure, which is the secure version of the Hyper Text Transfer Protocol (http).  HTTPS is usually used on sites to secure e-commerce transactions, such as online banking sites, email applications and e-commerce checkout areas.

When a user connects to a website via HTTPS, the website encrypts the session with a Digital SSL (Secure Sockets Layer) Certificate.  A user can tell if they are connected to website that has a valid SSL certificate if the website URL begins with https:// instead of http://.

I have previously written a detailed article  that explains more about HTTPS, and  more specifically the benefits of migrating from HTTP to HTTPS. Essentially, HTTPS has become a major talking point within the SEO industry since Matt Cutts of Google announced that using SSL encryption will give sites a slight ranking boost within Google’s search engine results pages. Her’es his tweet back in August last year:

matt cutts tweet

From an SEO perspective, there are literally  hundreds of other things you could be doing to improve your website which have more potential to increase the visibility of your website in Google’s search results. However, there is an ever growing list of reasons why you may want to consider moving your site over to HTTPS. For instance, Google have recently published their plans to warn users browsing websites via Google chrome of the security risks in visiting HTTP websites, which they refer to as ‘non-secure’ sites. Therefore, if you don’t want users visiting your website to be put off by a visible warning of an insecure connection, you should start planning the migration of your website to HTTPS.

chrome team member
A chrome team member announces the planned ‘non-secure’ website warning.


Popular browsers like Chrome, Firefox and Internet Explorer already use a padlock icon in the navigation bar to indicate if a website uses HTTPS or not. Google’s plan is for their Chrome browser to indicate via a pop up message that a website is insecure because it uses HTTP, which is a much more visible (some may say over the top) method of encouraging the adoption of HTTPS.

Considerations when moving to HTTPS

Moving your website from HTTP to HTTPS is very similar to migrating your website to a new URL structure, or a new domain. In my experience, there’s so many things that can go wrong if the migration isn’t handled efficiently, which can have a detrimental impact on a website’s rankings. To avoid as little disruption as possible to your search engine rankings, you should ensure you plan each stage of the migration in detail, as I’ll go on to explain.

Firstly, you’ll need to choose the right level of certification for your website (i.e. 2,048 bit certificate) from an accredited/trusted provider. You’ll find a detailed explanation of all the different levels of certification here. One thing to note is that you’ll only get the green padlock bar in the browser if you install an extended SSL certificate. Most providers include a free installation service with the purchase of an SSL certificate, so the initial stage is often taken care of.

Once you have installed an appropriate SSL certificate for your website, there are a numerous steps you’ll need to take to ensure your website functions as it should, and that search engines are made aware of the change in your site structure.

ssl ceritficates

1. Check Internal Links

Ensure all your internal links point to the new HTTPS URLs – this includes navigation/menu links, images, css references on the website etc. If the website still references http files, it will break.  On WordPress websites, it is often just a case of doing a find (http) and replace (https) in the database to resolve this issue.

2. Change External Links

Ensure any external links and local directory listings are edited to point to your new HTTPS website, including links from your social media profiles.

3. Check Canonical references

Ensure that all rel=canonical references point to the new HTTPS version. Once you move over to HTTPS these tags often still point to the HTTP version, leading to Google becoming confused over what page should be indexed.

4. Implement 301 redirects

Ensure that you implement a permanent 301 redirect on a page by page basis – meaning every HTTP page should be redirected to it’s HTTPS counterpart. You must not 301 redirect everything (either via global or via a wild card redirect) to the home page as this can have a negative impact on rankings.

5. Set up HTTPS site in Webmaster Tools

Add the HTTPS website as a new property in your webmaster tools account, and submit sitemaps accordingly. At present, the change of address tool doesn’t support http > https requests, so Google will rely upon the proper implementation of 301 redirects to understand your new site structure. Once set up, keep an eye on your Webmaster Tools account and monitor any issues Google may be having with your new HTTPS website.

HTTP to HTTPS 301 redirects

Implementing 301 redirects from your HTTP pages to the new HTTPS versions is an essential to retaining your search engine rankings and traffic. Moving to HTTPS is not as easy as simply buying the certificate and relying on Google to index your new HTTPS website – you instead need to indicate that your URLs have changed through the use of 301 redirects.

Google will expect to see a direct replacement for the content on the HTTP URL if you use 301 redirects to a HTTPS URL, so if you redirect all HTTP URLs to the HTTPS homepage, you risk impacting the rankings of all the pages on your website. It is therefore strongly recommended that you redirect all HTTP pages directly to their HTTPS counterparts.

If your website is running on an Apache server, you can implement a site wide redirect from all HTTP pages to their HTTPS counterparts by adding a snippet of code to your .htaccess file. Brian K Ross has provided some great advice here on using rewrite rules to redirect any http requests to their https counterpart on your website.

It should be noted that this is not the W3C recommended method of redirecting to SSL. Their recommended method of implementing site wide redirects (using virtual hosts) can be found here.

If you’re a little unsure how to implement these redirects on your website, I’d suggest contacting an experienced web developer or SEO consultant to avoid any issues.

Potential negative impacts

I have thus far talked about the pros of moving over to HTTPS, but I must warn you it is not always a straightforward process.

The reason I say this is because with Google, any major changes to a website’s structure, even if done correctly as outlined above, can still result in a short term drop in rankings. It often takes a few days (weeks even) for Google to understand complex changes in website structure, and it can take time for these changes to be reflected in their results. This often depends on how often Google crawls your website, but you can make their life easier by submitting up to date XML sitemaps for your HTTPS pages to webmaster tools as I have suggested.

dwight meme

The important thing to remember is that you should treat the migration from HTTP to HTTPS just like you would a migration to a new domain. Helping Googlebot to find the new HTTPS pages on your website by updating your navigation links and removing any references to your HTTP content will reduce any confusion and speed up the time it takes for Google to update your website listings in their search results.


The issue of HTTPS is understandably complex and there’s a lot of information to take on board, but it is becoming clear that there may be negative impacts to those businesses who do not make the switch to HTTPS in 2015. Many web based companies have already implemented the switch to HTTPS, and many more are planning to make the switch in light of Google’s recent announcements. However, I can’t emphasise enough that moving over to HTTPS isn’t without risk, and great care should be taken when redirecting traffic from the non-HTTPS to the HTTPS version of your website.

I’d be interested to hear your experience with moving from HTTP to HTTPS in the comments below – have you made the jump already? Was it a success? Did you have any issues? And most interestingly, did your website maintain it’s rankings throughout the process?

If you’ve not yet migrated to HTTPS and would like our advice, then please feel free to get in touch,

Enjoy this article?

Subscribe for weekly insights

Migrating your Website from HTTP to HTTPS

Let’s thrive together

Get in touch to take the first step.

Contact us