According to Google’s recent announcement, Chrome will mark HTTP (Hypertext Transfer Protocol) sites as ‘not secure’. Firefox already took this step in 2017, so for small business owners who still use HTTP, this is the final call to migrate their site from HTTP to HTTPS.
Over 50% of web users use Chrome as their primary browser. From July onwards, HTTP sites will be greeted with a caution whenever someone tries to access them. Any website that takes personal data from its users and truly cares about them should take security seriously. If you are yet to make the switch to HTTPS, here is a comprehensive step-by-step guide to help you migrate your site from HTTP to HTTPS.
Step #1. Buy an SSL certificate
This is where the journey begins. An SSL certificate creates a secure link between a website and a visitor’s browser. There are various reliable certificate options, including free and open ones, and prices vary a lot. Start by choosing a trusted certificate provider. Make sure to choose an SSL certificate with a 2048-bit key as per Google’s recommendation. You can choose between a single-domain, multi-domain, or wildcard certificate, depending on your website’s requirements. Once you get the certificate, make sure to deploy it properly and configure it following best practices. Some of the providers from which you can buy an SSL certificate are RapidSSL, GeoTrust, Comodo, and GoDaddy, among others.
Step #2. Set up redirection properly (301 redirects)
Once the SSL certificate is deployed, configured, and tested, it’s time to redirect your website links to the HTTPS version so that nobody lands on an HTTP page from now on. You can redirect your HTTP site to HTTPS by applying a 301 redirect.
“A 301 Redirect is a method of permanently redirecting traffic from one web page (URL) to another.”
However, if you fail to update all the URLs properly, it may lead to duplication issues: for example, the initial content of your site loads over HTTPS while images load over insecure HTTP. This is not a small issue and must be resolved. If you don’t resolve it, it can jeopardize the security of the entire page, making it vulnerable to hacking activities.
Step #3. Update your ‘robots.txt’ file
If you want Google to know that you’re migrating your website to HTTPS:
- Revise your robots.txt and make sure you haven’t restricted your HTTPS pages.
- Check the HTTPS pages for any unintended noindex tags.
Double-check everything. Use an audit tool to analyze your website and check whether everything is in order.
Step #4. Remove Unnecessary Redirect Chains
When you migrate your HTTP site to HTTPS, some of the redirects you have already implemented will become unnecessary. If any of your ‘www’ pages redirects first to ‘non-www’ and then to ‘https non-www’, the extra hop can decrease the speed of your site. Slow loading may cause users to leave your site. So make sure that all redirects lead directly to the relevant pages; otherwise, it can affect your site’s ranking.
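A redirect audit for the 301 setup in Step #2 and the chain clean-up in Step #4, added here as an example and not part of the original guide. It follows each hop and flags chains, non-301 redirects, hops that land back on plain HTTP, and loops; the redirect table, `example.com`, and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for a live site: URL -> (status, Location).
# example.com and every path below are placeholders, not taken from the article.
SAMPLE_SITE = {
    "http://www.example.com/": (301, "http://example.com/"),
    "http://example.com/": (301, "https://example.com/"),
    "https://www.example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
    "http://example.com/old": (302, "https://example.com/new"),
    "https://example.com/new": (200, None),
    "http://example.com/legacy": (301, "/legacy/"),
    "http://example.com/legacy/": (200, None),
    "http://example.com/a": (301, "http://example.com/b"),
    "http://example.com/b": (301, "http://example.com/a"),
}

def table_fetch(url):
    """Fetcher backed by SAMPLE_SITE; swap in a real HTTP client for live audits."""
    return SAMPLE_SITE.get(url, (404, None))

def audit_redirects(start, fetch=table_fetch, max_hops=10):
    """Follow redirects from `start`; return (chain, sorted list of findings)."""
    chain, findings, url = [start], set(), start
    while len(chain) <= max_hops:
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        if status != 301:
            findings.add(f"non-permanent redirect ({status}) at {url}")
        url = urljoin(url, location)          # Location may be a relative path
        if url in chain:
            findings.add(f"redirect loop back to {url}")
            chain.append(url)
            break
        chain.append(url)
    hops = len(chain) - 1
    if hops > 1:
        findings.add(f"chain of {hops} hops; redirect straight to the final URL")
    if any(urlsplit(u).scheme == "http" for u in chain[1:]):
        findings.add("redirect passes through or ends on plain HTTP")
    return chain, sorted(findings)
```

A clean configuration returns an empty findings list for every entry point (`http://`, `http://www.`, `https://www.`), with each chain exactly one hop long and ending on the canonical HTTPS URL.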
Step #5. Update XML sitemaps, canonical tags, hreflang, and the sitemap reference in robots.txt
Misleading tags can create a lot of confusion for Google. Therefore, updating your tags, XML sitemaps, and the sitemap entry in robots.txt is crucial. Make sure nothing points to HTTP anymore.
If you fail to do this, Google’s bots will not pick up the right signals for the pages you want to be seen. Instead, Google will direct visitors to the wrong pages.
Make sure that all rel=canonical tags point to HTTPS URLs. If your website uses rel=alternate or hreflang tags, all of those should be updated before going live too.
Step #6. Fix mixed content
Fixing mixed content all over the website can be a whole lot of work. However, it’s really important to fix this issue, as mixed content can render the protection of your website ineffective.
Mixed content occurs when your website is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. It is called mixed content because both HTTP and HTTPS content is loaded to display the same page.
This broken content (a link, a script, or other kinds of active mixed content) may enable an attacker to intercept the request and rewrite the contents or steal sensitive user data. To be safe, you must revise all the internal links and make sure they point only to HTTPS. Each of the following resources should either have an absolute HTTPS URL or a relative path:
- Internal images, videos or audios
- Web fonts
- Iframes
- Internal JS and CSS files inside the HTML code
- Images, fonts, and any other internal URLs inside the JS and CSS files
- Open Graph tags
- Any absolute URL references in the Structured Data used on the website (as well as Schema.org references)
- Any other internal links
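A scanner for leftover `http://` references, covering the canonical, hreflang, and Open Graph tags from Step #5 and the mixed-content resources listed above (an added example, not part of the original guide). It checks HTML attributes only, not URLs inside CSS or JS files; the sample page, `example.com`, and all names are constructed.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe"}                    # can change how the page behaves
PASSIVE_TAGS = {"img", "video", "audio", "source"}    # displayed media

class HttpReferenceScanner(HTMLParser):
    """Collect http:// references in one HTML document as (kind, tag, url)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        rel = a.get("rel", "").lower().split()
        if tag == "meta" and a.get("property", "").lower().startswith("og:"):
            self._check("tag", tag, a.get("content", ""))       # Open Graph
        elif tag == "link":
            # Stylesheets are active mixed content; canonical/hreflang are tags.
            self._check("active" if "stylesheet" in rel else "tag", tag, a.get("href", ""))
        elif tag == "a":
            self._check("link", tag, a.get("href", ""))
        elif tag in ACTIVE_TAGS:
            self._check("active", tag, a.get("src", ""))
        elif tag in PASSIVE_TAGS:
            self._check("passive", tag, a.get("src", ""))

    def _check(self, kind, tag, url):
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    """Return every http:// reference found in `html`, in document order."""
    scanner = HttpReferenceScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; example.com is a placeholder domain.
SAMPLE_PAGE = """<html><head>
<link rel="canonical" href="http://example.com/shop">
<link rel="alternate" hreflang="de" href="https://example.com/de/shop">
<link rel="stylesheet" href="http://example.com/site.css">
<meta property="og:image" content="http://example.com/cover.png">
<script src="/js/app.js"></script>
<script src="http://example.com/js/cart.js"></script>
</head><body>
<img src="http://example.com/logo.png"> <img src="https://example.com/ok.png">
<a href="http://example.com/contact">Contact</a>
</body></html>"""
```

Findings of kind `active` are the ones to fix first, since browsers treat scripts, stylesheets, and iframes loaded over HTTP as the most serious form of mixed content.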
Step #7: Update any external links that you control
The next step is to update all the external links, such as social media accounts and listings in authority directories. This is necessary because after the migration some of the counters will turn out to be totally HTTPS-friendly while others may reset to zero.
Moreover, you don’t want your users on social media platforms, email providers, and apps to reach your new HTTPS site through unnecessary redirects. If this happens, your users may start looking for other options.
Step #8: Add the HTTPS site to Google Search Console (GSC)
Now that your site is running on HTTPS, you need to create a profile for it on Google Search Console. If Googlebot is having difficulty crawling your site, you need to add the HTTPS site to your GSC account and apply the settings required to get rid of the inefficiencies. Follow these steps to add the HTTPS site to GSC:
- Create a GSC account and fill in the information correctly. You can do this by simply clicking ‘Add a Site’ and adding your URL.
Add new Sitemaps to GSC
Google does not necessarily need sitemaps to crawl your site. However, Google treats the HTTP and HTTPS versions as different sites. So the next step is to create a new sitemap for your HTTPS site and submit it to Google Search Console.
Fetch
The next thing you need to do is submit your homepage for indexing by clicking on “fetch” in Google Search Console. Fetching your site is recommended because, in some instances, Google takes weeks to re-crawl all the content on a site.
Then select “crawl this URL and its direct links.” If you have other pages that you consider important, you should submit them for crawling individually.
Resubmit your Disavow File
Do not forget this step as many do. You must re-submit a disavow file. Failure to submit this will cause trouble when the new algorithm is released because your disavow file will be missing.
Download the disavow file and resubmit it in the disavow tool under your new HTTPS site. Don’t move on until you see a message confirming success.
Update Google Analytics
In your admin dashboard settings, change your URL to HTTPS. You should also update your property settings.
Step #9. Scan Your Website for Non-Secure Content
This step is crucial because it helps you identify anything you might have missed along the way. Here are some tools that can help:
Why No Padlock: It’s a simple tool that tells about the insecure items present on your SSL page.
SSL Check tool: This tool scans your website and finds any non-secure content.
SSL Insecure Content Fixer: It will help clean up WordPress website HTTPS mixed content.
Conclusion
Follow this systematic approach to migrate your HTTP site to HTTPS. This approach will ensure that your audience gets the best experience using your new HTTPS site. It also ensures that every potential risk is put to the test and then resolved appropriately.
Migrating to HTTPS should be a priority for you now. If you need any assistance or support migrating your website to HTTPS, get in touch with us today!