Moving to HTTPS, 5 Important Steps

by Jim November 30, 2016

Yesterday one of our client’s hosting companies accidentally applied HTTPS to their site. It was via the popular server management software WHM. Apparently there has been an update recently for “auto SSL”. If your hosting company installs that update, it will automatically apply SSL and update the certificate as required. That is a BIG issue if you have not prepared for it to be switched on. Let me know if that has happened to you.

Welcome back Rankers!

Now then, a few weeks ago I did a show about three top SEO things to do before the end of the year. One of them was moving to HTTPS. I did a blog post about this on ProBlogger only this week, and I’ve been fielding a fair amount of questions as it seems to have struck a nerve. We conducted a training session in the bloggersSEO Facebook support group that also raised many questions.

The main question was, “Why should I bother moving to HTTPS if I’m not conducting transactions or collecting personal information?” Well, it’s because Google is going to push as hard as they can to have every site on HTTPS in the future. The reason for that is simple: it’s good for the user.

What Does HTTPS Do?

HTTPS stops what are called man-in-the-middle attacks. When you request a webpage from a web server, the server encrypts it before sending it to you, and your machine then decrypts it. This ensures no one can have a sneaky look at what’s happening between you and the server. It’s a good thing for the user, which is why Google wants everyone on it. Now obviously you don’t have to move to it, but Google is subtly warning users initially, leading to something less subtle down the track such as a giant red warning sign or similar.

HTTPS Warning
Within 18 months I think Google will be showing HTTPS warnings like these

Initially, users on the Chrome browser will see a warning come January that says “This site is not secure”. So if a user searches for your site, or finds it via a Google search, and it doesn’t have HTTPS, they will see a warning sign. Regardless of whether you are conducting transactions via an eCommerce site or collecting personal details (if you have basic forms on your site, then you are collecting details), you need to be on HTTPS. This is happening, so you are better off doing it sooner rather than later.

How to Move To HTTPS

There are many poor ways to make the move to HTTPS, and there are many good ways.

1. Get The Certificate

The way we do it, and have done a few recently, is that firstly you need your certificate. Where do you get one? Most hosting companies will have some sort of HTTPS certificate available to purchase through their site. They should handle the purchase and installation of the certificate for you. You need to ask them for a 2048-bit certificate (the most secure one) and you need to understand what you need that certificate for. How many domains do you need it for? If you think only for one, you might actually need it for two. You may need it for both www and non-www if you use both somewhere along the line. It won’t cost you much more for that.

If you happen to have many sub-domains, you may want to investigate which is the correct certificate for your situation as some are limited. Others come with insurance in the event you are hacked, but I’ve yet to hear of this happening. Some sites may also need dynamic HTTPS. For most of us, a multiple domain certificate will suffice. Get your hosting company to install it.

2. Remove HTTP References

Every resource on the site that references HTTP has to be switched to HTTPS: JavaScript, CSS files, anything embedded on a page like YouTube videos or iframes, anything that goes into creating the page. This, unfortunately, won’t happen automatically. If you have old YouTube videos embedded, they’ll all remain HTTP. Ensure anything that is building the page is referencing HTTPS. That includes all external resources such as share bars and widgets, as they can all have an effect.

3. Redirect HTTP

Once all that is sorted, you then have to redirect all of the HTTP to the equivalent HTTPS pages at an individual level. You have to set up the HTTPS version in Google Search Console.
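One way to check the page-level redirects described in this step, as an added example that is not part of the original post. It assumes permanent (301 or 308) redirects are what you want for the move; the function names and the example.com observations are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_hop(url, timeout=10):
    """Live use: request one URL without following redirects -> (status, Location)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(http_url, status, location):
    """Return the problems with one page's redirect; an empty list means it is correct."""
    if status not in (301, 308):  # assumption: the move should be signalled as permanent
        return [f"status {status} is not a permanent redirect (301/308)"]
    if not location:
        return ["redirect without a Location header"]
    src, dst = urlsplit(http_url), urlsplit(urljoin(http_url, location))
    problems = []
    if dst.scheme != "https":
        problems.append("target is not https")
    if dst.netloc.lower().removeprefix("www.") != src.netloc.lower().removeprefix("www."):
        problems.append("target is on a different host")
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        problems.append("target is not the equivalent page")
    return problems

# Constructed observations (url, status, Location); example.com is a placeholder.
OBSERVED = [
    ("http://example.com/blog/post-1?ref=a", 301, "https://example.com/blog/post-1?ref=a"),
    ("http://example.com/about", 302, "https://example.com/about"),
    ("http://example.com/contact", 301, "https://example.com/"),
    ("http://example.com/shop", 301, "/shop"),
    ("http://example.com/feed", 200, None),
]

def audit(observed):
    """Map each HTTP URL to its list of problems, keeping only the failures."""
    report = {url: check_redirect(url, status, loc) for url, status, loc in observed}
    return {url: probs for url, probs in report.items() if probs}

if __name__ == "__main__":
    for url, probs in audit(OBSERVED).items():
        print(url, "->", "; ".join(probs))
```

For a live site, feed `audit` with tuples built from `fetch_hop` over the HTTP URLs in your old sitemap; a blanket redirect of every page to the home page shows up as "target is not the equivalent page".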

4. Set Up GSC

Do not remove the old HTTP from Search Console. Leave it there for the time being.

You also need to set up your HTTPS sitemaps in Google Search Console and, strangely, Google wants you to submit your HTTP sitemaps into your HTTPS Google Search Console. That appears a little counterintuitive but it’s what Google wants. It may be so they can see the relationship between the two sitemaps in the two sites.

5. Run A Crawler

Once all your redirections and sitemaps are in place, I would then run a check using something like Screaming Frog, and do a protocol check to make sure the only HTTP references are ones that are external links and not actually part of the site that you are on currently.
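A minimal version of the protocol check from steps 2 and 5, added here as an illustration and not part of the original post or of any crawler's own code. It separates http:// resources that build the page (must be fixed) from internal links (should be fixed) and external links (may stay); the class, function names and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches while building the page (mixed content if http).
SUBRESOURCE = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
               "video": "src", "audio": "src", "source": "src", "object": "data"}

def bare_host(url):
    return urlsplit(url).netloc.lower().removeprefix("www.")

class HttpReferenceScanner(HTMLParser):
    """Collect (kind, tag, url) for every http:// reference on one HTTPS page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE:
            self._record("resource", tag, attrs.get(SUBRESOURCE[tag]))
        elif tag == "link":  # stylesheets and icons are loaded; canonical etc. are not
            rels = set((attrs.get("rel") or "").lower().split())
            loaded = rels & {"stylesheet", "icon", "preload"}
            self._record("resource" if loaded else "link", tag, attrs.get("href"))
        elif tag == "a":
            self._record("link", tag, attrs.get("href"))

    def _record(self, kind, tag, value):
        if not value:
            return
        url = urljoin(self.page_url, value.strip())  # resolves relative and // URLs
        if urlsplit(url).scheme != "http":
            return
        if kind == "link":  # navigation only: internal must be fixed, external may stay
            kind = "internal" if bare_host(url) == bare_host(self.page_url) else "external"
        self.findings.append((kind, tag, url))

def scan(page_url, html):
    scanner = HttpReferenceScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page; the example.* hosts and VIDEO_ID are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="canonical" href="http://www.example.com/post">
<script src="//cdn.example.net/lib.js"></script>
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="http://example.com/old-post">Earlier post</a>
<a href="http://other.example.org/">A site we link to</a>"""
```

Calling `scan("https://www.example.com/post", SAMPLE)` reports the stylesheet and the iframe as `resource`, the canonical tag and the old-post link as `internal`, and the last link as `external`. It reads HTML attributes only, so `url(...)` references inside CSS files and URLs built by JavaScript still need a separate check.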

Follow the Steps

Those are the highlights if you like. For us, depending on the site, it amounts to roughly ten hours of work. Some hosting companies can do it faster as they have everything set up and ready to redirect. For most hosting companies that isn’t the case though. I’ve heard some horror stories recently where some hosted solutions are simply moving their clients to HTTPS without doing any of the required work. That will result in a drop in rankings.

You need to follow the steps. Obtain the correct 2048-bit encrypted certificate, make sure there are no resources within the pages themselves that are not HTTPS, redirect all the HTTP to the HTTPS, set up the Search Console for the HTTPS, and finally watch it like a hawk for the following week or so.

Hopefully that’s helpful. I’ll see you all next week. Please share the video amongst your friends. Bye for now.