Change Website To HTTPS: Step By Step Guide


The conversion of a website from HTTP to HTTPS involves opportunities and risks that you should be aware of as a webmaster. If you are careful and follow the most important rules, you will not only prepare yourself for the future but may even benefit from a small ranking bonus at Google & Co. But if you disregard the rules for a clean transition to HTTPS or take the whole thing lightly, you risk, in the worst case, a very painful loss of existing rankings.

In this post I use a checklist to show you how to change your website step by step to SSL or HTTPS, SEO-compliant and without ranking loss!

Table of Contents:

What is HTTPS / SSL?
HTTPS marking in the web browser
HTTPS as ranking factor on Google
Change website from HTTP to HTTPS
General and important tips for getting started
SEO checklist for converting to HTTPS
1. Preparation
1.1 Crawling the website (actual status analysis)
1.2 Checking Indexing Status and Crawling Resources
1.3 Apply for SSL Certificate
1.4 Integrate and test SSL certificate
1.5 Make a copy of the webpage / backup
1.6 Find out about 301 redirects
2. Adaptation
2.1 Adjust links
2.2 Check HTTPS delivery
2.3 Crawl the HTTPS variant of the test environment
3. Live circuit
3.1 Domain Migration to HTTPS
3.2 Set up SEO-compliant HTTPS redirect (301 redirect)
3.3 Crawl the new domain / robots.txt / sitemap
4. External services, backlinks and monitoring
4.1 Switching and / or setting up external services
4.2 Adapting backlinks on external pages
4.3 Monitoring
Let’s start with some general information about HTTPS, SSL / TLS, certificates, secure data transfer, and the impact on the website and rankings on Google and other search engines.

What is HTTPS / SSL and how is it important for website designing?

HTTPS is a communication protocol for secure data transmission on the Internet. In contrast to HTTP, the data and interactions between the web server and the client are not transmitted in plain text, but are encrypted using the encryption protocol SSL / TLS. TLS (Transport Layer Security) is more widely known under the name SSL (Secure Sockets Layer) and refers to a hybrid encryption protocol for secure data transmission over the Internet. The three main levels of security are:

Encrypted data transfer: All data transmitted between the web server and the client is encrypted so that it can not be intercepted by unauthorized third parties. The user of the website can therefore rest assured that his activities are not being followed or even “intercepted” across different pages and is protected against data theft.
Data integrity: Data integrity prevents the unauthorized modification of information transmitted between your website and the user. The transmitted data can not be altered or damaged unnoticed.
Authentication of the client: This process is to ensure that only the user communicates with the website and nobody else intervenes. This strengthens users’ trust in the website and the company and protects against man-in-the-middle attacks.
Data sent using HTTPS can not be manipulated or altered by third parties. To activate the encrypted data transmission, webmasters can apply for a so-called SSL certificate.

HTTPS marking in the web browser

Secure connection: Web pages that are completely retrieved under HTTPS and thus via a secure connection are marked accordingly in the web browser. In most cases, the label is in the form of a green lock in front of the URL in the address bar. For example, Google Chrome looks like this:

Website HTTPS identification in Chrome
This site is labeled as safe by Chrome.

Connection is not secure: If the page itself can be delivered via HTTPS (i.e. a valid SSL certificate is available) but not all content is delivered over a secure connection (e.g. images, graphics or scripts), then the labeling is usually done in the form of an orange lock in the address bar:

Website HTTPS coding in Firefox
This website is labeled as “Not Safe” by Firefox, as parts of the site are not delivered via HTTPS.

Missing or Invalid SSL Certificate: When attempting to access a web page via HTTPS that does not have a valid SSL certificate, the browser immediately warns:

HTTPS call without valid SSL certificate
Chrome warns you when you visit an HTTPS web page that does not have a valid SSL certificate.

HTTPS as ranking factor on Google

Google places a high value on security and therefore published the HTTPS Ranking Factor Update in August 2014; since then HTTPS has been a ranking signal. The ranking algorithms take into account when checking a website whether it uses a secure, encrypted connection. As of this update, websites that use the HTTPS protocol can receive a small Google evaluation bonus.

The addition of HTTPS as a ranking signal meant that dozens of websites were switched from HTTP to HTTPS in a short space of time, hoping to gain a significant ranking advantage. However, that is not the case: HTTPS is just a lightly weighted ranking factor, and because of the mass of websites that have already been upgraded, switching brings less of a ranking advantage than it prevents the ranking disadvantage of staying on an insecure connection.

Since Google wants to encourage website owners to switch from HTTP to HTTPS and thereby increase security on the Web, one can assume in the future that secure data transmission via HTTPS will play an increasingly important role as a ranking signal. You should therefore approach the change as early as possible!

HTTPS as Ranking Signal (Google Webmaster Central Blog)
Since August 7, 2014 HTTPS is officially ranked by Google as a ranking signal.

Change website from HTTP to HTTPS

Many companies and website operators take the transition to the HTTPS protocol lightly: apply for an SSL certificate from your trusted web host, customize URLs and links, done. A subsequent visit to the website from the perspective of a user reinforces this opinion. After all, everything works wonderfully and every click leads to the desired page. But what happens behind the scenes can sometimes have a huge impact on the ranking of the website, leading in the worst case to a strong ranking loss.

The following checklist will help you with the preparation as well as the implementation and subsequent control, so that when changing from HTTP to HTTPS, nothing goes wrong.

General and important tips for getting started:
Think about what kind of certificate you need: single domain, multiple domains, subdomains, or wildcard certificate.
Use strong security certificates and choose a 2048-bit key when setting up the certificate for high security.
Redirect users and search engines to the HTTPS page or resource using server-side 301 HTTP redirects.
Make sure Google can crawl and index the HTTPS pages (no meta tag “noindex”, no blocking via the robots.txt).
Use relative URLs for all scripts and resources (e.g. CSS style sheets, JavaScript, images, videos, documents) that are located on your own domain.
Make sure that external scripts and resources are also called via a secure HTTPS connection.
For more tips, see Google’s Best Practices for Implementing HTTPS in Web Pages.

SEO checklist for converting to HTTPS

The following checklist will help you to gradually upgrade your website from HTTP to HTTPS, so that your existing rankings remain with Google.

Important! I assume that you already use a web analytics tool like Google Analytics or Piwik to measure visitors to your website. If that’s not the case, then set it up and run it for a few weeks so you can count on reliable numbers. I would not start the conversion before then.

1. Preparation

Before you start the transition, you should be aware of the current status of your website. This not only helps you to better assess the processes involved, but also helps you to analyze or compare after the changeover.

1.1 Crawling the website (actual status analysis)

With a website crawler such as the Screaming Frog SEO Spider Tool (up to 500 URLs) or Xenu’s Link Sleuth you can check all the URLs of your website. The crawler follows every single link on your website and checks its status. Links that point to content and resources that are no longer available, or that pass through mass redirects, should be corrected before the conversion to HTTPS!


1.2 Review indexing status and crawl resources

How many pages on your website are indexed on Google, and how many resources does Google provide for crawling your website? This information is especially important for larger websites to estimate how long it takes for Google Bot to recrawl all pages. You can determine the indexing status by means of a site query. In addition, I recommend that every webmaster use the Google Search Console (formerly Webmaster Tools), because it provides detailed insights into the indexing and crawling of your website.

For example, in the Crawl -> Crawl statistics section, you can see how many pages the Google Bot crawls on average daily, and then estimate how long it will take to visit each page of your website after switching to https.

1.3 Apply for SSL Certificate

SSL certificates can be requested from any provider. It usually makes sense to apply for the certificate directly from your current web host. Use strong security certificates and choose a 2048-bit key when setting up the certificate for high security. The certificate should be issued for a maximum of 2 years. A 1-year SSL certificate that validates the domain is usually sufficient. Separate validation of the domain owner, examination of the certificate holder or even insurance protection usually only play a role for web shops or larger companies.

Important: You need an SSL certificate for every single domain and subdomain, or you opt for a more expensive wildcard certificate that covers all subdomains.

For blogs and smaller websites that do not store sensitive data (e.g. login, customer or order data), there are providers like Let’s Encrypt who issue free SSL certificates.

1.4 Integrate and test SSL certificate

After the SSL certificate has been successfully issued and integrated (for certificates via the web host the integration is usually automatic, for third-party providers the keys must be entered) you can check that it works correctly, because your website should now be retrievable via HTTPS. With the free SEO tools for website validation, SSL Server Test and SSL Checker, you can have your certificate checked: just enter the URL of your website with https://.

Verification of the SSL certificate with the SSL Checker
If the SSL certificate is valid and correctly integrated, the result in the SSL Checker should look like this.

Do not worry, including the SSL certificate does not affect the ranking of your website. It only results in your website being accessible via HTTPS. At first you will get errors when calling your website via HTTPS, because not all content is encrypted yet; this is completely normal until the conversion from HTTP to HTTPS is complete.

1.5 Make a copy of the webpage / backup
Before you start the conversion process, you should create a copy of your website (database + web data) and make sure to save it as a backup. In order to be able to change your website to HTTPS in peace and quiet, it is advisable to work with a test environment, in other words with a 1:1 copy of your website. Personally, I always do this via a subdomain for which I have also set up an SSL certificate.

1.6 Find out about 301 redirects

In the course of going live you will have to deal with so-called 301 redirects. This is a search-engine-friendly redirect from the old HTTP to the new HTTPS variant of the page, where 100 percent of the link juice is inherited and a clear signal is sent to search engines that the requested resource can now be found permanently under a different URL. Find out in advance how it works so you can set it up quickly and easily when going live.

301 Redirect: Technical procedure of a 301 forwarding
301 Redirect: Technical process when processing a 301 redirect through the web server

2. Adaptation

When all the issues in step 1 are done, you can start customizing your website. The goal is to change all resources, links and references so that they are only queried and delivered via HTTPS.

2.1 Adjust links

You probably will not find all of the following on your website and that does not matter. Just take care of what you find. If your website works with relative paths (e.g. /feeds/ instead of http://www.domain.tld/feeds/), most of it will be converted automatically. CMS systems such as WordPress, for example, always work with relative paths, unless you have defined absolute paths (e.g. in posts or pages).

The following links must be checked and adjusted if necessary:

Internal links and redirects (navigation, content, footer, etc.)
Media (pictures, documents, videos, etc.)
CSS and Javascript files
HTTP header
Canonical URLs (rel="canonical")
hreflang attributes (rel="alternate" hreflang="x")
Structured data (schema data)
Page numbering (Page 1, Page 2, Back, Next, etc.)
Categories and archives
Product variants (at webshops)
Feeds (eg RSS)
CDN settings
Sitemaps
Mobile version of the website
AMP version of the website
Cookies
www. / non-www.
For customizing links in the database, I recommend the free Database Search and Replace Script from interconnect/it. Adjustments to scripts and files can be done with any editor (Sublime, Atom, Brackets, Notepad++, etc.) via mass search and replace. It is important to always have a backup!

2.2 Check HTTPS delivery

The easiest way to check if all scripts and resources are delivered correctly is to call your test environment via HTTPS. Assuming you have a valid SSL certificate included, you can tell by the address bar if everything is working properly (see HTTPS marking in the web browser):

Red warning and / or red marking in the address bar: Your SSL certificate is invalid or incorrectly integrated.
Yellow or orange marking in the address bar: Your website is accessible via HTTPS, but not all content is delivered via HTTPS.
Green marking in the address bar: Your website is delivered completely via HTTPS, and the HTTPS connection works without errors.
Tip: As long as you get hints that not all content is transmitted via HTTPS, it is easiest to look at the source code of the page. Just search for “http://” and look at what content is still being delivered via the insecure HTTP protocol.
If you receive a red warning, then it is best to use the SSL tools mentioned under point 1.4 again to check the correct functioning and integration of the SSL certificates on the new main domain.

This website is safe
If you did everything right, it should look like this. This website is secure – it has a valid SSL certificate and all content is loaded via a secure connection.
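The source-code search from the tip above can be automated. The following is an added example, not part of the original post: it parses a page and sorts every remaining http:// reference into active mixed content (scripts, frames, stylesheets), passive mixed content (media) and plain references such as links or canonical URLs. The host www.domain.tld and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser load a subresource.
ACTIVE = {("script", "src"), ("iframe", "src")}        # active mixed content
PASSIVE = {("img", "src"), ("audio", "src"),
           ("video", "src"), ("source", "src")}        # passive mixed content


class InsecureRefFinder(HTMLParser):
    """Collects every src/href/action value that still starts with http://."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []          # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "").strip() for name, value in attrs}
        for attr in ("src", "href", "action"):
            url = attr_map.get(attr, "")
            if url.lower().startswith("http://"):
                kind = self._classify(tag, attr, attr_map, url)
                self.findings.append((kind, tag, url))

    def _classify(self, tag, attr, attr_map, url):
        if (tag, attr) in ACTIVE:
            return "active"
        if (tag, attr) in PASSIVE:
            return "passive"
        rel = attr_map.get("rel", "").lower().split()
        if tag == "link" and "stylesheet" in rel:
            return "active"
        # Everything else only references a URL (a href, canonical, hreflang,
        # form action): no lock warning, but own-host entries must be adjusted.
        host = (urlsplit(url).hostname or "").lower()
        return "internal-reference" if host == self.own_host else "external-reference"


def scan(html, own_host):
    """Return all insecure references found in one HTML document."""
    finder = InsecureRefFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for the placeholder host www.domain.tld.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.domain.tld/page/">
<link rel="stylesheet" href="http://www.domain.tld/css/style.css">
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://cdn.example.net/tracker.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://www.domain.tld/images/banner.jpg">
<a href="http://www.domain.tld/contact/">Contact</a>
<a href="http://other.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, "www.domain.tld"):
        print(f"{kind:18} <{tag}> {url}")
```

Findings of kind active and passive are the ones that affect the marking in the address bar; internal-reference entries belong to the link adjustments from section 2.1.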

2.3 Crawl the HTTPS variant of the test environment

Your test environment is now completely encrypted and classified by the web browser as “safe”? Very good! Then you already have the biggest part of the conversion behind you. Now it’s time to check the internal links. Again use a website crawler like the Screaming Frog SEO Spider Tool (up to 500 URLs) or Xenu’s Link Sleuth and check the results for internal links to pages and resources that still use the insecure HTTP protocol (http://). The crawl will show you immediately if you have forgotten something. You should not receive crawl errors anymore, unless you intentionally did not fix them during the first crawl (see section 1.1).

3. Live circuit

If you can check the following points, then you are ready for the live connection:

Validated SSL certificate (see point 1.4)
Green safety notice in the web browser (see point 2.2)
Error-free crawling result (see point 2.3)
Complete backup of the current website

The following points should be made immediately after the changeover, as these can have a major impact on the accessibility of your website via search engines and thus the ranking.

3.1 Domain Migration to HTTPS

Make sure that your domain can only be reached via HTTPS and redirect all other variants to it. For example, if you’ve chosen “https://www.domain.tld” as your new address, you’ll need to redirect the following variants to it:

http://domain.tld
http://www.domain.tld
https://domain.tld
You can set up this forwarding either directly with your web host (keyword: domain mappings) or, if your web host does not offer this option, via a 301 redirect in PHP or htaccess. The prerequisite for this is that the Apache rewrite module is activated and the web server is already accessible via HTTP and HTTPS.

Example of forwarding from www to non-www:

# www -> non-www, sent straight to the HTTPS address
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.de$ [NC]
RewriteRule ^(.*)$ https://domain.de/$1 [L,R=301]

Example for forwarding non-www to www:

# non-www -> www, sent straight to the HTTPS address
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.domain\.de$ [NC]
RewriteRule ^(.*)$ https://www.domain.de/$1 [L,R=301]

Now that you’ve set the preferred domain, you can redirect all remaining pages automatically to the HTTPS variant.

3.2 Set up SEO-compliant HTTPS redirect (301 redirect)

As already mentioned, you have hopefully familiarized yourself with 301 redirects. You should now make sure as soon as possible that all old URLs (which are indexed in Google & Co.) automatically redirect to the HTTPS variant. Missing redirects or unreachable links can have a devastating effect on your website’s ranking, either causing duplicate content or being removed from the index by Google if the pages become unavailable for an extended period of time.

Here’s an example of forwarding all pages from HTTP to HTTPS via htaccess:

# Plain-HTTP requests only: permanent redirect to the same host and path on HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
or alternatively (via a server port check):

# Any request that did not arrive on port 443 is redirected to HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]

In both cases, the code should be inserted at the beginning of the htaccess file. Both variants lead to the same goal.

You can check whether the redirects are working correctly by a) requesting URLs of your website with http:// (which should then automatically redirect to the https variant) and b) running a site query on Google and clicking through some of the search hits at random. Ideally, the pages are always automatically redirected to the respective https variant.
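The manual check from sections 3.1 and 3.2 can also be scripted. The following is an added example, not part of the original post: it follows the redirect chain of each URL variant and reports hops that are not a 301, hops that fall back from https:// to http://, chains longer than one hop, and chains that do not end at the chosen address. The domain.tld URLs and both response tables are constructed; `fetch_status` is the fetcher you would use against a real server.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch_status(url):
    """Real fetcher: one HEAD request, redirects are not followed."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_variant(start, canonical, fetch=fetch_status, max_hops=5):
    """Follow the redirect chain from `start` and list what is wrong with it."""
    problems, url, hops = [], start, 0
    status, location = fetch(url)
    while status in REDIRECT_CODES and location and hops < max_hops:
        hops += 1
        target = urljoin(url, location)
        if status != 301:
            problems.append(f"{url} answers {status}, not 301")
        if url.startswith("https://") and target.startswith("http://"):
            problems.append(f"{url} downgrades to {target}")
        url = target
        status, location = fetch(url)
    if hops > 1:
        problems.append(f"{start} needs {hops} hops, expected 1")
    if url != canonical or status != 200:
        problems.append(f"{start} ends at {url} with status {status}")
    return problems


# Constructed responses (status, Location) for two hypothetical configurations.
CANONICAL = "https://www.domain.tld/"
VARIANTS = ["http://domain.tld/", "http://www.domain.tld/", "https://domain.tld/"]
CLEAN = dict.fromkeys(VARIANTS, (301, CANONICAL))
CLEAN[CANONICAL] = (200, None)
CHAINED = {
    "http://domain.tld/": (301, "http://www.domain.tld/"),      # host rule first
    "http://www.domain.tld/": (302, "https://www.domain.tld/"),  # R=301 missing
    "https://domain.tld/": (301, "http://www.domain.tld/"),     # http:// target
    CANONICAL: (200, None),
}


def audit(table):
    """Check all variants against a table of constructed responses."""
    return {v: check_variant(v, CANONICAL, fetch=table.__getitem__) for v in VARIANTS}


if __name__ == "__main__":
    for variant, problems in audit(CHAINED).items():
        print(variant, problems or "OK")
```

Calling `check_variant(url, canonical)` without the `fetch` argument runs the same checks against the live server.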

3.3 Crawl the new domain / robots.txt / sitemap

Yes, we crawl the website again, in the https variant. If everything has been changed correctly, you will not find unwanted links or mistakes anymore. If you do, fix them immediately! Also check if the robots.txt is reachable via HTTPS and if the links in your sitemap (if you use one) have been converted to https.

Important! If you are using a caching program, please delete the cache completely.

4. External services, backlinks and monitoring

If all the points from step 3 are implemented, then the more relaxed part follows: the setting up of external services, backlinks as well as the continuous monitoring of the HTTPS conversion.

4.1 Switching and / or setting up external services

The following services (if you use them) need to be rebuilt:

Create https property in Google Search Console / Bing Webmaster Tools
Submit https sitemap (s)
Conversion of the Web Analytics Property to https (Google Analytics, Piwik, etc.)
Connect or reconnect Google Search Console and Google Analytics if you already had a connection for the http website.
In the Google Search Console, it’s best to create a set with all 4 URL variants (see: Grouping properties into sets) and define the variant you have chosen (e.g. https://www.) as the preferred domain (see: Set preferred domain (with or without “www”)).

If you are using other services, then change them as well.

4.2 Adapting backlinks on external pages

If you have the ability to customize links from external websites (eg linking from your own projects or posting links somewhere), then do it. Links to websites that you can not influence yourself are not a problem, because Google will be able to easily follow up the links based on the established 301 redirects.

4.3 Monitoring

In the first days and weeks after the transition you should always keep an eye on your website. Check Google’s indexing status via site query (the number of hits should not go down, only the search hits should gradually change to the https variants) and the Google Search Console. Watch for crawl errors and significant changes in traffic on your website.

Ideally, you use a professional SEO tool such as the Xovi Suite or – free for sites with up to 100 URLs – OnPage.org and can respond quickly to problems and changes in the ranking.


I hope that my contribution to the conversion of your website from HTTP to HTTPS has helped you. Unfortunately, I can not cover all eventualities, so some initiative of your own is still required. If, for example, you still use third-party systems within your website that are accessed via your main domain (e.g. a blog with its own CMS system), you will of course also have to change these separately.

Otherwise, I can only say: I wish you continued success with your project!
