Sign up for our newsletters and digests to get news, expert articles, and tips on SEO
Enter correct email address
Thank you for subscribing!
4 comment
17 min read
May 21, 2020

Back in 2014, HTTPS encryption became one of Google’s ranking factors and Chrome has been marking all HTTP websites as not secure since July 2018. Mozilla, Safari, and even Microsoft Edge followed the lead, so today whenever you access a non-HTTPS website via one of the popular browsers, you get the respective warning. 

Not secure connection in Chrome

It doesn’t matter if you handle sensitive information like passwords or banking card details. If a website runs on HTTP, it is always marked as not secure. And this notice surely doesn’t help build user trust. 

From what I see when browsing the web, Google’s stick-and-carrot approach has proven effective and most websites have already switched to HTTPS. But if you’re not yet on the HTTPS bandwagon, here’s another reason to jump on board ASAP.

If you store sensitive user data and your website serves EU customers, running a website on HTTP can get you into legal trouble. According to GDPR that came into force in May 2018, websites must ensure that all users’ personal data is handled securely. It means that in case of a data breach, you will be deemed responsible and will have to pay a hefty fine.

To protect both your website visitors and yourself, you’ll have to move to HTTPS. And we’ll guide you through the whole process to help you sidestep possible pitfalls on the way. 

What’s the difference between HTTP and HTTPS 

HTTP stands for Hypertext Transport Protocol. Since the early days of the Internet, it has been used for transmitting data between a browser and a server storing website files. One of the major drawbacks of HTTP is that information is passed in plain text and can be intercepted by anyone within the network, and ultimately be altered or stolen.

This issue is solved with the help of encryption. When data is encoded it becomes unreadable and so even if malefactors lay their hands on it, they won’t be able to make use of the information. That’s how HTTPS is different from HTTP:  All the messages are transmitted through an encrypted communication channel. For this reason, the letter “S”—that stands for “Secure”—was added to the protocol name.

Below, you’ll find a five-step guide on moving your website from HTTP to HTTPS. 

Step 1. Choose an SSL certificate

To make it possible for your website to establish an encrypted connection, you’ll need to get a TLS certificate first—better known as the SSL certificate. The thing is, after a major upgrade the certificate was renamed to TLS, but the older name stuck around. The certificate is a small file that contains an encryption key along with verified information about the website owner. Depending on how much data you provide about the person/company owning a website, you can get one of three certificate types.

DV (Domain Validation) is the most basic certificate. As the name suggests, it only verifies that a person requesting a certificate owns a domain. You can get a DV certificate in no time and it won’t break your bank.

OV (Organization Validation) certificate verifies not just the domain ownership, but also the legal organization behind a website. It takes time to verify a company’s business records, so you’ll have to wait longer to get this type of certificate. Plus, it costs more money.  

EV (Extended Validation) is a top-level certification. To issue such a certificate, the certifying authority will thoroughly check a company’s governmental records and independent business listings, will verify the identity of the person requesting the certificate, and finally will arrange a phone call with the issuer. Surely, EV certificates are the most expensive ones and take time to get issued.

The EV certificate is a must for governmental organizations, banks, big e-commerce websites. If this is not your case, you will be fine with the regular DV certificate as your website visitors won’t notice the difference anyway.

Back in the day, websites that obtained an EV certificate would get their company name featured in the address bar next to the padlock. It was highlighted in green to make it clear from first sight that the website was secure.

Site protected with EV SSL marked in Chrome

Now, to check if a company has gone through an extended validation, you’ll have to click the padlock sign and look for the company name in the Details section. And the reassuring green color is now also gone.

EV SSL certificate details in Chrome

In addition to the validation level, SSL certificates differ by the number of domains and subdomains they cover. 

  • The basic DV certificate only covers one domain without subdomains
  • If you have subdomains on your website (,, etc) you’ll have to obtain a wildcard SSL certificate; 
  • To protect several domains, you can get a multiple domains certificate.

To sum up, when picking the type of SSL certificate that fits your website best, pay attention to the validation level you want to get and the number of domains (including subdomains) you need to cover. 

Important note: Before proceeding to the next step, check if you will be able to install an SSL certificate to your hosting serversome hosting providers still do not support HTTPS. If you host your website with a CDN, make sure it’s also HTTPS-compatible.

Step 2. Get and install an SSL certificate

Option 1: Buy from your hosting provider 

Once you’ve decided what kind of SSL certificate you need, check what your hosting provider has to offer. If the pricing is reasonable, this would be your best choice as you’ll get things done faster and easier. 

The standard procedure of obtaining and installing an SSL certificate is as follows: 

  • You pick the type of certificate that works best for you;
  • You generate a private encryption key and a certificate signing request (CSR) with your hosting provider;
  • You order an SSL certificate from your selected vendor—at this point, you’ll have to upload the CSR file you generated earlier;  
  • Once the certificate signing request is sent, you’ll have to go through the verification procedure that will vary depending on the certificate type (DV, OV, EV);
  • After the validation is completed, you’ll be able to download your SSL certificate from your vendor’s website and upload it to your hosting server.  

As you can see, things get a bit complicated because you need to get files from a hosting provider and then upload them to an SSL certificate vendor, and vice versa. If you buy an SSL certificate directly from your hosting service, there’d be no need for such file exchanges and you should be able to cross a few points off the list. With some providers, all you need to do is click a couple of buttons and everything will set up automatically. In any case, contact your hosting company to learn how they can help you move to HTTPS. Also, check if by any chance your hosting plan includes a free SSL certificate—some providers do offer such a benefit. 

Option 2: Buy from the certifying authority or at a specialized store

If for some reason, you cannot get an SSL certificate from your hosting provider, there’s an option to buy one directly from a company issuing such certificates (Comodo, Symantec, Geotrust). Besides, there are plenty of specialized online stores selling SSL certificates.

Option 3: Get it for free

Thanks to the Let’s Encrypt initiative, there’s also an option to get an SSL certificate absolutely for free. Certificates they issue work in the same way as paid certificates with only one difference: They are only valid for three months while regular SSL certificates last for one year. Therefore, you’ll have to constantly renew your Let’s Encrypt certificate. Besides, they only provide DV certification. 

Once you install your SSL certificate, you’ll have to make sure it works properly—you can use SSL Server Test for this purpose. It will check whether the certificate is valid, which encryption protocol is used, how strong the cipher is and will calculate the overall rating of your website. The highest possible score is A+, and if you get a lower rating, the service will show you why. 

SSL Server Test

Step 3. Force using HTTPS 

Once your SSL certificate is successfully installed, your website will become accessible both through HTTP and HTTPS. The problem is that in the eyes of search engines these are two separate websites that can compete in the SERP. To make users and search engines access your website over HTTPS, you’ll have to set up a redirect. Over time, as HTTPS-pages of your website get indexed, their HTTP version will drop out of the SERPs and the link juice will flow to the HTTPS version of your website. 

Now, there’s one thing you need to do before setting up redirects—replace all the absolute URLs on your website with relative ones. 

Implementing relative URLs

First, let’s define what relative and absolute URLs are. An absolute URL contains the entire address of a page including the connection protocol and the domain name. Most of the URLs you see over the Internet are absolute (e.g. Relative URLs, on the other hand, are used for internal linking. They do not specify the connection protocol and may or may not contain the domain name (e.g. or simply /blog). 

If a website uses relative links, the browser itself adds the missing protocol and domain name to the webpage address. It assumes that a relative HTTPS link on a webpage should be pointing to another page on the same website that also runs on HTTPS. 

You’ll have to replace ALL of the following absolute links with relative ones: internal linking, paths to stylesheet, scripts, images, video. Otherwise, you will be faced with a mixed content issue. It occurs when some page elements load over the secure HTTPS connection and others—over the insecure HTTP protocol.

Mixed content error

Such webpages are vulnerable to man-in-the-middle attacks as elements loading over HTTP allow malefactors to gain control over the whole page. Having mixed content on your website is like theft-proofing your home with a reliable door lock while forgetting to close the window. Naturally, browsers mark pages with mixed content as insecure, so you want to make sure all your website resources load through HTTPS. 

So, you can either spend hours fixing internal linking and rewriting file paths to images, videos, scripts, etc. after enabling redirection. Or implement relative links and nip the problem in the bud. 

If you have a big website, you won’t be able to implement relative URLs overnight. So, consider replacing your links with relative ones beforehand. That way, you’ll be able to set up redirects shortly after you install an SSL certificate before both HTTP and HTTPS versions of your website get indexed and start to compete in the SERPs. 

Setting up 301 redirects

To redirect users and search crawlers to your HTTPS website, use the server-side 301 redirect. It tells search engines that the page has been permanently moved to a new address. The setup procedure will vary depending on the type of your webserver. If your site is hosted on a server running Apache—which would be the case with many hosting providers—all you need to do is add a few lines of code to your .htaccess file. 

You can find the file in your website’s root folder, but keep in mind that it may be hidden. In this case, you’ll have to go to the settings of the admin panel and check the “Show hidden file” box. Make sure to copy the file before altering it to have a backup in case something goes wrong. If you haven’t located the file, it means your website doesn’t have one and you’ll need to create it on your own using a regular text editor. 
Add the following line of code to your .htaccess file, replacing with your website address:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule .*{REQUEST_URI} [R=301,L]

To check if it worked for you, type the HTTP address of your website into the browser’s address bar—you should be redirected to the HTTPS version. 

Step 4. Update your Google Search Console

Even after you set up the redirect, your HTTP pages will still rank on Google. To get them replaced with HTTPS versions, the latter need to be crawled and indexed. You can speed up the process by uploading an updated version of your XML sitemap to Google Search Console. Before that, you may need to add your HTTPS website to GSC. Or it will be already there—it depends on which method you used to verify your website ownership. 

The thing is, in February 2019 Google launched domain properties to let webmasters analyze domain-wide data. Domain property is a URL without protocol (HTTP/HTTPS), www prefix or other subdomains(m, support, help, etc), and paths (es, fr). So if you add to GSC, you’ll get combined data on different versions of your website address including,,,,,  and dozens of other possible variations both with HTTP and HTTPS protocols. The only way to create a domain property is by going through DNS record verification

Now, if you have a domain property set up in your GSC, it will automatically start collecting data on the HTTPS URLs. But if your website has a URL-prefix property status, you’ll have to manually add the HTTPS variation of your website. Again, you have a choice to either add it as a URL-prefix property or verify your ownership through DNS and create a domain property to see aggregated data.

Adding property to GSC

Mind that domain properties are only available in the new Google Search Console, which lacks some long-established tools including the Disavow tool. If you can’t do without the Disavow tool, you have no other choice but to stick with the old Search Console, manually add the HTTPS property, and resubmit your Disavow file to it.

Step 5. Find and fix errors

Since we’ve implemented relative URLs across the website before forcing HTTPS, no critical technical errors should come up after you set up the redirects. Nevertheless, a good practice would be to run a website audit and make sure everything is working properly. 

Pay attention to the following issues: 

  • Existing pages should return the 200 status code, nonexisting—404;
  • HTTPS-pages should not be blocked by robots.txt file or meta noindex tag—otherwise, Google won’t be able to crawl and index them;
  • rel=canonical and rel=alternate tags, as well as hreflang attribute, should point to HTTPS pages;
  • Pages should not return mixed content errors, meaning every page element should load over the HTTPS protocol.

You can easily detect all these issues with SE Ranking’s Website Audit. After you run an audit for your website, you’ll have access to a detailed report covering 102 potential issues grouped in 19 sections. Take a look at the Website Security section to see if you have any redirects or canonical tags pointing to HTTP pages, HTTP URLs in your sitemap.xml, or pages with mixed content.

SE Ranking Website Audit errors after moving to HTTPS

To check if you have any potential problems that may stop your pages from indexing, check the Crawling section of the report. You’ll know what pages have been blocked by robots.txt or noindex and nofollow tags.

Mixed content errors in SE Ranking's Website Audit

The Website Audit tool is available under the free trial, so all you need to do is sign up to SE Ranking. Once you create your first project, the audit will start automatically. You’ll have 14 days to test out all the other tools SE Ranking offers including our Keyword Rank Tracker.

Keep an eye on your rankings

Apart from technical difficulties, many feel doubtful about moving to HTTPS because they fear to lose traffic and rankings. 

It’s true that you may see some ranking fluctuations in the first couple of weeks. But if you’ve taken good care of all the technical details when switching to HTTPS, you shouldn’t suffer drastic ranking drops. The 301 redirect passes up to 99% of link juice, so after all your HTTP webpages drop out of the index, you should regain the rankings and traffic you had before. Besides, as you remember HTTPS is a ranking factor. It is minor, but still, you may be among the lucky websites that actually experience a boost in rankings after moving to HTTPS. 

In any case, you’ll want to keep an eye on your ranking fluctuations after moving to HTTPS. Then, in case of a ranking drop, you’ll be able to figure out what may have caused it and fix the issue ASAP. 

As was mentioned, SE Ranking also has a handy and reliable tool for ranking monitoring. Keyword Rank Tracker allows you to keep track of all your target keywords across your selected locations. 

SE Ranking Rank Tracking

Moving to HTTPS is inevitable 

Moving to HTTPS may seem like a daunting task. You need to bear dozens of details in mind and messing up is not an option as your rankings and traffic are at stake. And still, you cannot afford to stick to HTTP as you will compromise the security of your users and lose their trust. Besides, in the nearest future, search engines may also stop tolerating websites running on HTTP.

Back in 2018, Google claimed that in the long run, they want to remove secure indicators from Chrome and only mark non-secure websites. The final goal is to transform the Internet into a place where every website user access is secure by default. It is still unclear how Google plans to use to further encourage websites to switch to HTTPS. But it’s quite probable that they will choose the stick method and HTTP protocol will become a negative ranking factor. In any case, my advice is not to sit on the fence and move to HTTPS without further delay. And our guide will help you to do it right.

Subscribe to our blog

Sign up for our newsletters and digests to get news, expert articles, and tips on SEO

Thank you!
You have been successfully subscribed to our blog!
Please check your email to confirm the subscription.
  1. I have a question about your tool checking for mixed content. Does it tell what causes the error?

    1. Thank you for your question, Kaleb. All the numbers in the Mixed Content column are clickable, and upon clicking the number you can see which page elements are loaded over HTTP.

  2. Does anyone still use HTTP these days? Haven’t seen the Not Secure mark in like months

    1. Yes, some websites still run on HTTP. The majority of websites (61% to be precise) now use HTTPS protocol by default, and I believe most of the established websites are a part of this large group. But the remaining 39% still need to switch.

Write a comment

Your email address will not be published. Required fields are marked *