How to migrate from HTTP to HTTPS (complete tutorial)

So after recently going through a migration from HTTP to HTTPS for a client I wasn’t happy with the documentation and tutorials I found online so I decided to write my own. If you miss one thing, such as moving over your disavow file it can be disastrous. This tutorial does assume you are using WordPress, but most of it is applicable for any platform.

Choosing an SSL certificate

First, you will need to decide if you need a single, multi-domain (use on more than one domain), or wildcard certificate (use on unlimited subdomains). Google recommends using a 2048-bit key certificate or higher.

Thankfully with Kinsta, this is also a breeze as they offer free Let’s Encrypt SSL certs. I simply logged into the MyKinsta dashboard, clicked into my site, and there is an option to enable a free SSL certificate with a single-click.

Add Let's Encrypt certificate at Kinsta
Add Let’s Encrypt certificate at Kinsta

I won’t be going over the manual installation of the cert here. I would just recommend having your host do it for you if you don’t know how.

HTTP to HTTPS checklist

Now to get down to business! Some of these might not be applicable for you, but I wanted to be thorough.

Step 1 – Turn off CDN

The very first thing to do is disable/turn off your CDN if you are running one. I am using the free WordPress CDN Enabler plugin so under Plugins in WordPress I temporarily disable this plugin.

disable cdn enabler

Step 2 – Clear your website’s cache

The next thing you want to do is clear the cache on your website. I am using the free WordPress Cache Enabler plugin so in the top right corner of the WordPress dashboard I click on “Clear Cache.”

clear cache wordpress

Step 3 – Update all database and hardcoded links to HTTPs

Now it is time to update and replace those HTTP links in the database and your URLS to HTTPS. For this I use an awesome free tool from Interconnect IT called “Database search and replace script in php.”

If you aren’t comfortable doing this you can also use the free Better Search and Replace plugin. Note: I never recommend using the Really Simple SSL plugin as this is just a band-aid. However, it can be a quick way to get up and going.

I do recommend doing this on a dev server and moving it back, or at least backing up your database first to be safe as this script does grab your local database credentials. Simply drop their program into the root of your site via FTP.

drop search replace into ftp

Then browse to it in your browser. (I named my folder “search-replace-db”)

search and replace script

You can then insert what you want to replace. Make sure you enter all of the formats you have mixed and matched over the years such as:

  • http://mydomain.com to https://mydomain.com
  • http://www.mydomain.com to https://mydomain.com
search replace http to https

I then recommend running a “dry run” first to see what it will be updating/replacing. Then when you are ready click on “live run.”

search replace run

Note: This will update all of your entries in your database, including your WordPress Site URL, hardcoded links on pages and posts, etc.

Step 4 – Update all CDN URLs to HTTPS

Now if you are using a CDN you will want to run this procedure again. I use KeyCDN. Most likely you have a few hardcoded CDN URLs floating around.

search replace cdn urls

Make sure after you are done with the search and replace script to remove it! You can do so by clicking on the “Delete Me” button or remove it manually via FTP from your server.

delete search replace

 

Step 5 – Update custom JS, Ajax libraries to HTTPS

Next if you have done anything custom on your WordPress install, like include a jquery library, custom scripts, etc…, you will want to make sure those are also updated to HTTPs. For Google’s jquery you can simply point it to their HTTPs hosted version: https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js

Step 6 – Add 301 redirects (force HTTPS)

Now you need to add a 301 redirect to all of your new URLs (pages/posts). Or rather you need to redirect all of your HTTP traffic to HTTPS. I don’t advise using a plugin like Really Simple SSL as this is only a temporary fix. All redirects should be done at the server level.

If you’re a Kinsta client you can easily do this with a few simple clicks. Simply click into “Tools” on your site and enable the “Force HTTPS” option.

Force HTTPS in WordPress
Force HTTPS in WordPress

If you’re managing your own server, you can also do this manually. Simply add the following code to your .htaccess file via FTP. (if you aren’t comfortable doing this ask for help as you can break things) Also make sure to change the code depending upon whether or not your domain uses www.

Apache

RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.yoursite.com/$1 [R=301,L]

Here are some additional examples of using htaccess redirects.

NGINX

server {
listen 80;
server_name domain.com www.domain.com;
return 301 https://domain.com$request_uri;
}

Step 7 – Update origin URL on CDN

Now we need to update the origin URL at KeyCDN. Under your pull zone settings in the dashboard, update the Origin URL to HTTPS and click “Save.”

keycdn origin URL

Step 8 – Install SSL cert on CDN

KeyCDN has Let’s Encrypt integration which means SSL certs are completely free! Click into the advanced settings of your KeyCDN zone and enable Let’s Encrypt under SSL.

keycdn let's encrypt

Add a CNAME record in your DNS (Zonealias → Zone URL). DNS changes take some time depending on the TTL. Check that your new DNS record is active with the DNS Check Tool.

cname check dns

Create a Zonealias for that zone. Note: If your zone already has a Zonealias, you must either remove it before changing the SSL option to LetsEncrypt or recreate it afterwards. Further, you cannot add a Zonealias if the CNAME record is not fully propagated.

Step 9 – Enable HTTP/2 on CDN

Then I recommend double checking to make sure HTTP/2 is enabled.

HTTP/2 is a networking protocol for low-latency transport of content over the web. Originally started out from the SPDY protocol, now standardized as HTTP version 2. (source: caniuse)

In the KeyCDN dashboard under advanced features make sure HTTP/2 is enabled.

cdn enable http2

Step 10 – Update CDN URL in CDN plugin + re-enable

Now make sure you update your CDN URL in your CDN or caching plugin and turn the CDN back on. So I re-enable the WordPress CDN Enabler and I click into the settings. I update the URL to HTTPS and also check the CDN HTTPS box. Then click on “Save Changes.”

https cdn enabler

 

Step 11 – Update sitemaps function file to point to new HTTPS CDN URL

Well now we need to actually update that function to point to the HTTPs version in your WordPress functions.php file. See an example of the updated version below.

functions file fix images indexing maxcdn

Step 12 – Create new Google Search Console site

Now you need to create a new Google Search Console site for the HTTPS version of your site. Simple add another site your HTTPS domain.

add https site

Remember to setup the same settings you have on your original GWT site, such as international targeting, etc.

Step 13 – Create new Google Search Console site for CDN

If you are running KeyCDN you will also want to create a new GWT site for your HTTPS CDN domain. (See step 14 for why I have to create a separate GWT site for my CDN)

gwt https cdn

Step 14 – Submit sitemaps to new Google Search Console site

Next make sure to submit your new sitemap file to Google Webmaster Tools. Make sure you are grabbing your new HTTPS sitemap URL.

submit https sitemap

Step 15 – Fetch and crawl

I then recommend doing a fetch and crawl on your new HTTPs site just to get things moving a little faster. In some of my migrations to HTTPs I have seen it take weeks for Google re-crawl everything correctly.

What I do is usually fetch my homepage and then click on “Submit to index.”

fetch as google

Then choose “Crawl this URL and its direct links.” If you have some very important pages too that might not be connected to your homepage you could also submit them individually for re-crawling.

crawl this url

Step 16 – Resubmit disavow file under new Google Search Console site

If you had a disavow file before under you original GSC site you will want to resubmit this file under your new HTTPS GSC site. This is very important! If you miss this step you could do a lot of damage to your site.

So head over to the Google Disavow tool under your original GWT site (HTTP) and download your disavow file.

disavow domains

Then launch the disavow tool again under your new HTTPS site and resubmit your file.

disavow links
disavow domains

Step 17 – Submit HTTPS sitemaps to Bing Webmaster Tools

Then you need to re-submit your new HTTPS sitemap file to Bing Webmaster Tools. This is slightly different than GWT as you don’t have to create a new site. They simply need your new sitemap file and your good to go.

bing webmaster tools https

Step 18 – Create new Yandex Webmaster Tools site

For Yandex, you do need to create another new site for the HTTPS version just like GWT. Feel free to follow this tutorial on “How to Submit Your Website to Yandex Webmaster Tools“.

Step 19 – Submit Sitemaps to new YWT site

You will then need to submit your new HTTPS sitemap file to your new YWT site.

yandex https

Step 20 – Update Google Analytics profile URL

Then you need to update your Google Analytics Website’s URL. So under your account click into Admin and then your property settings. Then flip the URL to the HTTPS version. This way you don’t lose any history and can pick up right where you left off. Also update your view as well.

https google analytics

Step 21 – Re-link Google Search Console site to analytics profile

Now you will want to re-link your Google Analytics profile with your new HTTPS Google Search Console site. To do this click into Admin under Google Analytics and then your property settings. Scroll to the bottom and click on “Edit” under Webmaster Tools Settings.

Google Search Console settings in GA
Google Search Console settings in GA

Then choose your site and hit Save. You will get a prompt about un-linking your old association (HTTP). Simply say OK.

`Link Google Search Console with Analytics
Link Google Search Console with Analytics

And that’s it folks! You have now successfully migrated your site to HTTPs. You will want to monitor Google Search Console for the next week or two to make sure everything starts indexing again in your new site. Also fix any crawl errors that come up right away.

Your new GWT site will most likely look like this after a few days and your old GSC site will drop off.

search queries

Step 22 – Re-associate YouTube channel website

If you have a YouTube channel you will want to re-associate your website with your new HTTPS version in GWT. Otherwise you will get errors with annotations and other things in YouTube complaining about the HTTPS link being invalid.

In the YouTube dashboard click into your Channel and then into “Advanced.” Then change your domain to the new HTTPS version and click Add. You will have to then approve it by going into GWT, clicking into your messages for that site and click on approve.

re-associate youtube channel

Step 23 – Update Facebook App URL

If you have a Facebook App running for things like the WordPress SNAP plugin or a social login then you will need to update your App’s URL. So head over to https://developers.facebook.com/apps.

Click into your App.

facebook app

Then click into Settings on the left-hand side and update the Site URL and Mobile Site URL with the new HTTPS version. Then click Save Changes.

facebook app URL settings

Additional things to update:

  • Update Google AdWords URLs
  • Update Bing Ads URLs
  • Update AdRoll URLs
  • Update Facebook Ad URLs
  • Update MailChimp RSS Campaign URL (or any email marketing tool)
  • Update External Links (Social Media, Backlinks, etc)
    • Facebook website URL
    • Twitter website URL
    • Pinterest website URL
    • Google+ website URL
    • YouTube website URL

Scan website for non-secure content

There is an awesome free tool from the guys over at Jitbit to scan your website to check for non-secure content. This can be a quick way to diagnose anything you might have left behind. There is also a tool called HTTPS Checker which is pretty handy. It will scan your entire website for any HTTPS errors and provide you with an easy to read report. The free plan allows up to 100 pages.

Additional things to note:

  • If you are running Disqus it will automatically switch to HTTPS when migrating. I didn’t have to do anything. So the automatic switch usually works but sometimes I have found Disqus doesn’t pick up the new URLs. So you need to run their URL mapper tool to migrate your comments from the old HTTP URLs to new HTTPS URLs. If you are migrating both to HTTPs and a new domain you can follow my tutorial on how to “Migrate Disqus to a new Domain and Shortname.”
  • The WordPress Site URL is updated to HTTPS when you ran the updates in Step 4.
  • Adding “rel=canonical” tags is done automatically because when you change your WordPress Site URL Yoast updates your canonical tags.
  • If you are using a WordPress plugin like Simple 301 redirects all of your old redirect links were updated to point at the HTTPs version during your updates in Step 4. You may also want to look into adding 301 redirects at the server-level. Mainly due to performance reasons.
  • Make sure to check that your robots.txt is accessible and working.

Will you see traffic improvements by migrating to HTTPS?

I definitely saw a slight increase after everything settled back down from the migration. There is a very interesting article on “HTTPS Encryption – What is the impact of TLS/SSL on Rankings?

As of February 1st, 2016, John Mueller also posted up 13 answers to FAQs about HTTP to HTTPS migrations. Make sure to check it out.

As always feel free to leave your comments below! And if I missed anything please let me know.

author bio
Brian Jackson

I craft actionable content and develop performance-driven WordPress plugins. Connect on X, subscribe to my newsletter (once a month), or buy me coffee.

50 thoughts on “How to migrate from HTTP to HTTPS (complete tutorial)”

  1. This is a helluva list!

    I’m surprised that Google Webmaster tools doesn’t provide a way to updaate the site url to https.
    Why is it good to create new Google Webmaster Tools for the cdn?

    I just finished a re-design of a site that moved to https. This post was great timing.

    cheers!
    jules

    Reply
    • Thanks Jules! Yes it definitely took some time to put together. But even I will use it in the future :) Ya GWT still doesn’t have a good way to move to HTTPS. Their site migration tool only supports moves to new domains.

      Glad the post was helpful!

      Reply
    • Thanks Mike! Glad it was helpful. I have gone through a couple migrations now and these steps worked perfectly every time. I will keep updating this post if I find additional things of importance. Did you buy ReviewHell? I know Brent put it up for sale a while back. If so, congrats! It is a great website.

      Reply
  2. Very detailed tutorial on migrating to SSL. However, I do not think it’s always worth it to use SSL. Forexample, for website not featuring login it might put extra strain on the server (shared hosting might be affected). I know also for a fact that a lot WordPress plugins can break, reason being is that the hardcode the ‘http://’ in evaluations or resource specification.

    Reply
  3. Pingback: WordPress Weekly Watch – April 19 2015
  4. Pingback: Why You Should Move from HTTP to HTTPS for SEO - Create3
  5. Wow, what an awesome tutorial! Thank you so much for all the homework and love you put into this. Definitely gave me some peace of mind to help me think through all the angles as I was migrating my site from HTTP to HTTPS today.

    I do have one thing I would add. I see that Google recommends using HSTS when migrating to HTTPS. You did not mention this, so I thought I would bring it up. See here: https://support.google.com/webmasters/answer/6073543?hl=en

    Funny enough, I found myself in a bit of a pickle when implementing HSTS, and I thought I would share it here. I found a nice WordPress tutorial on the topic: https://thomasgriffin.io/enable-http-strict-transport-security-hsts-wordpress/. But then things got interesting. After setting up HTTPS on my WordPress site, and setting up 301 redirects on all my pages, I added the HSTS header, and looked at the network tab in my browser’s developer tools, and I noticed something concerning. When I try to navigate to the old HTTP version of a page, instead of doing a 301 redirect, it is doing a 307 redirect due to the HSTS. Which makes me wonder if this is potentially a problem with the search engines? Might Google’s spider hit this 307 and never realize that I’m doing a 301 to pass on the link juice and search rankings of my old page to the new HTTPS version, since a 307 is a temporary redirect as opposed to the permanent 301?

    Do you have any thoughts on this? I thought it was an interesting predicament and wanted to share.

    Either way, thanks again for this amazing tut!

    Reply
  6. Hey Brian! I followed your steps and found I kept getting a “too many redirects” issue for my new site, WPStarters

    Here’s what I did to solve it
    1) Removed W3 Total Cache and all residue files
    2) Unprotected the site on CloudFlare

    Then I found I had issues with the permalink (but I could access the backend and the stylesheets worked!). After browsing through some solutions (which seemed really complicated), I solved it with
    1) Switching back to the plain permalinks.
    2) Tested and found it working
    3) Switched back to the prettified permalinks
    4) It works!

    Appreciate your resource! :)

    Reply
  7. Great guide! I also had to edit my wp-config’s WP_SITEURL and WP_HOME URLs to break out of a redirect loop.

    Reply
  8. Pingback: Internet Marketing Checklist • Aaron Gray
  9. Hi, you did not address, how to change all internal links in wp from http to https. Sure they are 301 redirected, but it would be better to have them all change in the first place.
    Are there plugins you use or so you have a process to change it in the database?

    Reply
  10. Hi, thanks for this guide!

    In section 20 on Google Analytics, I notice that you don’t mention changing the GA Property over to https as well—just the View. Is this just a minor oversight?

    Reply
  11. Pingback: Cómo diseñar un blog profesional: detalles del rediseño de VAM
  12. Pingback: Social Warfare Review - Ultimate Social Sharing Tool - brightkite
  13. Pingback: HTTPS For SEO: How SSL Can Boost Or Set Back Your Google Rankings
  14. Great Resource. (Y)

    Found your write up on link ahrefs blog, there you shared this post on a comment section. I was totally new using HTTPS for my http://www.thestocklot.com/site/ site, but now i 100% confident to migrate from HTTP to HTTPS.

    I’ll move to HTTPS SOON.

    Thanks man

    Reply
  15. Thanks for this, Brian. My web host offered me an SSL upgrade and I was looking for a guide to what to do next. Yours is the clearest one I’ve seen.

    Reply
  16. Wow! Very useful article, indeed, Brian.

    However, one thing baffles me completely:

    I understand the reasons and benefits of migrating to HTTPS.
    But why do I see numerous – well respected and well ranked – sites with TWO versions, both HTTP and HTTPS, of their sites?

    Not only that, Google indexes and presents in the serps the 2 different versions.

    If you state your preferred site to be HTTPS:
    1. Why keep the HTTP version.
    2. Why does Google not just list the HTTPS version?

    If you, or anyone else knows, please enlighten me.

    Reply
  17. Hi Brain, I use Serverpilot AutoSSL. After enabling SSL on my website, I enabled http to https in serverpilot control Panel. When my website start working smoothly on https, I created a new property in Google webmaster for the https website. Now the same https://….links apearing in both sitemap – sitemap of the http and https websites. Is there any problem or it is just normal

    Reply
  18. Hi,

    Im from Chile, and im a bit scared about this change -.- because there are myths about traffic drop

    I read all your post, and i think im doing the things right.

    Regards

    Reply
    • Hey Matias, if you do everything right, you won’t see a traffic drop. I have migrated dozens of sites from HTTP to HTTPS and none of them saw decreases in traffic. In fact, a lot of them saw increases.

      Reply
  19. Did you change domains at all? If so you would need 301 redirects setup for all your URLs. Did you also setup a 301 redirect from HTTP to HTTPS? Also, did you create a new Google Search Console profile?

    Reply
    • I did not change the domain, but I did change hosting. And I never did a 301 redirect from HTTP to HTTPS. I did create a new Google Search Console, but I also didn’t create a xml sitemap.

      Reply
      • Ya that is the issue, you have to do a global 301 redirect from HTTP > HTTPS. Just open up a support ticket with your new host and tell them you need a “global 301 redirect” to HTTPS for your site. Any host should be able to add this for you. 2 lines of code and you should get all your traffic back :) It might take a few weeks for Google to realize you fixed it, but you should be fine.

        Reply
  20. Lol, Brian you wrote “And if I missed anything please let me know.” what it can be? You’ve included all necessary details :)

    It’s really great to see that you’ve included information about updating URLs used with social media site such as Facebook. I’ve seen in many cases where website owner forgets to change from http to https in their Facebook App.

    I’ve just migrated my site from http to https and found lots of helpful information in this article. Thank you for sharing.

    Reply
  21. Two years later and I’m still using this post as a reference when I’m updating a site to HTTPS!

    RE: Step 21.
    You might consider updating the post to reflect Google Analytics new terminology.
    Scroll down to “Search Console” and click on “Adjust Search Console” to associate desired Search Console account.

    Cheers!
    jules

    Reply
    • Awesome to hear Jules :) I have just gone through and updated some of the Google Webmaster Tool references to now say “Google Search Console.” I also added a few new pics. Thanks!

      Reply
  22. Hello Brian,

    I have query related to HTTP sitemap.

    As soon as done with the HTTPS migration, the HTTP sitemap will no longer be available to webmaster tools.

    Will that non availability of HTTP sitemap cause any issues in rankings

    Reply
    • Hey Raj, no that won’t impact your rankings. Just make sure to submit your new HTTPS one so Google knows quicker where to find everything.

      Reply
  23. Outstanding article Brian, thanks for sharing. My Hosting provider done the whole SSL Registration for me. Glad you mention the updated site map. Google Search Console must be the most valuable tool for all Bloggers.

    Really great and conclusive work. I also use a plugin called “Really Simple SSL” that deal with most issues.

    Reply

Leave a Comment

41