settingsAccountsettings
Menusettings

Q: How to migrate a site from http to https and SSL?

+5 votes

I need to install SSL certificate and use https on my site. Please help me with tutorial how to do it. Here is an image of what I mean:

image of ssl certificate in the browser window

I need the same green padlock! Moreover, SSL and secure connections are trendy nowadays and there are even rumors that Google is loving them by giving more SEO privileges to sites with encrypted connections.

The process of migration seems to be hard for me and I need a tutorial how to do it properly. Step-by-step please! Thanks!

asked in Web Design category by user eiorgert

3 Answers

+4 votes

It is not that hard my friend - you just need to get used to the whole process - but usually for not that big sites it takes around one day to do all the steps;

Firstly, I need to mention that you need to be patient because sometimes the green padlock sticks to the yellow color and you might get confused.

5 (just five!) steps to install SSL and have https on your site:

1st STEP: Buy your SSL certificate

You can buy the certificate from your hosting provider. I, personally, use Hostgator and for Business accounts there is free SSL certificate (Comodo Positive SSL) :-) In my opinion, the best way is to buy SSL from your hosting provider - because they will install it for you for free and you will avoid some hassle.

Also, you can buy 3rd party SSL certificate for less money from:

https://www.namecheap.com/security/ssl-certificates.aspx

Here is even cheaper SSL online store here:

https://www.gogetssl.com/

You can also search online for other places which sell SSL certificates - BUT be aware of cheap ones - from Chinese sites for example;

The certificate I am using is the Positive SSL from Comodo with 256 bits of encryption: it is $9 per year if you buy it from NameCheap.

Here is and article explaining the difference between the certificates:

https://webdesign.tutsplus.com/articles/ssl-certificates-and-https-what-you-need-to-know--cms-28242

After the purchase of the SSL you will need to install it on your domain name. The big hosting providers are willing to install them for a small price. For example: to install 3rd party SSL, Hostgator is asking $10.

If you order your SSL from your hosting provider the whole process will take up to 12 hours and if they install the 3rd party SSL certificate it can take up to 72 hours. You can check whether the certificate is installed in your site’s Cpanel or your billing/profile/account page.

For Hostgator hosting users here is more useful information:

http://support.hostgator.com/articles/how-do-i-purchase-an-ssl-and-what-type-is-it

http://support.hostgator.com/articles/ssl-certificates/ssl-setup-use/i-have-purchased-a-ssl-from-you-now-how-do-i-use-it

2nd STEP: The migration

2.1. Check your code and if you have images like this in the code:

<img src="http://yoursite.com/images/image.jpg"/>

Simply change the path from http:// to just //:

<img src="//yoursite.com/images/image.jpg"/>

This will help you later - and whatever version of the site you have http or https - the images will ALWAYS be shown!

2.2. Check your CCS paths as well and also change their path - from full to relative.

2.3. After the installation of the SSL on your domain you will need to change your site's name from http://yoursite.com to https://yoursite.com. If you are using WordPress CMS you can do this in the Dashboard >> Settings >> General.

2.4. For WordPress there are many plugins which might be helpful for migrating from http to https. BUT the best one in my opinion is this: https://ithemes.com/security/ it is a bit pricy BUT with one click of a button you can redirect all your images and styles to the https version.

It will also give you an opportunity to use the https version in your wp-admin area. It will add 2 lines of code in the wp-config.php file and will force the migration of http to https for the admin + login area:
 

define( 'FORCE_SSL_LOGIN', true ); // Force SSL for Dashboard - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard
define( 'FORCE_SSL_ADMIN', true ); // Force SSL for Dashboard - Security > Settings > Secure Socket Layers (SSL) > SSL for Dashboard


The WP plugin itself will also protect your site from different type of attacks and spam - so it is pretty handy!

2.5. If you don't use Ithemes security pro plugin you will need to add the above-mentioned code manually in wp-config.php.

There are 2 more options for securing your admin area (https-ing it :-).This is in case the option from 2.4. failed to work (2 added lines in the wp-config.php file):

OPTION 1: Add this code in your functions.php:

function force_https () {
if ( !is_ssl() ) {
  wp_redirect('https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
  exit();
}
}
add_action ( 'template_redirect', 'force_https', 1 );

OPTION 2: Add this code in your wp-config.php:

if(!_isSSL()){
    $url = 'https://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
    wp_redirect( $url, 301);
    exit();
}

function _isSSL(){
     if( !empty( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' )  return true;
     return false;
     return is_ssl();
}

Here are some articles about the WordPress and installing the SSL on this powerful CMS:

https://code.tutsplus.com/tutorials/options-for-ssl-in-wordpress--cms-21995

https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress/

3rd STEP: 301 redirect of your http version to your https one

This part of the process is somewhat tedious because it might not work immediately and you might need to try different options... For the 301 redirection you will need to change your .htaccess file located in the root of your site. It "speaks" with your server (most often it is Apache). The purpose is to avoid duplicate content loading from http:// and https:// simultaneously.

For WordPress there are varius options of the rewrite rule code. You will need to add one of the options (see them below) right after the # END WordPress line in your .htaccess file (the rules follow from top to bottom). Do not forget to change the yoursite.com (and yoursite\.com) in the examples with your actual domain name.

OPTION 1: The most common rewrite rule for migrating from http to https is this one:

RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

If there is a loop in the browser, use this one instead:

RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

OPTION 2:

RewriteEngine On
RewriteCond %{HTTP_HOST}#%{HTTPS}s ^www\.([^#]+)#(?:off|on(s)) [NC]
RewriteRule ^ http%2://%1%{REQUEST_URI} [R=301,L]

OPTION 3:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80 [OR]
RewriteCond %{HTTP_HOST} ^www.yoursite.com
RewriteRule ^(.*)$ https://yoursite.com/$1 [L,R=301]

OPTION 4:

RewriteEngine On
RewriteCond %{HTTPS} !=on  [OR]
RewriteCond %{HTTP_HOST} !^yoursite\.com$ [NC]
RewriteRule ^ https://yoursite.com%{REQUEST_URI} [R=301,L]

OPTION 5:  (this one worked for my WP site):

RewriteEngine On
RewriteCond %{HTTPS} !=on  
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^www*\.(.*yoursite\.com)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

OPTION 6:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www*\.(.*yoursite\.com)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

My .httaccess file in my WordPres CMS site for example looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

RewriteEngine On
RewriteCond %{HTTPS} !=on  
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^www*\.(.*mysite\.com)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

Now you will need to check whether everything is working fine by typing in your browser http://yoursite.com and http://www.yoursite.com - do not forget to clear your cache as it might affect the redirection. Press CTRL+H in your browser to clear the cache and cookies and then try again if needed.

If you have another CMS or PHP platform the rewrite rule might differ. For example for a Question2Answer platform this one works pretty well:

DirectoryIndex index.php
<IfModule mod_rewrite.c>
RewriteEngine On
#RewriteBase /
RewriteCond %{REQUEST_URI} ^(.*)//(.*)$
RewriteRule . %1/%2 [R=301,L]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP_HOST} ^www*\.(.*yoursite\.com)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^.*$ index.php?qa-rewrite=$0&%{QUERY_STRING} [L]
</IfModule>

4th STEP: Verification

4.1. Check whether your CSS styles and images are loading correctly! If the padlock in your browser is steady green (not yellow) everything works fine!

4.2. You can check whether the SSL is installed properly here:

https://www.sslshopper.com/ssl-checker.html

or here

https://www.whynopadlock.com/

SSLshopper WhyNoPadlock will crawl ONLY one page - so you might need to check the other inner pages of your site by using this service:

https://www.jitbit.com/sslcheck/ - this site will crawl up to 200 of your website's pages and will tell you whether there is a problem with the SSL.

For more advanced users you can use a program called http://www.scrapebox.com/ - it is useful if your site is bigger and you want to scan a lot of pages to check if there is an insecure connection - maybe an image or something else. You can use Scrapebox's plugin/addon: Page Scanner: http://www.scrapebox.com/page-scanner

5th STEP: Notify Google about the changes you've made

For SEO purposes you will need to notify Google. If you are using Google analytics simply change the site's Default URL from http:// to https:// by going to the Google's Analytics Dashboard.

The next step is to add https://yoursite.com to the webmaster tools - as a new site by clicking on Add a Property (keep the old http:// version though!) Watch the video below to understand the process better (after 1:30):



In your robots.txt file located at: https://yoursite.com/robots.txt don't forget to change your sitemap's path form http to https and add it in the Search Console

Another video you might find useful:



and an article:

http://www.howto-expert.com/how-to-get-https-setting-up-ssl-on-your-website/

All done! Enjoy your secure and encrypted connection + (maybe) boost your SEO rankings :-)

answered by user golearnweb
edited by user golearnweb
+4 votes
If you are from Russia you can watch these 2 videos about SSL installation and all the pluses of using it:

1. The first video is from Devaka - SEO master and guru in Russia :-) It explains the importance of having SSL on your site:



2. The second video shows the exact steps of installing the SSL on a site - kind of a live performance:



Also to mention that there is one great article from Evgeniy Popov here:

https://evgeniypopov.com/blog/kak-perevesti-vash-sajt-na-https-i-pochemu-eto-ochen-vazhno.html

The article has a lot of YouTube videos embedded so the whole installation of SSL certificate is very good explained!
answered by user hues
+3 votes
Here is an article for Bulgarians in Bulgarian: https://blog.jump.bg/https-migracia-i-chast/
answered by user mitko
Modern websites tend to be SSL secured (HTTPS) as it provides an extra security layer while logging in to your Web Service. Google announced that an HTTPS (vs HTTP) website would receive an extra boost in their ranking.

While switching to HTTPS, make sure your site remains optimized and see to it that your website will still run quickly. Follow these best practices for a smooth transition:

- Use a serious issuer to purchase your SSL certificate
- Redirect all of your HTTP pages to the HTTPS version of your website
- Use HTTP Strict Transport Security (HSTS) in your headers
- Renew your SSL certificate every year, before it expires
- Make sure that all of your content (CSS, etc.) is linked to HTTPS
- Update your XML sitemap to ensure the URLs include HTTPS and update the robots.txt file to reference this version
- Register the HTTPS website in Google & Bing Search Console/Webmaster Tools
...