I get sad when I see websites without a secure lock beside their URL in the address bar. Because for most small business owners, it is EASY and FREE to get a secure lock plus it improves your search engine optimization (SEO).

Bigger sites like Amazon or The Huffington Post may take a little more precautions in planning how to adjust their SEO rankings before switching. But if you’re reading this blog, chances are you manage your website yourself because it’s within your ability and budget to do so. It’s more likely that adding the HTTPS to your website properly (as outlined in the steps below) will only improve your SEO.

This tutorial will take you through the process to:

• Check if you already have HTTPS
• Apply an SSL to your website
• Keep your SEO in tact
• Notify Google of changes

At the end you’ll have the coveted site lock on your own website, improved your SEO, and indicated to visitors that your website is trustworthy.

What is the HTTPS, and why should you care?

HTTP stands for Hypertext Transfer Protocol. It is the way information is sent from the user’s web browser to your website. The data that is shared between the browser and the website is sent over in plain text. The problem with that is if someone intercepted a connection between the user’s browser and your website, the information being sent and viewed can easily be seen by the person intercepting. This means sensitive information, like a credit card number, can be viewed on an unsecured HTTP.

HTTP is a bit like using a postcard. Anyone can pick up the postcard and read it. You don’t want to use a postcard to deliver a message if you’ve written a juicy story that should stay private.

HTTPS is – you guessed it – Hypertext Transfer Protocol Secure. It creates a safe transfer of information by using a SSL (Secure Sockets Layer) to act as the protocol for data transfers between the browser and website. It also encrypts the information as it travels the pipe from the user to the website.

Think of the HTTPS as writing your juicy story on a piece of paper, but then locking it in a safe and mailing the safe to be opened upon delivery by the receiver. You can bet your message is more secure than your regular postcard.

Even if you don’t take credit cards on your website, any user input is at risk of being stolen (like inputting the email in a contact form). It’s no wonder that Google developers began hinting in December 2014 that they’ll consider websites without the “Secure” HTTPS to be less rank-able than websites that carry the HTTPS.

What is an SSL?

As mentioned above, the HTTPS works by passing through an SSL (Secure Sockets Layer). When an SSL is installed on a website, it activates the secure lock icon next to the address bar and the HTTPS protocol to create a secure connection from the user’s browser to your website by using something called public key cryptography. This uses two keys which are just randomly generated numbers. One is called a private key and the other a public key. The information passing from your website is locked with the public key, and unlocked with the private key. If someone intercepts the information before it’s unlocked, all they’ll get is nonsense code that doesn’t mean anything.

An SSL also acts as certification to indicate that your website is owned by who it says it’s owned by. There are different levels of SSL Certificates to indicate more detailed levels of authentication. We’re going to concentrate on the free and basic version, which is currently sufficient for encrypting data and improving your SEO. You may consider paying for a more robust SSL Certificate if you’re a larger company and/or host an e-course or members-only areas on your website.

How does migrating to HTTPS improve SEO?

For starters, Google is cracking down on HTTP websites even if they don’t take credit card payments. That means if two websites are relatively equal in SEO, the one with the HTTPS will rank higher in a search.

• HTTPS websites should theoretically load faster (fast load times = better SEO)
• Carry credibility because ownership is transparent (credibility = better SEO)
• Are secure for the visitor to use (better user experience = better SEO)

Those are some great reasons to migrate to HTTPS.

Now that we know the fundamentals of what we’re doing, let’s get cracking on migrating your site to HTTPS and keep your SEO in tact.

Hey, it could be that you’re new to this whole world of HTTPS and you’re not sure if your website is secure. No worries – simply type your website into your address bar with an https:// in front of your normal website domain. Like this:

Here are three possible results you’ll get:

If you see the words “Not secure” in red and a warning from your browser, you don’t have an SSL to make your website secure with the HTTPS in front. Head straight to Step 2

If you were able to get to your website, but the “https” is grey and there is an info icon, you have an SSL, but you’re running mixed content (non-HTTPS content like images and CSS files) on your web page. Skip on down to Step 6

If you see the green lock, you have the HTTPS and SSL encryption!

But don’t celebrate just yet. If you’re on WordPress, double check your redirects are working by typing into your browser: “http://yourwebsite.com” (no “s” on purpose)… If your website loads without the secure lock, you have an issue with the redirect. Double check you have Step 5 applied, then continue to Step 6.

If the http://yourwebsite.com redirects to https://yourwebsite.com and you still have that secure green lock icon – head down to Step 9 to make sure everyone knows to access your site as https://yourwebsite.com to improve your SEO.

If you’re on Wix, Weebly, Square Space, Shopify, or any other hosted website platform, getting a site lock is usually a one-click process. It’s somewhere in the settings but you can check with your individual provider on how to do it. If that is your situation, you’re almost done. Head to Step 9.

Caution: changing to an HTTPS on these platforms can cause third-party plugins or scripts to stop working. Check that you’re not running any unsecured plugins or scripts (either ask your web designer, or look into the plugins you’ve installed in the past)

If you have WordPress, you’re in for some more manual labor. Continue on Step 3.

Your CPANEL is where your website directory is. It can be accessed via your host server like BlueHost, GoDaddy, DreamHost, HostGator, WebSavers, etc – wherever the back end of your website is located (not your WordPress log in). Go log into that area. Below are examples of the BlueHost and WebSavers CPANEL.

Having an SSL process built into your server is ideal and will be the easiest way. You can see right in the CPANEL examples above that BlueHost and Plesk both issue SSL Certificates. Look around your CPANEL for a link that mentions “SSL”. Follow their instructions to apply the SSL to your domain.

Some providers require a day or two to apply the SSL. They should give you a notification that the SSL has been applied. If you haven’t received a notification (or not sure where to find one), type your domain into the address bar of your browser with the https:// in front of it. For example:

If you get a warning that the website is not secure it means the HTTPS has not been applied. Contact your host if it’s been more than 48 hours and your site doesn’t have the SSL applied.

Once you’ve confirmed the SSL is good to go, continue to Step 5.

If your host server does not have a one-click solution for your SSL, you’ll need to get a certificate to deploy on your website. Head over to Let’s Encrypt. They are providers of free SSL Certificates. They have the current instructions for applying their SSL Certificate to your website. I won’t copy/paste it into this blog in case it falls out of date. But the basics will be that you’ll install Certbot in your directory and that allows them automate the SSL Certificate and keep it up to date automatically. Then proceed to Step 5.

After your SSL is installed and ready to go, log into your WordPress Dashboard. On the left hand side select Settings > General. Then change the WordPress Address (URL) and Site Address (URL) by adding an “s” between the “http” and “:” Then hit “save changes” at the bottom of the page. You will be locked out of your website and have to log in again to secure your connection.

For example:
http:yourwebsite.com
becomes
https:yourwebsite.com

Caution: If your SSL is not applied, this will break access to your website. But do not fear! You can reverse your changes via your database. Contact us if you need help with that.

Now for some fun.

When you apply an SSL to a website that was started without the HTTPS, you’ll get what is called “Mixed Content” – which is simply images and files that are still HTTP. You need to convert them to HTTPS. But have no fear! There is a handy plugin for that. Before you start, make sure you have a back up of your website to fall back to if changing mixed content produces unexpected errors.

When you add HTTPS to your website, you’ve essentially made a NEW website. Now you technically have two websites – one with HTTP and one with HTTPS. So now you need to create a 301 redirect so anyone who types your website into their browser as http:// will redirect to https:// automatically.

Luckily there is a handy plugin for both those issues.

You’re going to install and activate a plugin called Really Simple SSL. Once activated, you’ll find it under Settings > SSL in the menu of your WordPress Dashboard.

If it doesn’t prompt you through an automatic set up wizard, click the settings tab and use the following settings:

Depending on how you set up your website, you may need to change your internal links to reflect the upgrade to HTTPS. Most links within your site should not have the domain when the link is created. For example, I don’t write the link to my Contact page as “https://geekunicorn.com/contact”… I just do “/contact” and it adds the front part automatically. That’s how your links should be built. But they might not be done that way on your site. You’ll need to go page-per page to double check and update them as necessary. If you don’t have a lot of time, concentrate on doing your home page and your footer. Then tackle the rest of the site as you’re able.

Head over to Why No Padlock and throw your URL in their search bar to check your website is secure. It will recommend any changes if it’s not.

Visit all your social media channels and directories for your business online and update your website details to include https:// before your domain name. This helps in SEO because all back links are the correct address and don’t slow down page load time by redirecting through http:// to https://

Here are some places to start:

• Facebook
• YouTube
• LinkedIn
• Twitter
• Yelp
• Google Business Page
• Paid Business Directories

Open Google Search Console, log in with your Gmail account (or whatever email you used to register), and click “add property” in the upper right corner. Simply type your website address into the field with https:// in front. Include both the www and non-www version. You should now have four versions of your website listed with Google Console. Two http:// with and without www in front, and two https:// with and without www in front.

Do the same in your Bing Webmaster Console to please Yahoo and Bing. Depending on your demographic, Bing could be a large piece of your traffic.

This is an important step because the https:// website is technically considered a different site than your original http:// website.

If you have Yoast SEO Plugin for WordPress (you should)… generate a new XML sitemap by going to SEO > XML Sitemap and click the link marked “XML Sitemap”. Copy that URL.

If you don’t have Yoast SEO – just go get it. It’s a phenomenal free tool for managing your SEO on site.

If you’re not on WordPress, follow the instructions for getting your XML from your platform provider (such as Weebly, SquareSpace, etc)

Now that you have your XML sitemap, while still in the Google Console, click the website you want to add the XML to (in this case, it’s https://yourwebsite.com). Select Crawl > Sitemaps and add your sitemap with the button in the upper right corner labeled “Add/Test Sitemap”

Do the same in your Bing Webmaster Tools.

Still in the Google Search Console, select Crawl > Fetch as Google, then press the “Fetch” button. You’ll see a grey button come up to “index” your site. Press that button. What you’ve asked Google to do is add your page and all the pages that link from it to be put into Google’s catalog (or index) that it uses to draw from when pulling suggestions in a search result.

You can do the same in the Bing Webmaster Console.

You did it!! Your website is now officially secure and you’ve improved your SEO. Pour yourself a drink because you’ve earned it.