From this article you will learn:
- What are SSL and HTTPS
- Why it’s important to transfer to HTTPS
- What are the cons of migration
- How to migrate from HTTP to HTTPS the right way
- What to do after migration
- What are the common mistakes during migration
- How to migrate to HTTPS using CS-Cart and Multi-Vendor
- The fastest way to migrate to HTTPS
Do you want to protect fans of your website from the theft of personal data and go to the SERP top? Ensure the integrity of information using HTTPS, which is now an industry standard for every popular online resource.
Hypertext Transport Protocol Secure (HTTPS) is an extension of the standard protocol for providing a higher level of privacy and security in the exchange between the user and the site. Three main levels of protection are used:
- Authentication ensures that the client reaches the right online store. Allows avoiding attacks of the intermediary, thereby increasing the trust of users.
- Encryption to prevent interception. Thanks to it, an Internet thief will not be able to access personal information or view the actions of users.
- Data security. The protocol always fixes intentional and accidental changes, as well as distortions.
There is no unambiguous answer to the question whether you have to move to HTTPS because relocation is not an obligatory procedure. However, given its capabilities and advantages, many webmasters decide on this step and transfer their sites to a connection with encryption. Find out further why it is so important to upgrade the project, and how to do it correctly and quickly.
Important! In the first place, the website should be transferred if it has visitors leaving super-important data (for example, payment) that fraudsters can intercept. A secure protocol is a must-have for self-respecting online services, banks, online stores.
The encrypted protocol ensures the integrity and reliable preservation of data, it is responsible for the information security of users of the site. This is a good solution for experts in Internet advertising – potential customers trust the secure connection by default (while the mark in the browser “unsafe” has a negative effect on traffic).
Moreover, setting up HTTPS makes it possible to save and even increase the positions in the search results. Search engines are trying to do everything to make users feel secure on the Web. Therefore, they prefer safe resources. An advanced protocol is a positive factor when sorting sites.
The main blog for webmasters says that HTTPS is also a ranking signal. Now it has much less weight than high-quality content and authoritative incoming links. But Google is determined to change the security situation for the better.
According to the research of SearchMetrics, a statistical correlation was established between the setting up of the protocol and the top positions in Google’s search results. SEO-gurus recommend switching to a secure protocol asap.
As with any major change, setting up encryption requires a time and financial cost to purchase an SSL certificate. In order not to commit gross technical mistakes during setup, you need skills and experience or a strong desire to understand all the subtleties.
A short sagging of positions in the search results is possible, correspondingly, the loss of traffic share. In addition, there is the possibility of slowing down the site and completely deleting the reviews published in the plug-ins.
Incorrect transition to HTTPS often generates broken links, mixed content, and duplicate pages, if 301 redirects are not set up wherever needed.
However, the main difficulty for a webmaster is the decrease in SERP positions by about 20%. Do you probably wonder how to reduce this problem? Read the entire article, and you will learn how to start moving the site to HTTPS without losing positions!
In order for your site to function properly, you need to do the preparatory work, as well as make changes after switching to the encrypted protocol. The owner of the resource has two main tasks:
- Verify that images, style sheets, and scripts are uploaded via HTTPS (otherwise, the browser will not display a protected “green” icon).
- Set up a redirect so that readers used only secure connection.
Important! Before installing HTTPS and changing anything in the project, be sure to backup the database and files.
1. Verify SSL support by your hosting
Many hosts allow you to quickly add the received certificate using the control panel. If you can not manage on your own, you should write to support or hire someone for 30-60 minutes to do everything properly.
The current provider does not support SSL? Then, unfortunately, you will have to look for another one.
Note: changing the hosting and moving the site to HTTPS requires redirecting the old IP address to a new one.
2. Change internal links from absolute to relative
If the page downloaded through the encrypted connection contains the links to the HTTP pages, the browser notifies users of the deterioration of protection.
To avoid the problem of different protocols, you need to replace the absolute links with relative ones.
Links regardless of the domain name:
- – absolute;
- /content/ – relative.
Types of links, regardless of protocol:
- – full;
- //site.ru/content/ – relative.
The owner of the resource would select the last option – so you exclude the name of the protocol. Naturally, we are talking about internal links, you do not need to correct external links.
3. Fix media attachments
Preparing to change the protocol also implies working with presentations, videos and pictures – they must be opened through a secure connection. All addresses must also be transformed into relative ones.
When downloading files from external sites, make sure that they support HTTPS, otherwise, it’s better to refuse using them. YouTube and Facebook widgets, as well as other services that allow you to use the content, have long been working on an extended protocol. Therefore, finding the necessary images and video files will not be a problem.
4. Fix external script connections
Check and, if necessary, correct URLs (change absolute to relative) in external scripts. This applies to rare services, while popular tools function through HTTPS.
Note! Multiple forum SEO experts recommend newcomers to apply HSTS technology – then the browser will request HTTPS-pages, even if the user enters in the HTTP. To use the this, find the web server with its support. However, the implementation of HSTS complicates the rollback procedure.
5. Acquire an SSL certificate
The digital certificate is the standard technology of protection in the Network, used for accident-free connection between the resource and the browser. Without it, you cannot configure HTTPS.
To obtain a certificate, you must make a request for its issuance, providing answers to a number of questions about the company and the domain. Upon successful completion of the operation, your server will create a public and private cryptographic key. The certificate stores information about the owner of the resource and the certification authority, the date of registration and the validity period of the certificate.
How to get a certificate?
The Certification Authority is an organization that has the right to issue SSL certificates based on the results of the data validation in the CSR. In simple certificates, only domain compliance plays a role, in complex and costly, a thorough investigation of the company itself is carried out.
You can buy a certificate in a special center, for example, in Comodo, Symantec, Thawte Consulting or Trustwave. Depending on the complexity of the SSL certificate, the processing time for the application can be several minutes or ten working days.
Want to save money? Then use the service of the company in which you registered the domain name – certificates are cheaper at the expense of bulk purchases with large discounts. Another advantage – you will not have to add more profiles and repeat the payment.
Another option of getting an SSL with a discount or sometimes even free – order one from your hosting provider. High-quality providers offer SSL certificate for free included in the subscription plan.
It is not even necessary to pay money for obtaining a digital certificate, you can generate a free self-signed analog in the web server itself. This option is installed by default in many hosting control panels. However, this option is good only for internal use. The solution does not fit public sites. All browsers will warn users that the resource is not verified.
The best way is to use Let’s Encrypt SSL certificates. Let’s Encrypt is a free, automated, and open certificate authority supported by the major internet companies and regular users to provide the digital world with free certificates.
- DV (domain verification) Entry-level certificates are intended for private, individuals and legal entities who are looking for an inexpensive and quick solution in the design. Webmaster only needs to verify the rights to the domain without providing any additional documents.
- OV (organization verification) Medium-level SSL certificates can be registered exclusively by legal entities within a week period. It will cost a little more. In this case, the certification center checks the documents of the company, and after moving to HTTPS the browser highlights the address of the site in green as reliable.
- EV (extended verification) High-level digital certificates, in addition to the previous version, allow you to use a secure connection even on legacy browsers. They work both on the main domain and on subdomains.
Choose the level of the SSL certificate by the level of control based on the specifics of your project. The insurance firm and payment system should prefer the option with an extended check, and the business card site, entertainment blog or news portal will suit an inexpensive or generally free digital certificate. If the resource stores personal information of users and accepts orders, choose Organization Validated.
Now you need to decide on the type of digital certificate for the number of domains and subdomains. The standard is suitable for protecting one domain name, in case of using subdomains it is worth purchasing a group. You need a variant for several independent domains – choose a multi-domain certificate.
6. Configure SSL on the server and hosting
How do I install HTTPS? Find the “Configuring SSL” section in your administration panel. Then, enter the certificate information from the site.crt file in the “SSL certificate (.crt)” field. If you have a bundle or ca-bundle, you must also add it to the box above. In the line “SSL key (private key)” you must specify the private key received together with the digital certificate. This algorithm works when you configure a certificate issued by a certification authority.
Installation of a self-written or automated version on many hosting services is even easier: just fill out the form or submit a request, then click “Save” (or “Install”).
7. Check if the SSL installation was correct
To analyze if your SSL works correctly use a free SSL Server Test. Enter the domain name and click on “Submit”. After this, the online service will evaluate the security connection settings and provide recommendations based on the identified problems.
If SSL Checker has detected problems with installing a root and intermediate certificate or with a server configuration, you need to resolve them urgently.
8. Verify site public availability via HTTPS protocol
After installing a digital certificate, make sure that the resource is available at http:// and https://. When identifying a problem, immediately look for and eliminate its cause.
Did you see an inscription with an exclamation mark in the yellow triangle? That means that the site has mixed content, that is, links in the text and media files with HTTP. In this case, try to correct the situation yourself (by changing links from absolute to relative). You can contact the provider who gives you the SSL certificate for help.
Now is the time to configure the project itself without the drawdown of traffic. Here are the key recommendations:
- Make a site transfer from HTTP to HTTPS multi-stage – first upgrade part of the pages with rarely updated content and rare visits. Then, check the indexing, the changes in the statistics. After that, transfer the rest of the content.
- When moving with the URL update, run the resource in test mode.
- Schedule a transition to a time when there are few visitors. Especially if the attendance of the site depends on the time period or day of the week.
1. Set up redirections
When setting up the server redirect requires a clear sequence of actions, you need to check the health of the resource after the configuration. Moving does not happen immediately, sometimes you have to wait a few weeks. There is a probability of pages dropping out of the index and further recovery after a while.
Do not forget to designate the main mirror with a trouble-free protocol in the webmaster tool.
2. Set up a new sitemap.xml
The robots.txt file must include a new path to the sitemap with a secure protocol. All pages in sitemap.xml must be with HTTPS.
3. Check rel = “canonical”
This tag helps to eliminate duplicates, and it is also responsible for the correct concentration of reference weight. The attribute is created identically for each CMS: in the page code (HEAD block).
In case of its use, make sure that the canonical address was indicated with a secure connection. If the pages remain with HTTP, this can seriously damage the resource.
4. Check rel = “alternate”
The tag makes it possible to improve the ranking by notifying the search engines about the multilanguage of the site. Your task is to check that links to language versions supported by HTTPS.
5. Check internal linking
All internal links are subject to a new protocol. If you own a small static project, there will be little work – you will only have to update a couple of files by manually typing HTTPS. For sites on the engine, you need to fix the link format in the template and engine settings, and possibly also in the database.
The next step is to check whether all fonts, images, links, scripts and CSS styles are loaded at the updated address.
Note! Each CMS has its own characteristics. On Joomla, for example, problems with moving happen very rarely. Here you just need to enable SSL in general settings, then save, clear the site’s cache and browser. But on WordPress, you need to change internal links from absolute to relative.
6. Check images and scripts
Pictures and external scripts are required to work properly through a secure protocol. If you find problematic pieces, it’s better to put them on the server and run them from there – so they will be 100% downloaded via HTTPS.
The actions are completed, but the browser still does not recognize the connection as “secure”? This is usually due to scripts that come from the pages. Replace the URLs with relative ones without a protocol, and then check the response codes, redirects, and 404 pages.
7. Notify search engines
How do you move a site to HTTPS in Google without losing traffic? Of course, by informing search engine about the actions you performed using the webmaster’s bar. Enter a site with a secure connection in Google Search Console with confirmation of rights. If Google finds a secure protocol, the robot automatically replaces the content from HTTP to HTTPS as it is reindexed. Be sure to check the adjustment in geo-targeting URL options and other sections.
With Google Analytics, everything is simple: you need to change the protocol in the default URL row (Account / Resource / Resource Settings). Also, change the protocol in the URL of the website in the view settings.
You don’t need to reinstall the code of Google Analytics!
8. Check the correctness of redirection
In the end, you need to carefully study each re-indexing, crawling the site with a spider (for example, Screaming Frog SEO Spider).
It will not be superfluous again to check internal links, redirects, canonical and alternative links. All found errors should be corrected in the shortest possible time.
Installing an SSL certificate does not always go smoothly. Very often during the installation, unexpected problems pop up. To protect yourself from unnecessary time-consuming work, read the list of the most common mistakes.
You have chosen an unverified Certification Authority
Not all the certifying centers have a good reputation and are supported by the popular desktop browsers and mobile devices manufacturers. When choosing a certification center, be sure to pay attention to the availability of SSL certificates of the type you need. There are such centers that provide only OV and EV SSL certificates. Some certifying centers are limited to only domain-verified certificates (DV).
You have decided to use self-signed certificates for commercial sites
Self-signed SSL certificates are free, however, for commercial sites, such certificates will not work. Whenever a visitor comes to the site, he will see a warning. As a result, there is a significant loss of traffic, as visitors will immediately leave from such a resource – the level of trust to it will be very low. A commercial resource must be protected by a trusted SSL certificate.
You made a mistake when creating a CSR request
Errors in CSR requests result in the SSL certificate being unable to be generated. You need to carefully check each field. All input data must be correct, meeting the requirements for the CSR representation. It is better to double-check that all the data is entered correctly. This will save you a lot of time and effort.
You have not prepared for the verification process
The certification authority always performs a check of you and/or your organization before issuing the certificate. If the type of validation is set to Domain Validation (DV), then the domain belonging to the person making the request for the certificate will be verified. To do this, use the administrator email associated with the domain (admin/administrator/postmaster/hostmaster/webmaster) or specified in WHOIS. This type of verification is the easiest, it does not require any special training.
However, if you request an OV (organization verification) or an EV (extended verification) SSL certificate, in this case, you will need to provide additional information about your company. Often, organizations make mistakes when filling in all the data, which leads to problems with the passage of inspections. The information contained in the CSR can be outdated and does not reflect the current state of affairs in the company.
There are situations when the company does not have a publicly indicated phone number. It is necessary to provide all this before you receive a certificate – otherwise, there may be delays or the issuance of an SSL certificate with the release of the SSL certificate.
You have lost your private key
In the process of generating a CSR-request, a special file is created on your computer, which is called the Private Key. This key allows you to read encrypted messages that are sent to your server from the visitor’s browser. If you accidentally share a private key with someone, then your site will no longer be protected. If you lose a private key, you will not be able to install the SSL certificate on the site – you will need to reissue it. Take care of your Private Key – store it only in safe places!
You have decided to install the SSL certificate on your own, ignoring the instructions
If you are not an IT expert, then do not even try to install an SSL certificate yourself. Most likely, it will fail and will have to return to a paid service, which will take more time and money.
If you still want to try doing it yourself, strictly follow the step-by-step guides from the trusted resources.
You forgot to test the SSL certificate after installation
The final chord of any process is checking whether everything was done correctly. Make sure to visit your site after setting up SSL to ensure that the certificate was installed correctly.
You forgot about the certificate renewal date
SSL certificates need to be extended. Users often forget about the date of renewal of certificates, which adversely affects the business as a whole – site visitors start receiving a warning that the certificate has expired.
Transferring to HTTPS in CS-Cart is as easy as it can possibly be. You just need to enable secure connection in the administration panel of your CS-Cart or Multi-Vendor store.
- Log in to the administration panel of your CS-Cart or Multi-Vendor store. Navigate to Settings > Security settings.
- Enable HTTPS connection for the entire site and admin panel.
- Done. Check the storefront.
Visit Wiki for a complete guide with illustrations. If you want to use another SSL certificate, please contact us via HelpDesk or online chat.
If all this looks too complicated and overwhelming, there is the easiest way to migrate to HTTPS. Become our client by migrating to AWS Cloud hosting. We provide free Let’s Encrypt DV SSL and renew it constantly. Our experts configure SSL to hit the best score at SSL Server Test. We will create the most secure and fastest environment for your eCommerce business with zero effort from your side.
Do not postpone the transition to HTTPS until better days, because in this case they just will not come: you will only see positions sagging and the decrease in the trust of your target audience.