HTTP to HTTPS

What is SSL and is it necessary for us?

Before you start a migration from HTTP to HTTPS, it’s a good idea to know what the protocol itself is, to decide if you need it and to pre-prepare to avoid the many problems that might arise from an irregular migration.

SSL is an acronym for Secure Socket Layer and is practically a protocol that encrypts the connection between the web server on which a site is located and the client browser that opens the site in question. The standard HTTP connection is unprotected, it has no encryption, the traffic between the two machines can easily be intercepted and read in many different ways as it passes through the network between them. If your site transmits content in one direction only (site to user) or browser-to-site interactions do not involve the transfer of personal or confidential data, this is no problem and you can safely pass without SSL.

An example is the site http://www.bbc.com/ – the BBC media group site – any anonymous user can view and read the news without sending data to the server or using the site’s search engine, in which case the data he is transmitting and is of no consequence to the potential hacker. If, however, he decides to use the personalized options on this site, he / she must log in and log in to his / her profile on the site (in which case he / she needs to fill in a form with some personal details that should be personal). Then it can be seen that the link is redirected through the https://session.bbc.com/ https protocol, which encrypts the link and protects that data.

SSL and Google

Since the beginning of 2017, Google has begun to send warnings to any user using their CHROME browser for an unsecured site each time it tries to open a site that has a form that can transmit such data, and no encryption protocol is installed to protect them. This is the primary purpose of SSL. He accomplishes several things – encrypting the data between the site and his user so that they can listen, protect them from damage or modification without being detected and verify that the link is really with the site in question and not captured and redirected.

It should be borne in mind that HTTPS is not a magic shield and it does not make the site more secure. DDOS attacks, software vulnerabilities, and other hacking do not affect it at all, so first make sure it’s on a server level. SSL itself has also gone through a series of reviews that remove vulnerabilities that have been detected over time in its security. After version 3, the certificate was replaced with TLS (Transport Layer Security), which is actually used and now reaches the TLS 1.3 version for the moment. Due to the nature of its activity, the term SSL is also used for it. This is also the main reason for requiring that the installed certificate be updated over a certain period of time – install and move to a later and more secure version.

Pros and cons of one migration to HTTPS

There are several benefits for such a transfer:

1. The above-mentioned Data Security – password protection, personal data, credit card details, financial operations, and more.

2. Due to the Google Communication already described, users now virtually require such a certificate on any online business site. If your site is such that you do not wonder at all, you can not avoid it.

3. Google has accepted the SSL certificate for one of its criteria when ranking its results, as well as a requirement for site traffic reporting.

Minuses can also be very serious, especially if migration is not done correctly.

1. Decreasing the page speed – encryption of data takes time, albeit minimal – can be felt mostly on mobile devices. However, installing SSL is one of the requirements for installing HTTP / 2, which protocol can significantly speed up the loading of the site. Do it, or ask your hosting provider to do it after migration.

2. Due to the difference in certificates, search engines actually accept HTTP and HTTPS site versions for different sites – you may experience duplicate content warnings. Links from external sites that you have to your HTTP version also do not affect your site after transferring it unless you take the appropriate action. All this may have a negative impact on your ranking.

3. Collected social alerts – like lasks, shares, comments, etc., as well as counters to the HTTP site version are also rarely transferred to its HTTPS version.

4. For all these reasons, even in a well-executed pass, you are likely to experience a drop in your rankings, albeit temporary. In poor performance, your ranking may actually collapse and remain so long after the erroneous mistakes have been removed (or until the rankings of the new page versions have risen organically to their previous level, which may take years).

Switch to HTTPS

1. Preparation. There are a few things that need to be fulfilled before the transition begins.

1.1. Create a backup on your site as well as on your database.
1.2. Navigate your site to know where its site’s name and file name indicates your site’s name (pay special attention to your site’s options and its configuration files) and where its contents contain internal links to http pages, which then will need to be changed, where http resources are used in your url address (pictures, video files, audio).
1.3. Take a look at your console – the page and word rankings, links to http addresses.
1.4. Choose the appropriate certificate: – A standard TLS / SLL certificate – single domain certificates and possibly one or several subdomains to it depends on where you buy it. The most commonly used type of certificates. Suitable for any kind of sites, blogs, online stores, news sites, and more. It is issued quickly and is the cheapest type of certificate. There are many sources that can be obtained (COMODO, LET’s ENCRYPT for example), most larger hosting providers give the opportunity to order through them. It should be noted the free certificate of LET’S ENCRYPT. It expires automatically every 3 months but is easily renewed by visiting a link you receive on your email or automatically through the cron on your site. – Wildcart certificates – certificates issued to a domain and all of its subdomains. Suitable for sites and businesses that use more subdomains. For example, we can give familiarity to any Wikipedia site. Any language version of the site uses its own subdomain en, es, bg … The price of this type of certificate is higher and it usually takes a few days to be issued as the publisher checks the company that wants to obtain such a certificate.

Exteded Validation certificates – the safest or at least the most authoritative certificate issued for the moment. It can only be issued by a small number of institutions, usually only in banking, legal or control institutions. Serious checks are carried out on the applicant for the certificate, from online, through personal to document checking. Issuing such a certificate may take several weeks.

2. Install.

2.1. Once you have completed the pre-training and selected and purchased an SSL certificate, you can proceed to the installation itself. There are many articles and video tutorials on the internet. Most hosting companies maintain sites on the sites, and if you can not help, you can ask for help from them.

2.2. After installing the SSL certificate, your site must also respond to the http: // site and the https: // site. In order to benefit from the transition to https and to avoid all the SEO issues that we described above (duplicate content, links, etc.), the old version should be dropped – redirect 301 to the new one. Еach page must be redirected to its https variants, with 301 indicating that redirection is permanent and search engines have to transfer everything they have about the http page to the https page.

However, before making the redirects, you must first make some edits to your site. You must have found in item 1.2 where your site’s database or (s) in your files has been given the name of your site http: // site. It should be changed to the https: // site in all these locations. If you try to perform the redirects before you make these changes, it is very likely that you will enter an infinite loop between your http and https variants or just your redirects will have no effect.
For example, if you are using WORDPRESS, change to Settings -> General Settings WordPress Address (URL) and Site Address (URL). This would change the address in the mysql database. If your option is locked for some reason, you can perform these edits through phpMyAdmin by editing the siteurl and home values ​​in the wp-options table, or by performing

UPDATE wp_options SET option_value = replace(option_value,
'http://сайт', 'https://сайт') WHERE option_name = 'home' OR option_name
= 'siteurl';

in the mysql console. Check also in wp-config.php whether or not there is a hardcode set to the http address of your site.

While you’re here, change all other internal links and items that use http in your address to load your resources.

For WORDPRESS, you can use the appropriate SQL commands:
UPDATE wp_posts SET guid = replace (guid, ‘http://site’, ‘https://site’);
UPDATE wp_posts SET post_content = replace (post_content, ‘http://site’, ‘https://site’);
UPDATE wp_postmeta SET meta_value = replace (meta_value, ‘http://site’, ‘https://site’);
to make the major database adjustments, but it will still be necessary to crawl your files to make the adjustments there as well.

2.3. Once you have edited your site, you can now perform the redirects themselves.
This can be done in several ways. If you use wordpress or another popular platform, you can find ready-made plug-ins or extensions to perform the corresponding redirects automatically.
Another option is to add a code for the redirect directly to the htaccess file. An example of such a code:

RewriteEngine On
RewriteCond% {HTTPS} off
RewriteRule (. *) https://%{HTTP_HOST}%{REQUEST_URI} [R, L]

It should be borne in mind that a site most often has two options: http://site and http://www.site that respond to its home page when it is called. By adding an SSL certificate they become 4, https://site and https://www.site. Depending on whether you want your site to have www or not in your name, you will need an additional redirect from www to www or vice versa.

2.4. Check your robots.txt file where it has http: and change it to https: (host element, link to sitemap)

2.5. Regenerate your sitemap.xml file to include only https links to your site pages.

2.6. Retract the site again to make sure you have not missed something. Test your site and check if the padlock is visible when you open it in your browser. If it is missing, then you miss something, check your console and fix it.

Pass your site through one (or several) online tools such as https://www.ssllabs.com/ssltest/analyze.html or https://www.whynopadlock.com/. If you have access to tools such as Website Auditor or Sermush, check it out and through them, and pay special attention to mixed content warnings or matching matches.

2.7. Once you’ve made the transition to https at the site level, you’ll also need to make the appropriate adjustments on the web. Apply the appropriate corrections to Google Search Console. Editing your social networking accounts, your sitelinks if you use the App, Google Analytics will also need to change the protocol.

If you have the ability to change external links to your site on other sites yourself, do so. If not, you may eventually contact their administrators for help. Of course, the 301 rows you did should ensure that these relationships are accepted and that their weight is maintained, but it is good to avoid needless transfers.

3. After migration. After completing migration and removing the mistakes that are almost inevitable, it’s a good idea to watch in the Google Console how to re-index your site and how to change your keyword ranking and visibility. Additional actions you may need to take will depend primarily on this data.