There’s no questioning about the importance of a secured website. Even Google made it a point that all website owners comply with its security protocol. Otherwise, you won’t really make it to the top of the SERPs and to make things worse, Google warns all people from continuing to browse through your website in a very shameful way.
The tech giant has obviously been stricter than ever when it comes to web security. It doesn’t want any of its users being in a face to face encounter with risks like malware or phishing and fraud. In fact, Google perviously announced its decision to add cybersecurity in its algorithm.
Google warned people who are entering their personal data in HTTP sites and those who are visiting all HTTP sites in Incognito mode. And it was completely implemented starting October 2018. Google said in its blog:
“Eventually, our goal is to make it so that the only markings you see in Chrome are when a site is not secure, and the default unmarked state is secure. We will roll this out over time, starting by removing the “Secure” wording in September 2018. And in October 2018, we’ll start showing a red “not secure” warning when users enter data on HTTP pages.”
And it still does the same up to this day.
Even before 2018, Google already revealed that it gives an edge to websites that are installed with SSL certificates. When installed on a web server, SSL activates that precious green padlock on the browser and the https protocol. This will then allow a secure connection from a web server to a browser.
For newbies to understand this better, you can only put in mind that SSL certificates add a layer of security that prevents suspicious people from accessing data that your website collects from your visitors. This includes data captured by cookies or those that are saved by users when they make an account on your website. This is especially useful to an e-commerce website that’s trying to earn shoppers’ trust.
It’s not just Google that recognizes the importance of having a secured website. Almost all major search engines today like Safari and Firefox already have their security protocol for better rankings. And their criteria for judging whether your website is safe or not is more thorough when it requires credit card or bank account entry.
Web owners benefit in these security rules in more ways than the visitors, though. Having a website in an HTTPS setup makes it harder to be injected with uninvited ads that contain malware. Its apps are cleaner, hence making its performance faster. Google telling users that your site is safe will boost your credibility and of course, when that happens, you’ll earn your own loyal users, up your ranking, and ensure higher profitability.
So with all those said, let’s now look into the steps on how you can shift your website to a secure setup.
HTTPS setup is simple. But the preparation before shifting from HTTP to HTTPS is a bit arduous.
Before buying an SSL Certificate and setup to HTTPS, you should first prepare these 4 things:
- Sales – If your website already started making money, set a good schedule to convert it to HTTPS. Obviously, you should not choose the peak time in your site. Check your analytics to determine the time when your traffic is slow and that is when you should do the shift. Also, expect some downtime so maybe a night schedule for the shift will be perfect.
- Hosting – Make sure that your host is capable of supporting and HTTPS website. If not, then look for another provider.
- Team – If you are working with a team, be sure to orient them first with what’s going to happen. The persons most important in this shift are the developers, sales team members, and visitors. Be sure to post an announcement on your website about the shift and the schedule so they’d be prepared – for visitors, they can finish their transactions and for your team, they can save whatever they are currently working on.
- You – this will cost you a couple of bucks so check your budget if it’s enough to by SSL certificate or maybe signup with another hosting. This will also take time and effort so once you start the process, you should know that you’ll need to switch links and set up redirects so be sure to have someone in your team who knows to do all these things.
2. Purchase SSL Certificates
Buying SSL Certificates is easy. You just need to find the right place to buy from and there are tons of them online. In fact, to make things more convenient for you, most web hosting providers already include free SSL certificates in their plans.
The popular Hostgator is one of the many web hosting service providers that already include SSL in your subscription. GoDaddy, Hostinger, Bluehost, and HostPapa are others.
If you are buying the certificate because you are already happy with the hosting service but it doesn’t come with free SSL, then know that the least expensive out there can be worth $10.
But you need to check the difference between www.website.com and website.com. A standard SSL certificate won’t cover both but a pricier one will be necessary for the setup.
And here’s the thing, the pricier SSL Certificates display a green lock in the address bar to indicate that your website is safe. Consequently, it increases your credibility and your sales will follow.
3. Configure SSL Certificate With Your Hosting
When your hosting doesn’t come with SSL Certificate, you will have to generate keys from the SSL seller and paste them in your website’s host control panel. After you configured your website properly, warnings popping up about invalid SSL certificates will disappear. That’s when you know that you are doing the right thing. If you aren’t sure, always use the Support of the seller.
After that, clear your website’s cache completely to see if the changes you want are applied. Also, let other people who haven’t visited the site before to check the HTTPS pages.
Note that if you haven’t configured the site properly, it will be redirected back to HTTP site. Also, remember that every web host is a bit different from each other. Some would have an entirely separate folder for HTTPS. So again, if you are doubtful, you should call your provider for confirmation and assistance in setting things up.
4. Convert all your links to HTTPS
Now, this is where the tedious task begins. Using Content Management System (CMS) will be greatly useful here as it makes the work faster with its own generated links.
But for non-CMS generated links, here’s what you should do:
- Get all links that aren’t CMS-generated. Check everything from CDN to links to pages, and images, as well as JavaScript. Create a tracker so you won’t be confused later on, most especially when you are shifting an e-commerce website with a hundred pages in it.
- Change to relative link paths. For example, if the link is “https://www.website.com/link” then it should be listed as “/link”—doing this will save you time from switching everything from HTTPS to the old site setup if you ever think, along the way, that you aren’t ready yet.
Be sure the links start with “/”, otherwise, you will encounter issues in your website.
- Test your new links. Clear the cache and then check every link you changed. HTTP links should be redirected to HTTPS now.
And for CMS-generated links, here are the steps you need to follow:
- Look into your CMS-generated links to see what needs updating. Sometimes, the CMS make mistakes too in creating URL. Watch out for the “{{unsecure_base_url}}website.html. This is a relative link or “/website.html”
- Login to the backend of your website and go to System. Find the Configuration tab and Secure tab to see that the settings are correct:
- Base URL should end in slash like https://website.com/
- Choose yes for:
- Use Secure URLs in Frontend
- Use Secure URLs in Admin
- For WordPress users, you should change the web URL and add some code to inject HTTPS in the admin account.
After doing all these, it’s time to look for errors. At this point, all of your links should have been changed already to HTTPS. But I haven’t heard of anyone who got it right all in first try.
So to find errors, you should visit your link through search engines; right-click an element; then select Inspect Element. This will show you the Console for errors. Another way to look for errors is to inspect the source code of any page and search for HTTP links. Be sure to settle this matter at once because mixed HTTP and HTTPS links will hurt your SEO rankings.
5. Setup 301 Redirects or Use HSTS
Finally, you have to redirect all incoming traffic from your old link to the new ones. This is a crucial step, most especially for websites that already have traffic in all their links. Otherwise, you’ll lose the hard-earned traffic and start from zero.
Set up a redirect for all HTTP to HTTPS. This can be fairly easy by just adding some code in your .htaccess file in your root folder. Add:
- RewriteEngine On
- RewriteCond %{HTTPS} off
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
After doing this, test your website if it’s still functional and see to it that any request made on your website are redirected to HTTPS URL.
Another way is to use HTTP Strict Transport Security (HSTS). This forces all connections to be redirected to HTTPS. Most browsers except for Internet Explorer support HSTS.
Final Words
Shifting your HTTP site to HTTPS may require a lot of tasks. If you aren’t tech-savvy or proficient in web development, then you might have to spend extra cash to have it setup to HTTPS.
But don’t worry because your investment will be worth it. Search engines greatly favor secured sites. If you are going to weigh between a heavily invested but safe site and a low-cost site but unsecured, you will certainly see a higher profit from the secured one. Your ROI will be tenfold. So don’t hesitate to spend $10 or $100 a year to make our site safe because ti can mean $10,000 profit per month for you.
