HTTPS is the secure version of HyperText Transfer Protocol (HTTP), the ‘S’ standing for ‘Secure’.
In its most basic form, it establishes an encrypted, secure connection between a user’s browser and the server that hosts a website. The data sent using HTTPS is secured with the Transport Layer Security (TLS) protocol, which provides 3 layers of protection:
A secure connection offers greater trust (visitors will be reassured that you are a responsible business), more transparency (your visitors will see that you own the domain name) and higher conversion rates.
Most importantly, Google has announced that hosting your website on a secure server is a positive ranking factor. (See: HTTPS ranking factor – Google Official Announcement.)
Dental Design is now offering our clients the opportunity to install HTTPS as part of our hosting package options. If you are interested, please get in touch.
First up you’ll need an SSL Certificate. You can usually get these direct from your hosting company or from a reputable SSL vendor. The advantage of buying through your host is that they’ll most likely help with the installation.
When you start looking, you’ll see that there’s quite a variety of SSL Certificates to choose from. Some of the most popular ones are:
Domain SSL – This is the most common type of SSL. Cheap, instant issue SSL which shows the padlock in the browser bar. Valid for one domain only.
Wildcard SSL – Similar to Domain SSL except also valid on subdomains of the same domain.
Organisation SSL – More expensive SSL which requires basic company verification and takes one or two business days to issue. Domain and company details appear in the certificate and a padlock will be shown in the browser.
Extended Validation (EV) SSL – This is the most expensive type of SSL which requires legal, operational and physical company verification. It takes three to four days to be issued and includes the full green secure browser bar feature.
Don’t get too hung up on the different types of certificate. They all work in exactly the same way. The only thing is that the more expensive ones have more of a verification process in place and the EV SSL has the green browser bar. Don’t think that just because you opt for the cheaper Domain SSL that you’re getting cheaper security – you’re not, they are exactly the same.
Once you’ve purchased your SSL certificate you’ll need to verify it. As explained above, with the Organisation and EV certificates this can involve providing additional information.
Assuming you go for the domain SSL, you’ll need to verify your domain by approving an email that is sent to one of a number of pre-specified email addresses (e.g. webmaster@YOURDOMAIN).
You can also get your SSL with or without www. – it’s purely down to personal preference.
Once you’ve verified, your hosting company can then install it on your domain for you. A dedicated IP address for your SSL is no longer strictly necessary, but some hosts may still require that you purchase one. Just check with your host and they’ll help you with this.
As with any task that involves changes to your website, it’s highly recommended that you run a full backup first. If you use a hosting control panel like cPanel, you can run this manually from there.
Now the fun starts. As you’re switching to HTTPS, any internal links in your site will still use HTTP unless they are changed. If you leave them as HTTP after switching to HTTPS they may return 404 errors when clicked on.
If you’ve got a small site you can probably update these yourself or if you’re not comfortable looking under the hood, then you can get a designer, developer or web professional to do this for you.
On that note it’s worth just pausing and considering this point because it’s important. If you’re genuinely not comfortable with making these types of changes to your website then you should definitely get some professional assistance. You can use this guide to help you understand the steps involved so that you can communicate with them on their level. If you don’t have anyone in mind then start with your hosting company to see if they can recommend anyone or use a freelance site like Upwork or Guru to find someone.
Top Tip: If you do decide to use a freelancer, don’t be frightened to ask them to take a test first using a tool like Test4Geeks. Reject any that score less than 80% – you only want to work with the ‘A’ Graders.
Of course if your site is large and has hundreds, maybe thousands of pages, then it’s not really feasible to do this manually. Fortunately there are tools that can automate this for you, especially if you’re using WordPress.
Once you’ve updated your internal links you should check to see if you have any external links that you control which you can update to HTTPS.
For example your social media profiles will have links to your site as will directory links. Wherever you have links where you have a login, you should go through and update them so they reflect the change to HTTPS rather than linking to the outdated HTTP address.
Of course, if you’ve got dozens or hundreds of external links pointing to you it’s not feasible to go round and ask all website owners to update these links. We’ll cover how to work around that shortly.
For now though, just run through the ones you do control and update them.
A 301 redirect is a way of permanently redirecting traffic from one URL to another. In this case it would be from the HTTP URL to the new HTTPS URL. This is usually something that you might do occasionally on a page-by-page basis, but in this case, as you’re moving your entire website to HTTPS, you need a more efficient way to achieve this.
The way that you do this depends on the type of web server that you use. The majority of websites will be hosted on LAMP servers (Linux, Apache, MySQL, PHP). In this case you need to make changes to the .htaccess file.
For Nginx this would be the Nginx configuration file.
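Whichever server configuration implements the redirect, the responses it produces can be checked against what this step requires: a permanent 301, an HTTPS target, and the same page on the same site. The following is an added example, not part of the original article; the function names and the example.com responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

def _bare(host):
    """Treat example.com and www.example.com as the same site."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit_redirect(requested_url, status, location):
    """Return the problems found in one response to a plain-HTTP request."""
    problems = []
    if status != 301:
        problems.append(f"status {status} is not a permanent (301) redirect")
    if not location:
        problems.append("no Location header")
        return problems
    src = urlsplit(requested_url)
    # Resolve relative Location values against the URL that was requested.
    dst = urlsplit(urljoin(requested_url, location))
    if dst.scheme != "https":
        problems.append("target is not HTTPS")
    if _bare(dst.hostname) != _bare(src.hostname):
        problems.append("target is a different host")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string not preserved")
    return problems

# Constructed sample responses: (requested URL, status code, Location header).
SAMPLE_RESPONSES = [
    ("http://example.com/treatments?id=7", 301, "https://example.com/treatments?id=7"),
    ("http://example.com/contact", 302, "https://example.com/contact"),
    ("http://example.com/blog/post-1", 301, "https://example.com/"),
    ("http://example.com/login", 200, None),
]

def audit_all(responses):
    """Map each requested URL to its list of problems (empty list = OK)."""
    return {url: audit_redirect(url, status, loc) for url, status, loc in responses}

if __name__ == "__main__":
    for url, problems in audit_all(SAMPLE_RESPONSES).items():
        print(url, "OK" if not problems else "; ".join(problems))
```

A redirect that sends every old URL to the HTTPS homepage passes a quick browser check but fails here, because deep links and bookmarks no longer reach their page.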
To double check your work there are tools that can scan your site for non SSL links. WordPress users even have their own Insecure Content Fixer plugin. Nice!
Again, if you’re not sure, get a web professional onboard to help you.
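As an added illustration of what such a scan looks for (this is not code from the original article or from any plugin named in it), the sketch below parses a page and reports internal links and embedded resources that still use http://. The site host example.com, the tag list and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute is fetched as part of the page (assumed subset).
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

class InsecureLinkScanner(HTMLParser):
    """Collect http:// references that should be switched to https://."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, kind, URL)

    def _same_site(self, host):
        host = host or ""
        return host == self.site_host or host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag in RESOURCE_ATTRS:
            url = attrs.get(RESOURCE_ATTRS[tag]) or ""
            if urlsplit(url).scheme == "http":
                self.findings.append((line, "http-resource", url))
        elif tag == "a":
            url = attrs.get("href") or ""
            parts = urlsplit(url)
            # Links to other people's sites are outside this step's scope.
            if parts.scheme == "http" and self._same_site(parts.hostname):
                self.findings.append((line, "internal-http-link", url))

def scan_html(html, site_host):
    scanner = InsecureLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page for a site hosted at example.com.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.com/contact">Contact</a>
<a href="/about">About</a>
<a href="http://other.example.org/">Partner</a>
<img src="http://www.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, url in scan_html(SAMPLE_PAGE, "example.com"):
        print(f"line {line}: {kind}: {url}")
```

Relative links such as `/about` need no change because they inherit the scheme of the page they appear on.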
If you use a Content Delivery Network (CDN) like Cloudflare then you’ll need to update your CDN SSL.
A CDN is a distributed set of servers across the globe that offers the double benefit of presenting your website files via the closest server to the person browsing, as well as being able to detect and prevent malicious traffic harming your website. Check first with your hosting company if you’re not sure whether you use one. If you do, then you’ll just need to contact your CDN provider and they will help you to configure your SSL.
These days running an effective online strategy involves a whole range of additional tools such as email marketing, marketing automation, social media, landing page generators or Customer Relationship Management (CRM) applications. You’ll need to run through them and double check that any HTTP links are switched to HTTPS. Likewise if you’ve got a billing system that sends out invoices or automated emails these will all need updating.
Of course, in step 6 above you’ve already set up the domain level HTTPS redirection, so to some extent this step is not really necessary. However, it just looks more professional if you’re using the correct URL, especially for billing related links such as invoices and client login areas.
Finally, double check any landing pages or paid search.
Nearly there. The final step is to update Google Search Console, Google Analytics and your sitemap.
In your Search Console you’ll need to submit the new HTTPS site. If you use an automatic sitemap generator then that should update automatically but if you have a manually generated sitemap then you’ll need to update it.
With Google Analytics you’ll need to set the default URL to HTTPS.