Buying your HTTPS Certificate

  1. Understand what security certificates are

    To serve secure pages via HTTPS, your site needs to hold a security certificate. This is a file which enables encrypted communication between a browser and your website. Think of it as a digital passport which verifies your site's identity. While researching HTTPS certificates, you may see the terms SSL or TLS, which are technologies used to power HTTPS encryption.

  1. Find a certificate authority

    Just as you can only get a passport from the Passport Office, you can only get a security certificate from a certificate authority. Your web host may have registered to be a certificate authority. Or, your developers or SEO agency may be happy to recommend one. Either way, ensure they are a reliable, trustworthy company and offer technical support. Their help will be invaluable as you migrate your website to secure HTTPS.

  1. Choose a suitable security certificate for your site

    There are three types of security certificate for serving HTTPS webpages: single, multi-domain, and wildcard. Which option is right for you depends on your site structure.

    • A single certificate is suitable if your website is only on one subdomain. (e.g.,
    • A multi-domain certificate is appropriate for sites with a few established subdomains. (e.g., and
    • A wildcard certificate is necessary for websites with dynamic subdomains. (e.g.,,, and so on.)

    Look for a security certificate that offers a 2048-bit key. This ensures your website's HTTPS encryption is as good as impossible to crack. (If you already have a security certificate with a weaker key, you should upgrade it as part of your HTTPS migration process.)

  1. Add the security certificate to your website

    Ask your developers to install the security certificate on your website's server. Your server should use SHA-2, which is the most modern way to verify data is secure. (It's predecessor SHA-1 is no longer supported by many modern browsers. If you use it, upgrade as soon as you can.)

    It is also worth asking if your server supports HSTS. This clever technology makes it easier for users and search engines to find your secure HTTPS pages.

  1. Serve HTTPS content on a test version of your site

  2. At this stage, ask your developers not to serve HTTPS content to your end users. Thorough testing is essential, so see if they can instead serve HTTPS on a test or staging version of your website. (Make sure this testing site is private, and not accessible by your users or search engines.)

    Your test site provides a safe place to complete the next steps of our HTTPS migration guide, and to see how they affect your website.

  3. Typing the URL into the browser address bar for a new HTTPS website

Installing your HTTPS Certificate

  1. Build lists of content on your live and test sites

    When moving to HTTPS, one of the biggest mistakes you can make is poor planning. It's important to work out which URLs on your site will change. To begin, build a list of all addresses on your site, before and after your HTTPS website migration. The most practical and reliable way to do this is with a web crawler, such as Screaming Frog. This visits every link on your website, and lists what each page contains. Run crawls on your live and test sites, so you can compare the two.

  1. Create a map of addresses which will change

    For each address listed in the crawl of your live site, identify the most relevant page on your test website. How easy this is will depend on how much your site is changing when you move to HTTPS. A good way to keep track of these changes is in a spreadsheet ‘map’. Enter the complete list of old URLs in the first column, and their new, secure equivalents in the second. (Make sure the addresses in the second column begin with "https"!)

  1. Work out redirects to match your map

    It is vital that your old on-secure addresses redirect to your new HTTPS addresses. This stops previous visitors – including search engines – from getting lost. Work with your SEO agency or developers to set up a list of rules which rewrite your website's URLs as per your map.

    Best practice is to have just one redirect from HTTP to HTTPS. It is essential this redirect sends a 301 status code, meaning the change is permanent. If you use a 302, search engines will dismiss the change as temporary, and you may lose rankings and traffic.

  1. Test your redirects actually work!

  2. Ask your developers to set up your rewrite rules on the test version of your site. Then, test them! Incomplete or incorrect redirects are among the most common reasons for a failed HTTPS migration. Faulty redirects will break links to your website, reducing traffic and ruining search rankings.

    Reviewing 301 redirects by hand will be impractical for all but the smallest of sites. Instead, use a web crawler to check all old pages now redirect to their secure HTTPS equivalent. Any tool worth its salt will let you paste in a list of old page URLs to review.

  3. A non-secure website URL redirecting to a secure HTTPS webpage
  1. Update HTTP links throughout your site

    Browsers will not display a green padlock symbol unless everything on the page is secure. So, you must reference all files on your website via HTTPS. Be sure to update:

    • Internal links to other pages on your site.
    • Links to images, style sheets and scripts. (Even ones you don't host, such as social media sharing buttons.)
    • Canonical URLs, used to tell search engines the preferred address of each page.
    • hreflang tags, if your site provides content targeting different countries or languages.

    Yet again, the easiest way to find insecure resources is with a web crawler. Screaming Frog, for example, provides a list of all HTTP files and the pages which link to them. Crawlers are invaluable!

  1. Test for warnings on your forms

  2. Because forms send sensitive data, browsers are extra cautious when they are not secure.

    They can warn users submitting an insecure form via dialog boxes, or full-page interstitials. Either style of warning will have a catastrophic impact on your form submission rate. Test all forms with the most common browsers used to visit your website.

    If you use Google Analytics, it's easy to find out which browsers you should test. First, go to Audience > Technology > Browser & OS. Then, in the Secondary Dimension drop-down, type "Browser Version".

  3. Non-secure content warnings from the web browsers Google Chrome and Internet Explorer

Launching your HTTPS Site

  1. Verify your old and new sites in Google Search Console

    Make sure you have added your website to Google Search Console. You should do this twice: once for HTTP, and once for HTTPS. (For instance, if your website is, check you have verified and You should verify both versions of the site within the same Google account. Be sure to verify your live HTTPS site address, and not the test one!

    Setting this up before the migration will help you find and fix any errors. It will also make it easier to submit your HTTPS site to Google.

  1. 3… 2… 1… activate!

    Congratulations on your thorough preparation. You have given your HTTPS migration the best possible chance of success. It's now time to activate your secure website.

    We recommend launching at a time of the week when your analytics suggests traffic will be low. This minimises inconvenience, and reduces the impact of teething problems. As traffic is usually lowest overnight, this may be impractical. In this case, activate your HTTPS site right at the start of a working day. This will give you plenty of time to check everything works on your website!

Testing your HTTPS Site

  1. Check everything works on your site

  2. This stage is vital for a successful move to HTTPS. Repeat all the tests run on your test site, but this time on your live site. Do legacy URLs redirect? If so, is this via permanent 301 redirects? (Remember: if it's via temporary 302 redirects, incoming links to your HTTPS website will carry no SEO value.)

    Again, test forms by hand in a variety of browsers, and use a web crawler to find legacy HTTP resources. A crawler will also identify broken links on your website, and now is a good time to remove them. In particular, look for links to your test site which you'll need to update.

  3. Using the Screaming Frog web crawler to test pages redirect to HTTPS after migration
  1. Check your analytics works, too

    Analytics is invaluable after you make a significant change to your site. Unfortunately, a significant change to your website can easily break analytics. For example, if your tracking code is missing it will stop data being collected. You might miss out event tracking, and lose visibility of your conversions. Or, your tracking code may be fine, but an old filter might block your new data.

    Check you're tracking all the data you want, across your whole site. If you have a web crawler with a search function, there's a quick way to find pages missing your tracking code. (If not, skip ahead.) The search facility looks for text of your choice within your pages. In Screaming Frog, it's found at Configuration > Custom > Search. Find your Google Analytics, Tag Manager, or other analytics tracking ID. This is usually displayed in the admin area. Paste this ID into the search box, and choose to find pages which don't contain it. Finally, crawl your website!

Optimising your HTTPS Site

  1. Transfer your backlink disavow file

    Google penalise sites with low-quality inbound links to discourage underhand SEO tactics. Owners of affected websites must collate their bad links and seek to have them removed. Then, the owner can submit a disavow file. This lists any leftover links and asks Google to discredit them. If any of this sounds familiar, the next paragraph is critical!

    When you migrate your website to HTTPS, your disavow file does not transfer automatically. This can lead to your secure site receiving an instant penalty! It's easy to avoid this common pitfall. First, find your HTTP site within Google Search Console and download your disavow file. Then, upload it via the Disavow Links tool, choosing the secure HTTPS version of your website from the drop-down. This will help protect your HTTPS site from penalties such as Google Penguin.

  1. Generate a new XML sitemap

    Your XML sitemap is a list of all the pages on your site that you'd like to appear in search engines. It lists each page's URL, how often its content changes, and how important it is within the context of your website. Now you've relaunched your site as HTTPS, it is important to generate a new sitemap to match. How you do this will depend on how you manage your website. Quite often, it's toggled from within your content management system.

  1. Submit your sitemap to Google Search Console

  2. Once you have updated your XML sitemap, it's important to submit it to Google Search Console. To do this, go to Crawl > Sitemaps and click "Add/Test Sitemap". Once complete, go to Crawl > Fetch as Google and 'fetch' the new HTTPS homepage. Finally, click "Submit to Index" and select "Crawl this URL and its direct links". These steps help Google detect the changes to your site, and encourage a fresh crawl.

  3. 'Fetch as Google' - fetching the HTTPS website homepage via Google Search Console
  1. Keep an eye out for warnings and bugs

    Google will flag any issues with your website as warnings in Google Search Console. You should check this daily for at least a couple of weeks after launch. Warnings may appear for the retired HTTP site, or the new HTTPS site, so watch both. You should also monitor your analytics. Have any areas of the site lost traffic? Are any channels underperforming? Investigate discrepancies, as they could highlight bugs. If you're confident the website is working well, remember to check your analytics implementation too.

Make your Site Even Better

  1. Forecast your traffic and improve your user experience

    Well done! If you've followed the steps in this guide, your website serves secure content via HTTPS. Pat yourself on the back – and then ask how you make it even better. You could improve your mobile user experience by building Accelerated Mobile Pages. Or, you could forecast your traffic, to help make data-driven decisions about your site.

    Whichever interests you most, RocketMill have great guides and tools for marketers like you.

  2. Our Google AMP microsite, built using Accelerated Mobile Pages

    AMP from Google:

    What You Need to Know About 'Accelerated Mobile Pages'

    Read our blog post

  3. Free statistically accurate traffic forecasts via our Forecaster tool


    Data-driven, Statistically Accurate Forecasting in Seconds

    Launch Forecaster