It is recommended that all websites run under HTTPS even if they do not collect private information or process financial transactions. Even Google says so.
There are a few different ways we implement HTTPS for our clients.
- Traditional
- Let’s Encrypt
- Cloudflare
- Sucuri Web Application Firewall
Traditional HTTPS Implementation
The traditional way to implement HTTPS has always been to buy an SSL Certificate from your web host or domain registrar, validate the information with the Certificate Authority, install the SSL Certificate through cPanel (typically), ensure your site URL is set to https://www.yourdomain.com, and then renew the SSL Certificate every year.
The traditional method is good for all types of websites, including eCommerce and businesses that prefer an Organizational or Extended Validation certificate.
If a basic SSL certificate suits your needs, there are other ways to implement HTTPS, and many of them are free.
Let’s Encrypt
If your web hosting company supports it, Let’s Encrypt is a great way to acquire a free SSL and implement HTTPS. Let’s Encrypt is a service that issues SSL certificates and eliminates many of the complexities of manual implementation.
Sounds great, doesn’t it? It is.
Web administrators generally do not work directly with Let’s Encrypt. Instead, they work through a web host company that offers this option and already has an API that integrates with it.
One of our preferred hosting providers, SiteGround, offers free SSL certificates for web hosting customers through Let’s Encrypt.
So, good news, if you’re a SiteGround customer or would like to become one (just let us know, we can help!). It’s easy to get your site up and running under HTTPS.
Cloudflare
Cloudflare is similar to Let’s Encrypt, but it's a bit easier to use and includes some bonus features. They are another one of the few providers that offer basic SSL protection free of charge.
Free Cloudflare accounts allow you to run HTTPS. They even include a rewrite feature to ensure you are FULLY HTTPS and not serving mixed content (some secure, some not). You can also obtain upgraded SSL certificates through Cloudflare.
Read about mixed content and Automatic HTTPS Rewrites | Cloudflare.
However, because Cloudflare works the way it does, this option provides only partial encryption and should be used only on basic websites without eCommerce.
Sucuri – Web Application Firewall (Smart Solutions Managed Solutions Plan)
One benefit our Magento Managed Solutions Plan and WordPress Managed Solutions Plan customers take advantage of is the Sucuri Website Application Firewall (WAF) and a free SSL. A firewall helps stop website hacks and attacks. Managed Solutions Plan customers receive a free SSL certificate through this service.
Running your site through a firewall delivers many benefits:
- Run sites over HTTPS
- Automatically rewrite non-HTTP content
- Block spam, malware, and other malicious bots from accessing your site
- Add a layer of caching to speed up the delivery of your site to visitors and increase performance
Migrating Your Site from HTTP to HTTPS
1. Acquire an SSL Certificate
For starters, you’ll need an SSL certificate. The section above outlines various options for obtaining an SSL certificate. Regardless of the option you choose, you will need to plan your HTTPS migration and schedule time for it.
2. Check External Scripts and Services
Most sites these days run external scripts or use 3rd-party services such as non-Google analytics tracking, JavaScript libraries, or Google Fonts. 3rd-party code embedded in a website that is not HTTPS can cause validation issues, so have your developer review your site's code when migrating. Review all scripts and ensure they run over HTTPS. If some are not, check whether an HTTPS version is available. Sometimes this is as easy as changing the script's URL from HTTP to HTTPS.
3. Social Share Counts
One side effect of moving to HTTPS is a change in the URL – from http://yourdomain.com to https://yourdomain.com. Social sites often treat these as two different URLs, which can affect your sharing counts. For example, if a blog post has 30 Facebook shares, Facebook will not accurately report the share count. You will need to check whether your social plugin supports “share recovery.”
4. Migrate to HTTPS
If you’re running WordPress and aren't a developer, there are plugins that can simplify the HTTPS migration. We recommend using Really Simple SSL. The plugin won’t do everything for you, but it saves time and is as simple as activating the plugin and enabling SSL.
A plugin is not necessary, however. You can also simply change the URL in the Settings of the WordPress dashboard and update any redirects you may have via a plugin or htaccess.
5. Test and Check for Errors
You’re almost done, and hopefully, everything is working correctly. However, it’s good practice to double-check and make sure there are no hidden problems. An easy way to do this is to use the SSL Server Test tool from Qualys SSL Labs.
The tool will provide a certificate summary that looks something like this:
6. Force a Re-crawl and Update Citations
It’s good practice to let Google know when you make these types of site changes. One way is to force a re-crawl of the site. Google will naturally re-crawl on its own, but you can speed up the process using Google Search Console.
If your site isn’t already set up as a property in Search Console, this is a great time to do that. You simply need to create an account, add the site as a property, and then verify it.
Usually, this is done by uploading an HTML file via FTP or by inserting code into the site's head. If you are running an SEO plugin like Yoast SEO, you can verify your search console (and analytics) connections in the plugin directly.
Updating Citations
You should also update your URL on any local and social properties. These are called citations.
Some typical places you may need to update your URL after you migrate to HTTPS:
- Facebook Business Page
- Google Places
- Google Plus
Best Practices for Maintaining HTTPS on Your Site
Moving forward, you should always be careful when adding new functionality and features to your website, and make sure any external scripts you link to are from a secure source and run over HTTPS. This is the biggest culprit for making a site non-HTTPS. One way to check this is to use the SSL Server Test tool.
How to install SSL certificates
Explore More Resources
