
How to Migrate Your Website to HTTPS: A Complete Step-by-Step Guide

Everything you need to know about migrating your website from HTTP to HTTPS without losing traffic, rankings, or functionality — including SSL certificate setup, redirect configuration, and post-migration verification.

SiteReveal Team
11 March 2025 · 9 min read

Migrating from HTTP to HTTPS is one of the most important technical changes you can make to your website. HTTPS encrypts traffic between your server and visitors, protects user data, satisfies browser security requirements, and is a confirmed Google ranking factor.

Despite its importance, many website owners delay the migration out of concern about losing search rankings or breaking functionality. This guide walks through the complete migration process in a way that minimises risk and ensures you retain your traffic and rankings.


Why HTTPS Is Non-Negotiable in 2025

Chrome and Firefox display a "Not Secure" warning in the address bar for all HTTP pages. This warning is shown to every visitor, on every page, and it directly reduces trust and conversion rates.

From an SEO perspective, Google confirmed HTTPS as a ranking signal in 2014 and has progressively increased its weight since. Sites still on HTTP are at a measurable disadvantage in competitive search results.

From a SiteReveal perspective, HTTP is the only signal that results in an automatic Security score of 0, regardless of all other security measures. It is the single highest-impact change you can make to your Website Intelligence Score™.


Before You Start: Pre-Migration Checklist

Before making any changes, complete these preparation steps:

1. Crawl your current site. Use Screaming Frog, Sitebulb, or a similar crawler to generate a complete list of all HTTP URLs on your site. This list will be used to verify that every URL has a working redirect after migration.

2. Document your current rankings. Export your current keyword rankings from Google Search Console or a rank tracking tool. You will use this as a baseline to detect any unexpected ranking changes after migration.

3. Record your current traffic. Note your current organic traffic levels in Google Analytics. A successful migration should show no significant traffic drop; a drop indicates a problem with redirects or indexation.

4. Identify all internal links and hardcoded HTTP references. Search your codebase and database for hardcoded http:// references to your own domain. These will need to be updated after migration.

5. Identify third-party integrations. List all third-party services that have your domain registered (Google Analytics, Google Search Console, Facebook Pixel, email service providers, payment processors). These will need to be updated to your HTTPS URL.


Step 1: Obtain an SSL/TLS Certificate

An SSL certificate is the cryptographic credential that enables HTTPS. There are several ways to obtain one:

Let's Encrypt (Free)

Let's Encrypt is a free, automated certificate authority trusted by all major browsers. It is the right choice for most websites.

Via Certbot (Linux servers):

```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yoursite.com -d www.yoursite.com
```

Certbot automatically configures Nginx and sets up auto-renewal. Let's Encrypt certificates expire after 90 days; Certbot handles renewal automatically.

Hosting Provider Certificates

Most managed hosting providers (Cloudflare, WP Engine, Kinsta, SiteGround, Netlify, Vercel) provide free SSL certificates with one-click activation. If you are on managed hosting, check your control panel for an SSL or HTTPS setting before attempting manual installation.

Commercial Certificates

For organisations that require extended validation (EV) certificates — which display the organisation name in the browser address bar — commercial certificates from providers like DigiCert or Sectigo are available. For most websites, Let's Encrypt is sufficient.


Step 2: Configure Your Server for HTTPS

After installing the certificate, configure your server to serve content over HTTPS.

Nginx Configuration

```nginx
server {
    listen 443 ssl http2;
    server_name yoursite.com www.yoursite.com;

    ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;

    # Modern TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (add after confirming HTTPS works correctly)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Your existing site configuration
    root /var/www/yoursite;
    index index.html;
}
```

Apache Configuration

```apache
<VirtualHost *:443>
    ServerName yoursite.com
    ServerAlias www.yoursite.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yoursite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yoursite.com/privkey.pem

    # Modern TLS
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder off

    # HSTS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
```

Step 3: Set Up 301 Redirects from HTTP to HTTPS

Every HTTP URL on your site must redirect to its HTTPS equivalent with a 301 (permanent) redirect. This tells search engines that the move is permanent and transfers the ranking authority from the old URL to the new one.

Nginx redirect:

```nginx
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://yoursite.com$request_uri;
}
```

Apache redirect (.htaccess):

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Important: Also redirect the non-www version to www (or vice versa) to consolidate your canonical domain:

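```nginx
# Redirect www to non-www
# (remove www.yoursite.com from the main HTTPS server block's server_name,
#  otherwise nginx reports a conflicting server name and ignores this block)
server {
    listen 443 ssl;
    server_name www.yoursite.com;

    # An ssl listener needs a certificate even if it only redirects;
    # the certificate issued in Step 1 covers www.yoursite.com.
    ssl_certificate /etc/letsencrypt/live/yoursite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.com/privkey.pem;

    return 301 https://yoursite.com$request_uri;
}
```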

Step 4: Fix Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Browsers block or warn about mixed content, which can break your site's appearance and functionality.

How to find mixed content:

  1. Open Chrome DevTools → Console. Mixed content errors appear as warnings.
  2. Use the "Security" panel in DevTools to see a summary of mixed content issues.
  3. Run a SiteReveal scan — mixed content is detected as part of the Security dimension analysis.

How to fix it:

  • Update all hardcoded http:// references in your HTML, CSS, and JavaScript to https:// or protocol-relative //
  • In WordPress, use the "Better Search Replace" plugin to update database references
  • For images served from your own domain, the HTTP-to-HTTPS redirect will handle them automatically
  • For third-party resources, check whether the provider supports HTTPS (most do) and update the URL
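
The search for http:// references described above can be scripted. This is an added example, not part of the original guide or any SiteReveal tool: it parses a page's HTML and reports only the http:// URLs a browser would fetch as subresources, separating active content (scripts, stylesheets, iframes) from passive content (images, media) and own-domain from third-party hosts. The sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}   # typically blocked
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}  # warned about

class MixedContentFinder(HTMLParser):
    """Collect http:// subresources that an HTTPS page would load."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = set(own_hosts)
        self.findings = []  # (line, tag, kind, origin, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return  # rel=canonical and similar are metadata, not fetched resources
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)  # <a href> is navigation: skipped
        url = (attrs.get(attr) or "").strip() if attr else ""
        if not url.lower().startswith("http://"):
            return  # https://, relative and // URLs do not downgrade the page
        kind = "active" if tag in ACTIVE else "passive"
        origin = "own" if urlsplit(url).hostname in self.own_hosts else "third-party"
        self.findings.append((self.getpos()[0], tag, kind, origin, url))

def find_mixed_content(html, own_hosts):
    finder = MixedContentFinder(own_hosts)
    finder.feed(html)
    return finder.findings

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="canonical" href="http://yoursite.com/page">
<link rel="stylesheet" href="http://yoursite.com/css/main.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://partner.example.org/">Partner</a>
<img src="http://yoursite.com/img/logo.png">
<img src="//yoursite.com/img/hero.png">
<script src="https://yoursite.com/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE, {"yoursite.com", "www.yoursite.com"}):
        print(*finding)
```

The canonical tag and the outbound `<a>` link are not reported because they are not mixed content; the canonical tag still needs the separate update covered in Step 5.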

Step 5: Update Internal Links and Canonical Tags

Update all internal links in your CMS or codebase from http:// to https://. While redirects will handle these automatically, updating them directly eliminates unnecessary redirect hops and is cleaner for SEO.

Also update your canonical tags:

```html
<!-- Before migration -->
<link rel="canonical" href="http://yoursite.com/page">

<!-- After migration -->
<link rel="canonical" href="https://yoursite.com/page">
```

Step 6: Update Third-Party Services

Update your domain in every third-party service that has it registered:

| Service | Where to Update |
| --- | --- |
| Google Search Console | Add new HTTPS property; verify ownership |
| Google Analytics | Admin → Property Settings → Default URL |
| Google Ads | Campaign settings and conversion tracking URLs |
| Facebook Pixel | Events Manager → Data Sources |
| Email service provider | Domain authentication records |
| Payment processors | Webhook URLs and allowed domains |
| CDN | Origin server URL |

Step 7: Submit Your Updated Sitemap

Update your XML sitemap to use HTTPS URLs and resubmit it to Google Search Console. This accelerates the re-crawling of your pages under their new HTTPS addresses.

In Google Search Console:

  1. Add and verify the HTTPS version of your site as a new property
  2. Submit your updated sitemap at https://yoursite.com/sitemap.xml
  3. Use the URL Inspection tool to request indexing of your homepage

Post-Migration Verification

After completing the migration, verify that everything is working correctly:

Immediate checks (within 24 hours):

  • HTTPS loads correctly on all pages
  • HTTP redirects to HTTPS for all URLs
  • No mixed content warnings in browser console
  • Google Search Console shows no crawl errors for HTTPS property

Short-term monitoring (first 2 weeks):

  • Organic traffic is stable (compare week-over-week in Google Analytics)
  • Rankings are stable (check your pre-migration baseline)
  • Google Search Console shows HTTPS pages being indexed

Run a SiteReveal scan after migration to verify your Security score has improved and that HTTPS, HSTS, and other security signals are correctly detected. A successful migration should bring your Security dimension score to at least 60 (assuming other security headers are in place) and your overall WIS into the Modern band or higher.


Common Migration Problems and How to Fix Them

Problem: Traffic drops after migration
Cause: Redirects are not passing link equity correctly, or some pages are returning 404 instead of redirecting.
Fix: Audit your redirect chain — every HTTP URL should return a 301 to its exact HTTPS equivalent. Use Screaming Frog to crawl both the HTTP and HTTPS versions and compare.
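
The redirect audit from this fix and from Step 3 can be run over the URL list produced by the pre-migration crawl. The following is an added example, not code from the original guide: it classifies each HTTP URL's redirect chain as a single permanent hop to the exact HTTPS equivalent, a chain, a temporary redirect, a wrong target, or an error. The function names, the canonical host `yoursite.com` and the sample hop lists are assumptions constructed for illustration; `fetch_hops()` needs network access and is not called on the sample.

```python
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit
PERMANENT = {301, 308}  # 308 is the other permanent redirect status

def expected_https(url, canonical_host=None):
    """Exact HTTPS equivalent: same path and query, optionally one canonical host."""
    p = urlsplit(url)
    return urlunsplit(("https", canonical_host or p.netloc, p.path or "/", p.query, ""))

def fetch_hops(url, max_hops=5):
    """Follow redirects by hand (needs network) so each hop's status is recorded."""
    hops = []
    for _ in range(max_hops):
        p = urlsplit(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = cls(p.netloc, timeout=10)
        conn.request("HEAD", (p.path or "/") + (f"?{p.query}" if p.query else ""))
        resp = conn.getresponse()
        loc = resp.getheader("Location")
        conn.close()
        hops.append((resp.status, urljoin(url, loc) if loc else None))
        if not (300 <= resp.status < 400 and loc):
            break
        url = hops[-1][1]
    return hops

def classify(url, hops, canonical_host=None):
    """hops: [(status, absolute Location or None), ...] for one crawled HTTP URL."""
    redirects = [h for h in hops if 300 <= h[0] < 400]
    if not redirects:
        return "served-over-http" if hops and hops[0][0] == 200 else "error"
    if any(status not in PERMANENT for status, _ in redirects):
        return "temporary-redirect"
    if hops[-1][0] != 200:
        return "broken-target"
    if redirects[-1][1] != expected_https(url, canonical_host):
        return "wrong-target"  # e.g. every old URL sent to the homepage
    return "ok" if len(redirects) == 1 else "redirect-chain"

# Constructed sample: hop lists in the shape fetch_hops() returns.
SAMPLE = {
    "http://yoursite.com/pricing": [(301, "https://yoursite.com/pricing"), (200, None)],
    "http://www.yoursite.com/blog?page=2": [(301, "https://www.yoursite.com/blog?page=2"), (301, "https://yoursite.com/blog?page=2"), (200, None)],
    "http://yoursite.com/old-page": [(301, "https://yoursite.com/"), (200, None)],
    "http://yoursite.com/contact": [(302, "https://yoursite.com/contact"), (200, None)],
    "http://yoursite.com/docs": [(404, None)],
}
def audit_sample():
    return {u: classify(u, h, "yoursite.com") for u, h in SAMPLE.items()}
```

Against a live site, replace the sample with `{u: fetch_hops(u) for u in crawled_urls}` and investigate every result other than `ok`.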

Problem: Google is still indexing HTTP pages weeks after migration
Cause: Google has not yet re-crawled all your pages.
Fix: Submit your HTTPS sitemap in Search Console and use the URL Inspection tool to request indexing of key pages. This is normal and resolves within 2–4 weeks for most sites.

Problem: HSTS is preventing access to the site
Cause: HSTS was enabled before HTTPS was fully working, and the browser is now refusing to load HTTP.
Fix: Clear the HSTS cache in your browser (chrome://net-internals/#hsts) or use a different browser. Only enable HSTS after confirming HTTPS works correctly on all pages.
