Back to Blogs Back to Blogs

How to Move From HTTP to HTTPS Plus 8 Common Pitfalls to Avoid!

SSL certificates and encryption have been around, well, since long before online transactions. Many sites have been using it for bits and pieces that need protecting, like account settings. In recent years, malware, hijacking, hacking and cybercrime are all terms that the mainstream public have become familiar with. This is something the media has also cottoned on to, leading to a tendency to report on issues surrounding online security. And due to the increase in public awareness, as well as the willingness of search engines and software providers to call it out, some much needed changes have come about. This is why moving from http to https has become so much more important in recent years!


Back in 2013-14, Google and others started publicly taking the subject very seriously. If you had been hacked in Google’s Webmaster Tools back then, you’d receive a notification, with a warning included in the SERPs by your snippet to tell potential customers. Chrome browser added icons to the address bar to alert people that the security wasn’t up to standard, with interstitial pages giving you options about continuing at your own risk!


When Matt Cutts, then head of Google’s web spam team, publicly stated that https would be important for SEO in the search engines, people quickly mobilised. The early adaptors moved in mere days, big corporates added it to their backlog, and SME’s unfortunately found themselves in a position of being in limbo.


The process of changing from http to https is getting easier and easier as time progresses. WordPress has made a function to aid the move, and as it makes up a large percentage of the public web, it’s a massive leap forward.


Here’s a helpful checklist for successfully evaluating whether a move to https is necessary for your site, and how to plan the move!



– Buy and install the correct SSL certificate.
– Make sure all URL’s 301 to the https version. This is usually done at the load balancers.
– Check for broken links. Ensure all links are relative and still work. No hardcoded absolute links here.
– Make the appropriate ‘under the hood’ onsite updates (see below).
– Externally, check all campaigns and references are updated to the https version.

Sounds easy, right?



1) Authorise a new Google Search Console account (which is configured, has your settings copied across, and that everyone is granted access to the new account that needs it.

2) Google Analytics should just continue to work – update the property settings to https (you might need to check if you’re using a different system though).

3) You might be required to update the tag manager settings too for them to still show up. This will depend on the provider you use.



1) Check that all the canonical tags are updated to https. If relative URL’s are already being used, this should be easy.

2) Internal linking: run a crawler on the test site to see if there are any accidental absolute URL’s.

3) Implement strict HSTS to avoid any future security risks.

4) Ensure the robots.txt moves across correctly.

5) XML sitemaps need to publish the newly updated canonical URLs.

6) Easy and normally powerful inbound links. Check and update cross-linking from other friend and family sites.

7) Images, Javascript, CSS and other tech-relative sites need to be updated. See the HSTS comment above. You don’t want to have mixed security requests.

8) Google’s Search Console: validate a new site and add users. Reference new XML sites and move across any Disavow file references. Plus, check that any other settings are re-setup.

9) If you operate multiple versions of sites, then also update the Href langs tag.

10) Check that your CDN’s are capable and then updated to https (most should be fine these days, but commonly overlooked).

11) And check again, that all references to http 301 to https.




– Any other marketing channel that links to the site, such as PPC, targeting etc. If you rely on a 301 you may lose tracking or slow the load time down.

– Any directories, member organisations etc.

– Don’t forget to update all of your social media properties and bios.



– Are there any partnerships or services that use your content? Or any interdependencies with affiliates or an API? They may need to be updated.

– Will any services you offer e.g. widgets, booking modules, social commerce plugins suddenly fail. Do you need to notify anyone?

– If applicable, have you updated your app indexing and relative page encoding from your apps?



When you do this (and we think you should!), you may temporarily experience loss in rankings while the new URL replaces the old one. The good news is that this usually only lasts 1-3 days. The search engines won’t treat it as a new domain, just as a separate protocol. So as long as the page for page 301 remains, and https is the primary site, it should all run smoothly. Just pick the right time. Don’t make the change on your busiest trading day!



We have done this for clients and have been shown and aided others on this move. “Even the best laid plans do often go wrong!”, sometimes knowing where to look can mean to mitigate OR triage a problem.

Here is our in-house ‘first things we check’ list.


1) The certificate itself:

– It’s the wrong SSL certificate, so the user’s browser warns them off (not secure enough).
– It has expired.
– It’s registered to the wrong domain (of you have one for all your various sites and thought it would work).
– You’ll need one certififcate for each host.

2) The wrong status code is given back on the redirects.


3) Blocking https via robots.txt or via a rouge noindex meta tag, that was used on a test site.


4) Wrong URL’s are published in the XML sitemaps. Redirects work. Https works, canonical updated, but http URLs in the sitemap adds confusion.


5) Canonicals are only updated on the main site, and extras like the blog aren’t updated.


6) Speed is affected due to increased ‘handshakes’ / connections. Keep an eye on speed & performance.


7) It’s been done at the wrong time. Sometimes too fast as it was seen as easy. Or, done that affects your busiest trading period.


8) Google Search Console set-up:

– Failing to move across settings & extras like any Disavow files
– Doing it when you have another issue, and it blurs your analytics and insight.
– Forgetting to copy across any settings such as target country.
– Failing to learn from the date in search analytics or fetch and crawl sections before it’s lost


Moving to https is one of the easiest dev projects if things go well. If you have a legacy system or outsource your technical works, it may need some managing. If you have a problem, you need to move fast though!



Do you want to take your business’ website to the next level? Are you ready to grow your online presence and become more findable to potential customers? Do you want to impress Google and its extensive search algorithms?


At GDR, we understand that organisations and businesses like yours understand the importance of digital marketing and website optimisation, but often don’t have the time to do it.

That’s where we can help! We can handle all aspects of your website, from design and build to SEO and moving you to https – we can create the perfect website for your business, which will:

  • Increase reach to customers
  • Offer an engaging user experience
  • Nurture both new and current leads
  • Track ROI


We would love to help!


Related Stories

Website Design

6 Web Design Trends to Consider
6 Web Design Trends to Consider

Digital Marketing

7 SEO Copywriting Tips To Boost Your Website Traffic
7 SEO Copywriting Tips To Boost Your Website Traffic