This is the second article in our three-part series about how to do a site-wide update without demolishing your search ranking. We’ve previously discussed how to excel when launching a comprehensive redesign; in this post, we’d like to tell you how to successfully migrate your site to HTTPS.

don't let https leave you hanging

HTTPS is a secure version of the standard HTTP protocol. It was initially made popular to protect sensitive information during online banking, shopping, and logging into websites. Over the past several years, it has spread to websites of all kinds. And why not? There are lots of reasons to enable HTTPS on your website: it’s a known ranking factor, it improves visitor security, and it’s relatively easy to do. But there are always potential risks to search rankings any time you make a major change to a website, and HTTPS is no exception. We want to help you do this right.

Prior Preparation Prevents Poor Performance, Persistently

Remember this section from the last post? Noticing a theme yet? That’s not an accident. The degree to which a site migration will be successful is largely determined by the amount of preparation that goes into it.

Serving insecure content within a secure environment can make everything insecure.

Start your migration to HTTPS by searching through your existing site for insecure content. You might find it in images on the page, embedded videos, and even in the source code, stylesheets, or web fonts. These items are typically linked with a hard-coded “http://” protocol. For example, an image might be at The easiest way to update insecure addresses like these is to change the “http://” part to a simple “//”. That way, when you make the switch to site-wide HTTPS, those items will automatically load correctly.

This is extremely important. Serving insecure content within the secure environment of HTTPS has the potential to make everything insecure. Some browsers ensure security is maintained by simply refusing to load insecure content. The images, scripts, and fonts on your site might not load if they aren’t updated, which would make your site look broken.

After you’ve manually addressed insecure on-page content, you can run an automated test to make sure there’s nothing you’ve missed. PowerMapper has a paid product called SortSite that can help you with this, but the ten-page free demo version should allow you to catch many basic issues that might be present across multiple pages.

Sorting Out HTTPS Certificate Choices

Enabling HTTPS on your website requires that you get an HTTPS certificate. Because HTTPS is used for all kinds of websites — from restaurants to banks — there are lots of choices and different grades of security available, and this can be really confusing.

There are three major types of certificate available: Domain Validated (which you’ll see marketed on some sites as “DV”), Organization Validated (OV), and Extended Validation (EV). Those are listed in order of trustworthiness, but don’t go out and buy a super-trustworthy EV certificate just yet…

  • DV certificates are perfect for most companies. Typically, they’re $10–30 per year from a reputable provider, called a “certificate authority”, and require little to no paperwork.
  • OV certificates are a step up and, as the name suggests, require some paperwork. The provider will verify the existence and reputability of the company requesting the certificate — that’s you — to assure visitors that any information they submit to the website is actually going to the company associated with that website. These kinds of certificates tend to be a little pricier, from about $50–$200, but they can be worth it if you’re collecting a significant amount of user information.
  • EV certificates are only really needed for companies that process financial transactions.

Most hosting providers will help you pick the right certificate for your website and set it up for you.

HubSpot users will have an easier time getting a certificate because they don’t need to pick from all of these options or manually install the certificate. It is, however, rolling out in a limited capacity. Instructions for getting secure can be found in HubSpot’s knowledgebase.

Testing HTTPS On Your Site

If you’ve fixed all the existing insecure content on your website, and your hosting provider has installed your certificate, it can be very tempting to route all visitors through the secure version of your site. But wait. In an ideal situation, using the secure site will have no noticeable differences. But in a worst-case scenario, something critical might not load correctly over HTTPS and it could have devastating implications to a page, or your entire site. So it’s best that you explore everything yourself first.

Try browsing your website through HTTPS. Visit every page, and make note of things that aren’t working quite right. Pay particular attention to dynamic elements like parallax scrolling, sticky menus, responsive elements, and tools like onpage calculators. Test in multiple browsers — Chrome, Safari, Firefox, on your smartphone — because errors might be handled in different ways.

As you get ready to make HTTPS the default for your entire site, make sure to update your menus and sitewide links to point to the new addresses.

Making the Switch to Secure

When you’re ready to make the site HTTPS-only, put in a call to your hosting provider or support team to make the switch. If you’d like to do this on your own, make sure you put in place a sitewide redirect from HTTP to HTTPS. A simple htaccess rule will suffice.

Next, tell Google Search Console that you’re now on HTTPS by adding your new HTTPS domain and setting it as the preferred domain. Generate a new XML sitemap on your website and submit it to Search Console to trigger a re-crawl.