Updated 10/18/2016
This post is the third installment in our SSL series. This case study discusses the tasks that we needed to do when moving from HTTP to HTTPS and what needed to be done after the SSL migration.
While this post is written primarily for WordPress users, the instructions and concepts will be helpful to non-WordPress users, too.
In Part One of our SSL series, you learned what SSL is and why you might want to install it on your website.
In Part Two, you learned the four steps to configure HTTPS and resolve mixed content warnings.
However, the work doesn’t stop once you’ve successfully completed your SSL migration. You need to remember to tell Google and Bing about the site change. And if you’re using 3rd party tools such as Disqus, Pingdom, Sucuri, or CloudFlare, you’ll need to let them know as well.
None of this work is difficult, but it’s easy to overlook. This purpose of this post is to give you an idea of what we needed to do when moving from HTTP to HTTPS. This case study outlines steps we needed and a checklist of action steps to take after the migration was complete.
You’ll want to create a checklist customized for your website, too. Make sure to take inventory of all third-party services, plugins, and tools you use to manage your website and add them to your list.
So let’s get started!
Moving from HTTP to HTTPS
Steps that we took once we installed our SSL certificate include the following:
Tell WordPress to Use HTTPS
Force All Posts and Pages to Use HTTPS
Resolve Mixed Content Warnings
Set Up CloudFlare and SSL
Add Site to Google Search Console
Add Site to Bing Webmaster Tools
Migrate Disqus Comments from HTTP to HTTPS
Recover Social Shares
Update Pingdom
Update Sucuri
Tell WordPress to Use HTTPS
A few simple setting changes and you’re WordPress site will be ready for HTTPS. Learn more in Part Two of our SSL series.
Force All Posts and Pages to Use HTTPS
It’s important to redirect the prior HTTP version of your pages to HTTPS. You can learn how to do this in Part Two of our SSL series.
Resolve Mixed Content Warnings
This is probably the most difficult task you’ll encounter when moving from HTTP to HTTPS. If any file or image on a web page is not being served securely, the lock icon will not display in the browser bar. Fortunately there are tools and a few tips to help you here.
Set Up CloudFlare and SSL
Note: Not all websites run under a Content Delivery Network (CDN) such as CloudFlare. If you are not on CloudFlare, you can skip this step. If you’re on another CDN, refer to that CDN’s instructions for integrating SSL.
If you are running your website under CloudFlare, there are a few issues specific to SSL and CloudFlare that you should know about.
In an earlier post we showed you how we greatly increased performance by putting our website on the CloudFlare CDN. However, when we activated SSL on our site, we ran into a few obstacles.
As an A2 Hosting (affiliate) customer, I purchased a GlobalSign SSL certificate which was easily installed with one-click. Upon activation of the SSL, I discovered that CloudFlare with SSL is not supported through A2 Hosting cPanel.
In order to complete the migration and test moving from HTTP to HTTPS, I had to deactivate CloudFlare in cpanel. What this means is that I had to remove the website from CloudFlare in cPanel. Next I had to create an account at CloudFlare and then add the website under the free plan.
I needed to ensure an encrypted connection between my site visitors and CloudFlare, and from CloudFlare to the A2 hosting server. This was where things got tricky. I knew that I had to connect my SSL with CloudFlare to complete the SSL migration to HTTPS.
I researched CloudFlare’s website for articles that would guide me on the best (and most affordable) course for my business. And what I discovered was I could sign up for the free Universal SSL and choose one of the CloudFlare SSL options. Depending on your business needs, you’ll want to investigate each of the options.
Option A: This free option is Full SSL (Strict) which encrypts the connection between site visitors and CloudFlare, and from CloudFlare to the A2 Hosting server. This option requires a valid, non-expired SSL certificate that has been signed by a trusted certificate authority and installed on the A2 Hosting server. But since this option is free, the CloudFlare Comodo certificate will show in the browser.
Option B: This option is the upgraded business plan for Full SSL (Strict). Under this plan CloudFlare will consistently show the same certificate as in the origin server. In this case, the GlobalSign certificate will show when a user requests to view the certificate.
Option C: If your site is not on the CloudFlare CDN, your GlobalSign certificate will display in the browser bar.
To illustrate your choices, refer to the diagram below which was created by my colleague, Woei Yu Choo. Woei Yu is also a guest contributor to this blog and wrote Part 1 and Part 2 in our 3-part series on SSL.
Ideally I wanted my certificate to show in the browser bar when a website visitor viewed the certificate in the browser. However, because my website is on CloudFlare’s free plan, I was unable to upload my SSL certificate to CloudFlare. So I signed up for Option A with the understanding that CloudFlare’s Comodo certificate will display to my website visitors.
Once everything was properly installed, visitors could see the SSL lock icon in their browser.
Add Site to Google Search Console
Remember, when moving from HTTP to HTTPS, the URL protocol changes. So you now have a new website with a new address. The search engines also need to be told about this new website.
To learn how to add a site to Google Search Console, click here.
For an in-depth discussion on building and submitting sitemaps to Google, click here.
To make sure your sitemap is found by Google:
Log into Google Search Console (formerly Google Webmaster Tools) and make sure that Google can find your sitemap.
Google will show you the sitemap files it finds:
If you click the sitemap link, you’ll see exactly what Google is indexing.
What to do if the Yoast Sitemap is Missing from Search Console
Once my site had been migrated, I needed to generate a new sitemap with the HTTPS protocol. Yoast SEO does not automatically do this as I discovered when I logged into Google Search Console. I had no sitemap for the new site.
Testing Yoast sitemap_index.xml also returned a 404 error. I can see why this disconnect happens after moving from HTTP to HTTPS and I realized I needed to generate a new sitemap.
Here is what I did to fix it using Yoast SEO:
From the WordPress dashboard.
- Click on SEO>XML Sitemaps.
- Uncheck “Check this box to enable XML sitemap functionality.”
- Click Save Changes.
- Then check “Check this box to enable XML sitemap functionality.”
- Click Save Changes.
This did the trick for me. Toggling the settings off and on forced the plugin to create a new sitemap. I was then able to find my XML sitemap in search console.
You should be able to find your XML sitemap by clicking the XML Sitemap button.
Once the sitemap is generated, you can go back into Search Console and test the sitemap by clicking the red Add/Test Sitemap button on the right side of the Sitemaps screen. If you test your sitemap and it’s found, you’re all set. If not, you’ll need to continue troubleshooting to fix the Yoast 404 error. Once you have your new sitemap, make sure you add it to Google Search Console.
Add Site to Bing Webmaster Tools
Make sure you add your site to Bing Webmaster Tools by following these instructions.
You will also need to add your sitemap to Bing Webmaster Tools. While Google still has the market share on search, there is still value in making sure your site can be found by Bing, Yahoo, and other search engines.
The Bing Webmaster Dashboard is quite easy to learn and navigate, so take some time to become acquainted with it.
A Word of Caution if Your Site Uses SNI
11/20/2015
Since migrating to HTTPS I’ve been troubleshooting issues with Bing not crawling our website. Today I finally received an answer from Bing Webmaster Tool Support.
Here is their response:
Currently, the Bing Sitemap fetcher still uses some legacy MSNBot components –and these components support https:// except for sites that use SNI (Server Name Indication).
Our normal web crawler (Bingbot) has no issues with SNI, so the sites can be crawled without problems.
We expect the Sitemap fetcher to be updated to the latest standards this fall, but as a workaround for missing support for Sitemaps on SNI, the site owner can either temporarily
- a) serve the Sitemap over http:// or
- b) host the sitemaps on a non-SNI server
So there you have it! If you want Bing to crawl your site, you’ll have to use one of the work-arounds mentioned above.
Migrate Disqus Comments from HTTP to HTTPS
Note: if you are not using the Disqus plugin commenting system, you may skip this section.
If this is the first time you’ve changed the URL protocol on your website, you may be wondering what happened to your Disqus comments? Just like Google, Disqus needs to know about your new address so that all the pages with comments work properly. No worries! Disqus has a migration tool that helps you to fix this.
Log into your dashboard at WordPress.com and choose Migration Tools. Then click on Upload a URL Map and follow the steps.
You’ll be walked through a procedure to download a URL list of all of your posts from the Disqus forums. The file is a CSV file that once downloaded, you can easily open and edit in a program such as Microsoft Excel.
You’ll need to map the old URLs that are provided. What I did was copy and paste all of the old URLs in the first column into a second column. Then I did a global find and replace of http to https in the second column only.
Once done, you can upload the URL mapping to Disqus. It can take up to 24 hours for the changes to take effect, but you can see your comments gradually reappearing.
Recover Social Shares
Will your social sharing plugin be able to detect that your website address has changed?
This is a big problem. Most sites will lose all of their social shares with the current plugins on the market. You’ll want to sign up for Social Warfare (affiliate), which is hands down one of the best social share plugins you can purchase.
It has a great social share recovery tool, which will go out and find the share counts from your prior website address (HTTP) and merge them with your new website address (HTTPS). The benefits of this plugin are many and the subject of an upcoming blog post.
Update Pingdom
Since we used Pingdom to monitor our website, be had to be sure to log into the dashboard, click monitoring, and modify the website check to use the HTTPS protocol:
Update Sucuri
Updating the Sucuri website monitoring was less-than-elegant, but we got it done. There is no way to change the website protocol; Sucuri wants you to add it as a new website. And if you’re only on the one-website plan, you can’t add a new website with the HTTPS protocol. So two things happened to us:
- We got an email from the Sucuri scanner telling us that our site couldn’t be scanned. This is because we’ve set up the scanner for an HTTP site, which is now an HTTPS site. So it throws an error.
- So we had to log in to the Sucuri dashboard, click “Add Website”, and then add the HTTPS version of our website.
We could then force a scan at that point, or wait until the next scheduled scan.
In Summary
Every website has a unique set of challenges to identify and correct when moving from HTTP to HTTPS. Make sure you take the time to do an inventory of your website so that nothing is overlooked.
Once you’ve installed your SSL certificate, tell WordPress about it and resolve your mixed content warnings. Then create the appropriate redirects so that the HTTP version of your website pages are redirected to the HTTPS version.
Make sure your Content Delivery Network (CDN) is configured to run with SSL.
Update other third-party services such as Pingdom and Sucuri.
Let Google, Bing, and the other search engines know about the change. Make sure to upload a new sitemap for your website.
Migrate Disqus comments, if applicable.
Make sure to recover your social shares. Remember, those counts were for the HTTP version of your website.
Adding SSL to your website is a wise move to make. It protects sensitive visitor data that might get submitted on your website, readies your site for e-commerce, and offers a slight ranking boost.
While it might seem like a daunting task, having a plan in place will help you ensure a smooth migration.
Photo credits: Fotolia and Pixabay
Leave a Reply
4 Comments on "Moving from HTTP to HTTPS: SSL Migration Case Study"
Nicely written. Updating Disqus platform URL is good point. Thanks for sharing with us.
This is probably the most difficult task you’ll encounter when moving from HTTP to HTTPS. If any file or image on a web page is not being served securely, the lock icon will not display in the browser bar.
Wow, Michelle! What a comprehensive and easy-to-follow 3 part series on how to migrate from http to https! I love that you have included Social Warfare – my new go-to social sharing plugin for WordPress.
Thank you for taking the time to write this series. I will be sharing it/them again!
Hi Robin! Thank you so much for your comment and for sharing the post; I am honored! This is one of those tasks that needed to be done and a few unforeseen issues popped up that others may encounter, too. So I thought I’d turn it into a case study and share our journey 🙂 I’m glad you found it easy-to-follow. I know you’ve been down this path as well and it helps to have a plan, doesn’t it? Appreciate your support, my friend!