Complete HTTP to HTTPS Migration Guide

Migrating from HTTP to HTTPS involves more than installing a certificate. You need to update redirects, fix internal links, handle mixed content, update external services, and verify search engines recognize the change. This guide covers every step.

Why migrate now? In October 2026, Chrome enables HTTPS-First by default — HTTP sites will show a full-page warning. 86.9% of websites already use HTTPS. If you’re still on HTTP, you’re in the shrinking minority.

Complete migration checklist

Phase 1: Get and install the certificate

  • 1. Get a free certificate from GetHTTPS (5 min, no install)
  • 2. Install on your server: Nginx | Apache | cPanel | WordPress | IIS
  • 3. Verify HTTPS works — visit https://yourdomain.com, check the padlock

Phase 2: Redirects and content

  • 4. Set up 301 redirects from all HTTP URLs to HTTPS
  • 5. Fix mixed content — update all http:// resource URLs to https:// or relative paths
  • 6. Update internal links — change http://yourdomain.com/page to https:// or /page (relative)
  • 7. Update canonical tags: <link rel="canonical" href="https://yourdomain.com/page">
  • 8. Update sitemap — regenerate with https:// URLs

Phase 3: External services

  • 9. Google Search Console — add the https:// property, submit updated sitemap
  • 10. Google Analytics — Settings → Property → Default URL → change to https://
  • 11. Social media profiles — update website URL on Twitter, LinkedIn, Facebook, etc.
  • 12. Email signatures and templates — update links to https://
  • 13. Third-party integrations — webhook URLs, API callbacks, CDN origin settings

Phase 4: Harden and verify

  • 14. Enable HSTS — start with max-age=300 (5 min), increase after verification
  • 15. Test with SSL Labs — target Grade A

Common pitfalls

Redirect loops

If your HTTPS config also redirects to HTTPS, you get an infinite loop. Ensure only the HTTP server block (port 80) redirects — the HTTPS block (port 443) serves content normally.

Behind a proxy (Cloudflare, AWS ALB): the proxy sends HTTP to your server, so a redirect based on the connection protocol fires on every request. Check the X-Forwarded-Proto header instead of the connection protocol.
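The proxy case above as an added example (not from the original guide): a Python WSGI middleware that redirects on the client-facing scheme, so the redirect is issued only once. The `TRUSTED_PROXIES` range and the `ForceHTTPS` name are assumptions for illustration; on HTTPS responses it also sends the checklist's starting HSTS value of max-age=300.

```python
import ipaddress

# Assumption: address range of your proxy / load balancer (placeholder).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_scheme(environ):
    """Scheme the client used, not the scheme of the proxy-to-origin hop."""
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    # Honour the header only from a trusted proxy; otherwise any direct
    # client could send "https" and never be redirected.
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        # With several values, the last one was added by the nearest proxy.
        return forwarded.split(",")[-1].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


class ForceHTTPS:
    """Hypothetical middleware name; wraps any WSGI app."""

    def __init__(self, app, hsts_max_age=300):  # 300 s: the checklist's start value
        self.app = app
        self.hsts = ("Strict-Transport-Security", f"max-age={hsts_max_age}")

    def __call__(self, environ, start_response):
        if effective_scheme(environ) != "https":
            # Only the plain-HTTP branch redirects, so there is no loop.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{environ.get('PATH_INFO', '/')}"
            if query:
                location += f"?{query}"
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS.
            return start_response(status, list(headers) + [self.hsts], exc_info)

        return self.app(environ, with_hsts)
```

A spoofed X-Forwarded-Proto from an address outside `TRUSTED_PROXIES` is ignored, so direct HTTP clients are still redirected.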

Losing SEO rankings temporarily

Normal. Google needs to recrawl and reindex your pages at the new URLs. 301 redirects transfer link equity. Most sites see rankings stabilize within 2-4 weeks.

Hardcoded HTTP URLs in database

CMSs like WordPress store absolute URLs in the database. A redirect handles page URLs, but <img src="http://..."> in your content causes mixed content. Run a search-replace:

# WordPress (WP-CLI)
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --all-tables

Forgetting about subdomains

If you redirect example.com but not blog.example.com, that subdomain still serves HTTP. Check all subdomains. Consider a wildcard certificate.

Third-party scripts still on HTTP

Ad networks, analytics, chat widgets, embedded maps — check that all third-party scripts use https://. Most modern services support HTTPS. If one doesn’t, find a replacement.

Verification after migration

# Check redirect works
curl -I http://yourdomain.com
# Should show: 301 → https://yourdomain.com

# Check HTTPS works
curl -I https://yourdomain.com
# Should show: 200 OK

# Check for mixed content (quick scan)
# 'http://' never matches inside 'https://'; a second "grep -v 'https://'" would hide lines that contain both
curl -s https://yourdomain.com | grep -i 'http://'

Browser check: Open each major page in Chrome DevTools → Console → look for mixed content warnings.

SSL Labs: ssllabs.com/ssltest for a comprehensive grade.
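A stricter version of the quick scan, as an added example that is not part of the original guide: it parses the HTML and separates subresources that trigger mixed content warnings from plain links that only need updating. The sample page and all hostnames in it are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
    ("script", "src"), ("iframe", "src"), ("video", "src"), ("audio", "src"),
    ("video", "poster"), ("embed", "src"), ("object", "data"),
}
# Scripts, frames, plugins and stylesheets are blocked outright by browsers.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}


def urls_in(name, value):
    if name == "srcset":  # "url 1x, url 2x": first token of each candidate
        return [c.split()[0] for c in value.split(",") if c.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        rel = attrs.get("rel", "").lower().split()
        for name, value in attrs.items():
            for url in urls_in(name, value):
                if not url.lower().startswith("http://"):
                    continue
                stylesheet = tag == "link" and name == "href" and "stylesheet" in rel
                if (tag, name) in SUBRESOURCE_ATTRS or stylesheet:
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                elif name == "href":
                    kind = "link"  # <a>, canonical: stale URL, no browser warning
                else:
                    continue
                self.findings.append((kind, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (hostnames are placeholders).
SAMPLE = """<link rel="canonical" href="http://yourdomain.com/page">
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<img src="http://yourdomain.com/logo.png" srcset="/a.png 1x, http://yourdomain.com/a2.png 2x">
<a href="http://yourdomain.com/about">About</a>"""
```

Call `scan(SAMPLE)` or pass it the saved output of `curl -s https://yourdomain.com`; URLs injected by JavaScript or CSS are not seen, so the DevTools check still applies.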

Frequently asked questions

How long does the migration take?

Simple sites: 30 minutes. WordPress: 1-2 hours. Large sites with complex integrations: 1-2 days. The certificate itself takes 5 minutes (GetHTTPS) — the rest is updating links and services.

No, if you use 301 redirects. External sites linking to http://yourdomain.com/page will follow the redirect to https://yourdomain.com/page. Link equity transfers through 301 redirects.

Should I migrate during low-traffic hours?

The certificate installation itself causes zero downtime (if you reload, not restart). But testing afterward is easier during low traffic, so you catch mixed content issues before peak hours.

Can I migrate gradually (page by page)?

Technically possible but not recommended. It creates a confusing mixed HTTP/HTTPS state. Migrate everything at once — it’s simpler and Google handles it better.
