If you run a blog or website you’ve probably heard about SSL certificates and the idea of moving your domain from the old http:// to the secure https:// version. It’s a very important topic.

In fact, this is something that will affect the security, performance and even the search engine rankings of your blog.

Today we’ve got a huge post filled with information about how to get an SSL certificate and HTTPS for your blog, including why people are moving, what Google has been saying about it, and even a detailed checklist on how to get it done.

This is a pretty complicated topic and so I’ve gone into lots of detail to try and make it as pain-free as possible. Have a read and jump in the comments if you’re still unsure.

Note: You’re going to want to press Control + D on a PC or Command D on a Mac so as to bookmark this article for future reference.

What is SSL all about?

The first thing we should do is take a quick look at some of the more technical aspects behind this topic in case you are already finding yourself a little bit confused. So, what exactly is SSL?

SSL stands for Secure Sockets Layer and is the technology now used to create an encrypted link between a web server and a browser. This allows all the data passed between the web server and the browser to remain private.

The idea is that, when you’re shopping or submitting your details into a form on a website, you want to know that the website is secure in the sense that it’s actually the website you think it is and not something else.


Without getting overly technical, HTTP (Hypertext Transfer Protocol) is how information gets transmitted and received across the internet and HTTPS is just the secure version of it. It’s a little more tricky than that, but it’s basically all you need.

When a site has a secure SSL certificate (and is set up properly) you’ll see a little padlock up in the navigation bar, and the URL will have https:// at the start instead of just http:// without the “s”.

But how does the “handshake” work?

The technology behind SSL is quite complicated, but to your visitors everything will just look normal and the website will function as it always has, except that now there will be a little padlock up the top.

It essentially works in five key stages to establish a secure “SSL handshake” between your web server and the browser (Firefox, Chrome, Safari, etc.) that your visitor is using.

To do this, it needs three different types of keys known as the public, private, and the session keys which all talk to each other to establish that secure session we all want. Here’s a quick summary:


For those big old geeks in the audience, here is a little bit more detail to explain the basics of how it all works:

  1. Your new reader visits your secure https website and their browser asks that the server identify itself.
  2. Your server sends a copy of its SSL Certificate which includes the server’s public key.
  3. Their browser then checks the certificate against a list of trusted ones and makes sure it’s valid and up to date, etc.
  4. If the browser is happy with the certificate, it creates a one-time session key with the public key from above.
  5. Your server then decrypts the session key using its private key to allow the secure session to start.

Once that session has begun, everything that is transmitted between the browser and the secure server is encrypted meaning that it is generally safe from people who are trying to spy on or steal that data as it gets sent through forms, carts, and so on.

But remember, while https is important it will not make your website secure by itself as Tony Perez says in his article:

It will continue to be a critical piece to ensuring information in transit is protected from attackers, but that’s the extent of the secureness it’ll offer your website. We do have to start talking about encryption at rest, in addition to encryption in transit. If we look at the number of data breaches, HTTPS did little to stop the exfiltration of data.

Now let’s get into the details on how you can actually implement this on your website or blog, and the resources, tools and different bits and pieces you’ll need to make it happen.

Why are people moving to HTTPS secure domains?

We should be pretty clear, getting an SSL certificate and moving to an HTTPS domain is not really a beginner task and it can involve some really complicated steps if you have a big or multi-faceted site.

And when it comes to important moves like this one, it’s a good idea to know why you are doing it and what the implications will be for you, your visitors, and the Internet landscape in general.

While there are larger implications for things like web security, the main reason bloggers have been switching is because Google has indicated that sites without SSL certificates will rank lower on search results if they come up against an equally valuable site which has an SSL certificate.

This all heated up to a new level in August 2017 when Google sent out an email to all webmasters saying that Chrome would show a security warning on any pages with forms that aren’t HTTPS enabled.

That means any page with an email opt-in form, contact form, shopping cart, etc. will get a warning for any customer on Chrome saying that it might not be secure. Obviously this has huge implications for anyone trying to run a business.

How to set up SSL/HTTPS on your website or blog

You’re probably wondering about how you can actually go ahead and set this up on your blog. As mentioned, it’s a tricky issue that can have some complications.


I reached out to the incredible team from Kick Point (who helped me with Blog Tyrant’s migration) to get their insights on the process and they were kind enough to put together an extensive checklist for bloggers and webmasters to use when they are about to dive in to this process.

They’ve broken down the process into three stages starting with the pre-migration stage of things to prepare before you begin:

  • Consider a staging site. This should be the first thing you put into place. Why? A staging site gives you room to try out your changes in a safe environment before you commit to them live.
  • Make a backup. It’s not possible to take too many backups — you never know when you’ll need to roll back a change in a hurry. You should have a current copy of all your key site files and a full export of your database.
  • Crawl your links. This will tell you whether you’ve got broken links (404s) that need fixing, plus any links that redirect (301s). Fix as many of these as you can.
  • Take the Before picture. Use Google Analytics and Google Search Console to generate organic traffic reports for your most recent three months.
  • Check your site files for absolute (hard-coded) links. As soon as you update your site to https, these will become redirects. Fix what you can now, and flag the rest for during launch. If you’re linking to resources like Google Fonts or jQuery, ensure the URLs use https.
  • Check your pages and posts for content from external resources. This information will be in the crawl you did earlier. If the links don’t use https, update that now.
  • Check your redirects. If your site has any 301 redirects set up, prepare them for the URL change.
  • Check your canonical URLs. These show up in a <meta> tag in your site’s header. Check whether these will update automatically when you change to https, and if not, ensure you know how to update them during the migration.
  • Check your robots.txt. Make sure it’s not disallowing anything important, and prepare a copy linking to your sitemap with an https address.
  • Check your sitemap. Depending on your setup, you’ll either have to prepare a copy that uses https yourself, or you’ll be using a plugin that auto-generates the sitemap for you.
  • Check Google Search Console https domains. You should have a Google Search Console property set up for every version of your site’s domain (both www and non-www, plus now http and https).

Now you are ready to go and there are some things to watch out for while you are in the migration stage of the process:

  • Take another backup of your site. Take a copy of your database plus all your site files. Don’t be tempted to skip this step, and take as many as you need throughout the process.
  • Request and install your SSL certificate. What this involves will vary based on your hosting situation. Follow the directions in your host’s documentation. You’ll need a certificate (or certificates) that covers all variants of your site’s url.
  • Apply your site changes live. Now is the time to apply any updates you made to your theme files, robots.txt and any other files to your live site. This includes your 301 redirect updates.
  • Set up your https redirect. This will ensure visitors to your site are given the https version of your site no matter what.
  • Test your https redirects. Try out all the versions of your URL (non-www, www, with https, without https, with a / at the end, without a / at the end) and make sure they’re all directing to the same canonical version of the URL.
  • Rewrite your internal URLs. Ensure none of the internal links on your site are using anything other than https:// in the URL. This prevents unnecessary 301 redirects as visitors browse your site.
  • Crawl, crawl, crawl. As with backups, crawl your links throughout the migration process. By the time you’re done, none your site’s internal links should be using http:// in the address.
  • Check the status of your SSL certificate. Plug your site’s address into a service like SSL Test. You’re looking for the test to come back Trusted, and ideally with an A rating.
  • Annotate your migration in Google Analytics. Use the Annotation feature to make note of your migration right on the report graphs.

At this point you should be all done, and now we have a final list of step of things to watch out for in the post-migration stage to ensure everything is working well:

  • Make sure all of your pages show the green lock icon. If not, you have a ‘mixed content’ error. Use a service like SSL Check to check your site for anything loading from an insecure URL, and fix these items on all affected pages.
  • Make one more crawl. Verify there are no more insecure internal links, and you don’t have any outstanding 301s or 404s.
  • Update Google Search Console. Make sure the https versions of your URL are verified, their settings match the http versions, and the robots.txt is showing correctly. Submit your sitemap.
  • Update Google Tag Manager. If you’re using tags or triggers, you might have some set up with full URLs. Update all of those to https.
  • Update your ads, affiliates, and any third-party extensions. Point these to your https address going forward.
  • Monitor your site traffic. Watch for big traffic drops. Use Google Analytics’ custom alerts to stay on top of any traffic changes, or set up a rank drop alert in a platform like STAT.
  • Monitor the crawl status of your https URL. Keep an eye on its indexation status, visibility, and watch for any errors on both the http and https site versions.

At the end of all this if you’re feeling a little overwhelmed by the process and you have a complicated site, I really would recommend engaging a firm like Kick Point to help you out with it, if your host won’t do it. It’s not cheap, but when it comes to a big business move like this it is a good idea to get it right.

Some resources to help you migrate to https

I’d like to finish off this post by going through some tips and resources that might help you with the process of migrating your blog or website to a secure domain.

Again, this is a pretty big topic and can seem very overwhelming if it’s something you are not familiar with. It is, however, something that we are all going to need to do sooner or later so it’s probably good to start looking at the options.

What are your thoughts?

Have you moved your blog over to a SSL domain? I’d love to know your experience or any tips that you might have to help people who are about to do it. Alternatively, if you’re thinking about doing it soon, are there any issues you’re worried or confused about?

Please leave a comment below and let us know.


Join in. The comments are closed after 30 days.
  1. Do you need the SSL for a website that does not deal with selling things online?

    1. As the blog post says, SSL helps with rankings. In addition, it stops anyone listening in on the network traffic (for example your local Starbucks wifi) from seeing your username and password.

    2. Visitors will soon start seeing “This website is not safe” type warnings in their browser’s address bar for any page that isn’t secured with SSL encryption. That will scare off a a large number of the visitors who do happen to find their way to your site.

      The fact is every page needs to be encrypted, even if there are no forms of any kind on them.

      Unfortunately, SSL is now more or less mandatory if you don’t want to lose a significant amount of your traffic.

  2. Great post and good timing for me personally. I was in the planning stage to take my blog from http->https but have delayed until the Christmas (busy period for me) is over.

    Reason being I was initially worried about initial drops in traffic that I seem to have seen reports on.

    Have you had/seen any experiences in drops in traffic Ramsay?

    1. Yeah there have been a few reports of that, which was partly why I engaged an SEO firm to help me manage the process. I’ve had it live for about a month and everything things to be about the same. Theoretically it should boost it eventually.

  3. Bill Boushka on November 13, 2017

    How important is https for a page that does NOT require user logon or collect user info? That does NOT process funds, PII, etc.

    I have four domains on BlueHost, which as of now will set up one as SSL (with an enhanced SiteLock passage). I did pick one of the addons (because it is possible to do transactions on it although i do them rarely in practice). In my case that is doaskdotellnotes.com (not the site I have shared most often). I am expecting BlueHost will change things so that all four can be https. Also, Google’s free Blogger will make all free domains https (e.g. https://billonmajorissues.blogspot.com/ but does not with those that have their own domain names (e.g. http://www.billsmovienewsandreviews.com/ ) That is because SSL is by main domain name (e.g. blogger.com int he case of Google). That also seems true of Automattic https://jboushka.wordpress.com/ (there’s not much there — that’s a copy of some old stuff). It would be helpful to know if Google, WordPress, BlueHost etc will do anything soon to make this “easier”.

    1. Bill Boushka on November 13, 2017

      I’ve written a quick comment on Ramsay’s article on my own legacy Internet security blog. I’ll get into a lot more detail later. https://billsinternetsafety.blogspot.com/2017/11/well-known-blogging-consultant-urges.html I sent Ramsay’s link to Electronic Frontier Foundation in San Francisco for comment, maybe a more detailed story from EFF.

      1. Hi Bill.

        Check out Let’s Encrypt – it’s free and renews automatically.

        I think it’s important to do it even if it’s just for the SEO benefits. Google clearly has a plan to make https everywhere and I don’t think there is much we can do about it now.

        There are also more and more plugins coming out on WordPress and so on that make the migration/redirection much simpler.

        Thanks again!

        1. Bill Boushka on November 14, 2017

          Will look into this in detail soon. My situation with BlueHost is more complicated because of the three addons. Also, I have SiteLock on them. I would expect BlueHost to work on this with some systematic solution.

  4. Chuck Bartok on November 13, 2017

    Great article again Ramsay.
    You are on top of it.
    Since I am an old fart and not very savvy when I switched to SSL I asked the staff at our Dedicated Server to handle it.
    Their service 24/7/365 is impeccable and is an example of why we chose a quality system.
    Freinds have said we are paying “too much”, but our cost is very competitive when you factor service and safety

    1. Hey Chuck.

      Would you mind sharing what you pay for this service? Even a private message if you’re not comfortable here.

      1. Chuck Bartok on November 13, 2017

        One set of domains we use VPN service about $500 year.

        The other (main site) and ancillary domains use a 100% Dedicated server.
        Annually paid $2,700, monthly $329
        I have two different companies with different partners reason for the two choices.
        If you want more info I will send an email.

  5. A great guide this is, and also timely! I also added an SSL certificate to my website last week.

  6. Thanks for this article. I needed it! I remember back in the day….

    1. Good old days?

      1. Before we had to worry about SSL and all the little things that add up now

  7. Do you recommend that we do this with brand new sites? Is it easier and less expensive? What’s a ballpark cost in U.S. dollars to do this (for a new, simple site)?

    1. >Do you recommend that we do this with brand new sites?
      >Is it easier and less expensive?

      I’d say the sooner you do it the better. It’s easier and there’s less chance of accidental page rank loss, for example. The certificate costs the same regardless of how many pages you have on the site.

    2. Yep, go with what David says. He’s an expert.

  8. Jennifer Waddle on November 13, 2017

    Thanks for the wealth of information, Ramsay.

    I have a free SSL certificate through BlueHost but have had multiple issues occur around the time the certificate is supposed to be automatically renewed.

    I was informed by BlueHost support that I need to contact them before the certificate expires to ensure a smooth transition. (every 3 months)

    I don’t mind doing this, but I wonder if their system is flawed. I took the SSL Server test this morning and rated a “B.” I’ll be investigating further.

    I appreciate the time you took to write such an important post. It’s definitely one to bookmark and refer to often.


    1. >(every 3 months)

      Sounds like they are using Lets Encrypt. I think it’s stupid that you have to remind them, as if they configured it properly then it would auto-renew which is what LE is meant to do.

      1. Jennifer Waddle on November 13, 2017

        Yes, David, it has been frustrating. Last time, my site was down for half a day. Not fun.

        I’m surprised by BlueHost’s inattention to this. I’ve been with them for 3 years and have been happy with everything else.

        1. Hey Jennifer. I’m going to bring this up with my contact at BlueHost.

          1. Jennifer Waddle on November 13, 2017

            Thank you so much!

  9. Yet another awesome (and very timely) post, Ramsay.

    Now that Google and all the major webs browsers have effectively made SSL encryption mandatory it’s important that folks get it enabled on their sites ASAP if they don’t want to experience a huge drop in their traffic levels.

    I recently enabled SSL on all of my blogs. This post details that experience:


    Again, awesome post my friend.

    1. Thanks Rick. Here’s hoping the traffic increases.

  10. Pls how do one fix for blogger blogspot blogs on custom domain

    1. Check the links at the bottom of the post for some info on that.

  11. SSL is the first step every webmaster, web developer, graphic designer, WordPress whateveryoucallyourselfwhenyoujustclickbuttonsandchargepeoplethousands and anyone everywhere.

    Otherwise you’re going to have to repeat everything associated to that URL from a backend perspective. Webmaster tools for example will require a rework because adding an S to your URL means you need to re-index everything on your website.

    And this is often a very scary thing for people who are new at this – because without doing this early. You’re doing a bunch more clicks – and I just got back from a music studio in Frisco who paid thousands for a website that doesn’t have SSL, Sitemap, and not plugged into webmaster tools/google analytics…

    Now they are out of budget to move forward on anything. Effectively this previous web person also consumed their header one with the same text on 100% of every page they need to rank – it’s really terrible because now they barely even rank because of this sloppy drag and drop job.

    I actually had to tell them not to talk to this person about the mistakes – or they will go and google it and get a bunch of low quality strategies proliferated by link spam..

    One day there’s gonna be quality content on Google – until then – stay here and read everything.

    1. Too kind. As always.

  12. Ahmad Imran on November 13, 2017

    Ramsay, recently moved to HTTPS via SiteGround through their free offering (Let’s Encrypt).

    One question, are there any good SSLs and bad SSLs? I am worried that because I am using the free SSL service, I might be losing out on some benefits or security issues. Please advise.

    1. I think there definitely are, but I’m not at expert. I know some seem to be a bit slower or sometimes have issues connecting.

    2. Chuck Bartok on November 13, 2017

      Some are “insured” other ar not. And yes you can be sued for ‘misleading” and “chicanery”

    3. >are there any good SSLs and bad SSLs?

      Depends on what you mean. There are bad SSL providers, but that’s generally because they offer insecure certificates or one of the certificate providers in the chain are dodgy. Luckily, LE is *not* one of these.

  13. Stephen Walker on November 13, 2017

    Hi Ramsay,

    Another great super-detailed post.

    I have no posts that collect data, so I would upgrade only for the improved ranking.

    I will try it first on one of my newer, smaller blogs.

    Thanks for the info.

    1. Make sure you do a lot of research about how it changes your website before doing the move.

  14. Vishal Ostwal on November 13, 2017

    Recently (it started a few months ago, I suppose) everyone had started talking about SSL.

    I kept wondering what significant difference would it make for sites which don’t sell much, or aren’t subscription-based.

    Later, I somehow felt like Google search results had started giving priority to sites having SSL certificates – but that was just an assumption. I’m still not sure if that’s true.

    But I see it as a possibility that SSL might become a benchmark for proving the security and credibility of websites in near future.

    I personally become sceptical about certain sites, even if they’re genuine, when my browser asks me “whether I wish to continue because the site is insecure.”

    That feels negative.

    I’ll get an SSL – but for now, I’d rather stick to http:// until I *need to * switch to SSL.

    Here’s a quick question: Are there any chances of messing up during the migration? Do hosting sites help with that?

    I just want be sure if that’s something I can do, or I should rather ask for help while doing it.

    P.S. This post was really comprehensive. Before reading it, I hadn’t thought about crawling issues which may occur and other things.


    1. Yeah, I think it’s mostly for the SEO boost but also if you have an opt-in form and Chrome is saying “Insecure” I think it will scare a lot of people who don’t know what’s going on.

  15. Great post, but… I really CAN NOT understand WHY the blogsphere and all bloggers and web-sites cant be agains this business btw google and SSL providers.

    1. Sorry, I’m not sure what you mean?

  16. Lisa Frideborg Eddy on November 13, 2017

    Hi Ramsay, this was interesting and relevant… and it did help me get my butt into gear because, hey… Who wants to lose SEO points, right? However, I went into overhwelm and contacted my web host, TsoHost. I asked if they could help because I’m pretty sure I’d f*ck up trying to do all these steps correctly. Thankfully, if you don’t operate a web store, they can install the SSL certificate for free, so they did that within a couple of minutes of me asking. So far, both sites seem to work great. Yay!

    1. What do you mean by both sites working great?

      1. Lisa Frideborg Eddy on November 14, 2017

        Nothing went wrong with the installation of the certificates. Or so it seems.

  17. SSL is a must these days. Google has already given hint about SSL sites ranking higher in SERP’s. So, no matter how much you delay it, you have to move your site to SSL one day. Then why not right now.

    I see that you haven’t mentioned about losing your site’s Facebook or Twitter shares after moving to SSL and how one can recover it? This is one the major reasons that stop webmasters from moving to SSL.

    1. Rinkesh, the awesome “Social Warfare” plugin will retain your blog’s social media shares when you make the switch from http to https. It actually adds the totals accumulated for the old http pages to the new shares accumulated by the https pages and displays the total. This is an awesome plugin!

      In your WordPress dashboard just click “Plugins>Add New” and search for “Social Warfare”.

    2. Nah, I think mot of the time social shares are brought across okay. Mine seemed to survive. Let me double check on that though.

  18. Robin Khokhar on November 14, 2017

    Hi Ramsay,
    SSL has become an important thing this year for all websites, and you have shared some great knowledge. I think that every kind of websites like blogging, marketing, e-commerce and other websites should have a protection.
    Thanks for the great share.
    Have a good day ahead.

    1. Glad you enjoyed it.

  19. I’ve been considering getting SSL for my website. I’d have a question: how can we manage external inbound links (thousands in my case) pointed to http version? Do we lose them?

    1. Hey there.

      Check the list above as it has some answers, but for the most part if you do the redirects correctly and let Google know about it through Webmaster Tools then they pass along the juice to the new URLs.

  20. My site is not an eCommerce site. Please tell me will SSL help it in Google search?

    1. That is what Google is telling us, yes.

  21. Kwehangana Hamza on November 14, 2017

    Ramsay, I am surprised by the bold step you took to migrate such a big blog like this. Many inbond and outbond links that you risked loosing but then from how you detailed the whole process, seems like it was more an easy process leading to the good only.
    Otherwise, i am proud of you and congrats that you could to it.

    1. I was a little worried as well, but I realized that I’d have to do it at some point, even if just because all of my competitors were doing it.

      1. Kwehangana Hamza on December 9, 2017

        Ramsay, always on top of the game.

  22. Thank You for Guide however you can get free ssl for your wordpress site from Cloudflare

  23. Susan Velez on November 20, 2017

    Hi Ramsay,

    I’m so glad that I decided to move my blog to HTTPS when I had around 10 blog posts. I didn’t actually do it, I outsourced it.

    I just didn’t want to have to deal with the headaches and figured it was easier for me to pay someone to do it. After they were done moving my site, I double checked it on Why No Padlock.

    Everything was good to go. So easy peasy.

    I’ve had to move some of my client’s sites over to HTTPS and I always make sure that I set up a staging site first. It’s much easier to test things out on a staging site before taking them live.

    I had no clue that Google was putting more emphasis on sites that had HTTPS. Thanks for sharing this.

    Have a great day 🙂


  24. Remarkable post!!!! I used to read your post and its help me a lot. Thank you so much for giving us such a relevant information.

BlogTyrant on Tablet and Mobile
Free Ebook Guide
Ultimate Blogging Toolkit + Bonuses

Join our 30,000+ email subscribers for blog updates and get instant access to a 10,000-word guide on how to start a blog and build a sustainable business using keyword research, Google traffic, and a lot of tested strategies. Let us help you build a blog to support your family's income and help the community while you're at it!