Moving your website to https / SSL: tips & tricks


16 April, 2014 – 39 Comments

In January I wrote about our plans in moving to SSL. We’ve since done that, with great results from an SEO perspective: we had no negative effect on traffic, whatsoever. Two weeks ago, we also moved our tool Quix to https. There are quite a few things we learned in the process of moving these two sites to SSL that we thought would be worth sharing with all of you. Also, some things happened in the last few weeks that make SSL a hot topic, so we’ll discuss those first.

Ranking benefit for completely SSL sites?

Last month, Search Engine Land reported that Matt Cutts had said about SSL that he’d “personally love to make it part of the ranking algorithm”. The Wall Street Journal picked up on this two days ago. Whether or not this actually happens (or, perhaps, has already happened) doesn’t really make much of a difference to me. A completely SSL site looks more trustworthy than a non-SSL one [reference needed].

From a spam fighting perspective I think I can see why Matt would like it. I don’t think many spam network creators would go through the hassle of setting up SSL for all their sites and buying certificates for all of them. The cost would soon become higher than the profit in many niches.


The recent Heartbleed debacle (if you don’t know what it is, read this and / or this simple explanation) showed us once again how vulnerable the web can be. The good thing about it is that when you think about people being able to “listen” to your web traffic, you suddenly realize it might actually make sense to encrypt a whole lot more of it.

Moving your site to https

In moving completely to https / SSL we figured out there are a few things you need to be aware of:

  • All of your internal links should start to use https, not just to pages, but for images, JavaScript, CSS, etc. This means going through your theme with a fine-toothed comb and cleaning all of those up. Of course you can have your web server redirect http to https (more on that below), but not having to do the redirect is a lot cheaper.
  • Your CDN needs to support SSL too. Of course, we use and love MaxCDN and they can set up SSL for your CDN subdomain very easily.
  • SPDY, a networking protocol primarily developed by Google that you can enable for SSL traffic, is awesome. It makes your website faster and funnily enough that means that your fully SSLed site could actually be faster for those people who visit your site with modern browsers than your plain http site.
  • Not all SSL setups are equally safe. Once you’ve set up your site with SSL, it’s important to then make a conscious decision about how safe you want your traffic to be and act on that, more below.
  • You will need a static and unique IP for your site. This is “logical” if you know how SSL works, but it also means that most shared hosting servers won’t allow you to do this. – As mentioned by David in the comments: if your server supports Server Name Indication you don’t even need a dedicated IP.
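
The theme clean-up from the first point can be checked mechanically. The scanner below is an added example, not code from the original post: it separates scripts, frames and stylesheets (active mixed content, which browsers block on an https page) from images and media, and from internal links that merely cost a redirect. The host `www.example.com` and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a browser fetches on its own while rendering the page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class InsecureRefFinder(HTMLParser):
    """Collects (kind, tag, url) for every reference that still uses plain http."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "").strip() for name, value in attrs}
        rel = attr_map.get("rel", "").lower().split()
        for name, value in attr_map.items():
            url = urlsplit(value)
            if url.scheme != "http":
                continue  # https://, protocol-relative //host/path and relative URLs pass
            if (tag, name) in ACTIVE or ((tag, name) == ("link", "href") and "stylesheet" in rel):
                kind = "active"      # scripts, frames, stylesheets
            elif (tag, name) in PASSIVE:
                kind = "passive"     # images and media
            elif (tag, name) == ("a", "href") and url.hostname == self.site_host:
                kind = "redirect"    # internal link: works, but costs a 301 round trip
            else:
                continue
            self.findings.append((kind, tag, value))


def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; www.example.com stands in for the site being migrated.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<script src="//cdn.example.com/app.js"></script>
<script src="HTTP://www.example.com/legacy.js"></script>
<img src="http://www.example.com/logo.png">
<a href="http://www.example.com/about/">About</a>
<a href="http://other.example.org/">External</a>
"""

if __name__ == "__main__":
    for kind, tag, url in find_insecure_refs(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind:8} <{tag}> {url}")
```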

https & SSL Web server config

Because is hosted on Synthesis, we didn’t have to do much to allow for SSL with full support for SPDY, as they took care of all the details for that, which is only part of the reason we love them. For we had to do it ourselves, which meant re-compiling our NGINX with SPDY support and a few more bits and bobs. For most people it’s probably a better choice to either go with a smart hosting provider like Synthesis or hire someone to do this for you. If you’re not sure whether your current setup supports SPDY, you can use to check, or simply type spdy in Quix.

Whether your current setup supports SPDY is also something we check in our Website Reviews.

We did tweak our setup quite a bit though, as SSL can require more resources on your server and not setting it up properly could lead to load issues and delays. Below are the specific lines from our NGINX config related to the SSL session cache:

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

The next thing to tweak is the list of available ciphers. If you’re implementing this, I’d suggest referring to this article about hardening your web server’s SSL ciphers as it explains in detail some of the settings below. That article is kept up to date so it’s better to check that than the code below, but for reference, this is what we currently use on

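ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); check the article mentioned above for the current list
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;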

Add-on: OCSP Stapling

In the comments there was a question from Jesin about whether we’d implemented OCSP stapling. We hadn’t, simply because I didn’t know what it was. I looked it up and saw several very positive mentions of the topic, for instance this CloudFlare post, so I implemented it straight away.

It means that you send status info about your certificate along with the request, instead of making the browser check the certificate with the Certificate Authority. This removes a large portion of the SSL overhead; the CloudFlare post above explains it in more detail.

I used this guide, but it’s very easy, just add this to your NGINX config (this uses Google’s DNS for resolving and assumes your certificate file contains the entire certificate chain):

ssl_stapling on;
ssl_stapling_verify on;
# Google's public DNS servers, used to resolve the OCSP responder's hostname
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;

Strict Transport Security header

One of the other cooler things you can do is add a Strict Transport Security header. This will force the browser to load all subsequent requests from the same host over https, even when you’ve linked to http.

In NGINX, you add this like this:

# This forces every request after this one to be over HTTPS
add_header Strict-Transport-Security "max-age=31536000";

For other servers, including Apache, check the Wikipedia page on the Strict Transport Security header, more specifically the implementation section. Note that if you run subdomains, you could also add those, but unfortunately not ALL our subdomains are on SSL yet, so we haven’t been able to do that yet. Luckily, our friends at MaxCDN were nice enough to turn it on for us.

BTW if you’re wondering why I use MaxCDN, their new tools site shows nicely how fast the already blazing fast is in comparison to, which is running at rocket speed, compare the two here. That tool is pretty useful to compare two sites in speed.

SSL test

If you’ve done the above correctly, you should be able to pass the Qualys SSL test with flying colors, we sure do. If you use Quix, you can run that test on any domain simply by typing the command ssltest. I think you should aim for at least A in this test, though A+ is easily achievable when you add the above Strict Transport Security header.

Actually, we also do these SSL tests in our Website Reviews for you!

Redirect from http to https

This last bit will help you tremendously when you’ve not updated every single link in your site yet. You can just add a straight server level redirect from http to https. In NGINX, we do this by having two servers defined in our config, the “right” one, that listens on port 443 and a simple one that listens on port 80 (normal http) and has just this:

server {
    listen 80;
    # example.com is a placeholder for your own hostname
    return 301 https://example.com$request_uri;
}

This seems to be the fastest way of doing this in NGINX. In Apache you’d do something like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
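
The redirect and the Strict Transport Security header can be verified together once both are in place. The check below is an added example, not code from the original post: it takes the plain-http and https responses for one URL as `(status, headers)` pairs and reports what is wrong with the move. The URL and the sample responses are constructed, with `www.example.com` as a placeholder host.

```python
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')       # the number may be sent as a quoted string
            max_age = int(arg) if arg.isdecimal() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_https_move(url, http_resp, https_resp):
    """List problems with the move. Each response is (status, headers), header names lowercase."""
    problems = []
    want = urlsplit(url)
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        problems.append(f"http answered {status}, not a permanent 301")
    if target.scheme != "https" or target.hostname != want.hostname:
        problems.append("redirect does not point at https on the same host")
    elif (target.path, target.query) != (want.path, want.query):
        problems.append("redirect drops the requested path or query")
    # Browsers ignore HSTS received over plain http, so only the https response counts.
    max_age, _ = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if not max_age:
        problems.append("https response sets no HSTS max-age above zero")
    return problems


# Constructed responses for one URL on a placeholder host.
URL = "http://www.example.com/blog/?page=2"
GOOD = ((301, {"location": "https://www.example.com/blog/?page=2"}),
        (200, {"strict-transport-security": "max-age=31536000"}))
BAD = ((302, {"location": "https://www.example.com/"}),
       (200, {"strict-transport-security": "max-age=0"}))

if __name__ == "__main__":
    print(audit_https_move(URL, *GOOD))
    for problem in audit_https_move(URL, *BAD):
        print("-", problem)
```

A redirect that sends every request to the home page passes a casual browser test but fails here, which is the case that loses inbound deep links.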

What type of SSL certificate should you get?

In my opinion, if you’re going to invest serious time in doing this, it’s only worth it when you make sure you get the maximum benefit. With Extended Validation certificates you get the green address bar, which is what you want:

extended validation SSL certificate

If you think that’s expensive, think again. For instance here at Namecheap an EV SSL cert could cost you as little as $139 a year, so go for that but be sure to check their different offers if you have multiple domains. Of course if you’re cheap you could get just a domain validation certificate which would cost you like $9 a year.

So… Should you move your website to https?

If you’re a web shop or otherwise transactional website you probably already have SSL for your checkout. If so, moving your entire website to https makes a LOT of sense to me, it’s probably actually easier to maintain and makes sure that you’re doing everything to make sure your SSL traffic (and thus the most important section of your site) is as fast as possible.

If you’re a purely informational website you might not need to make the move, but if some of that information could be privacy sensitive, I think it’d be a good idea to implement SSL anyway.

Would love to hear your ideas on moving your website to https and SSL in the comments!

39 Responses

  1. André Scholten
    By André Scholten on 16 April, 2014

    Great post Yoast. Did some research and testing a few weeks ago. But as soon as I turn my site to SSL the WPML plugin for WordPress completely messes up the links and posts per language. First some debugging.

  2. Natan
    By Natan on 16 April, 2014

    Thanks so much for the update and advice!

  3. Stijn
    By Stijn on 16 April, 2014

    Am I wrong to assume that, if everyone runs https, you’ll have a hard time interpreting your analytics and referral data?

    • André Scholten
      By André Scholten on 16 April, 2014

      On the contrary: you will track some extra referrals from other HTTPS sites that you weren’t measuring before. Other than that, nothing will change.

  4. Rene
    By Rene on 16 April, 2014

    Hi Joost,

    Great article again. I have a webshop with only SSL on checkout and account. The reason for this is that I heard that SSL makes the webshop slower. Is this true?

    • Joost de Valk
      By Joost de Valk on 17 April, 2014

      Hi Rene,

      It’s slightly slower if you don’t configure it right and for older browsers it’ll always be slightly slower. For modern browsers it’s actually faster. Tell me, did this site feel slow to you? :)

  5. David
    By David on 16 April, 2014

    Heads up Yoast, you can actually enable SSL on shared hosting environments if they support Server Name Indication

  6. Ryan Smith
    By Ryan Smith on 17 April, 2014

    I’m working on moving my site over now. The one thing I’m not sure about is letting google know about the change. In my webmaster tools I already have the site listed without the http. Do I need to add the https address of my site in webmaster tools and then submit a change of address?

    • Joost de Valk
      By Joost de Valk on 17 April, 2014

      I’ve done nothing like that, just did a 301 and then re-registered with the new address.

      • Tony
        By Tony on 21 April, 2014

        so do you have now and in GWT or did you remove the previous http profile?

        I guess you also changed it in GA?


  7. Ryan Smith
    By Ryan Smith on 17 April, 2014

    Could you also tell us how you did the trick of moving to https on your site without losing your Facebook likes and Google+1s. The Facebook like box in wordpress works on the current page and it views the https site as a different page. Thanks!

    • Joost de Valk
      By Joost de Valk on 17 April, 2014

      I did absolutely nothing for that, so we lost some counts.

      • Edwin van Thiel
        By Edwin van Thiel on 17 April, 2014

        I especially see the benefit of moving to SSL for gaining additional trust with our visitors, but some pages have thousands of likes and those bring trust too. Is it possible at all to move to https AND keeping likes counts (and tweets, G+, etc…)?

        • Ryan Smith
          By Ryan Smith on 17 April, 2014

          Are you sure there isn’t some way that you kept the Facebook likes because it seems like they would be gone for your old posts, unless they are just all new likes. Perhaps your plugin you are using for your social box handled the change automatically and kept showing the likes for http instead of https

          • Joost de Valk
            By Joost de Valk on 17 April, 2014

            No, didn’t do anything, social buttons are my own code. Facebook does follow 301 redirects though :-)

  8. Clifford P
    By Clifford P on 17 April, 2014

    Great stuff, especially with SPDY information.
    This post from 1.5 years ago is still relevant and might help those who decide to make the switch:

  9. Chris
    By Chris on 17 April, 2014

    Did you lose Domain Authority?

  10. Robert
    By Robert on 17 April, 2014

    Good write up, I’m dealing with the messiness, and the want to move to HTTPS, I am a web shop, and most of my services are Gravity Forms that ask for information that should be transferred over HTTPS, and I’m moving to Stripe and PayPal Pro, so I’m going to need an SSL anyway, so yes it made sense to me a while ago to just do everything in HTTPS.

    It’s downright messy though, and I’m doing it slowly…right now you can load anything on my site in https, but I don’t force it cause half the content is mixed blurg!

    One thing I would add to users who are going through the transition, is that with most embeds [youtube, etc, etc] you can simply leave out the protocol and it works well… I suspect your rewritengine trick does this. I have a lot more to muck around with before I really grok this, but thanks for the info.

  11. Sal Surra
    By Sal Surra on 18 April, 2014

    I’ve been considering this for sites that I manage as well. Not only for the benefit of rankings, if that ever becomes a factor, but for the overall experience and trust. In theory, it makes sense that sites that have ssl are more trusted than sites that don’t and spammers will not likely purchase ssl for sites that they burn-n-turn. This means that the sites that do go through the process of adding ssl will be more legit and trusted than the ones that are fly-by-night. I, for one, don’t see any reason why sites wouldn’t want to move the ssl if they have the budget and audience to support it. Personally, I can see a strong case for Matt and think that it’s only a matter of time before that move becomes official.

  12. Vijayraj Reddy
    By Vijayraj Reddy on 18 April, 2014

    I did not know SSL sites would rank better in Google… I have to think to upgrade now…

    • Wouter Blom
      By Wouter Blom on 25 April, 2014

      This is not what Google said: They said it would be nice if more websites would go ssl. And they suggested that in the future it might be a ranking signal.

      • Joost de Valk
        By Joost de Valk on 25 April, 2014

        Nor did I say that, for the record :)

  13. Andrew Obrigewitsch
    By Andrew Obrigewitsch on 18 April, 2014

    Great article. I want to do this to my site, but I just don’t have the time right now. What were the speed improvements?

  14. Zak Venturo
    By Zak Venturo on 19 April, 2014

    I know a lot of folks are thinking about this from a web shop perspective. I just wanted to add this thought…

    Running a landscaping business, with clients concerned about a license and bond, SSL has become important even if it is just the public perception benefits.

  15. IT Company Dubai
    By IT Company Dubai on 23 April, 2014

    It’s downright messy though, and I’m doing it slowly…right now you can load anything on my site in https, but I don’t force it cause half the content is mixed blurg!

  16. Jimi
    By Jimi on 24 April, 2014

    My site just recently went live so it may be easier to move to SSL now rather than later. It’s purely informational at the moment but I may soon allow visitors to book reservations. I’m expecting a lot of traffic from mobile devices. How will SSL impact mobile access?

  17. Mandar Karanjkar
    By Mandar Karanjkar on 25 April, 2014

    Very useful information.
    Thanks a lot for sharing in a nice way!

  18. Glenn
    By Glenn on 27 April, 2014

    Just installed Yoast, activated the plugin but when we go to EDIT a page in the page listings in WordPress we get a blank.. i mean nothing… any clues anyone ?

  19. Jesin A
    By Jesin A on 27 April, 2014

    What is your take on OCSP stapling for better performance?
    I find that you have not implemented it.

    • Joost de Valk
      By Joost de Valk on 27 April, 2014

      I actually didn’t know about OCSP stapling, but looked it up and immediately implemented it :)

  20. Neill Watson
    By Neill Watson on 28 April, 2014

    Great post. I’ll be moving Historic Racer to SSL, as I’m planning online sales. A question ref the 301 redirect. Does the line:
    return 301$request_uri;
    Mean that you don’t need to create a huge htaccess file full of redirects? This is one of my key worries, of losing inbound links from other websites / forums that provide traffic

  21. Fred
    By Fred on 28 April, 2014

    I appreciate the article because there is a lot involved I didn’t realize. I recently moved my entire site to https and I’ve been employing an EV SSL since I launched last year. I’ve been using MaxCDN and Cloudflare from the get go, but the other fixes mentioned are over my head. Any suggestions where a guy like me can turn to for professional help?

  22. Kamal Pandey
    By Kamal Pandey on 30 April, 2014

    Great hack! Another SEO tip for ranking higher in search engine.

  23. adriaan
    By adriaan on 20 September, 2015

    Also made the switch to SSL, if I hadn’t installed some stupid “ssl plugins” to help me fix the images instead of just a search -> replace for the absolute URLs of images (why wordpress…., use // instead of hostname!!)

    “trial certificate” from comodo to test things out, if I didn’t have the trouble with the image links I could’ve done it in less than an hour on my vps. And I’m not even an “it” guy, just a person who is interested in the IT business, with no relation to it.

    Got an A mark from SSL labs so I think everything is great now (thanks to your article!!). Also 301’s start to work ( @ google already shows some https links)

    Thanks Yoast, you made me do the switch to SSL, the certificate costs are reasonable now, a full HTTPS web is what we should aim for!

  24. Lori Newman
    By Lori Newman on 26 September, 2015

    We also made the move recently. Wish I had read this article first. Went through some issues with which ssl certificate to use and not to but in the end we are glad we did it. Thanks for the tips!

  25. Frank Egberts
    By Frank Egberts on 1 October, 2015

    We are currently working on a move to https. This article is a great help for us.

    So for google webmaster tools just add the new domain to a new account is enough? What about the old account, just let it be?

  26. Paul
    By Paul on 5 October, 2015

    Great article! If I move my site to https, do I need to setup new Google Analytics properties or can I just update http to https in my existing property? Same question with Google Webmaster?