Making the Switch to HTTPS: How and Why

If you’re a regular internet user, chances are you’ve noticed the big green text in your browser window that lets you know a site is safe:

This little green padlock and highlighted https text snippet signals that the site you’re connecting to right now is certified as one that’s using a secured connection to process your data. Anything that you send is sent through an encrypted connection that makes it much more difficult for third-party groups to skim the data off the top and use it for whatever nefarious purposes they’ve got in mind.

This is obviously a good thing for all parties: users can make sure that their data is safe and protected, and website owners can relieve themselves of potential liability for data that gets captured by malicious parties.

Google is pushing for the switch to HTTPS

Google thinks HTTPS is a good idea too, which is why they’ve made HTTPS a positive search ranking factor in their algorithm. At the moment it’s considered a relatively weak signal, but they’ve indicated the potential to increase its weight over time, with the goal of getting all sites switched over eventually.

The positive ranking signal, though, was only step one. Step two in encouraging this switch is, as per Google, more transparency for users of Google Chrome: the browser will highlight the fact that the website in question is being served over HTTP.

Users with a Google Search Console account have started to receive emails like the following warning of the upcoming changes:

Google warning to switch to HTTPS

The relevant part here is as follows:

Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode.

While this is limited only to Google Chrome, it’s worth noting that Google Chrome currently (as of the time of this writing) occupies over 54% of the browser market share.

So what does this mean for the legal industry?

For those in the legal industry, in particular, this change is incredibly important. If your website was built with the intention of optimizing around case intake forms and conversions (which it should be), the primary metric you’re keeping track of will be case evaluation forms.

Consider the following industry standard type case evaluation form:

case evaluation form

Three of the most valuable fields in that form are name, email, and phone number — it’s no coincidence that each of these fields contains sensitive information that will trigger a warning via Chrome when a user begins to type in them.

You know the state of mind many people are in when they’re in search of a lawyer. Emotions are high, and more often than not it’s safe to say that being a bit on edge during the time of inquiry is almost to be expected.

Consider now that a prospective client is about to hand you their personal information in such a state, and receive in exchange a big and bold warning stating that the site they’re giving their information to isn’t secure or safe. If I were a gambling man, I’d bet you’ve got yourself a roughly 70/30 chance of losing that potential client as a result.

So how do I switch to HTTPS?

Armed with this knowledge, and the idea that moving toward HTTPS is the general direction the internet is heading, it makes sense that hopping in and making the switch would be the wisest course of action.

But I’ve got some bad news: It’s a pretty tricky procedure.

Note: We’re working with WordPress Engine as our host, so these directions may differ slightly based on your hosting platform. WordPress Engine tends to make the job a bit easier, so on other hosts there may be some extra steps you’ll need to do to finish the process.

That said, here are the steps you’ll want to take in the switch to HTTPS.

Step 1: Find yourself a certificate

An SSL certificate is basically like a license that shows you’ve got a valid and maintained proof of a safe connection, and it enables you to activate your HTTPS protocol on your website. There are a few different ways to obtain one of these certificates, most of which should be explained through your site’s hosting platform.

As far as the certificates themselves go, there are a few different options:

  • Let’s Encrypt: These certificates are free, and generally prove to be the recommended type for most websites out there. They’re pretty easy to install and renew, so maintenance is on the lower end. These are only good for one domain at a time, so if you’ve got a subdomain you’re trying to use it on you’ll need one for each variation.
  • RapidSSL: These are the first tier of paid certificates, costing roughly $199/year. If you’ve got a bunch of subdomains or domain configurations, the wildcard setup will let you cover each of them under the single certificate. These will have a renewal process attributed with them that’ll need to be done — and paid for — on a yearly basis.
  • Extended Validation Certificate (EV SSL): These certificates provide the highest levels of encryption, and are said to have the most security and trust. If you’re processing a lot of payments, or similar super-sensitive information on your website, this may be a good choice for you.

In 9 cases out of 10, a Let’s Encrypt standard certificate will be more than plenty to accomplish what you’re going for, and that’s what we use, too. There are more options out there even on top of these, but that gets a bit more complicated the farther down the rabbit hole you go.

Once you’ve made your choice of certificate, you should receive instructions on how to bring that over to your website. WordPress Engine will import it automatically for you if done through their interface, but other platforms might require a manual import.

Step 2: Adjust your DNS settings

You’ll next want to do a quick check of your domain registrar’s DNS settings to make sure that everything there is set up properly. Often, you’ll find the A-record is set up with the site’s address in the @ field; if that’s the case for yours, you’ll want to change that accordingly so it’s as accurate as possible.

With WordPress Engine, all sites are hosted on an address that automatically resolves to your website and fills in the appropriate URL structure. If you’re hosting there, putting that address into the @ field will automatically swap out any of that information for you no matter how your URLs change, and is ultimately more of a fail-proof method in the long run, anyway.

Step 3: Configure SSL in your WPE dashboard

Probably one of the easiest steps in this entire configuration: enabling HTTPS!

First, head on over to the SSL section within your WordPress Engine dashboard, which is found here:

From that point, you should have your domains listed just below. You’ll want to click on your primary domain to expand it, then make sure to select that you want to secure all URLs. You don’t want a mixture of some pages being secure and some insecure, especially if there’s a potential SEO boost with having a secured connection.

If you’ve successfully set your DNS records, then theoretically you should have a site that’s just about ready to work with HTTPS! Don’t get too excited, though — there’s a very high chance your links on your website won’t work. That’s a little problematic.

Step 4: Run a Better Search Replace scan to correct any old instances of the URL, then run the SSL Insecure Content Fixer

Better Search Replace is our plugin of choice when it comes to making any sort of database changes, and thankfully it’ll be able to do the brunt of the heavy lifting for you here. As it stands, there’s a good chance that all of your links on your website aren’t working correctly because they’re configured to point toward an HTTP version of the page; we’ll want to fix this to keep everything running uniformly.

After uploading the plugin, you’ll want to head on over to it under Tools -> Better Search Replace. Fill in your boxes as such (with your own website of course), and make sure to select all of your tables so that everything’s fixed everywhere. As far as we’re concerned, the HTTP version of your site no longer exists.

If you’ve got your domain set up to drop the www., you’ll also want to run it that way. Using our domain as an example, the following are the formats you’ll want to search:

  • Find:
    • Replace with:
  • Find:
    • Replace with:

After you’ve finished this, you’ll want to install and run the SSL Insecure Content Fixer plugin that helps to pick up some of the scraps that search and replace may have missed.

Voila! You should now have a working set of links that properly attempt to take you to the secure versions of your pages.

Step 5: Test

At this point, you’ll likely want to do a hard refresh of your browser to make sure that everything gets situated correctly. Check your links, click around a bit, and make sure that everything’s properly handled as far as resolving to the HTTPS version.

While you’re browsing around, there’s a chance you might see that that precious green lock in the top of your browser window isn’t exactly precious or green. There’s another step for that.

Step 6: Run your site through Why No Padlock

The whole point of SSL and HTTPS is to make sure that your entire site is running on an encrypted connection that makes everything on it secure, but oftentimes websites are built with calls to other sites that are necessary to run certain things. If you’re using Google Fonts, your site is making a call to Google to fetch that font. If you’re using a chat program, your site is making a call out to that chat program to make it work.

If any of the sites your website is calling out to aren’t secure themselves, then you can’t quite say that your site is totally secure since it relies on a call to an insecure site to make it function.

This is where Why No Padlock comes in.

This handy site will let you plug your own site into the bar, run a search, and then spit out a ton of text at you that shows all the calls your site is making externally and internally that may not be secure.

A successful run will result in a bunch of bright green check marks and success messages, whereas a fail will single out the individual problematic files like this:

Once you’ve got a list of these problematic files, it’s time for the fun part: manually digging through your site’s CSS and adjusting them. With this example in particular, it’s just a matter of switching up http://fonts.gstatic.etc. to call on the https://fonts.gstatic.etc. instead, thus making sure that even the external calls are being made to secure sites.

Most calls should have a secure alternative to them, but in the event that you find one that doesn’t, you’ll need to either reach out directly to the company that’s responsible to find a workaround, or potentially get a substitute for whatever it is that’s insecure.
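The same check can be run locally against a saved copy of a page. The script below is an added example, not part of the original article or of Why No Padlock: it lists every subresource (scripts, images, stylesheets, CSS url() references) still requested over http://. The function names and the example.test host names are made up for illustration, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute the browser fetches while rendering. <a href> is left out on
# purpose: a link to an http:// page is navigation, not mixed content.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src",
                     "audio": "src", "video": "src", "embed": "src", "object": "data"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.test/site.css">
<style>@font-face { font-family: F; src: url(http://fonts.example.test/f.woff2); }</style>
<script src="http://chat.example.test/widget.js"></script>
</head><body><a href="http://example.test/old-page">old link</a></body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (where, url) pairs, in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            url = a.get("href", "")
        else:
            url = a.get(SUBRESOURCE_ATTRS.get(tag, ""), "")
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))
        self.findings += [(tag + "[style]", u) for u in CSS_URL.findall(a.get("style", ""))]  # inline CSS

    def handle_endtag(self, tag):
        self._in_style = False      # inside <style> the only end tag seen is </style>

    def handle_data(self, data):
        if self._in_style:          # text between <style> and </style>
            self.findings += [("style", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    """Return (where, url) for every subresource still requested over http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE))
```

External stylesheets are not downloaded here, so each linked CSS file needs to be scanned for url() references the same way.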

Step 7: Give your site a run through Screaming Frog, or the equivalent

Screaming Frog is a program that allows you to crawl your website and search for errors; in this case, we’re looking to make sure that old versions of the pages were successfully given 301 redirects.

Note: A 301 redirect simply means that the page has been redirected to a new version of it. Google will take the authority of the previous page, and pass it on to the newly-redirected version.

Seeing as the HTTPS versions of your pages are technically entirely different pages, making sure that the old pages have been 301-redirected to the new ones is absolutely vital for SEO if you want to maintain any of your rankings.

Run your site through a program like this, and take a look into everything there. If you’re seeing a bunch of successful 301 redirects, good job — the hosting platform took care of the heavy lifting for you! If, on the other hand, you’re still seeing a bunch of http:// URLs, you’ll need to individually redirect each of these pages to point to the https:// versions of them. This is insanely monotonous, but at the end of the day, extremely important.
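What a crawler reports for each old URL can be graded with a few rules. The script below is an added example, not part of the original article or of Screaming Frog: it checks that an http:// URL answers with a permanent redirect to the same path on https://, and flags temporary redirects, redirects that land on a different page, and pages still served over HTTP. The function names, verdict labels and example.test URLs are made up for illustration, and the sample crawl rows are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed crawl results: (old http URL, status code, Location header).
SAMPLE = [
    ("http://example.test/contact", 301, "https://example.test/contact"),
    ("http://example.test/practice-areas", 302, "https://example.test/practice-areas"),
    ("http://example.test/blog/post", 301, "https://example.test/"),
    ("http://example.test/about", 200, None),
    ("http://example.test/team", 301, "http://www.example.test/team"),
]

def fetch_redirect(url, timeout=10):
    """HEAD one http:// URL without following redirects: (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def classify(url, status, location, same_site=()):
    """Grade what an old http:// URL answered with."""
    src = urlsplit(url)
    if status not in (301, 302, 303, 307, 308):
        return "no-redirect"            # still served over plain HTTP
    dst = urlsplit(urljoin(url, location or ""))
    if dst.scheme != "https":
        return "redirect-not-https"
    hosts = {src.netloc.lower(), *(h.lower() for h in same_site)}
    if dst.netloc.lower() not in hosts or (dst.path or "/", dst.query) != (src.path or "/", src.query):
        return "redirect-elsewhere"     # e.g. every old URL sent to the home page
    if status not in (301, 308):        # 308 is the other permanent redirect code
        return "temporary-redirect"
    return "ok"

def audit(rows, same_site=()):
    """Map each URL to its verdict; anything other than 'ok' needs a fix."""
    return {url: classify(url, status, loc, same_site) for url, status, loc in rows}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:20} {url}")
```

Pass same_site=("www.example.test",) when the secure site intentionally lives on a different host name than the old URLs, such as a www. variant.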

Step 8: Speed up the indexing process by resubmitting your site to the Google index

You’ve gone through all this work, so it only makes sense that you’d want Google to recognize you for it, right? Making the switch to HTTPS can be a moot point if Google decides it still wants to show you the HTTP versions of your site, and waiting on a Google bot to crawl your page can sometimes take a chunk of time.

We can speed that process up.

Head on over to Google Search Console, and add in the HTTPS version of your site as a new property.

From here, you’ll want to click Crawl -> Fetch as Google:

Click on the red Fetch button:

Click Request Indexing, and then ‘crawl this URL and its direct links’:

That manual push should send your information to Google, and help see the indexing happen just a bit faster.

Step 9: Cleanup

By this point you should have a fully functioning HTTPS version of your website — you’ve done it. It’s been a chunk of work, but you’ll now be set to avoid any blatant pop-ups from Google that scare away your potential clients, and you’ll get a fancy secure badge tacked onto your URL bar.

Unfortunately, you’re not quite done yet. Almost.

For all intents and purposes, you’ve just gotten yourself an entirely new website. Just like with office moves and address changes, changing your website means some work to make sure your identity across the web is as consistent as possible.

Slowly but surely, you’ll want to start scanning the web for any hints of your website’s URL to adjust these from the old HTTP version to the new HTTPS version. Think along the lines of Facebook, Google, and any other places that may have links back to your site.

Some backlinks will be harder than others to change because they’re simply out of your control; don’t panic here, because either way, the person will still make it to the secure version of your site, but their load time, thanks to the redirect that occurs, might be a bit longer than it normally would be. Backlinks within your control, on the other hand, should be systematically changed so that your presence on the web is as consistent as it possibly can be, and so that you’re delivering the most efficient visit possible.

Once everything’s been adequately cleaned, which can take some time, you should be in the clear. This brings us to our final step.

Step 10: Happy hour

No, really. Go take a break, knowing full well that your site is in the secure hands of an encrypted connection, and that your visitors’ data is safe from harm. You’ve worked hard for this. Granted, you might spend the next few weeks wondering about other websites you may have missed in the switch, but you can pluck them out as they show up.

Important note: Some fluctuations in rankings may happen for a little while; give the process some time to level out before panicking. It’ll be all right, secure even.

If, on the other hand, all of this sounds like entirely too much work, and you’d sooner skip steps 1-9 and proceed straight to happy hour, feel free to get in touch with us to see about us handling the process for you.