Changing from http to https SEO checklist

David Ashurst Design - SEO & SEM development

SEO checklist to preserve your rankings

  • Make sure every element of your website uses HTTPS, including widgets, java script, CSS files, images and your content delivery network.
  • Use 301 redirects to point all HTTP URLs to HTTPS. This is a no-brainer to most SEOs, but you’d be surprised how often a 302 (temporary) redirect finds its way to the homepage by accident (see note C)
  • Make sure all canonical tags point to the HTTPS version of the URL. (see note A)
  • Use relative URLs whenever possible.
  • Rewrite hard-coded internal links (as many as is possible) to point to HTTPS. This is superior to pointing to the HTTP version and relying on 301 redirects.
  • Register the HTTPS version in both Google and Bing Webmaster Tools.
  • Use the Fetch and Render function in Webmaster Tools to ensure Google can properly crawl and render your site.
  • Update your sitemaps to reflect the new URLs. Submit the new sitemaps to Webmaster Tools. Leave your old (HTTP) sitemaps in place for 30 days so search engines can crawl and “process” your 301 redirects.
  • Update your txt file. Add your new sitemaps to the file. Make sure your robots.txt doesn’t block any important pages.
  • If necessary, update your analytics tracking code. Most modern Google Analytics tracking snippets already handle HTTPS, but older code may need a second look.
  • Implement HTTP Strict Transport Security (HSTS). This response header tells user agents to only access HTTPS pages even when directed to an HTTP page. This eliminates redirects, speeds up response time, and provides extra security. (see note B)
  • If you have a disavow file, be sure to transfer over any disavowed URLs into a duplicate file in your new Webmaster Tools profile.


Note A: Make sure all canonical tags point to the HTTPS version of the URL.

  1. You pick one of your two pages as the canonical version. It should be the version you think is the most important one. If you don’t care, pick the one with the most links or visitors. If all of that’s equal: flip a coin. You need to choose.
  2. Add a rel=canonical link from the non-canonical page to the canonical one. So if we picked the shortest URL as our canonical URL, the other URL would link to the shortest URL like so in the <head> section of the page:

<link rel=”canonical” href=””>

That’s it. Nothing more, nothing less.


Note B: Implement HTTP Strict Transport Security (HSTS)

If a web site accepts a connection through HTTP and redirects to HTTPS, the user in this case may initially talk to the non-encrypted version of the site before being redirected, if, for example, the user types or even just

This opens up the potential for a man-in-the-middle attack, where the redirect could be exploited to direct a user to a malicious site instead of the secure version of the original page.

The HTTP Strict Transport Security feature lets a web site inform the browser that it should never load the site using HTTP, and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

***FIXES you  can add this to php file (instead of .htaccess)


header(‘Strict-Transport-Security: max-age=15768000’); ?>

OR use this plugin

HTTP Strict Transport Security (HSTS) for WP

Here’s a quick plugin that enables HSTS WordPress-wide. HSTS tells the browser to enforce the use of HTTPS on this website after the first HTTPS visit, avoiding possible further use of HTTP by mistake, that could lead to a MITM attack.

It’s available at


Place into your wp directory wp-content/plugin/hsts.php and enable the plugin in the WP plugin interface. Of course, this plugin only makes sense if you serve WP over HTTPS.

For more information about HSTS see: and

Here is the plugin code for hsts.php file:

< ?php


 * @package HSTS

 * @version 1.0



Plugin Name: HSTS – HTTP Strict Transport Security enforcement plugin


Version: 1.0

Author URI:


function hsts_header()


        isset($_SERVER[‘HTTPS’]) && header(‘Strict-Transport-Security: max-age=15768000; includeSubDomains’);


add_action( ‘send_headers’, ‘hsts_header’ );



Note C: Use 301 redirects to point all HTTP URLs to HTTPS.

Side note.. how to have secure admin – add this to wp config

Just make sure it’s placed above the “stop editing” line as shown below:

define(‘FORCE_SSL_ADMIN’, true);

/* That’s all, stop editing! Happy blogging. */



RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%$1 [R,L]

In many cases, you can also just add those lines to a file named .htaccess in the folder that you want to redirect http to https.

Now, when a visitor types the server will automatically redirect http to https so that they go to

Note: You can also redirect a single page from http to http in Apache by using this in your configuration file or .htaccess file:


https just for specific page option 1:

RewriteEngine On
RewriteRule ^apache-redirect-http-to-https\.html$ [R=301,L]

NOTE: <IfModule mod_rewrite.c> … </IfModule>

These  tags are not necessary for mod_rewrite, as unknown directives are not interpreted, so it is more or less a style thing.

The tag can also used to perform test for not available modules with <IfModule !mod_rewrite.c>, so that you can use some other directives in that case.


https just for specific page option 2:

If you are familiar with mod_rewrite and regex a little bit, you should have no problems reading these rules — comments are present explaining what particular rule does. the rest — regex basics:

Options +FollowSymLinks -MultiViews

RewriteEngine On

RewriteBase /

# force https for /login.php and /register.php

RewriteCond %{HTTPS} =off

RewriteRule ^(login|register)\.php$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# don’t do anything for images/css/js (leave protocol as is)

RewriteRule \.(gif|jpe?g|png|css|js)$ – [NC,L]

# force http for all other URLs

RewriteCond %{HTTPS} =on

RewriteCond %{REQUEST_URI} !^/(login|register)\.php$

RewriteRule .* http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  1. These rules need to be placed in .htaccess in website root folder BEFORE any other rewrite rules (if such present). If placed elsewhere some small tweaking may be required.
  2. They will
    • force HTTPS for /login.php and /register.php,
    • do nothing for images, css styles and JavaScript files (to be precise, for files with those extensions)
    • and will force HTTP for all other URLs
  3. You can easily add other URLs to that list — just edit existing rule by adding additional file name to the list (the same text in 2 places: 1) to force 2) to exclude)
  4. File names are case-sensitive. So these rules will not work if /LOGIN.php is requested (Apache will not serve it either, as Linux is case-sensitive OS .. so no need to worry much here).
  5. Obvious thing: mod_rewrite should be enabled and .htaccess files needs to be processed by Apache (some website hosting companies disabling them for performance and security reasons).



Redirect all requests to either HTTP or HTTPS

This method checks if HTTPS is enabled and then redirects all requests to HTTPS:

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTPS} on

RewriteRule .*$1 [R=301,L]


Note: edit the to match your own domain. To change this technique instead to redirect from HTTPS to HTTP, change the RewriteCond to off and replace https with http in the RewriteRule.



Now we’re going to set a 301 redirect so that anyone visiting your site will be automatically redirected to your secure site using https instead of http.

Edit your .htaccess file, or create a new one if it doesn’t already exist. If you already have one, place the following code above everything that’s already there.

Don’t forget to replace “” with your domain and make sure that you enter in the correct server port if yours isn’t 80.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L] </IfModule>

Setup SSL and WordPress HTTPS on Exclusive Pages

Now if for some reason, you only want to add HTTPS and SSL on specific pages of your site, then you would need the plugin called WordPress HTTPS (SSL).

Other sources of information

How to Use SSL and HTTPS with WordPress

HTTPS for WordPress

Info from Goggle: Move a site with URL changes

This article describes how to move your site by changing the URLs of the website. In this case, you want Google to index your content under new URLs, and to surface these new URLs in our search results. Examples of this kind of site move include:

  • URL changes from HTTP to HTTPS
  • Domain name changes such as to or merging multiple domains or hostnames
  • URL paths changes: >, or >

Overview of 4 steps

Make sure Google can index and serve your content under your new URLs


Migrating social share counts

When migrating to HTTPS, you often want to preserve you social share counts. These are the numbers that display in social share buttons.

These counts don’t impact your rankings (as far as we know) but they act as strong social proof, and it’s frustrating to migrate a page with thousands of tweets and likes only to see them reset to zeros.


Website references

Website Design and Development toolbox – changing from http to https SEO checklist by professional Graphic Designer and Website Designer. David Ashurst Design, Springwood QLD 4127

Comments are closed.

Affordable creative website, graphic and logo design for small business by Springwood, Brisbane based freelance web developer and graphic designer.