This isn’t about how your website is designed — as you note, the HTML doesn’t change. It’s about how your site is hosted.
When you use https, the connection requested by your browser is different. Behind the scenes, https is a completely different protocol than http. Your web server needs to understand and support that for your site.
How you make that happen isn’t standard, but it is getting easier.
Https depends on your host
Like desktop computers, internet servers can run any number of different operating systems. A variety of versions of Linux are most common, though there are Windows servers as well as other operating systems.
Just as there are several different word processors available for your desktop computer, there are several different web server packages to handle website management. Apache is the most common, on both Linux and Windows; Nginx is also common, as is, of course, Windows’ own Internet Information Services (IIS).
To further confuse the topic, there are also server management packages used by web-hosting companies to manage multiple websites hosted on the same server. These packages — Web Host Manager (WHM) (aka cPanel) being the most common — configure specific websites and other website administrivia, including https.
Ask Leo! runs on Apache software running on a CentOS (Linux) distribution, managed by cPanel. Setting it up as https was a configuration process within cPanel.
The one thing common across all HTTPS websites is what’s called a “secure certificate.”
In the past, you’ve needed to purchase your own secure certificate, but — again, depending on your web host — there are now automated processes that can generate and install a secure certificate for free.
A certificate is that bit of encryption technology that makes a website secure. It encrypts the data as it travels between the browser and the website. More importantly, a certificate confirms to the browser and website visitors that they are actually connecting to the site they think they are.
Anyone can get a free certificate. If your site is processing payments or otherwise handling sensitive data, you may want to pay for a more rigorously validated certificate to provide additional security assurance to your visitors. If all you do is provide content, however, a free certificate may be all you need.
Is HTTPS necessary?
In the past, the answer has been “only if you’re processing sensitive data”. That answer has changed, kind of.
Search engines, specifically Google, now include your site’s availability over https as one of the more than 200 signals used when deciding where to place your site in search results. All else being equal[1], a page delivered via https is said to rank higher than one delivered via http.
Bottom line: talk to your web host
Exactly how you set up your site to be https, including whether free certificates can be used, depends entirely on your web host. The process can range from simple to complex, but they’re the ones that should be able to help you.
The good news here is that https is more and more common, and most web hosts are ready to help.
Footnotes & References
1: All else is never equal, but the sense is that https is a positive signal to Google, while non-https is a neutral signal.
28 comments on “How Do I Change My Website to Be an https Secure Site?”
Hi, Leo. When I first started using Facebook, I wanted to surf in a secure manner so I simply clicked on the browser and added an ‘s’ to HTTP. Was I changing the site to a ‘secure’ site or just wasting my time? Thx for everything over the years, Leo.
Your username and password can be captured as you log into Facebook, so it would be best to turn on the security feature inside your account. Here’s a great article from Leo explaining how to do that: http://ask-leo.com/how_do_i_turn_on_https_in_facebook.html
A great article! Thanks, Connie :o)
Thank you for this article Leo.
For the last few weeks, GA has been bugging me that I have an “invalid default url”, but I haven’t changed anything in that area for many years (www.spaco.org). I am not very good at all this, so it took me a while to find that (apparently) the problem is that I don’t use https. After reading your article and since I don’t sell more than a few very specialized items (4 or 5), using PayPal, I’ll simply put up with the GA complaint.
Must say I am very disappointed. Your post title “How do I change a website to be an https secure site?” gave me hope, but I learned nothing worthwhile…
It’s not true that you necessarily have to purchase a certificate. StartSSL can give you a domain-validated (DV) certificate (the simplest form of certificates) for free. In summer 2015, there will be a new certificate authority, Let’s Encrypt that will also give free certificates and further simplify the process of their installation.
You will only need to purchase a certificate if you want it to confirm something beyond your possession of a domain name (for example, your organization’s name).
On my site I accept credit cards for the purchase of a subscription. A friend noticed when signing up it was http:// not https://
I have a certificate from Go Daddy, is this enough?
If you’re transmitting in http not https then the certificate isn’t being used. It can get complex so you want someone who knows what they’re doing to review your setup.
How do I get the certificate for free? I have a blogging site, but now I’ve decided to open an e-commerce site. Is it necessary to buy an HTTPS certificate?
Right now certificates cost. I’m under the impression that the EFF (eff.org) is working on a program to make some available free.
Thanks for the article, Leo! I understand that for security of the website, it’s good to have HTTPS; but I’m not sure if I change the http to https, would I lose most or all of the website back links? Most of the links from other important websites go to my Homepage. So what do I need to do in order to have https besides keeping the links?
It’s a tad technical, but basically you need your web server to automatically redirect http to https. Every link on askleo.com works as http or https – in part for the backlink reason. It’s just that when an http request is made the server automatically redirects the requesting browser to the same location via https instead.
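A check for the redirect behaviour described in the reply above, as an added example that is not part of the original page or of Ask Leo!'s setup. The example.com URLs and the function names are constructed, and treating 301/308 as the wanted (permanent) status is this example's assumption.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}        # permanent redirects
TEMPORARY = {302, 303, 307}   # temporary redirects

def _bare(host):
    """Hostname without a leading 'www.', so example.com == www.example.com."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit_redirect(http_url, status, location):
    """Return a list of problems with the server's answer to an http:// request.

    http_url: the plain-http URL requested (for example an old backlink)
    status:   HTTP status code of the response
    location: value of the Location header, or None if there was none
    """
    if status not in PERMANENT | TEMPORARY:
        return [f"no redirect (status {status}); the page is served over http"]
    if not location:
        return ["redirect status without a Location header"]
    problems = []
    if status in TEMPORARY:
        problems.append(f"temporary redirect ({status}); prefer 301 or 308")
    src = urlsplit(http_url)
    dst = urlsplit(urljoin(http_url, location))  # Location may be relative
    if dst.scheme != "https":
        problems.append(f"redirect target is {dst.scheme}, not https")
    if _bare(dst.hostname) != _bare(src.hostname):
        problems.append(f"host changes: {src.hostname} -> {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query not preserved; deep links will break")
    return problems

# Constructed sample: one backlink and four possible server answers.
LINK = "http://example.com/articles/https-setup?ref=feed"
SAMPLES = [
    (301, "https://example.com/articles/https-setup?ref=feed"),  # correct
    (302, "https://example.com/"),          # temporary, and dumps to home page
    (301, "/articles/https-setup?ref=feed"),  # relative: stays on http
    (200, None),                              # no redirect at all
]

if __name__ == "__main__":
    for status, location in SAMPLES:
        print(status, location, "->", audit_redirect(LINK, status, location) or "ok")
```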
Why not simply sign up to Cloudflare? They offer highly secure SSL, your site is faster and you go through no disruption. It’s a no-brainer.
Google has announced that sites that don’t use HTTPS will appear lower in search results than those that do. I suppose that this is Google being a benevolent Uncle and encouraging us all to do the right thing, but it’s going to mean that a lot of charitable web sites (like the one I manage) will have to spend money on a certificate in order to improve their chances of being found on the internet.
Actually there are now services that will provide certs for free. I don’t recall the source offhand, and it’s a tad early (and it’s a tad complicated from what I remember), but I think this problem will solve itself over time.
We have a carpet website hosted by Thomson. I have been told that we need to change from http to https as soon as possible for safety and for Google search. However, the cost is £275. Our website is for information only – we don’t take payments etc. Any advice? Many thanks.
You don’t have to. Yes, Google prefers that you do, and https is one (of 200?) different factors affecting where you appear in the search results. But it’s not a requirement.
What about HTTPS Everywhere? Or is that just for incoming?
A website must first support https in order for https everywhere to work. (All it does is know which sites do support it and quietly send you to the https site if you accidentally type just http.)
GoDaddy just takes your money when you buy an SSL Certificate and provides no assistance to get it installed. They have a page where they tell you to put a file on your site — poorly. It’s gibberish only a web professional can understand. As usual the computer industry seems to think that everybody understands jargon. As best I can tell, for websites that do not sell anything online, SSL is unnecessary and pretty much a scam.
It’s not a scam — it actually does aid some amount in privacy (people can’t snoop in on the questions you might post to my Ask Leo! question page, nor can they see which Ask Leo! pages you’re interested in). More importantly from the web site owner’s perspective, Google simply prefers it.
My hosting company [siteground.org] suggested that I should turn on HTTPS: for my WordPress site. I went into cPanel and turned it on. If I recall correctly, it wasn’t a big deal at all, but if it were, they have good tech support. Now, if someone types my domain it automatically goes to the secure site. Even if they typed in the complete HTTP:// www.*****.*** it would transfer them to the HTTPS: site.
Once you have a certificate from your host you then need to be sure every absolute reference to things loading from your site; like images, scripts, etc.; all begin with https or the padlock will not display and the address will revert to http. A tech at Go Daddy gave me this site to check for any offending links, whynopadlock.com.
Actually that’s not quite true. There are techniques — I use them here on askleo.com — to automatically redirect any incoming http:// references to the appropriate https:// reference, which means that regardless of how the link is written, you’ll still end up at the https site w/ padlock in place.
I’m having several horrible issues. A few months ago an Apple iPad and an lk9 phone signed into 5 of my email accounts. The iPad is gone but the lk9 gets back in. I’ve been a victim of identity theft. My passwords are changed daily. My settings are constantly changed. My photos, texts, calls are missing and/or exposed. I have no privacy!!!! I’ve reported it to everyone possible. I own an Aristo 2, nothing else. My language was changed from English to Japanese. My home wifi and router are both hacked. My voicemail wasn’t working. My apps and app permissions are always changed. Something has to be done!!!! Bluetooth keeps getting reinstalled, as others I remove. Any advice??? I am going to file a police report as soon as anyone figures this out.
If you can still get into your accounts, to fully make them your own again, follow the instructions in this article:
Email Hacked? 7 Things You Need to Do NOW
I have a small website I use to upload assignments for my students. I recently got an email from my hosting company informing me of my SSL certificate. I didn’t have to do anything. Now my website is https for free.
Some companies supply them for free these days, and they are extremely easy to use. Sounds like you have a good one. I have one client who has to go through a painful renewal and re-certification each year. So it depends totally on the registrar involved.