HTTPS and SSL: Migrate Without Losing Rankings

Publication date: 08.06.2026 10:33

HTTPS is not just a padlock icon. Google confirmed it as a ranking signal in 2014, and Chrome has flagged HTTP sites as "Not Secure" since 2018. Below is a step-by-step migration guide that keeps your traffic and rankings intact.

Contents

  1. What is SSL/TLS and HTTPS: how encryption works
  2. How HTTPS affects Google rankings
  3. HTTPS and user trust
  4. SSL certificate types: DV, OV, EV
  5. Migration checklist: 8 steps
  6. Common migration mistakes and how to avoid them
  7. How to verify your HTTPS setup
  8. What to do after the migration
  9. Case study: 40% traffic loss recovered in 2 weeks
  10. FAQ

What is SSL/TLS and HTTPS: how encryption works

HTTPS (HyperText Transfer Protocol Secure) is HTTP with encryption via the TLS (Transport Layer Security) protocol. The term "SSL" stuck in common use, but SSL as a protocol was deprecated in 2015. All modern websites use TLS 1.2 or TLS 1.3.

When a browser opens an HTTPS page, a TLS handshake takes place:

  1. The browser requests a certificate from the server.
  2. The server sends the certificate, signed by a Certificate Authority (CA).
  3. The browser validates the signature and establishes an encrypted channel.
  4. All subsequent data exchange is encrypted — an attacker cannot read or tamper with data in transit.

From an SEO and security standpoint, your server must support TLS 1.3 (fastest and most secure) and disable outdated SSLv3 and TLS 1.0/1.1. Protocol versions can be verified via SSL Labs — a free tool from Qualys.

TLS Handshake: secure connection diagram Browser Chrome / Firefox Server Nginx / Apache 1. ClientHello (TLS version, ciphers) 2. Certificate + ServerHello 3. Encrypted session key Secured
Simplified TLS handshake: the browser and server exchange keys before transmitting any data

How HTTPS affects Google rankings

In August 2014, Google officially announced HTTPS as a ranking signal. Initially the effect was minor — "less than 1%" of all ranking signals. By 2025, the landscape looks different.

According to Semrush and Ahrefs data, over 99% of sites in Google's top 10 for commercial queries run on HTTPS. An HTTP site ranking in the top 10 is a rare exception for very low-competition niches. HTTPS alone doesn't automatically lift rankings — but its absence is a trust signal deficiency that Google factors into the overall quality assessment.

The more immediate practical impact: Chrome 68+ displays a "Not Secure" warning for every HTTP page. Visitors see this warning and leave — and the rising bounce rate tells Google the page is low quality, which directly affects rankings.

Our experience: among SEO-Factory clients who came to us with HTTP-only sites, 7 out of 10 saw organic traffic grow by 8–22% within 60 days of switching to HTTPS — without any other changes. The prerequisite: correct redirects and zero mixed content.

Make sure that after the migration your Core Web Vitals haven't worsened — LCP, INP and CLS affect rankings alongside HTTPS.

HTTPS and user trust

The padlock in the browser bar is the first thing users notice before entering personal data or completing a purchase. A 2023 GlobalSign study found that 84% of shoppers abandon a purchase when they see a site is not secure.

We saw this firsthand with a plumbing supplies e-commerce client. Before HTTPS, cart-to-order conversion was 1.4%. One week after SSL installation — 2.1%. No changes to UX or pricing. Users simply stopped being deterred by the browser warning.

HTTPS also protects against man-in-the-middle (MITM) attacks, where a carrier or attacker on a public Wi-Fi network injects ads into page content or intercepts form data — a real risk for sites handling any sensitive input.

SSL certificate types: DV, OV, EV

Certificate choice depends on site type and budget. For SEO, the type is irrelevant — HTTPS presence is what matters. For user trust and business reputation, the validation level matters.

Type Validation Cost Best for Issuance time
DV (Domain Validated) Domain only Free (Let's Encrypt) — $10–$100/yr Blogs, landing pages, MVPs Minutes
OV (Organization Validated) Domain + legal entity $50–$300/yr Corporate sites, SaaS 1–3 days
EV (Extended Validation) Full company verification $150–$800/yr Banks, large e-commerce 3–14 days
Wildcard DV or OV for subdomains $80–$500/yr Sites with multiple subdomains Minutes–days

Let's Encrypt is a free CA supported by all major browsers. Certificates are issued automatically and renewed every 90 days. Most hosting providers (cPanel, Plesk, DirectAdmin) integrate Let's Encrypt with one click. For 90% of small and medium business sites, it's the optimal choice.

SSL Certificate Pyramid: DV, OV, EV by validation level DV — Domain Validated Blogs, landing pages, SMBs | Let's Encrypt (free) OV — Organization Validated Corporate sites, SaaS | $50–$300/yr EV Banks
SSL certificate hierarchy: DV covers domain ownership; OV and EV add progressive layers of company identity verification

Migration checklist: 8 steps from HTTP to HTTPS

Migrating to HTTPS is a technical operation. Get it wrong and your site can lose 20–60% of traffic for 1–3 months. Here is the sequence we've refined across dozens of projects.

  1. Back up your site. Save files, the database, and server configuration (nginx.conf or .htaccess). Without a backup, rolling back is not possible.
  2. Obtain and install the SSL certificate. Through your hosting panel (cPanel → SSL/TLS → Let's Encrypt) or manually via Certbot on a VPS. Verify the certificate covers all subdomains if applicable.
  3. Configure 301 redirects HTTP → HTTPS. For Apache — add to .htaccess:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    For Nginx — in the server block on port 80: return 301 https://$host$request_uri;
  4. Fix mixed content. Open Chrome DevTools → Console: look for "Mixed Content" warnings. Replace all http:// in <img>, <script>, and <link> tags with https:// or protocol-relative paths (//). For WordPress, use Better Search Replace or WP-CLI.
  5. Update internal links in your CMS. Run a mass replacement of http://your-site.comhttps://your-site.com in the database. For WordPress via WP-CLI: wp search-replace 'http://site.com' 'https://site.com'.
  6. Update your Sitemap and robots.txt. All URLs in sitemap.xml must use https://. In robots.txt, verify the Sitemap directive: Sitemap: https://your-site.com/sitemap.xml.
  7. Add the HTTPS version to Google Search Console. GSC treats http:// and https:// as separate sites. Add a new property (https://), verify ownership, and submit the updated Sitemap. Keep the old HTTP property — it will continue showing 301 data for several months.
  8. Test the certificate and redirects. SSL Labs (ssllabs.com/ssltest) — target rating A or A+. Redirect Checker — the redirect chain must be single-hop: http:// → https:// (not http → http → https).
Pro tip: If the site runs on WordPress and you have phpMyAdmin access — before replacing URLs in the database, use a serialization-aware tool like WP-CLI with the --precise flag. A plain string replace breaks PHP serialized arrays and causes white screen errors.

Common migration mistakes and how to avoid them

We reviewed 40+ HTTPS migrations in 2023–2025 and found the same mistakes appearing repeatedly — each one capable of causing significant traffic loss.

Mistake Consequence Fix
No 301 redirects HTTP and HTTPS indexed as separate sites, duplicate content, split link equity Configure server-side 301 before submitting the Sitemap to GSC
Mixed content Browser shows "Not Secure" despite certificate; HTTP resource blocked Find via DevTools Console, replace all http:// resource references
Redirect chain http → https → www → another version — each hop loses PageRank and slows load time Make it single-hop; verify via httpstatus.io
Sitemap not updated Slow re-indexing; some URLs remain in index as HTTP Submit updated Sitemap via GSC immediately after migration
GSC property not added No visibility into HTTPS errors; cannot submit Sitemap Add https:// as a separate property in GSC
Backlinks still HTTP Minimal impact while 301 is active; risk increases if redirect is ever removed Contact top referring domains and ask them to update the URL

How to verify your HTTPS setup

After completing the migration, run these four checks:

  • SSL Labs (ssllabs.com/ssltest): audits TLS server configuration — protocol versions, cipher suites, certificate chain. Target: A or A+. Grade B or lower indicates outdated protocols or weak ciphers.
  • Chrome DevTools → Console: open any page, press F12 → Console. Orange or red "Mixed Content" warnings mean a resource is still loading over HTTP.
  • Google Search Console → Coverage: after 2–3 weeks, verify that HTTPS URLs appear in the index and there are no errors related to HTTP versions.
  • httpstatus.io: enter an HTTP URL and confirm the redirect is single-hop — one arrow, HTTP → HTTPS.

What to do after migrating to HTTPS

The technical migration is done, but the work isn't finished. Update the following within the first two weeks:

  • Google Search Console: add the https:// property, verify it, submit the new Sitemap.
  • Google Analytics / GA4: update the site URL in Data Stream settings (Admin → Data Streams → edit URL).
  • Google Ads and Meta Ads: update final URLs in ad creatives and extensions. Without this, ads may fail review or lead users through an extra redirect hop (which lowers Quality Score).
  • Email campaigns: update link URLs in all active email templates.
  • Social profiles and directories: update URLs in Facebook, Instagram, Google Business Profile, and relevant industry directories.
  • Backlinks: reach out to your top 10 referring domains and request URL updates. 301s pass link equity, but a direct HTTPS link is more robust long-term.

Monitor traffic via SEO audit and GSC weekly for the first six weeks. If traffic drops more than 15% and doesn't recover — investigate mixed content or redirect chain issues first.

How to set up GSC after migrating to HTTPS and track traffic recovery — in our Google Search Console guide.

Case study: 40% traffic loss recovered in 2 weeks

A regional online hardware store with around 850 indexed pages migrated to HTTPS on their own: they installed the certificate, updated the sitemap, and added the HTTPS property to GSC. But they skipped 301 redirects — their reasoning was that "Google will figure it out."

Three weeks later, organic traffic dropped 42%. The root cause: Google indexed both versions — http:// and https:// — as separate sites. Link equity split between the two, canonicals pointed to http://, the sitemap pointed to https://. Additionally, 180 pages were flagged as "Duplicate without canonical" in GSC.

Here's what we did to recover the lost ground:

  1. Configured server-side 301 for all http:// → https:// (2 lines in Nginx config).
  2. Mass-updated all canonical tags from http:// to https://.
  3. Removed the HTTP sitemap.xml, kept only the HTTPS version; submitted to GSC.
  4. Requested re-indexing for 50 priority URLs via GSC → URL Inspection.
  5. Audited all backlinks (Ahrefs → Backlinks) — 95% already passing through 301; no critical direct HTTP links found.

Within 11 days, traffic recovered to 94% of the pre-migration level. Full recovery took 18 days. The lesson: 301 redirects are step one, not an optional afterthought.

"We spent 20 minutes configuring redirects and 2 weeks recovering from not doing it on time." — client comment after closing the ticket.

If you're planning a migration, see our website promotion service, which includes technical SEO and migration support.

Traffic timeline: drop and recovery after HTTPS migration without redirects 100% 60% 20% HTTPS migration Redirects fixed Week 0 Wk 2 Wk 5 -42% Wk 6 Wk 9 +94% Wk 12 Organic traffic (relative to baseline)
Traffic timeline: 42% drop caused by missing 301 redirects; full recovery in 18 days after fix

In Practice

The client was a microfinance company running an online loan landing page on WordPress — 14 pages, high-intent traffic (queries like "instant online loan no rejection"). After installing Let's Encrypt and submitting the updated Sitemap, form conversion dropped sharply. GSC showed no crawl errors and redirects were working.

Screaming Frog's JavaScript crawl mode revealed the issue: 340 requests still loading over HTTP — the form's JS processing library was pulling from an HTTP CDN endpoint of a third-party payment validation provider. Chrome was displaying a "Not Secure" warning directly inside the personal data input field. Conversion fell 19% in the week before the fix was applied.

The fix took four hours: Screaming Frog exported the full list of HTTP resource requests, the developer swapped the CDN for its HTTPS endpoint and updated two hardcoded URLs in the form plugin config. Lighthouse went from flagging "page is not fully secure" to a clean pass.

A re-index request was submitted via GSC → URL Inspection. Within 3 weeks the conversion rate returned to baseline and climbed a further +11% — the browser warning inside the input field had been the sole friction point preventing users from completing the application.

A 14-page landing site generating 340 mixed content requests is not unusual when third-party services are involved. Screaming Frog in JavaScript crawl mode catches these across the whole site; Chrome DevTools only shows them for the currently open tab. For financial forms, run both: one for full coverage, the other to see exactly what the user sees at the moment they're deciding whether to submit their data.

FAQ

Is HTTPS required for a small business website?

Yes. Chrome has marked HTTP sites as "Not Secure" since 2018 — this reduces conversions and drives visitors away. For online stores, HTTPS is mandatory since payment processors (Stripe, PayPal) require it. Free Let's Encrypt resolves this in 10 minutes through your hosting control panel.

Does the SSL certificate type (DV, OV, EV) affect SEO rankings?

No. Google does not differentiate between DV, OV, and EV for ranking purposes — having HTTPS is what counts. OV and EV add business identity verification that builds user trust, but the ranking algorithm does not factor this in separately.

How long does it take Google to re-index a site after switching to HTTPS?

Typically 2–6 weeks for full re-indexing of a large site. After submitting the new Sitemap via GSC, priority pages appear in the index within 3–7 days. Request indexing for key URLs via Google Search Console → URL Inspection to accelerate the process.

What if organic traffic drops after moving to HTTPS?

Check three things: 1) are 301 redirects from http:// to https:// in place (test via httpstatus.io); 2) is there any mixed content (Chrome DevTools → Console); 3) has the HTTPS version been added to Google Search Console with the updated sitemap. In 90% of cases, one of these three issues is the culprit.

Switch to HTTPS without risking your rankings

SEO-Factory handles HTTPS setup, redirects, and Search Console configuration — with a traffic preservation guarantee. Free technical audit before migration.

SEO site audit  ·  Google Ads advertising

Denys Feshchenko
Denys Feshchenko
An experienced specialist in business promotion via social media and search engines. I work with Instagram, TikTok, Telegram, YouTube, and Google Ads, helping companies attract target audiences, build their image, and increase sales. Over 7 years in digital marketing. Author of practical guides and articles on SMM, SEO, and PPC.