This post was originally written for and published on Digital Interaction.


Ever since Google announced that they would be updating Chrome to show warning messages in users’ browsers for insecure content, website and Magento store owners have been scrambling for a solution to ensure that their stores will not be affected by the change.

The warning was initially set out for pages that contained forms with password and credit card fields. Google has since announced on their Chromium blog that it is being expanded to input fields used on any page served over HTTP.

If you’re working with Magento then there are likely to be elements of your site that require this type of input, including newsletter sign ups, search areas or even simple contact forms.

An example of a not secure message in Google Chrome

Unfortunately, many hold the perception that migrating a site to ensure it is compliant with HTTPS is simple. However, if you are a store owner that relies on a significant amount of organic search traffic and a consistent user experience for your website then you need to be very careful about how you manage the process.

This guide has been put together to highlight the key components required when it comes to the migration of your Magento website from HTTP to HTTPS and areas to consider during that process. For the most part, due to its usage rate I will use Magento 1.x as a reference point, but all of these elements can be transferred across to Magento 2.x.

Before you start running through this process it is recommended you enlist help from your development and marketing agencies and test all changes on a staging environment first. This will help identify potential issues and constraints before rolling it out to a live site.


Managing New and Existing Redirects

Depending on the type of server that you host your Magento store(s) on, or the configuration you have set up, the process of updating your existing redirects may differ. However, the principle is pretty much the same.

Updating existing redirects

When it comes to migrating your site from HTTP to HTTPS a key element is to modify your existing redirects to point to the new HTTPS URLs. Whether you manage this directly through your server or through an extension this should ideally be tested on a staging site first.

Add HTTP to HTTPS Catch All Rule

The next step is to add a rule to your server that redirects all HTTP URL requests to their HTTPS equivalent.

Note – Changing the secure URL defined in System Configuration will also redirect all Magento URLs.

This is not an absolutely necessary step if you have only a Magento store hosted on your server. These server rules will implement HTTPS redirects for any other platforms or files that you have on your server outside of Magento.

Examples of this are a WordPress installation, PDF files that sit outside of Magento or any bespoke folders or files that are accessible to users that do not form part of your main store.

Note – Whilst this guide is only for Magento, anything on the same server should also be tested for a full HTTPS migration.
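Once the existing redirects and the catch-all rule are both in place on staging, it is worth checking that old URLs reach HTTPS in a single hop rather than passing through another HTTP URL first. The following is an added example, not part of the original post: the host `example.com` and the response table are constructed, and on a real staging site the table lookup would be replaced by HEAD requests.

```python
from urllib.parse import urljoin, urlsplit

# Constructed responses (status, Location header) standing in for HEAD
# requests against a staging server; example.com is a placeholder host.
SAMPLE_RESPONSES = {
    "http://example.com/old-sale": (301, "http://example.com/sale"),
    "http://example.com/sale": (301, "https://example.com/sale"),
    "https://example.com/sale": (200, None),
    "http://example.com/old-brand": (301, "https://example.com/brand"),
    "https://example.com/brand": (200, None),
    "http://example.com/blog/": (200, None),  # e.g. WordPress outside Magento
}

def follow(url, responses, max_hops=10):
    """Return every URL visited from `url` until a non-redirect response."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = responses.get(chain[-1], (404, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(chain[-1], location)  # Location may be relative
        if target in chain:  # redirect loop, stop following
            break
        chain.append(target)
    return chain

def classify(url, responses):
    """'ok' = reaches HTTPS with no further HTTP hop, 'chained' = passes
    through another HTTP URL first, 'insecure' = never reaches HTTPS."""
    chain = follow(url, responses)
    if urlsplit(chain[-1]).scheme != "https":
        return "insecure"
    if any(urlsplit(hop).scheme == "http" for hop in chain[1:]):
        return "chained"
    return "ok"

def audit(urls, responses=SAMPLE_RESPONSES):
    return {url: classify(url, responses) for url in urls}
```

A "chained" result points at an existing redirect whose target still needs updating to HTTPS; an "insecure" result points at content the catch-all rule does not yet cover.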

Updating Internal Links

To reduce the number of internal redirects on the site, a common cause of crawl waste and additional load time, any pages that contain internal links should be updated to use HTTPS rather than HTTP. Thankfully, this can be quite an easy change if your site uses relative URLs that follow the configuration of your Magento store.

To update all your internal links log into your Magento Store Admin and go to the following location:

System -> Configuration -> General -> Web

Once here, ensure that the following changes have been made:

Magento Web Base URL Settings

Unsecure -> Base URL contains “HTTPS”
Secure -> Base URL contains “HTTPS”
Secure -> Use Secure URLs in Frontend “Yes”
Secure -> Use Secure URLs in Admin “Yes”

Once you have made these changes you should hopefully have a store where all or at least the majority of your internal links have been updated.

Testing for remaining HTTP Internal Links

Filter protocol in screaming frog

To quickly check that all your URLs have been updated to HTTPS it is recommended that you run a web crawler to test for any URLs that are still requested over HTTP.

If you are using Screaming Frog you can check for this by looking at the ‘Protocol’ tab. On this tab you will be able to filter for all URLs that are using the HTTP protocol.

If you do find instances where you have pages being linked to with the HTTP protocol, your next step is to identify where these links are coming from so that you know where to find them in Magento so you can update them.

You can do this by following the below process in the Screaming Frog tool:

  1. When on the Protocol tab, use the filter to narrow the list down to HTTP URLs only, then click the HTTP URL that you would like to investigate in the address column
  2. In the footer of Screaming Frog click the ‘InLinks’ section tab
  3. Once you have done this you will be shown a list of URLs that link to the URL in question
  4. Navigate to those URLs to understand which elements of your store still link to the HTTP version of the URL

Common causes of URLs not updating when changing the secure URL are the following:

  • Hardcoded templates that will require changes in the code
  • Static Blocks that do not use relative URLs
  • CMS Pages that do not use relative URLs
  • Configuration of extensions that are used to manage navigation elements or other widgets on the site
  • Internal links that are added through the management of category and product content

Reviewing on-page resources

When you perform the check for any remaining HTTP URLs, you may find that these come from resource files such as images, videos, JavaScript (JS) or CSS.

As these elements are used and downloaded on your page it is essential that they are updated as they can trigger the warning message in users’ browsers. Like any internal links, the way these are implemented can vary and each element will need to be tested.

If you are using any off-page resources, such as 3rd party scripts like Google Analytics and ad management pixels, you will also need to ensure that these scripts are updated to load over HTTPS. If you don’t, you may find they stop working entirely.

Additionally if you are using any content delivery networks (CDNs) for your media – loading imagery or video, for example – you will also need to ensure that these are configured so that the resources are available over HTTPS. If you are using something like Cloudflare or Amazon Web Services, this should not be too difficult to update.

Updating META, Link and Canonical Tags

Another item that you may notice within your site is that your META tags have not been updated to include the new HTTPS domain. As with the other elements mentioned previously, these can have their own issues depending on the implementation method.

If you notice that any of these elements are not updated correctly then it’s worth reviewing the extensions used that could be influencing this or reviewing how these have been implemented into the templates that form the framework of your Magento site.

Common causes of incorrect META and link tags are the following:

  • Link rel alternate
  • Link rel stylesheet
  • Link rel canonical
  • Link rel icon/shortcut icon
  • Link rel prev/next
  • Meta property og:url
  • Meta property og:image
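The checks described in the last three sections (internal links, on-page resources, and META and link tags) can also be run directly against a page's HTML. The following is an added example, not part of the original post: the hosts `store.example`, `cdn.example` and `partner.example` and the sample page are constructed, and schema markup is not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that holds a URL (internal links and on-page resources).
URL_ATTRS = {"a": "href", "img": "src", "script": "src",
             "source": "src", "iframe": "src", "form": "action"}
OG_PROPERTIES = ("og:url", "og:image")

class InsecureRefFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (kind, url) pairs still using http://

    def _check(self, kind, url, own_host_only=False):
        parts = urlsplit(url if isinstance(url, str) else "")
        own = parts.hostname == self.site_host
        if parts.scheme == "http" and (own or not own_host_only):
            self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("property") in OG_PROPERTIES:
            self._check("meta " + a["property"], a.get("content"))
        elif tag == "link":
            self._check("link rel=" + str(a.get("rel")), a.get("href"))
        elif tag in URL_ATTRS:
            # Plain anchors to other sites are not ours to fix; resources
            # (img, script, ...) are flagged whatever host serves them.
            self._check(tag, a.get(URL_ATTRS[tag]), own_host_only=(tag == "a"))

def find_insecure_refs(html, site_host):
    finder = InsecureRefFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = """
<link rel="canonical" href="http://store.example/shoes">
<link rel="stylesheet" href="https://store.example/skin/styles.css">
<meta property="og:image" content="http://store.example/media/shoe.jpg">
<a href="http://store.example/contact">Contact</a>
<a href="/sale">Sale</a>
<a href="http://partner.example/">Partner</a>
<img src="http://cdn.example/banner.png">
<script src="//cdn.example/app.js"></script>
"""
```

Calling `find_insecure_refs(SAMPLE_PAGE, "store.example")` reports the canonical tag, the og:image tag, the hardcoded contact link and the CDN image, and skips the relative link, the protocol-relative script and the link to the partner site.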

Updating Schema and Structured data Tags

Schema tags are an important element of any Magento ecommerce store. Search engines use them to identify what certain elements of a page are. They are also used to provide you with different search engine result page (SERP) features in organic search, and can help trigger star ratings and an improved CTR if implemented correctly.

Schema being used to trigger featured snippets

When it comes to updating your website schema you will need to ensure that any changes to elements that use HTTP URLs are also updated.

Common elements of schema that will require updating for an HTTPS migration are the following:

  • URL
  • Logo

Update Google Shopping, Affiliate and additional Feed URLS

Whilst this guide touches on many of the aspects that will impact organic search there are other areas to consider depending on how you drive traffic to your site.

For example, if your business uses Google Shopping then you do not want to risk having the performance of your campaigns drop because you are submitting URLs that go through redirects. The same applies to any affiliate feeds you are running.

Lastly, you will want to make this change to ensure any analytics attribution for these campaigns is not being lost because the URLs are going through redirects.

Update XML Sitemaps

I’d also class your XML sitemaps as a feed element.

When it comes to updating your sitemaps, these should automatically add the HTTPS protocol when you change your Base URL to HTTPS (as mentioned in an earlier part of this post).

You will just need to ensure that you regenerate this file and update any references to the sitemap including Google Search Console and your Robots.txt file.

To regenerate the XML sitemap, visit the following location within the Magento admin panel:

Catalog -> Google Sitemap

Generate an updated sitemap in Magento 1.x

Updating Paid Search & Display Campaigns

Along with any feed related advertising it is also recommended that you update any paid search campaigns that you have pointing to your site.

This will include any advertising that you are doing through search platforms like Google and Bing, but also display and paid social networks such as Facebook, Twitter and YouTube.

Site Speed

I read many articles online regarding site speed and how it affects performance on organic search. It’s pretty much agreed that if you have a slow website then you may see performance drop as users bounce back to the search results because of poor load times.

When it comes to HTTPS, there are also considerations to be made about how this can impact your overall load time and user experience. Whilst I could go into a lot more detail on this, the blog by Billy Hoffman in 2014 for MOZ is still relevant today – Enabling HTTPS Without Sacrificing Your Web Performance.

One way you can measure this is by doing before and after tests using various tools, including Google PageSpeed Insights, GTMetrix.com and Webpagetest.org.

Update External Backlinks

Whilst not absolutely imperative, it is also worth checking your external backlinks to see if there are any URLs that you can get updated to your new HTTPS domain.

It is recommended that you take a look at the links that are pointing into your site and reach out to those site owners who will be able to update the link to the new protocol for you easily.

This will just ensure that the new HTTPS domain will have some authority being passed straight into the site, rather than relying on the authority to be passed through redirects. This may also help with the rate at which your new HTTPS domain gets indexed, reducing the risk of any fluctuation in rankings.

Social Media Profiles

When it comes to updating references to your domain, one of the easiest places to start is your social media profiles. This will ensure that anyone that is visiting your site from your Twitter, LinkedIn, Facebook profiles etc. will be sent straight to the correct protocol.

Directory Listings and Business Profiles

Another easy place for you to update your links is any business directories and listings, such as Google My Business, that you may have referencing your domain. These directory listings can help with building relevance to your domain and, if you also rely on local search, should be as accurate and consistent as possible across any referring sites.


Migrating your HTTP site to HTTPS can be a daunting task, and should not be something that is done without consideration to the consequences.

If you are planning on making your site fully HTTPS compliant then set yourself up with a checklist and test everything before going through the full process. At We Influence we use internal HTTPS audits that allow us to check each element carefully before we progress to working on the live site.

It’s unknown how much this will affect conversions and user behaviour on your site, however it’s an obvious step to make if you haven’t done so already. If you need any assistance or advice on the best process to migrate your Magento site from HTTP to HTTPS then get in touch. Good luck on your site migration.
