Arin Adamson
By Arin Adamson | Web Dev | November 26, 2014

Forcing Site-Wide SSL

SSL LockInstalling an SSL certificate for a website can be troublesome enough, but what if you want to force it site-wide? After you get through all of the verification processes, certificate signing requests, and web host support calls to install your SSL certificate, you may now be looking into establishing site-wide SSL. You may have thought the installation process pretty hard, but forcing an SSL site-wide can be an even more delicate process. Depending on the way your website is configured you could be looking at anywhere from 2 hours to 30 hours of work before your whole website is successfully secured.

Things you need to consider when forcing a site-wide SSL:

  • SEO – search engine optimization
  • Third party unsecured scripts
  • External unsecured scripts
  • Image src attributes
  • Website functionality

Search Engine Optimiztion

Recently, Google announced they would be giving boosts to SSL secured websites in the interest of a campaign to secure the internet. Naturally, every website will move to receive this ranking benefit for securing their website. However, you can potentially do more harm than good if the SSL is not implemented correctly.

Redirects and Canonicals

Many websites who have been focusing on SEO campaigns for the non-SSL version of their website will have 301 redirects and canonicals pointing towards the http:// version of their website. These must all be updated to https:// to prevent crawl errors and 302 redirects, which are considered to not be good SEO practice.

Internal Links

If you are using links in your website that use the absolute path ( and not the relative path (/example/), you may see some 302 redirects upon forcing the SSL site wide. 302 redirects have a negative impact on your SEO and you will want to make sure that all HTTP URLs are updated to HTTPS URLs.

Content management systems like WordPress, Magento, and Drupal automate the creation of some URLs in menus, scripts and content. Typically this is based off on website address settings for the website. This setting will need to be updated to use the HTTPS URL over the HTTP URL.

HTTP to HTTPS Redirects

Search engines have been crawling your website for months (or years) indexing its HTTP URLs. The HTTPS URLs have yet to be crawled by search engines and have a lower (or nonexistent) authority score, while your HTTP URLs have been racking up all the search engine authority points. Because you will now be forcing all traffic to go to the HTTPS version of your website, you want to make sure you retain the ranking authority you currently have from your HTTP URLs. A necessary redirect from all HTTP URLs to HTTPS URLs will preserve the ranking authority on your secured HTTPS URLs.

If you are already forcing your SSL site-wide with a redirect in the .htacces file, you probably already completed this step. If you didn’t, you need to make sure all of your non-secured HTTP URLs are redirected to the respective secured HTTP URLs.

External Unsecured Scripts & Image SRC Attributes

In Google Chrome’s address bar it will display a green lock icon when your website is completely secured, but a yellow triangle hovering over a gray lock when it is not. If you noticed the yellow triangle symbol on your website, it means that your website is not secured. This can have a few causes.

To find out what’s causing your website to be considered unsecured, simply right click anywhere on the web page, click inspect element, and in the top right of the panel that appeared, click the red circle with the x mark in the center (there may also be a yellow triangle with an exclamation point in the center). This will display errors registered for the web page. If you find an error stating that an asset was loaded over HTTP but should be registered over HTTPS, you will need to correct this in order for your website to be 100% secured.

Unsecured Scripts

Today, many websites are calling upon external scripts to run functions on their website. If your website is using one of these external scripts and it is using the HTTP protocol, the browser will show your visitors that your website is unsecured. All scripts need to use the HTTPS protocol to resolve this.

External Script URLs are an easy change if they reside on your domain. Simply change the script from http:// to https:// in the code and you are finished. In content management systems like WordPress, Magento and Drupal, you typically need to update the site address setting from the HTTP URL to the HTTPS URL to update auto-generated script paths.

Third party external scripts may not have the option to run over HTTPS, or may be inserting unsecured content into your website. Contact the third party and ask to receive a secured script. If they cannot supply you with a secured script, you will need to drop the script from your website in order for your website to be completely secured.

Image SRC Attributes

All images using the absolute path ( rather than the relative path (/images/image.jpg) will need to be changed to use the HTTPS. Images using an unsecured path will caused the site to be seen as unsecured by browsers and may even render as a 404 image. This may also be a good time to update all of those attributes to use the relative path instead of the absolute path. It will make life a lot easier for any URL changes in the future.

Any images that you are using from a third party website will also need to use an HTTPS URL. If you happen to have an image you are using from a third party website, but the HTTPS protocol is not available, simply download the image and upload it to your server. This way you can use the same image, but also reap the benefit of a secured website.

Website Functionality

Lastly, but definitely the most important of all, make sure your website works! The last thing you would want to do is cripple your website, so make sure you test every single function of your website before you call the project complete. Websites are fragile and a big change like updating your website’s URL can have major consequences. Any functionality of your website that uses the URL has the potential to break. However, when you complete this step and your website is completely secured, you can breathe a sigh of relief and reap the rewards of your website being fully secured.

background dots

Related Topics

Mastering Your GTM Pt 2: Techniques on How to Improve your GTM

by Ryan Rosati

In part 1 of this series, Master your GTM Pt 1: Auditing Your Google Tag Manager in 3 Steps, I showed you how…

Programmatic Advertising Unpacked: Why You Need it in Your Digital Strategy

by Nick Rennard

Marketers understand the importance of incorporating a digital strategy—leveraging various channels to achieve their performance marketing efforts—into their omnichannel marketing mix. Historically, advertisers…

Navigating Your GA Part 1:
3 Tips for Understanding Your Audience

by Rebecca Berin

So, you’ve spent all this time working on creating the perfect site in hopes it will resonate with your audience and ultimately convert…

In the time it takes to read this sentence, you could be on your way to a well-oiled demand generation machine. Ready for your blueprint?

yes, i want my Digital blueprint