For WordPress- and Drupal-specific instructions, see “Moving WordPress website to HTTPS” and “Moving Drupal website to HTTPS”.
Technical:
- Buy and install an SSL certificate
- Backup database and files
- Try to change all absolute references to relative ones, or change every hard-coded “http://www.yoursite.com…” into “https://www.yoursite.com…”
(Tip: if you wish to keep both the “http” and “https” options but still use absolute links, drop the protocol and link with “//www.yoursite.com”. The browser will then use whichever protocol the page was loaded with.)
You need to do this for all your files: use an editor to search and replace across all of the site’s files.
You also need to do this inside your database for the content stored in it. There are several ways to do this. You can export the database to an “.sql” file, search and replace in it as in a regular text file, and then import the file back as a database. Another way, which I find very convenient, is to use phpMyAdmin. After selecting a database, use the “search” tab to search for “%http://www.yoursite.com%” / “%http://yoursite.com%” in the entire database. This will tell you in which tables the phrase was found. Click “browse” next to a table and take note of the field name where the phrase appears.
In the left column, select the tables that had results and open the “search” tab again; it will now also offer a “Find and replace” option. There is no need for “%” here, so simply use “http://www.yoursite.com” and “http://yoursite.com…”
* Take care not to replace just “http://” with “https://”, since this will affect your outgoing links as well
* If you’re migrating only part of your website, use the entire path in the replace string
- Browse your site and check for warnings about insecure content. Fix references accordingly. There are online tools (Missing Padlock, HTTPS Checker, Why No Padlock?) that crawl your site for such warnings.
- If needed, configure a server referrer policy.
- Consider declaring a Content Security Policy
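A scoped version of the search and replace described above, for an exported “.sql” file or site files. This is an added example, not code from the original page; the host names are the page's placeholders and the function names and sample text are assumptions made for the illustration.

```python
import re

# Assumption: the hosts being migrated, using the page's placeholder domain.
SITE_HOSTS = ("www.yoursite.com", "yoursite.com")

# The host must end right after the match: the next character has to be a path,
# query or fragment delimiter, a quote, a backslash (escaped quote in a dump),
# whitespace, or end of text. A "." or ":" there means a different host or an
# explicit port, and such URLs are left alone for manual review.
HOST_END = r"""(?=[/?#"'\s<>)\\]|$)"""
ANY_HTTP = re.compile(r"""http://[^\s"'<>\\)]+""")


def build_pattern(hosts):
    """Compile a pattern that matches http:// followed by exactly one of hosts."""
    names = "|".join(re.escape(h) for h in sorted(hosts, key=len, reverse=True))
    return re.compile(r"http://(" + names + r")" + HOST_END, re.IGNORECASE)


def rewrite_site_urls(text, hosts=SITE_HOSTS):
    """Return (new_text, replaced_count, remaining_http_urls)."""
    new_text, count = build_pattern(hosts).subn(
        lambda m: "https://" + m.group(1), text)
    # Whatever still starts with http:// is an outgoing link or needs review.
    return new_text, count, ANY_HTTP.findall(new_text)


# Constructed sample mixing own links, an outgoing link, a lookalike host,
# an escaped attribute from an SQL dump, and an explicit port.
SAMPLE = (
    '<a href="http://www.yoursite.com/about">About</a>\n'
    '<img src="http://yoursite.com/logo.png">\n'
    '<a href="http://partner.example.org/">Partner</a>\n'
    '<a href="http://yoursite.com.example.net/">Lookalike</a>\n'
    "INSERT INTO node VALUES (1,'<a href=\\\"http://WWW.yoursite.com\\\">home</a>');\n"
    '<a href="http://www.yoursite.com:8080/admin">Port</a>\n'
)

if __name__ == "__main__":
    updated, replaced, remaining = rewrite_site_urls(SAMPLE)
    print(updated)
    print("replaced:", replaced)
    for url in remaining:
        print("left as http:", url)
```

PHP-serialized values store each string's length (for example `s:23:"…";`), so a column holding serialized data needs a serialization-aware tool rather than a plain text replace, because the extra “s” changes the length.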
SEO:
- Set up a 301 permanent redirect to inform Google of the URL change by adding the code below at the top of Drupal’s .htaccess file:
```apache
# force https
RewriteEngine on
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule (.*) https://www.yoursite.com%{REQUEST_URI} [R=301,L]
```
* Change www.yoursite.com above to your Drupal URL.
- Change the view settings in Google Analytics from “http://” to “https://”.
- Add an annotation in Google Analytics indicating the move to “https”. This will help you to compare traffic before and after.
- Ensure your HTTPS site version is added in Google Search Console and Bing Webmaster Tools. In Google Search Console, add both the www and non-www versions. Set your preferred domain under the HTTPS versions.
- Ensure canonical tags point to the HTTPS URL.
- Ensure your XML Sitemap includes the HTTPS URL.
- The main external links to your site (from social networks etc.) should point to HTTPS.