How to Switch Your Website to HTTPS (SSL Guide)

Learn how to switch your website to HTTPS with a free SSL certificate — exact steps for WordPress, Wix, Squarespace, Webflow, Shopify and custom-hosted sites.

Nasir Uddin
Nasir UddinSEO & Growth Lead · ScoutRival
How to Switch Your Website to HTTPS (SSL Guide) — cover
On this page

If ScoutRival’s SEO Score flagged “Serve every page over HTTPS,” it means one or more of your pages still loads over the old, unencrypted http:// — which browsers flag as insecure and Google ranks below secure equivalents. It’s one of the most important technical fixes you can make, and on most platforms it takes 10–15 minutes with no coding. Here’s how to do it on every major platform.

What is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is the encrypted version of the protocol your browser uses to load web pages. When a site runs on HTTPS, the data travelling between your visitor’s browser and your server is scrambled so no one in between can read or tamper with it. It’s what puts the padlock icon in the browser’s address bar.

Here’s a simple analogy. Sending information over plain HTTP is like mailing a postcard — anyone who handles it along the way can read every word. HTTPS is like sealing that same message inside a locked envelope: only the sender and the intended recipient can open it. Passwords, contact-form entries and payment details all travel far more safely inside that envelope.

The lock is provided by an SSL/TLS certificate — a small digital credential installed on your web host that proves your site is who it says it is and switches the connection to encrypted mode. You’ll hear people say “SSL certificate” and “TLS certificate” interchangeably; TLS is simply the modern version of the older SSL technology. In one sentence: HTTPS is HTTP secured by an SSL/TLS certificate, giving every visitor an encrypted, trusted connection to your site.

Why it matters for your SEO

Switching to HTTPS is one of the few technical changes that pays off in both rankings and conversions:

  • It’s a confirmed ranking signal. Google has publicly used HTTPS as a lightweight ranking factor since 2014. All else being equal, the secure version of a page has the edge over an insecure one.
  • Browsers actively warn visitors away. Chrome, Safari, Firefox and Edge display a “Not secure” label — sometimes a full-page warning — on HTTP pages that collect any input. That warning tanks trust and sends people bouncing before they read a word.
  • Modern features require it. Many browser capabilities (and payment integrations) only work over HTTPS. Staying on HTTP quietly limits what your site can do.
  • AI and social previews trust secure URLs. Secure, canonical https:// links are what you want indexed, shared and cited.

ScoutRival’s SEO Score checks whether each page is served over HTTPS. If a page loads over http://, or mixes insecure resources into a secure page, the check fails as a high-severity technical issue — and the steps below clear it.

How to check if you have this problem

A quick 30-second check:

  1. Open your website in a browser and look at the address bar.
  2. Check the start of your URL and the padlock icon:
  • You see https:// and a closed padlock → your page is secure. Also try typing http://yoursite.com (with no s) and confirm it automatically redirects to the https:// version.
  • You see http://, a “Not secure” label, or a broken/open padlock → that’s the problem this guide fixes. An open or warning padlock on an otherwise-https page usually means “mixed content” (some images or scripts still load over HTTP).

To find mixed content specifically, open your browser’s developer tools (press F12), reload the page, and look in the Console tab for warnings about insecure resources. Running your ScoutRival SEO Score checks HTTPS across every page automatically, so you don’t have to test each one by hand.

How to fix it — step by step

Every fix has the same two goals: get a valid SSL certificate installed, then force every visitor onto the https:// version. Pick your platform.

WordPress

WordPress itself doesn’t issue certificates — your web host does — but almost every host now offers free SSL:

  1. Log in to your hosting control panel (cPanel, Plesk, or your host’s custom dashboard). Find the SSL/TLS or Security section and enable the free Let’s Encrypt certificate for your domain. Many hosts do this automatically; if not, it’s usually one click.
  2. Back in WordPress, go to Settings → General and change both the WordPress Address (URL) and Site Address (URL) from http:// to https://. Save (you may be logged out — log back in).
  3. Force the redirect so old HTTP links land on HTTPS. The easiest route is a free plugin like Really Simple SSL, which detects your certificate and sets up the HTTP→HTTPS redirect and fixes most mixed content automatically. Activate it and follow its one-click prompt.
  4. Update any hard-coded http:// links in your content and theme, and check that images and embeds load over HTTPS.

Wix

Wix includes SSL automatically on all sites — there’s usually nothing to buy or install:

  1. Go to your Wix dashboard → Settings → SEO / Domains.
  2. Confirm SSL is enabled (it’s on by default; look for an “SSL certificate” toggle and make sure it’s active).
  3. Wix serves your site over HTTPS and handles the redirect for you. If you connected a custom domain, allow a little time for the certificate to provision after connecting it.

Squarespace

Squarespace provides and manages SSL for every site at no extra cost:

  1. Go to Settings → Developer Tools → SSL (or Settings → Advanced → SSL in some versions).
  2. Set the security preference to Secure (Preferred) — this serves your site over HTTPS and redirects insecure requests.
  3. Save. Squarespace handles certificate renewal and the redirect automatically.

Webflow

Webflow includes free SSL hosting on published sites:

  1. Open Project Settings → Publishing (or Hosting in newer editors).
  2. Make sure SSL is enabled for your custom domain (toggle it on if it isn’t).
  3. Republish your site. Webflow provisions the certificate and serves everything over HTTPS, redirecting HTTP automatically.

Shopify

Every Shopify store gets a free SSL certificate automatically:

  1. Go to Settings → Domains.
  2. Check that SSL shows as active next to your domain. If you just added a custom domain, it can take up to 48 hours to provision — the status will update to “SSL certificate is available.”
  3. Shopify forces HTTPS across your storefront and checkout automatically; you don’t set up a redirect manually.

Any other website (custom or unlisted CMS)

If you manage your own hosting or use a builder not listed above:

  1. Install a certificate. Most hosts and platforms support free, auto-renewing certificates from Let’s Encrypt — enable it in your hosting or server settings. If you use a CDN like Cloudflare, you can enable SSL there.
  2. Redirect all HTTP to HTTPS. Add a permanent (301) redirect at the server or CDN level so every http:// request forwards to https://. On an Apache server this typically goes in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  1. Update internal links and canonical / Open Graph URLs to https://, and make sure images, fonts and scripts all load over HTTPS to avoid mixed-content warnings.

How to confirm it’s fixed

  1. Reload your homepage and confirm a closed padlock and an https:// address with no “Not secure” label.
  2. Type your http:// address by hand and confirm it automatically redirects to the https:// version — that proves the redirect is working, not just the certificate.
  3. Open a couple of interior pages and check for the padlock too; if one shows a warning, hunt down the mixed content flagged in the browser console.
  4. Re-run your ScoutRival SEO audit. The “Serve every page over HTTPS” item should now pass, and your Technical & Performance pillar score should rise.

Common mistakes to avoid

  • Installing the certificate but skipping the redirect. If both http:// and https:// versions load, search engines may see duplicate pages and visitors can still hit the insecure one. Always force the 301 redirect.
  • Leaving mixed content in place. One image or script loaded over http:// breaks the padlock on an otherwise-secure page. Update those URLs to https://.
  • Forgetting to update internal links and canonicals. Old http:// links create unnecessary redirect hops. Point them straight at the HTTPS version.
  • Not updating Google Search Console. After switching, add and verify the https:// version of your property (and submit your sitemap) so Google tracks the right one.
  • Panicking about a short dip. A brief traffic wobble during migration is normal; it recovers as Google re-crawls the secure URLs.

The bottom line

HTTPS is no longer optional — it’s the baseline for trust, a genuine ranking signal, and a requirement for a professional-looking site. Enable the free SSL certificate your host or platform offers, force every visitor onto the https:// version, tidy up your internal links, and you’ve cleared one of the most important technical items on your SEO checklist.

Want to know exactly which pages are still insecure and what else is holding your site back? Run a free SEO Score with ScoutRival for a prioritised, plain-English fix list across your whole site. Once you’re secure, a fast server is the next technical win — see our guide on how to reduce server response time.

Frequently asked questions

What does switching to HTTPS mean?
It means serving your website over an encrypted, secure connection (`https://`) instead of plain, insecure `http://`. You do it by installing an SSL/TLS certificate and redirecting all HTTP traffic to the HTTPS version of your pages.
Is an SSL certificate free?
Almost always, yes. Most modern hosts, website builders and CDNs include free, auto-renewing certificates (commonly from Let's Encrypt), so you rarely need to buy one for a standard site.
Does HTTPS help with SEO?
Yes. Google has confirmed HTTPS as a ranking signal since 2014, so the secure version of a page has an edge over an insecure one. Just as importantly, browsers label HTTP pages as "Not secure," which hurts trust and conversions.
What is the difference between HTTP and HTTPS?
HTTP sends data in plain text that anyone in between can read; HTTPS encrypts that data with an SSL/TLS certificate so it stays private and tamper-proof. HTTPS is what shows the padlock icon in the browser address bar.
What is mixed content and why does it break the padlock?
Mixed content is when a secure `https://` page still loads some resources (images, scripts, fonts) over insecure `http://`. Browsers treat the page as not fully secure and may show a warning, so update every resource to load over HTTPS.
Do I need to redirect HTTP to HTTPS?
Yes. Installing a certificate isn't enough on its own — you should add a permanent 301 redirect so every `http://` request forwards to `https://`. This gives search engines one secure version to index and stops visitors landing on the insecure page.
Will switching to HTTPS hurt my rankings?
There may be a brief dip while Google re-crawls the secure URLs, but it recovers and usually improves. To smooth the move, update internal links and canonicals to `https://` and add the HTTPS property in Google Search Console.
Nasir Uddin
Nasir Uddin SEO & Growth Lead · ScoutRival

Nasir Uddin is an SEO consultant and ScoutRival's SEO & Growth Lead. He's spent years helping small businesses climb the search results — and now the AI answers too — and writes about SEO, AI-search visibility, and turning organic traffic into real growth.

Your unfair advantage

Stop reading about it. Ship it this week.

ScoutRival turns competitor intel into ready-to-post content and graphics — for a fraction of an agency.