Back in mid-2015, Google started giving a small rankings boost to sites that were encrypted with an SSL certificate. As of this writing, it’s commonly thought that the boost is fairly small, but since Google has committed themselves to higher security on the web, we expect that it will grow in the future. Besides, if you run an e-commerce site, you probably already have an SSL certificate to protect customer addresses and credit card details during checkout. So why not make your entire site SSL-enabled so you can take advantage of any rankings boost?
Almost every Miva Merchant site can run entirely over SSL. The only exceptions are if you integrate with a third party that does not support SSL, because when your main URL begins with https, then everything else you load on that page should also start with https in order to prevent mixed content warnings. We’ve converted a number of sites to full-SSL, and so far, the only third-party integration we’ve run into that can’t be supported is a third-party review platform called Reziew.
So without further ado, here are the steps you need to take to convert your Miva website to SSL.
1. Change Your Site Configuration Settings
Log into your Miva admin interface. Click the Menu button in the top right corner, and in the dropdown, click Domain Settings. Scroll down to the section with the heading Site Configuration. Change the values in all of the boxes that contain URLs, so that they start with “https:”. An example site’s settings are shown below:
2. Change Your Cookie Settings
Scroll further down the same page to the section with the heading Cookie Settings. There is an option labeled Non-secure Miva Merchant Cookie Output. Change this to the third option, Set only on HTTPS connections, with secure flag.
Click the Update button to apply the changes you made in steps 1 and 2.
3. Add a mod_rewrite Rule to your .htaccess File
Because there are likely to be links all over the web to your site that don’t start with https, and because people almost never type in https when going directly to your site, you need to force all non-secure URLs to be redirected to their SSL equivalent. You do this in the .htaccess file using mod_rewrite. Most hosts support mod_rewrite, including Miva. If you are hosted elsewhere you may need to check.
Usually you modify this file by opening and FTP program, enabling it to show (hidden) dot files, and then downloading the file called .htaccess. It should be in the home directory for your website. Open it in a text editor and add the following:
RewriteEngine On
# force https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Your .htaccess file probably already has the line RewriteEngine On, so don’t add it a second time if it’s already there.
After saving your file, upload it back to your server. (Always save a backup of the file before your changes in case you make a mistake, as an error can prevent your website from functioning.) This rule will redirect all pages on your site from http://whatever to https://whatever
4. Change all Links to Begin with “https://”
Next, you need to go through your Miva page templates, headers, footers, and product descriptions to change any hardcoded links that start with http:// to https://. The rewrite rule you set previously will allow the http versions to continue to work, but for SEO, performance, and consistency, you should change all of them as soon as you can. You can use a tool like Screaming Frog to spider your site and find all http links and the pages that refer to them.
You may also need to update URLs in your JavaScript files and CSS stylesheets. If any links to images or files still use http, it will cause a mixed content warning.
5. Update all Feeds and Inbound Links, Where Possible
Finally, make sure to check everything you use to feed your links to other systems. XML Sitemaps and product feeds are common locations that need to be changed. Also if you have the ability to contact other websites that link to you and ask that they change the link to https, it’s a good idea. The mod_rewrite rule will help, but changing it at the source is the best practice.