HTTP to HTTPS migration in 2026: 15% of websites are still unsecured
The step-by-step guide to migrate without losing your SEO — SSL certificate, 301 redirects, mixed content and automatic verification with Orilyt.
- 15% of websites are still on HTTP in 2026 — mostly small businesses, legacy sites and neglected WordPress installations
- HTTPS is a confirmed Google ranking signal, and browsers now display a "Not Secure" warning on all HTTP pages
- Orilyt automatically detects SSL issues (test #10), missing HTTP→HTTPS redirects (test #11) and mixed content
The state of HTTPS in 2026: where are we?
85% of websites now use HTTPS. That's a major improvement from the 40% in 2016. But it also means 15% of sites — millions of pages — are still accessible over plain HTTP.
Who are these 15%? Mostly small businesses that never touched their hosting since the site was created, forgotten WordPress installations, showcase websites built 5 or 10 years ago by a provider who has since disappeared. And site owners who simply don't know it's a problem.
The cost of inaction has changed. In 2018, not having HTTPS was an inconvenience. In 2026, it's a measurable handicap: ranking loss, trust loss, and regulatory non-compliance.
Why HTTPS matters more than ever
Google confirmed that HTTPS is a ranking signal back in 2014. But in 2026, it's no longer a bonus — it's a baseline requirement. An HTTP site is penalized by default in search results.
Browsers have become more aggressive. Chrome, Firefox and Safari all display a prominent "Not Secure" warning in the address bar for any HTTP site. Visitors see the message before they even read your content.
On the regulatory side, GDPR and its international equivalents require encryption of data in transit. Any contact form, any cookie, any personal data transmitted over HTTP is a potential violation.
And beyond the technical: trust. A green padlock in the address bar has become a signal of professionalism. Its absence says "this site is not maintained."
What Orilyt detects
Orilyt runs two dedicated SSL/HTTPS security tests, plus a mixed content check:
- Test #10 — SSL Certificate: validates the certificate, expiration date, issuer (Let's Encrypt, DigiCert, etc.) and TLS protocol. An expired or missing certificate = score 0.
- Test #11 — HTTP→HTTPS Redirect: checks that all HTTP requests are redirected via 301 to HTTPS. No redirect = both versions coexist, creating duplicate content.
- Mixed content: detects images, scripts and stylesheets still loaded over HTTP on an HTTPS page. The browser blocks these resources or displays a warning.
Each detected issue generates an FIA recommendation (Fact, Impact, Action) directly usable in the client report.
9-step migration guide
Here's the complete process to migrate from HTTP to HTTPS without losing your rankings:
1. Get an SSL certificate — Let's Encrypt is free and accepted by all browsers. Most hosts offer one-click installation.
2. Install and activate the certificate — Log in to your hosting panel (cPanel, Plesk, N0C). Enable SSL for your domain. The process usually takes less than 5 minutes.
3. Update WordPress URLs — In Settings → General, change both the WordPress Address and Site Address from http:// to https://. This is the most important change.
4. Search-replace in the database — Use a tool like Better Search Replace to replace all occurrences of http://yoursite.com with https://yoursite.com in the database.
5. Set up 301 redirects — Add a rule in .htaccess to redirect all HTTP traffic to HTTPS. This is essential for SEO: Google transfers link equity through 301s.
6. Update .htaccess / server config — Make sure RewriteEngine is enabled and the redirect rule is first in the file. For Nginx, add a dedicated server block.
7. Fix mixed content — Inspect every page to find images, scripts and CSS still loaded over HTTP. Replace hardcoded URLs with protocol-relative (//) or HTTPS URLs.
8. Update Google Search Console and sitemaps — Add the HTTPS property in Search Console. Submit the new sitemap. Update canonical tags to point to HTTPS.
9. Test with Orilyt — Run a full audit to verify the certificate is valid, redirects work, and no mixed content remains.
Common migration pitfalls
Even with a guide, some mistakes keep coming back:
The redirect runs through a chain: http → http://www → https://www → https://. Each extra redirect slows loading and dilutes link equity. Best practice: a single 301 redirect, directly from HTTP to the canonical HTTPS version.
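One way to check the single-redirect rule yourself, as an added example that is not part of the original article or of Orilyt. The function and variable names are hypothetical, the hop table is constructed sample data, and treating 308 as acceptable alongside 301 is an assumption of this sketch.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Constructed sample: the four-step chain described above, keyed by requested URL.
CONSTRUCTED_CHAIN = {
    "http://example.com/": (301, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (301, "https://example.com/"),
    "https://example.com/": (200, None),
}

def fetch_hop(url):
    """Live fetcher: one HEAD request, redirects not followed. Returns (status, Location)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, canonical_url, fetch=fetch_hop, max_hops=10):
    """Walk the redirect chain hop by hop and list deviations from 'one 301 to canonical'."""
    hops, problems, url = [], [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break  # reached a non-redirect response: end of chain
        target = urljoin(url, location)  # Location may be relative
        hops.append((url, status, target))
        if status not in (301, 308):  # 308 is the other permanent redirect code
            problems.append(f"temporary redirect ({status}) at {url}")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            problems.append(f"downgrade from HTTPS to HTTP at {url}")
        url = target
    else:
        problems.append("redirect loop or chain longer than max_hops")
    if not hops:
        problems.append("no redirect: HTTP and HTTPS versions coexist")
    elif len(hops) > 1:
        problems.append(f"redirect chain of {len(hops)} hops, expected 1")
    if url.rstrip("/") != canonical_url.rstrip("/"):
        problems.append(f"final URL {url} is not the canonical {canonical_url}")
    return hops, problems

if __name__ == "__main__":
    print(audit_redirects("http://example.com/", "https://example.com/", fetch=CONSTRUCTED_CHAIN.get))
```

Drop the `fetch=` argument to run it against a live site; the offline table keeps the example runnable without network access.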
The site is on HTTPS, but a background image, a Google Maps script or an external font still loads over HTTP. The browser shows a warning or blocks the resource. Solution: inspect with DevTools (Console tab).
The <link rel="canonical"> tag still points to the HTTP version. Google indexes the wrong URL. Solution: check every page or use an SEO plugin that forces HTTPS in canonicals.
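The mixed content and canonical pitfalls above can both be caught by scanning the served HTML. This is an added example, not Orilyt's implementation or code from the original article. The class and function names are hypothetical, the sample page is constructed, and the split between blocked "active" and warned-about "passive" resources is a simplification of browser behaviour.

```python
from html.parser import HTMLParser

# Assumption of this sketch: scripts, iframes and stylesheets count as "active"
# (typically blocked); images and media count as "passive" (typically warned about).
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page served over HTTPS.
SAMPLE = """<html><head>
<link rel="canonical" href="http://example.com/contact">
<link rel="stylesheet" href="https://example.com/style.css">
<script src="http://maps.example.net/api.js"></script>
</head><body>
<img src="http://example.com/bg.jpg">
<img src="//cdn.example.net/logo.png">
<a href="http://partner.example.org/">Partner</a>
</body></html>"""

class HttpsPageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.active, self.passive, self.canonical = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = a.get("rel", "").lower().split()
            if "canonical" in rels:
                self.canonical = a.get("href", "").strip()
                return
            if "stylesheet" not in rels:
                return  # only stylesheets are treated as subresources here
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        url = a.get(attr, "").strip() if attr else ""
        # Plain <a href> links are navigation, not mixed content, so they are ignored.
        if url.lower().startswith("http://"):
            (self.active if tag in ACTIVE else self.passive).append(url)

def audit_html(html):
    """Return mixed-content URLs and the canonical link found in an HTTPS page's HTML."""
    p = HttpsPageAudit()
    p.feed(html)
    p.close()
    ok = p.canonical is not None and p.canonical.lower().startswith("https://")
    return {"active_mixed": p.active, "passive_mixed": p.passive,
            "canonical": p.canonical, "canonical_is_https": ok}

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

The scan covers tag attributes only; URLs inside CSS `url()` values or injected by JavaScript still need the DevTools Console check described above.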
Let's Encrypt issues certificates valid for 90 days. If automatic renewal fails silently, the site shows a security error overnight. Solution: regular monitoring with Orilyt (test #10 checks the expiration date).
The SEO impact of migration
A well-executed HTTPS migration has a measurable positive impact on rankings:
On the ranking side, Google treats 301 redirects from HTTP to HTTPS as a full transfer of link equity. There is no "migration tax." The HTTPS ranking signal is added immediately.
On the indexing side, Google re-crawls redirected URLs within days to weeks. Submit a new sitemap to speed up the process. Expect the index to switch over in 2 to 4 weeks for a medium-sized site.
In Orilyt, a successful migration translates to an immediate improvement in the security score (tests #10 and #11 turn green) and often a 5 to 15 point improvement in the overall SEO score.
Verify with Orilyt: before/after audit
The best way to validate an HTTPS migration is to compare a before and after audit:
- Run an Orilyt audit BEFORE migration to capture the baseline score and existing issues
- Perform the migration following the 9 steps above
- Run a second audit AFTER migration to confirm everything works
- Use Orilyt's comparison page to visualize improvements test by test
The before/after report is also a powerful sales tool. Show the client the concrete difference: the green padlock, tests turning green, the rising score. It's tangible proof of the value of your work.