Changing a website over to secure SSL (https)

This article was written as a resource for the Xara community but equally applies to many websites/hosting in general. Of course if you have software installed such as blogs or e-commerce, they require additional configuration.


I’ve seen a few threads asking about SSL certificates and sitemaps etc. so I thought I would compile an explanation of the best way to go through the process. Note: this advice relates to cpanel/Linux hosting which is by far the most popular hosting type available. Detail for other hosting types such as windows is not covered here.

First off, I am not recommending an SSL certificate is necessary for every site, but as the process is often free, you may wish to consider it for the re-assurance of your site visitors, particularly if you have a contact form or anywhere else a visitor can enter data. Google is very pro SSL, see the following article for more details about that;…-secure-291623

1. Getting an SSL certificate
So first off, you’ll need an SSL certificate. Luckily, many good hosting companies are now offering free LetsEncrypt SSL certificates. If you have hosting with cpanel access, you may find a LetsEncrypt SSL certificate option under Security section, some hosts even automatically create one for you when you setup your domain with them. If your host does not offer this, consider moving! else you may be able to purchase one but don’t pay more than $10 for what you should get for free.

Once you have your SSL installed, you should be able to access your site using – great but there is a bit more to do yet.

2. Update the sitemap
Luckily, Xara does not hard-code your website address in the HTML code it generates, so there is no need to republish your site for that purpose, but in the publish settings, it does have a field where you can enter the address of your website so that it can generate a sitemap file for you. So you will want to put the secure address in this field e.g. ( so that it can generate the sitemap with the https. The default sitemap file is sitemap.xml, you can check in a browser that this has been updated e.g.

So that should now get search engines to start to index the https version of your site, but it may take months for this to stop having traffic come to your http site address and other incoming links are unlikely to automatically update themselves to the https address.

3. Redirect non-SSL traffic
So we now need to get anyone still visiting the http site to be automatically be redirected to the https address.

If you are lucky, there may be an option in cpanel or your hosting account to have it automatically redirect your site to the https version, but for most of us, we need to add a bit of code to a special system file. Because this is a system file, you need to be careful with this as it could (temporarily) stop your whole site working if not done carefully. Seek help from someone confident in such matters if necessary.

The file is named .htaccess and may already exist in your system. If so, back it up before you start.

We need to add a few lines near the top of this file. If there is already a line stating

RewriteEngine On

then don’t duplicate that line, just add the other 2 lines immediately after it

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Check the site straight away to make sure it works properly. If there are any problems, restore the .htaccess file backup or delete it if you created it.

4. Other considerations
* If you use log analysis software in cpanel such as Awstats, the traffic will start to appear in the SSL version of the site stats instead of the normal version.
* If you link to any content that is on non-ssl sites, you will get a browser warning. This could just be including a single image from a non-SSL site. Of course, by default any images in Xara will be just in a subfolder so they will be fine, but if you have done any custom code that references external scripts or images, they could be a problem.
* Another thing you might want to consider while redirecting the non-SSL to SSL is to also force a www. in the url aswell. Because, by default most hosting allows or just, you might want to be consistent and remove the ‘duplication’ by also enforcing the www.
This may be able to be done via cpanel, but the usual method for this is to add a few more lines to the .htaccess file after the code we added above, again backup first!

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]