Did you check your redirects to make sure they are correctly functioning? Most people switching to https have no traffic problems.
The people that do have traffic problems with https migration often find a problem in the redirects.

Did you lose the traffic before Aug 1st? Many people lost a big chunk of Google search traffic when the new algorithm was released on Aug 1st.

Switching back to HTTP isn't horrible today but probably not the best option. Google keeps increasing the downside to being HTTP every few months. I wouldn't be surprised if HTTP sites are eventually given bright red warnings or penalized in serps. It is probably smarter to figure out what is going wrong and fix it so you can be HTTPS instead of migrating back to HTTP.

Hi, goodroi

I masked the name with example. Any access to example.com will be redirected to https://example.com/blog/ because /blog/ is actually the content directory. Before the switch, I don't have line 1,2,3 (there is no line number in .htaccess. I added it here for easy understanding). And before the switch, line 8 should be RewriteRule ^/?$ "http\:\/\/example\.com\/blog\/" [R=301,L]
Yes, I switched my site to HTTPS about two weeks before Aug 1st, 2018.


Here are the redirects in /public_html/.htaccess.
---------------------------------------------------
1 RewriteEngine On
2 RewriteCond %{HTTPS} off
3 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

4 <IfModule mod_expires.c>
5 RewriteEngine on
6 RewriteCond %{HTTP_HOST} ^example\.com$ [OR]
7 RewriteCond %{HTTP_HOST} ^www\.example\.com$
8 RewriteRule ^/?$ "https\:\/\/example\.com\/blog\/" [R=301,L]
---------------------------------------------------

Here are the redirects in /public_html/blog/.htaccess
---------------------------------------------------
1 RewriteEngine On
2 RewriteCond %{HTTPS} off
3 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
---------------------------------------------------

[edited by: not2easy at 5:33 am (utc) on Aug 30, 2018]
[edit reason] example.com for readability [/edit]

In /public_html/blog/.htaccess, should I use

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

instead of

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I think they are no difference, but I am not sure.

[edited by: Robert_Charlton at 5:32 am (utc) on Aug 30, 2018]
[edit reason] Delinked urls [/edit]

should I use

You should use [ code ] markup, as this prevents auto-linking in the rare case where it isn't possible to say "example.com".

R by itself is the default 302, temporary redirect
99 times out of 100, you want R=301, permanent redirect.

Unless you've got a vast number of domains or subdomains sharing the same htaccess, avoid the HTTP_HOST construction and give the actual name.

There's no point in capturing (.*) if you're just going to say REQUEST_URI in the target anyway.

For a linkout from an https site to an http site: Some browsers won't show the referer information to the receiving site's server

@lucy24

I just simplified redirects in /public_html/.htaccess.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mysite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mysite\.com$
RewriteRule ^/?$ "https\:\/\/mysite\.com\/blog\/" [R=301,L]

And I removed local redirect rules in /public_html/blog/.htaccess because it's already been covered by root rules. Hope it will work. Thx.


@aristotle
Yes, I tested with Chrome that is the one most people use. It did not carry over referrer to the server side (NATS).

In the last line, the target (or destination) does not need to be escaped. It can be:

RewriteRule (.*) https://example.com/$1 [R=301,L]

If you have any .htaccess file in the /blog/ directory, the rules do not inherit.

If it happens to be a WP blog, the place to change it is in the Settings rather than a rewrite rule.

@not2easy

Yes, my site is running on a worldpress blog. I use to set up redirects under Cpanel, the rules will be automatically written into .htaccess. But this function was gone after Cpanel upgrades. I can not find it anymore in Cpanel, so I have to edit .htaccess myself.

You are right. I find the redirect rules in /public_html/blog/.htaccess is also needed. Otherwise all direct HTTP access to a page or post still shows "Not Secure". I just tested. e.g,

http://mysite.com/blog/2018/08/abc/

The only thing I hate is I should not use a /blog/ sub directory when I built up my site. It's a pain in the ass to figure out how the .htaccess rules work in root directory /public_html/ and local directory /public_html/blog/. Some rules you have to put under root, while some rules you have to put under local directory to make them work.

Now my redirect rules in /public_html/.htaccess

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mysite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mysite\.com$
RewriteRule ^/?$ "https\:\/\/mysite\.com\/blog\/" [R=301,L]

My redirect rules in /public_html/blog/.htaccess

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

I also tried the one you said:

RewriteRule (.*) https://example.com/$1 [R=301,L] 

Then any access to my page/post becomes very slow. I don't know why. Please let me know if there is anything wrong. Thx

That ruleset you have listed as being

Now my redirect rules in /public_html/.htaccess

still shows the escaped target:

"https\:\/\/mysite\.com\/blog\/"

take those backslash escapes out of the target.

Important - if you are redirecting all traffic to your site to the /blog/ directory using a rule, you are doing it wrong. You can have your wordpress in the /blog/ directory and seen as being in the root. That requires that you change the WP Settings file because WP will always be seen where the Settings directions say it is and badly affected by rewrite rules. There is a recent discussion here: [webmasterworld.com...]

The step by step configurations - the "How To" are at the WP site: [codex.wordpress.org...]

I also tried the one you said:

RewriteRule (.*) https://example.com/$1 [R=301,L]

Then any access to my page/post becomes very slow. I don't know why. Please let me know if there is anything wrong.

I hope you did not paste in example.com. That is the domain name that is used for posting example code. You are supposed to replace that when you use it. there is a chance that these rules are not in the best location to do their job. If you have (or had) the standard wordpress snippet of code:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

in your htaccess file, it needs to be the last ruleset, after the domain rules. The domain rules should be just before that WP snippet.

The location setting for your WP installation is in the WP Admin > Settings file, that is where you change to https: for WordPress. WordPress doesn't usually need to have a separate htaccess rule for a change to https because the location is in the Settings. Using CPanel for rules is a bad practice because they default to 302 (Temporary) rewrites - and they can overwrite your other settings in htaccess. I am happy to learn that CPanel no longer does rules.

@not2easy

My site has been running over 8 years. I have over 100,000 file nodes under

https://example.com/blog/

I don't think it's a good idea to change all permanent links to

https://example.com/

So I have a rewrite rule in /public_html/blog/.htaccess to redirect the traffic to /blog/ directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>
# END WordPress

I tried the one you said:

RewriteRule (.*) https://example.com/$1 [R=301,L] 

It does not work. Of course I replaced the example with my real domain name.
Firstly, all access to

http://example.com/blog/

becomes very slow.

Secondly, the direct access to

http://example.com/

is not working.

That's why I still use

RewriteRule ^/?$ "https\:\/\/example\.com\/blog\/" [R=301,L]

I guess the reasons for the loss of my traffic could be but not limited to:
1) The surfer who still use old web browsers can not access HTTPS site
2) HTTPS automatically blocked some bots?
3) new google algorithm update on Aug 1st, 2018.
4) old backlinks that use

http://example.com/blog

did not pass the link weight to my HTTPS site, which affects my new SERP rankings. I saw some of my old http pages that rank in page 1 or 2 now move back to page 4 or 5.

Secondly, the direct access to http://example.com/ is not working.

After you move to HTTPS, you should *not* leave access to HTTP page. A properly working redirect will point all requests for HTTP to HTTPS.

http://example.com/blog
did not pass the link weight to my HTTPS site

If your redirect is working properly, the "link weight" will continue to your new HTTPS pages. It may take a few weeks.

@keyplyr

I already redirected the HTTP access to HTTPS. I just test the case that if the surfer still type

http://example.com

in his browser. Then he's supposed to be redirected to

https://example.com/blog/

. But the rule that not2easy said is not working for me. I have tested it a few times.

not2easy has a lot of experience with WP and HTTPS. She'll be back to help :)

I also have addon domains. But as they did not use sub directory /blog/, everything is pretty straightforward. I only need one simple rule for them:

RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

Then it works like a charm.

Only my main site that uses /blog/ as content directory gives me a headache. I need two HTTPS redirect rules under both root and sub directory. It won't be working if any one of two is missing. I have tested alot. :(

You are correct, I thought that you had two sets of conditions rather than rewriting twice. The escapes are because it is an additional step. If no content is in the root directory and all traffic is being rewritten to the /blog/ directory, it can and should be done in a single rule. You are rewriting the domain's root to the /blog/ directory and then rewriting the resulting request.

I have WP installs in directories other than root and they show at the root which is what I thought you were trying to do. If you just want to show all the domain's content from example.com/blog/ that's probably why it would need two rewrites.

If this:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mysite\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mysite\.com$
RewriteRule ^/?$ "https\:\/\/mysite\.com\/blog\/" [R=301,L]

is giving you that result, my only concern then would be the headers that the server responds with at each step. Have you viewed the access logs to see the responses?

I was just checking some old links and discovered that a very very large well-known site apparently messed up somehow. The old http link still works, and didn't re-direct to https as I expected. So as a test I changed the URL from http to https, and Firefox showed the following message:

Your connection is not secure

The owner of www.example.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

So the message apparently says that the https connection isn't secure. It looks like they tried to switch to https, but got something wrong.

What you're quoting is the standard FF error message that displays whenever you request an HTTP site using HTTPS. (Or presumably also HTTPS sites that really have something wrong with their certificate.) On smaller sites, it's most likely to crop up when some sites on the server are HTTPS--and therefore the server has to listen on port no. whatever-it-is (443?)--but the requested site isn't.

Personally I find the “configured incorrectly” very annoying because, well, it's a barefaced lie. There's nothing “incorrect” about listening on port 443. The only time you'll get the error message is if someone else erroneously gave a link as https instead of http--or if, as you did, you knowingly and deliberately typed in https.

It looks like they tried to switch to https

Do you have evidence that the site in question thinks it's HTTPS? Is it a big enough site that it lives on its own server, so there would be no reason to listen on 443 unless it really is secure? Or is it one of those ecommerce situations where only the sensitive parts have gone HTTPS,* but they all live on the same server?


* At this point, selective-https is just silly. Go secure everywhere if you're going to do it at all. Unlike the http-to-https redirect, unwanted https requests can't simply be redirected to http, because the certificate is checked before the request gets that far.

Do you have evidence that the site in question thinks it's HTTPS? Is it a big enough site that it lives on its own server

It's a very very very big site, so it surely must have its own servers. My theory is that they tried to switch to https, but saw that something was wrong, so they removed the re-directs and went back to http while they work on the problems with https.

I have seen some sites stumble when they switch from http to https when they didn't first have canonicals in place long before the switch. After they switch it's not http to https they did, it's http to https + non-www to www to https + non-www to www + remove index.php to https etc. Sometimes it's 3-4 redirects before landing on https proper.

If you don't have canonical guidance already in place, or a proper htaccess redirect if you go that route, it seems more things can go wrong. I'd recommend making sure your redirects and canonicals are solid and have propagated before moving from http to https, not after.

Sometimes it's 3-4 redirects before landing on https proper.

If such a basic thing as domain-name-canonicalization or index redirect (when correctly done, it's two rules, but only one redirect) was ineptly coded, there's not a whole lot the rest of us can do to help ... except to hope the affected sites wise up and hire a marginally more competent administrator before browser error messages scare away all their business.