Properly Make my Entire Site HTTPS

By default, your store only goes into secure SSL/HTTPS mode when the shopper takes specific actions to complete an order. These are actions that would typically require security for PCI compliance (logging into their customer account, proceeding to checkout, entering billing/shipping information, etc.). However, it's entirely possible to configure your Shift4Shop site so that it uses HTTPS for the entire store (browsing products, reading blog articles, just viewing the home page, etc.).

If you would like to configure your Shift4Shop store so that it uses HTTPS/SSL for everything, you will need to do the following:

Step 1: Purchase and Install a custom SSL

The custom SSL certificate will allow you to use your main domain for HTTPS and completely move away from using the shared * or * URL for the store. Please click here for information on purchasing a custom SSL.

Step 2: Change your robots_ssl.txt file

Since the default action of the store is to only use HTTPS mode under certain conditions, it's not necessary to have those areas indexed by search engines. Therefore, the default robots_ssl.txt file is written to prevent indexing of any kind. In this case, however, you're looking to make your whole store use HTTPS, so you will need to edit the robots_ssl.txt file to allow indexing. Here's how:

  1. Log into your Shift4Shop Online Store Manager.

  2. Using the left navigation menu, go to Marketing > SEO Tools.

  3. Along the top of the page, you will see a series of tabs. Click on the Robots tab.

This page will have two distinct areas. Within the top half of the page, you will see the Robots.txt section containing your store's regular robots.txt file. It should look like this:

Sitemap: http://[store-url]/sitemap.xml

# Disallow all crawlers access to certain pages.
User-agent: *
Disallow: /checkout.asp
Disallow: /add_cart.asp
Disallow: /view_cart.asp
Disallow: /error.asp
Disallow: /shipquote.asp
Disallow: /rssfeed.asp
Disallow: /mobile/

Within the bottom half of the page, you will see the Shared SSL Robots.txt section containing your store's robots_ssl.txt file. It should look like this:

# Disallow all crawlers access to all pages. SSL
User-agent: *
Disallow: /

  4. Copy the content from the robots.txt section (top) and paste it into the robots_ssl.txt section (bottom).

  5. Change the Sitemap URL in the robots.txt file to reflect your new secure URL (i.e. change http:// to https://).

  6. Click Save at the top right to commit your changes.

This will allow search engines to index your site properly since it will all be HTTPS enabled.

Additional Information
The robots.txt file will still prevent indexing of certain pages like checkout.asp, add_cart.asp, view_cart.asp and others. This is because these are pages that require actions taken by real visitors (such as someone physically clicking the add to cart button on a specific product).

In other words, these are actions that cannot be performed by a bot and will result in an error if it was just randomly accessed during indexing. To prevent errors from being indexed, we disallow access to these specific pages.
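The check below is an added example, not part of the original article or of Shift4Shop's own tooling. It applies steps 4 and 5 to the default file and then audits the result with Python's standard robots parser. The host www.example.com stands in for the [store-url] placeholder, and /sample-product.html is a hypothetical storefront page.

```python
from urllib.robotparser import RobotFileParser

# Constructed inputs: the two default files shown above, with
# www.example.com standing in for the [store-url] placeholder.
ROBOTS_TXT = """\
Sitemap: http://www.example.com/sitemap.xml

# Disallow all crawlers access to certain pages.
User-agent: *
Disallow: /checkout.asp
Disallow: /add_cart.asp
Disallow: /view_cart.asp
Disallow: /error.asp
Disallow: /shipquote.asp
Disallow: /rssfeed.asp
Disallow: /mobile/
"""
DEFAULT_ROBOTS_SSL = "User-agent: *\nDisallow: /\n"

def build_robots_ssl(robots_txt):
    """Steps 4 and 5: copy robots.txt and point the Sitemap line at https://."""
    lines = []
    for line in robots_txt.splitlines():
        if line.lower().startswith("sitemap:"):
            line = line.replace("http://", "https://", 1)
        lines.append(line)
    return "\n".join(lines) + "\n"

def audit_robots_ssl(text, origin="https://www.example.com"):
    """Return a list of problems that would hurt indexing of the HTTPS site."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    problems = []
    for path in ("/", "/sample-product.html"):      # hypothetical storefront pages
        if not rp.can_fetch("*", origin + path):
            problems.append(f"storefront page blocked: {path}")
    for path in ("/checkout.asp", "/add_cart.asp", "/view_cart.asp"):
        if rp.can_fetch("*", origin + path):
            problems.append(f"action page crawlable: {path}")
    sitemaps = rp.site_maps() or []
    if not sitemaps or any(not s.startswith("https://") for s in sitemaps):
        problems.append("Sitemap missing or not https://")
    return problems
```

Run against the untouched default robots_ssl.txt, the audit reports every storefront page as blocked, which is what happens to an all-HTTPS store if this step is skipped.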

Step 3: Update your store URLs

Next, you will need to update the URLs that the store uses for both main and secure modes.

From your Shift4Shop Online Store Manager, once again use the left navigation menu and:

  1. Go to Settings > General > Store Settings.

  2. Under "Store Information," look for "Store URL" and "Secure URL."

  3. Put your domain name in both fields (be sure to use the proper https:// and www prefixes in both).

  4. Click Save at the top right to commit your changes.

Step 4: Review your site for unsecure elements

Lastly, you'll want to check your site for any elements that are hard-coded to a non-secure URL.

Normally, default Shift4Shop scripts and design elements are made using relative paths so that they work in both secure and non-secure modes. However, in some cases, you may have additional design work that you did on your own (or through a 3rd party), or perhaps 3rd party scripts, which contain references to non-secure URLs.

When a page containing non-secure elements is viewed in HTTPS/secure mode, the browser may sometimes generate a message stating that the page contains "Secure and non-secure items."

Therefore, you will want to review your site for any elements that could possibly be considered "non-secure" and generate this message. A good tool for checking your site's elements can be found at the "Why No Padlock" site.

Just enter your domain name into the whynopadlock site and it will review your site's various elements for any possible non-secure sections.
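For templates you can export and review locally, the scan below does the same kind of check offline. It is an added example, not part of the original article and not how the Why No Padlock site works internally; the sample markup, hosts and paths are constructed. It flags only resources the browser actually fetches over http://, so an ordinary `<a href>` link or a canonical tag is not reported.

```python
import re
from html.parser import HTMLParser

# Subresources fetched while rendering. <a href> is absent on purpose: a plain
# link is navigation and does not cause the mixed-content warning.
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("link", "href"): "active", ("img", "src"): "passive",
        ("video", "src"): "passive", ("audio", "src"): "passive"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []                       # (line, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            url = (value or "").strip()
            kind = KIND.get((tag, name))
            if tag == "link" and "stylesheet" not in rel:
                kind = None                      # canonical etc. are not fetched
            if kind and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    # CSS url(http://...) in <style> blocks and style="" attributes
    for m in CSS_URL.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        finder.findings.append((line, "css", m.group(1)))
    return sorted(finder.findings)

# Constructed sample template; hosts and paths are placeholders.
SAMPLE_PAGE = """\
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/widget.js"></script>
<style>.hero { background: url(http://www.example.com/img/hero.jpg); }</style>
<a href="http://www.example.com/blog">Blog</a>
<img src="http://www.example.com/img/logo.png">
<img src="/img/banner.jpg">
"""
```

Each finding is a (line, kind, url) tuple; "active" entries (scripts, frames, stylesheets) are the ones to fix first, either by switching to https:// or to a relative path.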

By following the above steps, your site will be displayed properly and completely in HTTPS mode only.

After you've completed these steps, it is recommended that you create a new property within Google Search Console and Bing Webmaster Tools for the HTTPS version of your site. This new property will replace the http one and will require you to verify the website and re-submit your sitemap as the https:// enabled one.