How to Change WordPress from HTTP to HTTPS

An estimated 70% of all WordPress websites are now using HTTPS. And this number is growing every day. If your website URL doesn’t start with https:// then it’s time to seriously consider making the switch. This step-by-step guide will walk you through the exact process and help you finally move your WordPress site to HTTPS.

What is HTTPS?

First it may be helpful to understand HTTP or hyper text transfer protocol. This protocol is essentially the technology that is used to transfer data from a server to your web browser.

You will have seen this at the start of most old website URLs like http://www.yourwebsite.com. This URL tells your browser to access the website at www.yourwebsite.com using insecure HTTP technology.

HTTPS is simply a more secure version of HTTP – literally meaning hyper text transfer protocol secure. HTTPS uses an SSL certificate to encrypt the data before sending it from the server to the browser and vice versa.

When you access a URL like https://www.yourwebsite.com you know that all data is encrypted between you and the server. This means that if any hackers happen to gain access to the data, they will not be able to interpret it due to the encryption.

Check out these links if you’re interested in learning more about encryption or HTTPS.

Why use HTTPS?

Now you understand the technology it should be clear that a huge benefit of moving WordPress to HTTPS is for the added security. The purpose of your website is to serve your customers, and the best way to serve your customers is through a safe and secure website.

Of course there are many other benefits of using HTTPS. Google rewards secure websites with higher rankings, and HTTPS technology can even load your website faster than HTTP. If you’re not convinced you can read about all these benefits and more in our article about why you need an SSL certificate for WordPress.

How To Move To HTTPS

Before we move forward I want to explain the options. There is an easy way and an optimal way for moving to HTTPS.

If you’re not confident with coding then the easy way is going to be using a plugin. This will ensure the proper changes are made to the WordPress code without having to make any manual edits. There are several WordPress plugins for SSL and HTTPS. You can read our guide on all the best WordPress SSL plugins separately.

Unfortunately none of the plugins do everything perfectly. So if you’re willing to spend a little extra time to get things right then moving over to HTTPS manually is more optimal. The 8 step guide below will run you through the basic steps, although it may vary slightly depending on your web host.

I am sure you’re ready to get started but I just wanted to say I hope you find this guide helpful. If you have any questions please add them in the comments below and I will do my best to answer them. If it’s OK with you I’d also like to quickly share a third option when it comes to moving to HTTPS – our managed WordPress SSL service.

If you find the instructions in this guide too difficult or just too time consuming then please know we can help. We can do all this for you and more with our managed SSL service. We believe this is a great value service and will allow you to focus on the important aspects of your website and business while we handle the security.

To get started with our services we offer a simple free security review to see how we can help you. Just send us your web address using this form and one of our security team will get back to you.



    OK let’s go through the 8 steps to move your WordPress site from HTTP to HTTPS.

    1. Install Your SSL Certificate

    The first part of setting up HTTPS on WordPress is getting your SSL certificate sorted. You need to have chosen and installed an SSL certificate in order to use HTTPS.

    We have compared the best free SSL certificates for WordPress or if you’re looking for something more serious you can check out the best paid SSL certificates for WordPress. With paid certificates you can also choose to get Organisation Validation for additional trust or even Extended Validation to get a green browser bar.

    Once you have chosen your SSL certificate you need to install it on your server. Check out our step-by-step guide on how to install an SSL certificate on WordPress. Once you have installed your SSL certificate you can get started.

    2. Backup Your WordPress Website

    Before you do any work on your WordPress site you need to make sure you have backed it up. Your web host may have a recent backup but it’s best practice to do this yourself.

    If you’re not familiar with backing up your website then check out this guide. It’s something you should make a habit of for all major changes to your website.

    Please proceed with caution if you do not have a backup to work from. It’s not essential but it will make your life a lot easier if something goes wrong!

    3. Force HTTPS In Admin Area

    ­­The most obvious place to start with HTTPS is the WordPress admin. Passwords are one of the most important bits of data we want to protect.

    WordPress has an inbuilt feature to force users to use HTTPS in the dashboard. You can activate it by placing a line of code in the wp-config.php file of your WordPress installation.

    Simply add this snippet of code anywhere before the end of the document, where it says That’s all, stop editing!.

    define('FORCE_SSL_ADMIN', true);

    Anytime you try to login to WordPress it should now take you to the secure version of the URL like https://www.yoursite.com/wp-login.php

    4. Change Site Address To HTTPS

    To make your whole WordPress website use HTTPS you will need to update the site address and WordPress address.

    Navigate to Settings > General in the dashboard and then put https:// at the start of your addresses like so.

    Once you’ve updated the web address fields click Save Changes. You will be logged out of WordPress and redirected to the new secure login URL.

    5. Update References To Mixed Content

    Now you have HTTPS activated on your WordPress installation you need to update any references to unsecure content. If you have any images, files or scripts that are linked with HTTP in your website code, Google Chrome will show an error Your connection to this website is not fully secure and display in information icon in place of the padlock.

    This is what is known as a mixed content error; some of your content is secure but some is not secure. Depending on how complex your website is, you may not have any mixed content at all. The best WordPress plugins and themes will all use relative paths so as soon as you update your site address all your images and files will have the new secure file path.

    That said there is a good chance you will experience a mixed content error when you first activate HTTPS. If you are seeing any of the browser warnings above it may be due to mixed content on that web page.

    To quickly check if you have any mixed content that you need to fix, you can use a tool like the Jitbit SSL Check. This will search through your website and find pages with obvious mixed content errors. If you have a lot of pages on your website this is the best place to start.

    The more thorough option is to use the developer tools in your browser. You can use developer tools to check for mixed content issues in most browsers including Chrome, Firefox, Edge and Safari.

    Combining both of the tools above you can check for mixed content errors on every page of your website. If you have no mixed content then you can move on to the next step, but most likely you have identified a few issues to fix.

    Fixing mixed content is simple in theory. You need to find references to HTTP content and update the URL so it starts with HTTPS. Although it sounds simple this can be quite difficult in practice.

    For best results you should fix your mixed content issues manually. Check out our guide on manually fixing mixed content errors in WordPress. Doing it this way will be more permanent and will not slow down your website with additional plugins.

    That said if you just need a quick fix to get your HTTPS working, then the great thing with WordPress is that there is always a plugin to help. If you want an all in one solution check out our post on the best SSL plugins for WordPress.

    For automatically finding and cleaning simple mixed content errors in WordPress you can use a plugin called SSL Insecure Content Fixer. Once you install this plugin it will find and fix mixed content errors that come from within WordPress content. You may still need to make some manual fixes so refer to the guide above.

    Once your browser is reporting no more fixed content issues then you’re ready to take a few final steps.

    6. Redirect HTTP to HTTPS

    Visitors to your website may still try to access the HTTP (unsecure) version of a page. It’s important to redirect these users to the HTTPS version otherwise they are not getting the benefits provided by the SSL certificate.

    You can do this using 301 redirects in your .htaccess file. This will have the added benefit of notifying search engines like Google see you have moved your WordPress website to HTTPS permanently.

    To create the 301 redirects open the .htaccess file found in the root folder of your WordPress installation and add the following code snippet.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>

    For more guidance on how to update your WordPress .htaccess file you can check out this guide.

    7. Final Testing

    By now all pages of your website should have HTTPS activated and all visitors are being directed only to secure content. You can run a final check on your website using the Qualys SSL Labs tool. It will provide a score for how well your SSL certificate is running on your WordPress site.

    Depending on the price of your SSL you may see issues here that can’t be solved. Focus on the big issues and do the best you can.

    8. Update Your Web Address Externally

    Your website now has a completely new secure web address. The final step is to tell all third parties about the new address.

    This means using your webmaster tools accounts to alert Google and other search engines to your updated web address using https://.

    You may also need to think about connections to external software. Think about trackers like Google Analytics, and marketing automation software like Mailchimp.

    You might have some premium plugins or themes that need to be connected to your new URL to get automatic updates.

    Anywhere you have previously connected your unsecure http:// address may need to be updated to your new https:// address.

    What to do now?

    If you have had any challenges along the way feel free to add a comment below with your questions or issues. We do our best to answer all comments.

    Or if you just can’t get something sorted and need some assistance then maybe you might consider our more hands on service. Visit our contact page now and enter your website address and email and we will have a look at your website for free and make some recommendations for your specific needs. If that sounds like it might be helpful please contact us now.

    Leave a Comment

    Your email address will not be published. Required fields are marked *