Editor in Chief

Learning how to move your website to HTTPS is an important issue. These days, we share sensitive data like credit card and bank information or login credentials dozens of times per day.

Using the web for shopping gives us many conveniences. We no longer need to go out to run errands, buy groceries, pay bills or talk to others face to face. Hell, right before writing this guide, I was trying on glasses online!

You also no longer have to inadvertently use a corrupted ATM to have your credit card information stolen. This, too, is now possible with the convenience of your home. At no extra costs!

However, there’s a flip-side. As a website owner – especially if you have an online shop and/or deal with financial or other sensitive information – you have a responsibility to keep it safe. One of the most important steps to do so is use HTTPS and SSL encryption on your site. That’s what we will talk about in this guide.

We will first talk about what we mean by HTTPS and SSL and how it works. After that, we will talk about reasons to add encryption to your site. Then we will tell you where you can get an SSL certificate for your site and finally provide you with a step-by-step guide on how to move your site to HTTPS.

Ready? Then put on your safety goggles and let’s talk some security.

Click here to see 8 steps to move your WordPress to https://

How HTTPS Works – A Short Definition

Before diving into how to move your website to HTTPS, let’s first define what we are talking about. Even if you don’t know exactly what HTTPS and SSL are, you have probably seen them at work before.

HTTPS and SSL are Visible on the Site URLs

These days the URL of most big sites (and increasingly also the smaller ones) start with https:// instead of the familiar http://. In fact, if you look into your browser bar while on this very website, you will see exactly that.

website setup move your website to https example

Next to it, you will also notice the padlock symbol. This is how modern browsers show that you are on a site that uses SSL encryption. In some cases, they even include the name of the company. Both are signs that you are on a site that takes the privacy of their visitors seriously.

What Does That Really Mean?

HTTPS stands for Hypertext Transport Protocol Secure. Its cousin, HTTP (which stands for the same minus the Secure at the end), is the communication protocol usually used for facilitating web traffic.

What’s the difference?

The secure version uses an SSL (Secure Socket Layer) certificate to establish a connection between browser and server. That means any information that is exchanged gets encrypted.

move your website to https how encrpytion works
By Munkhzaya Ganbold (Own work) [CC BY-SA 4.0], via Wikimedia Commons
Encryption is the process of replacing plain text information (like usernames and passwords) with random numbers and letters. That way, they are no longer readable by humans and harder to make sense of if someone intercepts them.

Sounds useful, right? But do you really need it on your site? Let’s go over some good reasons to add HTTPS to your WordPress website.

A quick note: Technically SSL is not the correct name anymore. In the late 90s, the name changed to TLS (Transport Layer Security) and SSL was actually retired. However, its name stuck around.

8 Steps to Move Your WordPress Site to HTTPS

Alright, now we are getting to the meat and potatoes of this article: how to move your site from HTTP to HTTPS. We will take this step by step to make sure you can follow along without a problem. After all – we care about your site’s security as well!

1. Back Up Your Website

Whenever making major changes to your site, you should always back it up first. That way, in case something goes wrong (not that we are expecting it) you can go back to the working version.

As this case is no different, backing up your website is your first task. Even better – if you have the possibility, run through the process below on a test server first, not only your live site.

2. Implement Your SSL Certificate

The first thing we will do is get ourselves an SSL certificate. How easy or complicated this process is, depends largely on your host.

For example, while researching this guide, I found out that my current host does not support Let’s Encrypt and doesn’t plan on doing so. Needless to say, I am in the process of switching. Hopefully, yours is a bit more forward thinking, such as the companies on this list.

The optimal scenario is that your host offers an option to move your site to HTTPS right in the management dashboard. For example, to switch your site to Let’s Encrypt in cPanel, you can follow these instructions. Find the same steps for Plesk here.

For everyone else, there is Certbot. If you have administrative shell access on your server, you can simply select the type of web server and operating system you are using. After that, the site will tell you how to implement Let’s Encrypt on your server.

move your website to https using certbot

If you get your SSL certificate from a different source, follow the instructions of your hosting provider to implement the switch (that’s also the reason why turning to them in the first place is not a bad idea).

Once that is done, you need to start making the necessary changes to your WordPress website. This is what we will talk about next. If you feel that the below is too technical, you can also give the plugin Really Simple SSL a try. It takes care of most of the heavy lifting described next.

3. Add HTTPS to the WordPress Admin Area

The first place where you will get to enjoy the new safe connection is the WordPress dashboard. By securing the back end first, you make sure that whenever a user logs in, their information is exchanged securely.

To do so, open wp-config.php in your WordPress root folder and add the following line somewhere before where it says That’s all, stop editing!.

define('FORCE_SSL_ADMIN', true);

Once you have updated the file, it’s time to test if it works. For that, try to access your login page with HTTPS in the URL, for example via https://yoursite.com/wp-admin. If everything worked correctly, you should have a secure connection now. Then continue.

4. Update the Site Address

After moving the WordPress backend over to HTTPS, it’s time to do the same for the remainder of your site. You can do that by updating your site address under Settings > General.

move your website to https change WordPress settings

Add https:// to the beginning of both the WordPress address and site address. Then update your settings by saving. Be aware that you might need to log in again afterward.

5. Change Links in Your Content and Templates

Now it’s time to update any links in your content and database that include the old HTTP protocol. A plugin like Velvet Blues or the Search and Replace script can help with that. However, be careful! If handled incorrectly, they can also screw up your site. Good thing you made that backup earlier, right?

If you have links to external resources and assets in your theme templates and function files with absolute HTTP links, it’s important to correct these, too. Things to consider:

  • Images, videos, audio hosted on your site
  • Web fonts
  • iframes
  • JavaScript and CSS files or assets referenced within those files
  • Internal links

If possible, change your links to // instead of https://. They will then create relative links themselves!

6. Implement 301 Redirects in .htaccess

The next step in moving your site to HTTPS is setting up a redirect that sends visitors automatically over to the secure version. For that, we will use .htaccess. This is the name of an important system file on your server (usually in the WordPress root directory).

It usually contains settings for using pretty permalinks, so your installation probably already has one. To find it, make sure to allow your FTP client to show hidden files because .htaccess is invisible by default. If you don’t have one, just create a plain text file, rename it to .htaccess and upload it to the WordPress root directory.

After that, add the following lines to it:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That’s it. From now on, visitors (including Google bots) should automatically land on the HTTPS version of your WordPress site. Make sure no page is available in both versions. This can lead to problems with duplicate content. Not good for SEO.

7. Test and Go Live

Ok, now that we are done with the main steps, it’s time to test if everything works correctly. For that, head on over to SSL Test. Insert your domain name and click Submit. This will give you an overall score of how well you implemented SSL on your site and details to find out potential issues in order to fix them.

move your website to https ssl test results

After that, crawl your site with a tool like SSL Check. That way, you can catch any leftover links that you forgot. If everything fine, it’s time to go live. Well done! Now you only need update some peripheries.

8. Update Your Site Environment

If that worked fine, now it’s time to do the last few steps to complete the transfer to HTTPS:

  • Update your sitemap — Ideally, your SEO plugin does this automatically. However, it doesn’t always work that way. With Yoast SEO you might have to switch off the plugin once for it to update the sitemap. Don’t forget to include it in your robots.txt file and update all other hardcoded links you might have there.
  • Add site to your webmaster tools — Go to every webmaster tool you are using and add the HTTPS version of your site as a new property. While you are there, upload the new sitemap. You might also consider doing a fetch and crawl and submit any disavow files that are already active for the old version of your site.
  • Update your CDN — If you are using a content delivery network (one of the ways to speed up your site), you also need to switch it to SSL. Many of them have that feature built in and your CDN should have documentation on this. Otherwise, ask their support to help you.
  • Make the switch in your analytics — If your analytics need a default URL, make sure to upgrade it with the new prefix. For Google Analytics, you find the option under Admin > Property Settings > Default URL. Also, note down when you made the switch to HTTPS to understand traffic changes.
  • Preserve social share counts — If you show social share counters on your site, you might have to make some changes in order to keep them up to date. Check this guide for details. Don’t forget to update the links to your site in your social profiles! And do the same in your email templates.

That’s it! You have successfully managed to move your website over to HTTPS. Congratulations, that was no small feat. If everything went fine, all that’s left is patting yourself on the back and celebrating. Should you run into problems, we have some troubleshooting tips up next.

Why Should You Move Your Website to HTTPS?

Currently, only 0.1% of all websites use SSL. Consequently, it doesn’t seem like the technology is essential to run a successful web presence. However, there are still convincing reasons to become part of the minority.

1. Your Site Handles Sensitive Information

First of all, if you have an online shop that handles credit card information or similarly sensitive data, moving your site to HTTPS is an absolute must. Clients want to trust your site and they should be able to. It is your responsibility to make that happen.

For example, if someone uses a public wifi spot to access an unsecured site, others are able to steal their payment details. If they use that information to steal from your client, how likely do you think that person is to come back to your site? Not very.

Without HTTPS it is also possible to alter the data your visitors receive. That way, a third party could add ads, malware or other things you definitely don’t want others to see on your web presence.

In fact, a while ago AT&T was caught doing that (add ads, not malware). However, you can be sure that visitors won’t really care who did the deed. All they will remember that it happened on your site.

However, even if you “only” deal with normal login information, it’s not a bad idea to offer an extra layer of security and keep it safe. Your users will certainly appreciate it.

2. HTTPS is a Sign of Trustworthiness and Authenticity

Speaking of visitors: because of the general push for HTTPS adaptation on the web, encryption has become something that consumers increasingly expect. In fact, by now 28.9% look at the green address bar in their browser a number that will likely increase with time.

study on consumer expectations with https

Why do they care? Because the little padlock doesn’t only mean that their traffic is protected but also that the website is authentic and who it claims to be, not some fake. After all, the same study shows that 77% of end users are concerned about their data being intercepted and misused.

So, if they have the choice between your site without HTTPS and a competitor who has implemented it, chances are good they will decide against you. Especially since major browsers (Chrome, Firefox) now mark sites, which have forms on pages without HTTPS, as insecure.

In the future, they might generally warn you of any site that doesn’t have encryption in place. And you really don’t want to be among those.

3. Benefits for SEO

Not only do consumers expect you to make the move over to HTTPS, search engines do, too. Google officially announced that having an SSL certificate in place is now a ranking factor. What’s more – while weak at the moment, the importance of HTTPS will increase over time.

In addition to that, referral data from HTTPS to HTTP is blocked in Google Analytics. So, if you have a website running on the old protocol and get a lot of referral from sites running on HTTPS, you won’t see it correctly in your web analytics. That way, you might not be aware of platforms that send you lots of traffic and lose out on amplifying your marketing channels.

4. Faster Loading Times

Staying on the topic of SEO, HTTPS is also significantly faster. Don’t believe me? Try it here (use a private window to prevent image caching). When I ran the test, HTTPS was a whopping 83% faster!

http vs https speed comparison

Not bad, right? Especially since page loading speed is also a ranking factor.

Not only that but visitors care about it. In fact, a large chunk will leave your site if it doesn’t load within three seconds. For that and other reasons, check out our guide on how to speed up WordPress.

HTTPS Troubleshooting Tips

Unfortunately, moving your site to HTTPS is not all sunshine and rainbows. Some stuff might come up that needs dealing with.

Mixed Content Warnings

The most common problems that arise after you move your website to HTTPS are mixed content warnings. This happens when the browser finds non-secure links on an otherwise secure page. This is usually a matter of updating links to jquery libraries, custom fonts or similar to their HTTPS version.

You should usually take care of this while scanning your site before publishing it. However, if you find a warning like this, make sure to check what is causing it.

Aside from the aforementioned tools, you can also use Why No Padlock? for single pages. Then, correct whatever is the issue.

Decreased Search Rankings

Making the switch from HTTP to HTTPS can influence your rankings negatively. What?! Didn’t I say earlier that this is good for SEO? Why would your rankings go down then?

Before you go back and kick HTTPS to the curb, hear me out first. If your SEO is affected negatively, this is usually only temporary.

You see, Google treats https:// and http:// URLs as two different entities. Even if you set up 301 redirects (as we have done above), those only transfer 90-99% of the link juice. That’s why your rankings might go down in the beginning.

However, after the initial dip, they should actually increase over time. As mentioned, Google considers the use of SSL a positive ranking factor, so if you move your website to HTTPS, you actually make it more attractive in their eyes. This will benefit you in the long run.

In a Nutshell…

Keeping your site and its traffic secure is one of the most important issues for any website owner. Knowing they can trust you with their sensitive data matters to consumers. In times of increased data theft, that is a huge asset and HTTPS and SSL are the tools to achieve it.

Besides signaling trustworthiness to consumers, when you move your website to HTTPS it also lets you benefit from increased speed and better SEO. Plus, with a free service like Let’s Encrypt, the cost is no longer a deterrent.

Above, you have learned how to obtain a free SSL certificate and implement it on your WordPress website. We have gone through the necessary steps to move your entire site over to HTTP’s secure cousin and also talked about other considerations to take into account when making the switch.

If you have followed along, you are now able to add HTTPS and SSL to your WordPress website. Know that this is a great investment for the future and where the web is moving. Your visitors, users, and your site will thank you.

Want to ask a question or leave a comment?

Ask me anything

  • Avatar
  • Avatar
  • Avatar
  • Avatar
  • Avatar
  • +


Leave a Reply

Your email address will not be published. Required fields are marked *


  1. Avatar

    I had been trying to apply SSL to my website. Sadly, I updated my site’s URL from http to https before installing the certificate. Stupid, I know. Now, my site cannot be reached. I therefore need to revert that change, but am unable to launch the WordPress dashboard as it generates the same error as my website: This site can’t be reached. itsmagicpeter.com took too long to respond.

    So I’m at Catch-22. I need to get to the dashboard to change my site’s URL from https to http, but I can’t launch the dashboard because my site’s URL has been set to https rather than http. My ISP has tried restoring back-ups to revert the change, to no effect. I am unable to edit the files affected, as those files are inaccessible via FTP (I’m told they are the wp_options files, but that may be a red herring). So I am at a loss. Any suggestions would be VERY welcome.

    • Avatar

      Hey Cade, I have been in your situation before, thankfully it’s easy to correct. You can change the URLs inside your MySQL database. You can access it through your hosting provider, usually via phpMyAdmin. Look for “MySQL” in your hosting account.
      Make sure you are editing the right database (you can find the name inside wp-config.php in your WordPress installation where it says define(‘DB_NAME’, ‘[this is the name of your database]’);. Go to the wp_option table (it’s not a file but a part of your database) and find the entries called siteurl and home. Edit them both and change them back to the non-HTTPS version of your URL. Don’t forget to save. After that, you should have access to your site again.

  2. Avatar

    In one site your .htaccess code gave me a loop of 301 errors while in another site your code works. Here’s how I corrected the first case:

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    Maybe you could update your site by placing both codes.

  3. Avatar

    Hi Nick,
    thank you for your post. I encountered lots of problems to pass from http to https simply because our site is multilanguage and the net of permalinks (Polylang plugin) is complicated.
    One thing that doesn’t work now is the .htaccess: with the config suggested it does not work.

    Do you mean that the rows

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    have to be added to the other rows or fully replace any other row?
    Because it does not work in both cases.


    • Avatar

      Hey Mauro, sorry to hear it’s not working for you. If you have tested both adding the rewrite code and replacing the older .htaccess content with it, there might be a problem with Polylang. Have you gotten in touch with the developers?

  4. Avatar

    This article was SO helpful! Thank you! I am a complete novice to creating a WordPress site and this was an excellent resource when I realized I should convert my site to HTTPS. I am up and running securely thanks to your time and efforts in sharing this information! The explanations of WHY it’s important were especially appreciated as well.

  5. Avatar

    Whew! It was actually way harder than I thought… so thanks for the many tips! In particular, the Really Simple SSL plugin definitely fixed my issues, after using the Better Search Replace plugin to make sure that everything had https in front of it…

  6. Avatar

    Thanks for this thorough and well-reasoned article. I found it to be a really good road map for updating my site to https.

  7. Avatar

    Hi WebsiteSetup Editorial – really useful guide. There is just one comment from step 5 I didn’t really understand what I should do about it “Make sure no page is available in both versions.” I understand what that means both http: and https: versions exist – as you mentioned to someone else, but is the 301 redirect all that need to be done – or does the old http: version somehow have to be removed?

  8. Avatar

    Hi there, thanks for this very informative article. I’m fairly new to this field, and have what might be a big picture question. We currently have a WordPress site and are working on a complete overhaul and rebrand, and are also moving to Square Space. So, this means that some of the overall structure of the site is changing, so quite a lot of the urls will need 301 redirects. It also means that we will be moving from http to https as default, because as I understand it Square Space uses https as default. So, my question is this: should I transition from http to https while still in WordPress, or should I do it all in the Square Space transition? I’m concerned with so many things changing (http to https, many urls, overall structure of site, etc), and don’t want to inadvertently create chaos. Thank you for any insight you have!

    • Avatar
      WebsiteSetup Editorial Verified

      Happy to hear it, Joel! Thanks for the kind words! This will definitely be one of my go-to comments whenever I have a bad day.

    • Avatar
      WebsiteSetup Editorial Verified

      Hi Andro, sorry to hear you are having problems. Did you add the statement in the right place, meaning above That’s all, stop editing!?

      • Avatar

        I added the line define(‘FORCE_SSL_ADMIN’, true); before That’s all, stop editing!?. But when i try to login it says the requested url not found. Can you help me figure it out?

        • Avatar
          WebsiteSetup Editorial Verified

          My first tip would be to talk to your host. They might have some configuration in the server files that clashes with your WordPress settings.

  9. Avatar

    Excellently written. A fine job, sir! (bows)

    Thanks for setting me absolutely straight on migrating from http to https in one go!

    Best wishes,
    Patrick Ellen.

    • Avatar
      WebsiteSetup Editorial Verified

      Patrick, excellent comment! A marvelous piece of work indeed. (dances a short jig)
      Glad we could help!
      WebsiteSetup Editorial

  10. Avatar

    WebsiteSetup Editorial, Thanks for all the info. I am planning to create my entire website on LOCALHOST and then uploading it to the server. Just starting. I will use Bluehost.com . What do I need to change from the most recent WordPress download to have everything HTTPS compliant?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Marlow, thanks for the comment! What you describe is also my development process. However, I’m afraid I don’t understand your question. The steps to use the latest WordPress version with HTTPS are the same as described in the post. Is that what you were asking for? Cheers!

  11. Avatar

    Wow. Great tutorials. I used it to migrate my site from http to https. It was a huge burden but thanks to you, I did it without any issues.

  12. Avatar

    Hi, Thanks for a detailed and publishing one of the best article on http to https.

    I’ve few queries: Do I need to make following changes in Webmaster:

    1) Submit new sitemap
    2) Fetch as Google all the urls again or the key pages
    3) Test robots.txt
    4) Inform Google using Change of Address tool. If yes, then just to confirm, do I need to first add new site, set 301 redirect and then use Change of Address tool?

    Any more changes required, then please recommend.

    Thank you.

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Chandra,

      thanks for the detailed comment! Your list looks complete. Google treats changing to HTTPS as a site move with URL change, so you need to take the appropriate steps laid out in their support section.

      Hope this helps!
      WebsiteSetup Editorial

  13. Avatar

    Thank you so much, i have successfully moved my website from HTTP to HTTPS. I want to add one thing for those who are going to migrate from http to https because i was stuck at that point, keep in mind always put code at the top of .htaccess not in other places otherwise redirect will not work properly.

  14. Avatar
    Desmond De-souza

    Protocols – You currently have TLSv1 enabled.
    This version of TLS is being phased out. This warning won’t break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.

    [redacted for security reasons]

    WebsiteSetup Editorial can you please help with these problems?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey, I cut out some of your comment because you probably should not make that publicly available. It seems like you need an updated SSL protocol soon. In addition to that, the errors that you are seeing all seem to be because some of your assets are still linked to via HTTP links. Check where they are hardcoded and change it to https:// or relative links if possible. This should resolve the issues.

  15. Avatar

    I followed your guide and switched my site from http to https. About 24 hours later, one of my keywords, “best outdoor mosquito killers” which was ranked 4th on Google now nowhere to be found. I am freaking out now. Should it drop that much? Is it normal? Please help. Thank you!

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Lynn, from all I have read, drops are to be expected and it can take anywhere between two weeks and two months for things to go back to normal. Did you make sure you implemented everything correctly and let Google know about the change (redirects, canonical links, etc.)? If so, your rankings should recover over time. Hope this helps!

  16. Avatar


    I,ve done all steps mentioned above. My site is working just fine. The only thing is that google search doesn’t show https:\\ prefix in the search results.
    Am i missing something?

    Thank you in advance,

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Almir,

      did you also set your site to HTTPS is Google Webmaster Tools? Then you should be fine. My guess is that Google just takes a while to update their index. Give it some more time and come back if they don’t pick up the new prefix in a few weeks.

      WebsiteSetup Editorial

  17. Avatar

    Thank you for such an easy-to-follow and informative guide. I had no idea what I was doing wrong and no idea how to fix it until I found this post! My site is now happily buzzing along with HTTPS… and is backed up now too o.O I found out when I started Step 1 that my hosting service backup had stopped backing up about two weeks ago because of a config error, so I am really glad I found that out and was able to correct it before it was too late. So, thank you and keep up the good work.

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Jemma, glad I could help! And good that you caught the backup issue. That could have bitten you in the butt down the line. Thanks for taking the time to comment.

  18. Avatar

    Thanks for this. After following these steps, for some reason my home and about pages still don’t have the secure connection, yet the rest of my pages and content do. How do I fix this?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Angelique, please refer to my answer to Maria and see if it works for you. Feel free to check back with your results. Best, Nick

      • Avatar

        Thanks, I should have read her comment before asking the same thing. I ran the test, and had one item that gave me the “mixed content” warning so I just replaced the image with the exact same image just freshly uploaded it and removed the old one. All fine now. 🙂

  19. Avatar

    Hi! First of all, thank you for this informative and life saving article!
    I started my switch from http:// to https:// only yesterday and I can’t tell you how frustrating it is for me. I have no technical knowledge and I am so new to all this.
    Anyway, I somehow managed to get the green padlock.
    I’ve run checks (both with whynopadlock and ssl test) and everything seems fine; no mixed content or anything.
    But: When I am in some admin areas (editing blog posts on dashboard for example) I don’t see the green padlock, the URL is not secure. Also, when I am in the website as a visitor, although there is the green padlock everywhere, when I click on “Home” it redirects me to the non-secure version of the homepage.
    Do you have any idea why is this happening and how I could fix it?
    Thank you in advance

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Maria, thanks for the comment! Have you used https://www.whynopadlock.com/ to check the pages in question? Also, for the homepage check your WordPress menu. The “Home” link is usually hardcoded. Maybe it still has the http:// in place. Please come back to let me know how it went.

      • Avatar

        Hi WebsiteSetup Editorial! Thank you so much for your immediate reply! I had figured the Home issue out myself shortly after I posted my comment. However, the no-green-padlock issue in my admin area persists. I just checked those pages with whypadlock, as you suggested, and everything seems to be ok. However, all my blog posts in the admin area have the exclamation mark instead of the green padlock (all other areas in my admin area have the green padlock).

        • Avatar
          WebsiteSetup Editorial Verified

          Hey Maria, could it be an issue with images that are still hosted on HTTP like in Angelique’s case? You should be able to find out easily via the HTML editor.

  20. Avatar

    I’m about to move a wordpress site over from a http development sever to an already existing https live site (with a new theme, new content and new plugins). Are these steps the same or are there other things I need to take into consideration?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Lee, I’m not sure I understand. If the existing site already has a theme, content and plugins, what exactly are you moving over?

  21. Avatar

    Hi WebsiteSetup Editorial, really great article for anyone who thought that changing website from http to https is “a piece of cake”. I perspired the moment I bought my SSL Certificate. Literally have to visit Support of my hosting platform and getting the “permission” and paying them to install the certificate into the server where my Domain is residing.

    Then the shock came in knowing that the URL need not necessary turn GREEN because of mixed content or configuration and what’s not. Stumbled upon your article and learnt that it is the simplest and easiest method to get it fixed (not really, I still have many pages of mixed contents to settled with). At least, I felt glad that I saw the GREEN ICON when I was in Admin mode of my WordPress and got Grade A for my SSL Labs Test.

    Looking ahead to collaborating with you someday (but let me settle this thingy first! Lol)

    Have a great day!

    • Avatar
      WebsiteSetup Editorial Verified

      Hey William, thanks for the kind words. I’m glad you liked the article. Yeah, mixed content can be a pain to eliminate. Thankfully, once you have moved your whole site over to HTTPS, things get a lot easier. Have a great day too and please feel free to swing by the blog again. Cheers!

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Ali, I’m sorry I don’t have any experience using Adsense and thus can’t answer that question. However, maybe someone else here can chime in.

  22. Avatar

    Thanks for this guide! Just used it to move our agencies’ site to HTTPS and this was by far the best guide I found.

    Had some issues with it not redirecting correctly, so got someone on Fiverr to fix that for next to no money. All sorted now! Thanks again 🙂

  23. Avatar

    Thank you, very helpful!

    About htaccess: As I figured out (not an expert with the htaccess syntax), the new rewrite rules must appear before the existing ones, not after them, like:

    RewriteEngine On
    RewriteBase /

    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    … it the new rules appear at the end, it did not work.

    And one more thing: If I use custom background and/or header images (get_background_image(), has_custom_logo()… ), they are not automatically updated to https. It is necessary to select them again via the customizer.

  24. Avatar
    yudikrisno wibowo

    Hi WebsiteSetup Editorial.
    I did follow your instructions about edit wp config. Now I’m losing kontrol to my WordPress. I cannot login to my admin account because browser always redirect me to blind page https. Can you help me resolve this problem?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey, did you follow all the steps before? Did you place the code in the right place? If it’s not working, edit your wp-config.php again to revert the changes. This will help you troubleshoot the process. Also, are you trying this out on a test site first?

      • Avatar
        yudikrisno wibowo

        every time I click dasbord, it always redirect me to https wp. Blind page. Just for record, I did backup right before edit wp config. But I cannot restore my backup because it won’t allow me to click the dasbord panel. So, any suggestions?

    • Avatar

      I have the same problem too..

      But I didn’t do step 1 at first.
      I changed from http to https in wordpress settings.
      And now I cannot access my website .

      I changed wp-config but nothing worked me…

      Please help fast

      • Avatar

        you can fix this from the database tables. Go to your websites control panel, go to phpmyadmin click on the database for the wordpress you want to fix, then click on the wp_options table and edit the URLS back to http://

  25. Avatar

    Hey WebsiteSetup Editorial, good article. I wonder, for smaller blogs isn’t better to reinstall from scratch over https (avoiding all these tweaks)? and import the xml content after? My blog is based mostly on funny images, so i wonder the content will be imported right to https? i don’t know… I have tested a little bit on my xampp localhost and my plugins were screwed up… kind of complicated this migration 🙁

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Vlad, that is a good question. Personally, I would probably run test to see what works best for me. I recently moved a clients’ WordPress website to a subdirectory. Before doing it on the server, I ran about 6-8 different ways on my local installation to see which one works best and will produce the most reliable results. For your case I would probably do the same. Thanks for the comment!

      • Avatar

        This is incredibly helpful. Thank you.

        We have a live site (www.abc.com) so do you recommend copying the site to a sub directory (www.abc.com/test) and testing out the steps above first?

        Our SSL certificate is live, and when we access it the CSS is broken across the site. So I’d like to do a test run on these steps before implementing on the live site. What do you recommend?

  26. Avatar

    Thanks very much for making this information available. I’ve worked my way through the steps to move our webpage (now https://www.cantorionsydneychoir.com/) from HTTP to HTTPS to the point where SSL Labs has given the site A grades.

    Your instructions were such that I knew exactly what to do and felt confident while doing it.

    Thanks again!

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Alan, thanks a lot for taking the time to comment. I’m happy the guide worked well for you. Have fun with your encrypted website!

  27. Avatar

    Hi WebsiteSetup Editorial, I just want to say thank you for this great tutorial

    I always wonder what should I do after switched my site to HTTPS. But you explain it clearly and it’s so easy to understand.

    Btw, I’m curious about the step 5 (Change Links in Your Content and Templates). Since we’ll be going to redirect all HTTP to HTTPS in step 6, could we actually skip this step? I wonder what the difference between using the HTTPS link directly and redirecting it to the HTTPS version of it?

    • Avatar
      WebsiteSetup Editorial Verified

      Hey Syafiq, thanks for taking the time to comment. I’m glad you liked the article.

      Maybe there is a misunderstanding. In step 5 you make sure that from now on all links on your site will use the SSL protocol. This is not only to make sure all your traffic is encrypted but also in order to avoid “mixed content” warnings in your users’ browsers.

      In step 6 you then point incoming visitors towards using those links. If you skip step 5, you will send them to URLs that don’t actually exist. Probably not a good idea that will confuse visitor browsers and search spiders alike.

      I hope this answers your question. Cheers!

      • Avatar

        Hi WebsiteSetup Editorial, thanks for your reply

        Quoting your answer, “If you skip step 5, you will send them to URLs that don’t actually exist.”

        and I re-read your article again and find this sentences in step 6, “This can lead to problems with duplicate content.”

        Does it mean that link in HTTP and link in HTTPS are two separate things? I guess this is where I misunderstand it. It makes sense then why I shouldn’t skip step 5.

        • Avatar
          WebsiteSetup Editorial Verified

          Yes, those two are different things, especially for search engines. They even see the www and non-www version of a page as two different pages. It’s easy to misunderstand. Thanks for helping clear it up for everyone.

  28. Avatar

    WebsiteSetup Editorial, this is a terrific guide on how to optimize a WordPress site to be SSL compliant and if you follow the above steps (roughly in order) and have a bit of technical expertise to address any issues that may come up along the way, you should be golden. No problems with your guide to https glory and would definitely recommend as it’s so clean and easily laid out.

    • Avatar
      WebsiteSetup Editorial Verified

      Thanks a lot! I’m very happy to hear that the post helped you. Thanks for taking the time to leave a comment.

  29. Avatar

    Hi WebsiteSetup Editorial, great article, I was wondering, I’m using Cloudflare which has backend options to automatically redirect to https.

    Do I still need to update my site address in the wordpress back-end? I’m paranoid that if I change it I’ll break the site?



    • Avatar
      WebsiteSetup Editorial Verified

      Hey Simon, unfortunately I have no experience with Cloudflare. I recommend you ask them directly. Thanks for the comment!

  30. Avatar

    Very thorough tutorial!

    From setting up the website SSL, giving guide on changing old http protocols to https in the URL and content, and also setting up in Search Console and Google Analytics and finally 301 redirect guide.

    Quick and easy red tutorial 😉

  31. Avatar

    In case if the host doesn’t support let’s encrypt. Is there a solution to move site from http to https without changing host.

    • Avatar
      WebsiteSetup Editorial Verified

      That’s a good question. I have the same problem with one of my hosts and so far my best solution was to change hosts. There are other free SSL certificates out there, however, as far as I know Let’s Encrypt has the best reputation. Hope this helps!