| WordPress

Moving a WordPress Site to HTTPS

Moving your WordPress website over to https has never been more important. If you don't, major search engines will penalize your site with a lower ranking.

In this blog post, you will look at why https is so important and at what you need to do to move your WordPress site to https.

Why is https important?

Many browsers now clearly label all sites that are seen as insecure, and even if you don’t store sensitive information or accept online payments, Google rankings are tied to your security status. Https also provides a faster connection.

Chrome labels sites without an SSL certificate as ‘Not secure’.

How to Move a WordPress Site to HTTPS

This important enough that some monitoring services will notify you of expiring SSL certificates.

SSL certificates

The good news is that many web hosting companies now provide free SSL certificates. Contact your web host to check before starting the process. If they do provide an SSL certificate to ensure any information between browser and server is encrypted, ask them to enable the SSL status and follow our step-by-step guide.

WordPress changes

Before you start, make a backup of your website. You can usually do this through your web hosting control panel.

Once your SSL certificate is enabled, you will need to make changes to your WordPress configuration and .htaccess file.

Go to your WordPress dashboard and click on Settings on the left-hand sidebar. Then select General.

Where you have the WordPress Address and Site Address, change http://yourdomainname to https://yourdomainname. And click the ‘Save Changes’ at the bottom of the page.

Now you need to make changes to your .htaccess file so that all links to the old insecure address are redirected to the new, secure address. You may be able to edit your .htacess files through Cpanel or whichever interface you use through your hosting company. This can usually be done through a file manager facility. If you are unsure, ask your hosting company how you can edit the file.

You can also make changes to the .htaccess file using FTP (file transfer protocol) if you are comfortable with that process.

Add the following to the bottom of your .htaccess file and save.

 RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If you want to make your admin area secure as well then you also need to edit the wp-config.php file. You can do this through your hosting company’s file manager or by using FTP.

Simply add the following line to the bottom of the file and save:

define('FORCE_SSL_ADMIN', true);

If you are logged in to your dashboard you will now have to log in again.

It is a good idea to go to Settings on the left-hand sidebar and click Permalinks. Then click Save Changes.

Now your site is using https but you will probably see something like this on:

This is a mixed content error and means that some of the images or other links are still using http instead of https.

If you want to see exactly what is causing the error, you can inspect the page. In Chrome, if you right click on a web page you will find a little menu. Click on the last item: Inspect.

A toolbar at the bottom of your screen will now provide all sorts of information about the page. Click on ‘Console’.

Click on the arrow to the left of Mixed Content and you will see a list of all the errors.

Usually, this is because images are using http:// address instead of https://

In order to correct this, you need to change all these addresses in the database. This is not as scary as it sounds.

  • Got to plugins and search for the ‘Better Search Replace’ plugin. Install and activate.

  • Now under Tools on your dashboard’s left-hand sidebar, you can select ‘Better Search Replace’.

  • Now you can replace all instances of http://yourdomain with https://yourdomain.

Make sure you select all the tables.

The ‘dry run’ option is clicked by default and you may want to run this to see how long it is likely to take, but make sure it is not clicked when you are ready for the actual replace.

Your website should now be fully secure and you should see a little padlock on the address bar.

You may find that some plugins continue to use http:// and you want to contact the plugin developer directly if this is the case.

Last step

Make sure Google knows that you are now using an SSL certificate.

  • Go to your Google Analytics account and click on Admin (bottom of the left-hand sidebar) Then select property settings and update to https://
  • Scroll to the bottom of the page and save.

You are now finished and ready for a more secure online future.

About the author

Born in Zambia but living now in Cape Town, South Africa, Libby Young started out as a journalist. She taught herself HTML when the company where she was an sub-editor made the transition from CD-Rom to the web 20 years ago. Since then she has developed content-rich websites using a variety of open source content management systems.