how to migrate wordpress to https

Are you thinking about moving your WordPress website to HTTPS?

If you are running a wordpress website smaller than a million pages, you may safely follow this guide easily to help you shift it onto a secured environment easily and fast, problably less than an hour.

If you are handling a very large website with a complex architecture layers and numerous existing legacy redirects in place, likely over a million pages, that’s a different monster altogether and you may want to take a more systematic, orthodox  approach.

First of, does everyone need to migrate WP to HTTPS?

Well, nobody obliges you to switch to a secure environment, but it will boost your performance for sure.

Every day, we share so much personal information that, basically, ourselves are just pieces of puzzle lost in the cyberspace. That’s exactly why you should migrate WP to HTTPS if you are working on WordPress.

If someone ever managed to put together these puzzle pieces we leave behind us, stealing our personal information would be just a matter of time. So, either it is a personal e-mail password or a credit card number, a secure connection is definitely more preferred.

If you have an e-shop and customers share sensitive information with you like their credit card numbers or their addresses, they will most likely check if your domain name has an SSL certificate.

However, even if you do not run a website based on user information (like an e-Commerce WP site) there is a good reason for you to migrate WP to HTTPS too.

So, now that you know about the importance of HTTPS let’s take a look at how you can make it work in your favour too. It will only allow you to have more customers and visitors at the same time.

But let’s take it from the beginning.

Figuring Out SSL and HTTPS

I know how intimidating terminology related to online marketing can be sometimes but you seriously have to worry about nothing. I am here to explain everything to you.

Before you migrate WP, you need to know what you are migrating it to, right?


These are the two main terms we will be looking into today so clarifying them is super important:

  • SSL (Secure Sockets Layer) is the technology used to establish an encrypted link between a website’s server and the user’s browser and makes sure that all data shared remain private.
  • HTTPS simply gets the browser to use SSL for protection purposes.

To break it down to you, SSL defines how HTTPS encrypts connections.

Understanding How SSL Certificates Work

No matter how fancy it sounds, getting an SSL certificate is as simple as buying it online for $50 a year, or less. The certificate includes your site’s domain name, your name, and some basic contact info.

When you are entering an SSL certified website, in nanoseconds, your browser checks it. Is it still valid? Did a trustworthy certification authority issue it? Is it connected to the website you are visiting?

If the browser figures out that there is a positive answer to every question I mentioned above, you are free to enter the site. If not, a warning message will appear on the screen.

As you may have guessed, you don’t just need to migrate WP to HTTPS but also keep it up to date.

Now, It Is Time to Migrate WP to SSL

Let’s take it step by step:


Step #1: Get the Right SSL Certificate

The majority of WP hosting providers today have some special SSL offers for ‘Domain validated certificates’ (DV), if you go for a yearly plan. Moreover, some other providers even offer free SSL with their plans and they will only charge you after you decide to renew your subscription.

If the company does not come with an integrated SSL plan but you are too satisfied to let it go, you can always look for another SSL provider. Your “too-good-to-let-go” hosting company will install it to your cPanel or Plesk. SiteGround is one of them. They allow to easily set up your certificate via cPanel.

Tip: these days you can even get free SSL ‘DV’ certificates with global certificate authorities like ‘Let’s Encrypt‘.

So far so easy, right?

Step #2: Configuring WordPress

Edit the WordPress settings

If your site is new and you want to use HTTPS right from the beginning, the only thing that you have to do is change the settings.

Simply, go to Settings >> General. Fill in the “WordPress Address (URL)” and “Site Address (URL)” fields with your website’s URL including the “s” letter after “http”, eg: would become

Write down the “WordPress Address (URL)” and “Site Address (URL)” in these fields with your website’s URL including the “s” letter after “http.” After, all this is what makes the difference, right?

Step #3: Edit your .htaccess file

If you want to add SSL to an existing site, you have to work with a code in order to actually migrate WP. Login to your FTP account and search for the .htaccess file. Just copy and paste the code below and you’ll be good to go:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

You will also need to force all urls to 301 redirect from http to their https equivalent across the site.

Step #4: Add some more https powerhorse

To ensure that all incoming requests are redirected to https, you may want to install a https plugin like ‘Really Simple Redirect‘. Even the free version shifts your site from http onto https. It handles a lot of issues that WordPress has with ssl. It also checks if your site url and home url are changed to https. It’s a real handy tool that will even do for you Step #2 above.

Step #5: Fix ‘Mixed Content’ Issues

This is where it starts getting a bit more complicated. The thing is, although you may have succeeded at serving all your html content via https, you still probably have images or other site resources like CSS or JS being served through http. That’s what’s called ‘mixed content’. Ideally you would serve everything via https.

Mixed content can be detected easily with browser toolds like Google Dev Tools, Console

So you have two options:

  1. manual realignment of the resources flagged still all of them are running under https
  2. automate the process with a WP plugin again.

You may still use ‘Really Simple Redirect’ for this, but you will be expected to upgrade to Pro if you want it to solve your Mixed Content issues. Cost is for $25 if you only run one site, or $59 or more if you have five sites. Upgrade this gem of of plugin to pro will also give you access to stronger features such as:

audit your website for mixed content

Step #6: Review and realign previous redirects

You may have a long list of legacy redirects that you worked on in the past and that will need to realigning to avoid the chain redirect effect. Make sure these are addressed, particularly if you are dealing with a large website.

Step #7: Test your site for HTTPS compliance

At the end of the process you may be wondering if you have done it properly. You can check your website on Qualys SSL Labs.

Nevertheless, if you still don’t want to setup SSL to the whole thing, you might want to consider adding it to some exclusive, important pages. Maybe the ones on which your visitors actually share their information with the World Wide Web.

These pages usually include:

  • Cart Pages
  • Password Pages
  • Checking-Out Pages
  • Terms of Service
  • Contact Info Pages
  • Subscription Pages

So, how do you do it? How do you migrate WP pages to HTTP instead of the entire website? I’ve got you covered here, too.

That’s all. This is how you migrate WP to HTTPS.

Do you want an extra layer of security?

Since you are taking the leap adding SSL, don’t forget to migrate WP backend (like your login and admin pages) to a safer environment too. Find your wp-config.php file and add the code below, just above the “That’s all, stop editing!” line:

define(‘FORCE_SSL_ADMIN’, true);

This will just create an extra layer of security. This time not for your visitors, but for the person who keeps the website alive. You.

Or alternatively, install a Security plugin. For this I have tried several. I am not going to name and shame any. Instead I will tell you the one I currently use: Secupress Pro. It’s a premium plugin. After many hack issues with WP, I decided a long time ago that I would not be skimping on Security.


Post-implementation SEO Checklist

Ok, congratulations you are now running a safe, trustworthy website that will attract thousands of users. However, you need to help it move in order for it to generate more traffic and keep your SEO on the safe side.

Here is what you got to keep an eye on:

Google Search Console

Create a new account under GSC with the new domain name (yes, exactly like the one you have with http but in “https” this time). Go to your profile and click on “Add a Property.” As you can imagine, all you have to do is write down your new URL. The rest is just the same.


If you are using sitemaps, submitting a brand new version with urls in https under the new account would be a wise decision.


If you havent submitted new sitemaps in https for some reason now it’s time to fetch. This will just make Google want to crawl your new domain much sooner than it would on its own. On Google Search Console, submit your homepage, click “Fetch” and then “Submit to index.”

Update your Rel Canonical urls

Usually when you use a WordPress SEO plugin, this will take care of all canonicals ensuring they get updated, but I like to add this one to the list anyhow.

Update your Robots.txt file

If you mention your sitemap main url in your robots, you will want to update this to reflect the new url protocol: https

Re-upload disavow file

If you have had to submit a disavow file in the past, you may want to reupload the exact same file or an updated version on to the https version of your site in GSC. Some may say they can’t be bothered with this well considering how little attention this gets amongst Googlers.

Social Media

I’ve seen this happening so many times I’ve lost count. When you change your website’s URL you MUST update the links on your social media profiles. This way you will offer an easy update to your audience and you will give your users a feeling of engagement

All because you let them know about a URL change.

Look At Your Internal Links

Just do what the heading above says. Every link to any piece of content on your website has to be linking to a valid, new and improved, safe URL. If you are using the SSL plugin I mention above, or any other, you should be ok about this, but just to make sure 100% I suggest you crawl the entire site to fully audit this.

So, have you been there?  Jump into the conversation by commenting below, or get in touch with me.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

eleifend dolor massa libero. nec efficitur. Phasellus lectus tempus suscipit