If you’re a WordPress website owner, you might have recently heard a lot about the need to migrate your WordPress website from HTTP to HTTPS. While most people know that they’re supposed to do this, few people actually understand what HTTPS really is or why it’s important. And even fewer people understand how to go about making the shift from WordPress HTTP to HTTPS.

Importance of HTTPS in WordPress

HTTPS means that your communication with the website is secured against eavesdroppers.

HTTPS stands for Hypertext Transfer Protocol Secure. It’s the same as HTTP, but with the added ‘Secure’ at the end. And that makes all the difference.

When you visit a website over standard HTTP, your communication with the site is unencrypted. That’s alright if you’re simply reading public information on the website. However, if you intend to provide some information (payment details, billing information, login info, contact details, etc.), the data you transmit can be easily compromised because it’s sent in plaintext.

Google is Pushing All Websites to HTTPS

In recent years, due to an increase in cyber attacks and digital spying, Google has pushed its HTTPS Everywhere campaign in order to incentivize website owners to migrate from HTTP to HTTPS in WordPress (and across other platforms). As such, if you don’t have an HTTPS website, Google will show a “Not Secure” warning in the address bar next to your URL, dissuading viewers from taking action.

In this article, we’ll show you how to keep your website secure and Google-friendly by migrating WordPress from HTTP to HTTPS.


Checklist to Migrate WordPress HTTP to HTTPS

Before you start the process of migrating WordPress from HTTP to HTTPS, you need to have the following details sorted:

  • Buy an SSL Certificate: You need an SSL certificate that digitally binds a cryptographic key to your website, enabling secure connections from the web server to a browser. You should select a 2048-bit key certificate or higher. Some of the popular vendors for SSL certificates are Comodo, RapidSSL, DigiCert, and others.
  • Generate CSR and Private Key: You’ll need to generate a certificate signing request (CSR) and a private key before you can obtain your SSL certificate. Most web hosting platforms (like cPanel) provide a simple interface for you to complete this. You’ll need to upload your CSR to your provider to generate your SSL certificate.
  • Install the SSL: Provide your web host with your certificate and private key to finalize installation of the SSL certificate for your WordPress site. Once done, make sure everything is alright by running an SSL Server Test.

The Process to Migrate a Website from HTTP to HTTPS in WordPress

Now that your hosting account is SSL-enabled, you can start the process of migrating WordPress itself from HTTP to HTTPS.

Update WordPress Settings

You need to inform WordPress that you’ll be using HTTPS from now on. To do so, log into wp-admin and go to Settings > General Settings. In the WordPress Address (URL) and Site Address (URL) fields, enter the HTTPS URLs for your website (for example, https://yoursite.com).

Redirect all HTTP requests to HTTPS

Now that you’ve made that update, your website is (at least somewhat) functional with both the unsecured HTTP and the secured HTTPS version. You need to make your website and all associated files accessible exclusively via HTTPS. To do that, ensure that whenever someone enters the HTTP URL, they are automatically redirected to the new HTTPS URL. That way, all your HTTP links will continue working, but visitors will only ever be served the HTTPS counterpart.

To achieve this, go to .htaccess and add the following rules:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Tweak your SSL Settings

If you need to, you can modify your SSL settings to your liking. One recommended change is enabling HTTP Strict Transport Security (HSTS), which protects your website from protocol downgrade attacks and cookie hijacking.

To achieve this, go to .htaccess and add the following rules:

# Enable HSTS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
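
To confirm that the redirect and HSTS rules above took effect, the following added example (not part of the original article) checks two captured responses for one page: the one returned for the http:// URL and the one returned for the https:// URL. The function names, the response format and the sample responses are assumptions made for illustration; the minimum max-age matches the value used in the rule above.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # the value may be a quoted string
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def check_migration(url, http_resp, https_resp, min_age=31536000):
    """List problems in two captured responses for the http:// page `url`.

    Each response is (status, headers) with lower-cased header names.
    """
    problems = []
    want = urlsplit(url)
    status, headers = http_resp
    loc = urlsplit(headers.get("location", ""))
    if status != 301:
        problems.append(f"HTTP request returned {status}, expected 301")
    if loc.scheme != "https":
        problems.append("redirect target is not https")
    elif (loc.netloc.lower(), loc.path, loc.query) != (
            want.netloc.lower(), want.path, want.query):
        problems.append("redirect changes host, path or query")
    _, headers = https_resp
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("HTTPS response has no Strict-Transport-Security header")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            problems.append("HSTS header has no valid max-age")
        elif max_age < min_age:
            problems.append(f"HSTS max-age {max_age} is below {min_age}")
    return problems

# Constructed sample responses (not captured from a real site).
GOOD = ((301, {"location": "https://yoursite.com/blog/?p=1"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
BAD = ((302, {"location": "http://yoursite.com/blog/?p=1"}),
       (200, {"strict-transport-security": "includeSubDomains; max-age=300"}))
```

An empty list means the page passed every check; a 302 in place of the 301, a redirect that stays on http://, or a short max-age each produce one entry.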

Fix Mixed Content Warning

You receive a mixed content warning if the HTML of your site still contains images and media files with an HTTP URL.

You need to ensure you’re not getting any mixed content warnings if you want that secured lock icon.

To achieve this, go to phpMyAdmin (or the database tool offered by your hosting provider) and run the following commands to automatically update HTTP URLs to HTTPS:

# Update self-hosted embeds (images, iframes, scripts, etc.); table names assume the default wp_ prefix
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.yoursite.com', 'https://www.yoursite.com');
# Update internal pingbacks
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://www.yoursite.com', 'https://www.yoursite.com');
# Update YouTube embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.youtube.com', 'https://www.youtube.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://img.youtube.com', 'https://img.youtube.com');
# Update Vimeo embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://player.vimeo.com/', 'https://player.vimeo.com/');
# Update Flickr embeds (note: this pattern rewrites every URL whose host begins with "farm", not only Flickr's)
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://farm', 'https://farm');
# Update Slideshare embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.slideshare.net', 'https://www.slideshare.net');

If you have other external embeds that are HTTP, you’ll need to find and update them also.

Enable HTTPS for CSS & JavaScript

Even after the complete transition, it’s possible that your CSS and JavaScript will still appear under the HTTP URL path. To fix this, go to .htaccess and add the following rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{SERVER_PORT} !^443$
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>
# END WordPress

After you incorporate all the aforementioned changes, your WordPress site will be completely migrated from HTTP to HTTPS.

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.
