How to migrate WordPress website from HTTP to HTTPS


If you’re a WordPress website owner, you might have recently heard a lot about the need to migrate your WordPress website from HTTP to HTTPS. While most people know that they’re supposed to do this, few people actually understand what HTTPS really is or why it’s important. And even fewer people understand how to go about making the shift from WordPress HTTP to HTTPS.

Importance of HTTPS in WordPress

HTTPS stands for Hypertext Transfer Protocol Secure. It’s the same as HTTP, but with the added ‘Secure’ at the end. And that makes all the difference.

When you visit a website over standard HTTP, your communication with the site is unencrypted. That’s alright if you’re simply reading data on the website. However, if you intend to provide some information — payment details, billing information, contact details, etc. — the data you transmit can be easily compromised because it’s sent in plaintext.

In recent years, due to the increase in cyber attacks, Google has pushed its HTTPS Everywhere campaign in order to incentivize website owners to migrate from HTTP to HTTPS in WordPress (and across other platforms). As such, if you don’t have an HTTPS website, Google will flash a “Not Secure” warning on the header next to your URL, dissuading viewers from taking action.

In this article, we’ll show you how to keep your website secure and Google-friendly by migrating WordPress HTTP to HTTPS.
 
 

Checklist to Migrate WordPress HTTP to HTTPS

Before you start the process of migrating WordPress HTTP to HTTPS, you need to have the following details sorted.

  • Buy SSL: You need an SSL certificate that digitally binds a cryptographic key to your website, enabling secure connections from the web server to a browser. You should select a 2048-bit key certificate or higher. Some of the popular vendors for SSL certificates are Comodo, Trustwave, DigiCert, amongst others.
  • Generate CSR and Private Key: Your SSL provider will need a CSR code and a private key. You can use an online CSR and Key Generator tool for that purpose. You also need to upload your CSR to your provider to generate your SSL certificate.
  • Install the SSL: Provide your WordPress host with your certificate and private key to finalize installation of SSL into your WordPress site. Once done, make sure everything is alright by running an SSL Server Test.

The process to Migrate a Website from HTTP to HTTPS in WordPress

Now that your WordPress website is SSL-enabled, you can start to migrate a website from HTTP to HTTPS in WordPress.
 

Update WordPress Settings

You need to inform WordPress that you’ll be using HTTPS from now on. To do so, log into wp-admin and go to Settings > General Settings. In the WordPress Address (URL) and Site Address (URL) fields, enter the HTTPS URLs.
 

Redirect all HTTP requests to HTTPS

Currently, your website works over both the unsecured HTTP version and the secured HTTPS version. You need to make it accessible exclusively via HTTPS, so whenever someone enters the HTTP URL, they must be automatically redirected to the new HTTPS URL. That way, all your HTTP links will continue working, but visitors will only ever reach the HTTPS counterpart.

To achieve this, go to .htaccess and add the following rules:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

Tweak your SSL Settings

If you need to, you can modify your SSL settings to your liking. One recommended change is enabling HTTP Strict Transport Security (HSTS), which protects your website from protocol downgrade attacks and cookie hijacking.

To achieve this, go to .htaccess and add the following rules:

# Enable HSTS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
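
One way to confirm that the redirect rule and the HSTS rule above behave as intended, as an added example that is not part of the original article. The function names are hypothetical, the sample responses are constructed, and header names are assumed to be passed with the exact casing shown.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # one year, the value used in the .htaccess rule above


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip('"')
    return directives


def check_redirect(request_url, status, headers):
    """Return a list of problems with the response to a plain-HTTP request."""
    problems = []
    src = urlsplit(request_url)
    dst = urlsplit(headers.get("Location", ""))
    if status != 301:
        problems.append(f"expected 301, got {status}")
    if dst.scheme != "https":
        problems.append("Location is not an https:// URL")
    if dst.hostname != src.hostname:
        problems.append("redirect changes the host")
    if dst.path != src.path or dst.query != src.query:
        problems.append("redirect drops the path or query string")
    return problems


def check_hsts(headers):
    """Return a list of problems with the HSTS header of an HTTPS response."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(value)
    problems = []
    if not d.get("max-age", "").isdigit() or int(d["max-age"]) < MIN_MAX_AGE:
        problems.append("max-age missing or shorter than one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    return problems


# Constructed sample responses (not captured from a real site).
HTTP_RESP = (301, {"Location": "https://yoursite.com/blog/?p=1"})
HTTPS_RESP = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
print(check_redirect("http://yoursite.com/blog/?p=1", *HTTP_RESP))
print(check_hsts(HTTPS_RESP[1]))
```

Because the rule uses env=HTTPS, the header is expected only on HTTPS responses, so run check_hsts against the headers of an https:// request and check_redirect against the response to the http:// one.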

 

Force SSL for wp-admin

Ensure that wp-admin is only accessible over HTTPS. To achieve this, go to wp-config.php and add the following text:

define('FORCE_SSL_ADMIN', true);

 

Fix Mixed Content Warning

You receive a mixed content warning if the HTML of your site still contains images and media files with an HTTP URL. You need to ensure you’re not getting any mixed content warnings if you want that Green Secured Lock Icon.

To achieve this, go to your phpMyAdmin (or any tool offered by your hosting provider) and run the following SQL queries:

# Update self-hosted embeds (images, iframes, scripts, etc.)
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.yoursite.com', 'https://www.yoursite.com');

# Update internal pingbacks
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://www.yoursite.com', 'https://www.yoursite.com');

 

# Update YouTube embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.youtube.com', 'https://www.youtube.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://img.youtube.com', 'https://img.youtube.com');

 

# Update Vimeo embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://player.vimeo.com/', 'https://player.vimeo.com/');

 

# Update Flickr embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://farm', 'https://farm');

 

# Update Slideshare embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.slideshare.net', 'https://www.slideshare.net');

 

Enable HTTPS for CSS & JavaScript

Even after the complete transition, it’s possible that your CSS and JavaScript will still appear under the HTTP URL path. To fix this, go to .htaccess and add the following rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{SERVER_PORT} !^443$
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 
After you incorporate all the aforementioned changes, your WordPress site will be completely migrated from HTTP to HTTPS.
 

Important Resources

  • Enable an SSL certificate in WordPress Multisite Network
  • Importance of SSL Certificate for website security
  • Difference between Comodo Positive SSL vs. Let's Encrypt SSL
  • Understanding Comodo Root Signing Certificate and Comodo Intermediate Certificate