How to Migrate Your WordPress Website from HTTP to HTTPS

3 votes, average: 3.67 out of 53 votes, average: 3.67 out of 53 votes, average: 3.67 out of 53 votes, average: 3.67 out of 53 votes, average: 3.67 out of 5 (3 votes, average: 3.67 out of 5, rated)
Loading...

If you’re a WordPress website owner, you might have recently heard a lot about the need to migrate your WordPress website from HTTP to HTTPS. While most people know that they’re supposed to do this, few people actually understand what HTTPS really is or why it’s important. And even fewer people understand how to go about making the shift from WordPress HTTP to HTTPS.

Importance of HTTPS in WordPress

WordPress HTTPS

HTTPS means that your communication with the website is secured against eavesdroppers.

HTTPS stands for Hyper Text Transfer Protocol Secure. It’s the same as HTTP, but with the added ‘Secure’ at the end. And that makes all the difference.

When you visit a website with the standard HTTP, your communication with the site is un-encrypted. That’s alright if you’re simply reading public information on the website. However, if you intend to provide some information — payment details, billing information, login info, contact details, etc — the data you transmit can be easily compromised because it’s sent in plaintext.

Google is Pushing All Websites to HTTPS

In recent years, due to the increase in cyber attacks, Google has pushed its HTTPS Everywhere campaign in order to incentivize website owners to migrate from HTTP to HTTPS in WordPress (and across other platforms). As such, if you don’t have an HTTPS website, Google will flash a “not Secure” warning on the header next to your URL, dissuading viewers from taking action.

In this article, we’ll show you how to keep your website secure and Google-friendly by migrating WordPress from HTTP to HTTPS.

wordpress http to https

Checklist to Migrate WordPress HTTP to HTTPS

Before you start the process of migrating WordPress from HTTP to HTTPS, you need to have the following details sorted:

  • Buy an SSL Certificate: You need an SSL certificate that digitally binds a cryptographic key to your website, enabling secure connections from the web server to a browser. You should select a 2048-bit key certificate or higher. Some of the popular vendors for SSL certificates are Comodo, RapidSSL, DigiCert, and others.
  • Generate CSR and Private Key: You’ll need to generate a certificate signing request (CSR) and key before you can generate your SSL certificate. Most web hosting platforms (like cPanel) provide a simple interface for you to complete this. You’ll need to upload your CSR with your provider to generate your SSL certificate.
  • Install the SSL: Provide your web host with your certificate and private key to finalize installation of SSL into your WordPress. Once done, make sure everything is alright by running an SSL Server Test.

The Process to Migrate a Website from HTTP to HTTPS in WordPress

Now that your hosting account is SSL-enabled, you can start the process to migrate WordPress itself from HTTP to HTTPS in WordPress.

Update WordPress Settings

You need to inform WordPress that you’ll be using HTTPS from now on. To do so, log into wp-admin and go to Settings > General Settings. In the WordPress Address (URL) and Site Address (URL), enter the HTTPS URLs for your website, like this:

WordPress Site Address

Redirect all HTTP requests to HTTPS

Now that you’ve made that update, your website is (at least somewhat) functional with both the unsecured HTTP and the secured HTTPS version. You need to make your website and all associated files accessible exclusively via HTTPS. As such, you need to ensure that whenever someone enters the HTTP URL, they are automatically redirected to the new HTTPS URL. As such, all your HTTP links will continue working, but visitors will still only have access to its HTTPS counterpart.

To achieve this, go to .htaccess and add the following rules:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

Tweak your SSL Settings

If you need, you can modify your SSL settings to your liking. One recommended change is enabling an HTTP Strict Transport Security (HSTS) which protects your website from protocol downgrade attacks and cookie hijacking.

To achieve this, go to .htaccess and add the following rules:

# Enable HSTS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

 

Fix Mixed Content Warning

You receive a mixed content warning like this if the HTML of your site still contains images and media files with an HTTP URL:

Mixed Content Warning HTTPS Example

You need to ensure you’re not getting any mixed content warnings if you want that Green Secured Lock Icon.

To achieve this, go to your PhpMyAdmin (or the database tool offered by your hosting provider) and run commands to automatically update http urls to https:

# Update self-hosted embeds (images, iframes, scripts, etc.)
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.yoursite.com', 'https://www.yoursite.com');

 

# Update internal pingbacks
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://yoursite.com', 'https://yoursite.com');
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://www.yoursite.com', 'https://www.yoursite.com');

 

# Update YouTube embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.youtube.com', 'https://www.youtube.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://img.youtube.com', 'https://img.youtube.com');

 

# Update Vimeo embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://player.vimeo.com/', 'https://player.vimeo.com/');

 

# Update Flickr embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://farm', 'https://farm');

 

# Update Slideshare embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.slideshare.net', 'https://www.slideshare.net');

If you have other external embeds that are HTTP, you’ll need to find and update them also.

Enable HTTPS for CSS & JavaScript

Even after the complete transition, it’s possible that your CSS and JavaScript will still appear under the HTTP URL path. To fix this, go to .htaccess and add the following rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteCond %{SERVER_PORT} !^443$
   RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
   RewriteBase /
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /index.php [L]
</IfModule>
# END WordPress

After you incorporate all the aforementioned changes, your WordPress site will be completely migrated from HTTP to HTTPS.

Important Resources

Difference between Comodo Positive SSL vs. Let's Encrypt SSL
Understanding Comodo Root Signing Certificate and Comodo Intermediate Certificate