7 Steps to Move Your WordPress Site to HTTPS

Alright, now we are getting to the meat and potatoes of this article: how to move your site from HTTP to HTTPS. We will take this step by step to make sure you can follow along without a problem. After all – we care about your site’s security as well!

1. Back Up Your Website

Whenever making major changes to your site, you should always back it up first. That way, in case something goes wrong (not that we are expecting it) you can go back to the working version.

As this case is no different, backing up your website is your first task. Even better – if you have the possibility, run through the process below on a test server first, not only your live site.

2. Implement Your SSL Certificate

The first thing we will do is get ourselves an SSL certificate. How easy or complicated this process is, depends largely on your host.

For example, while researching this guide, I found out that my current host does not support Let’s Encrypt and doesn’t plan on doing so. Needless to say, I am in the process of switching. Hopefully, yours is a bit more forward thinking, such as the companies on this list.

The optimal scenario is that your host offers an option to move your site to HTTPS right in the management dashboard. For example, to switch your site to Let’s Encrypt in cPanel, you can follow these instructions. Find the same steps for Plesk here.

If you get your SSL certificate from a different source, follow the instructions of your hosting provider to implement the switch (that’s also the reason why turning to them in the first place is not a bad idea).

Once that is done, you need to start making the necessary changes to your WordPress website. This is what we will talk about next. If you feel that the below is too technical, you can also give the plugin Really Simple SSL a try. It takes care of most of the heavy lifting described next.

3. Add HTTPS to the WordPress Admin Area

The first place where you will get to enjoy the new safe connection is the WordPress dashboard. By securing the back end first, you make sure that whenever a user logs in, their information is exchanged securely.

To do so, open wp-config.php in your WordPress root folder and add the following line somewhere before where it says That’s all, stop editing!.

define('FORCE_SSL_ADMIN', true);

Once you have updated the file, it’s time to test if it works. For that, try to access your login page with HTTPS in the URL, for example via https://yoursite.com/wp-admin. If everything worked correctly, you should have a secure connection now. Then continue.

4. Update the Site Address

After moving the WordPress backend over to HTTPS, it’s time to do the same for the remainder of your site. You can do that by updating your site address under Settings > General.

 

move your website to https change WordPress settings

Add https:// to the beginning of both the WordPress address and site address. Then update your settings by saving. Be aware that you might need to log in again afterward.

5. Change Links in Your Content and Templates

Now it’s time to update any links in your content and database that include the old HTTP protocol. A plugin like Velvet Blues or the Search and Replace script can help with that. However, be careful! If handled incorrectly, they can also screw up your site. Good thing you made that backup earlier, right?

If you have links to external resources and assets in your theme templates and function files with absolute HTTP links, it’s important to correct these, too. Things to consider:

  • Images, videos, audio hosted on your site
  • Web fonts
  • iframes
  • JavaScript and CSS files or assets referenced within those files
  • Internal links

If possible, change your links to // instead of https://. They will then create relative links themselves!

6. Implement 301 Redirects in .htaccess

The next step in moving your site to HTTPS is setting up a redirect that sends visitors automatically over to the secure version. For that, we will use .htaccess. This is the name of an important system file on your server (usually in the WordPress root directory).

It usually contains settings for using pretty permalinks, so your installation probably already has one. To find it, make sure to allow your FTP client to show hidden files because .htaccess is invisible by default. If you don’t have one, just create a plain text file, rename it to .htaccess and upload it to the WordPress root directory.

After that, add the following lines to it:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

That’s it. From now on, visitors (including Google bots) should automatically land on the HTTPS version of your WordPress site. Make sure no page is available in both versions. This can lead to problems with duplicate content. Not good for SEO.

7. Test and Go Live

Ok, now that we are done with the main steps, it’s time to test if everything works correctly. For that, head on over to SSL Test. Insert your domain name and click Submit. This will give you an overall score of how well you implemented SSL on your site and details to find out potential issues in order to fix them.

Source: https://websitesetup.org/http-to-https-wordpress/