How to Properly Move WordPress from HTTP to HTTPS (Beginner’s Guide)

Have you ever seen that scary “Not Secure” warning in your browser and worried what it means for your website? It’s a common concern, and the technical terms like SSL and HTTPS can make finding a solution feel overwhelming.

We’ve guided thousands of users through this exact process, and the good news is that securing your site is easier than you think. It’s a simple change that builds visitor trust and even gives you a small boost in search rankings.

In this guide, we’ll walk you through moving your WordPress site from HTTP to HTTPS, step by step. We’ll explain everything in plain English, so you can get that secure padlock icon next to your domain name.

Moving WordPress from HTTP to HTTPS / SSL

Quick Summary: How to Move WordPress to HTTPS in 4 Steps

  1. Get an SSL certificate.
  2. Install and activate an SSL plugin like Really Simple SSL.
  3. Update your site settings to use HTTPS.
  4. Set up redirects and fix any mixed content errors.

What Is HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) is HTTP sent over an encrypted connection between a user’s browser and your website’s server. This encryption makes it much more difficult for hackers to intercept the data being transferred.

To create this secure connection, you need an SSL (Secure Sockets Layer) certificate. While “SSL” is the common term people use, the modern, more secure technology sites use today is called TLS (Transport Layer Security).

Each website receives a unique SSL certificate for identification. If a server tries to use HTTPS without a valid certificate or if the certificate doesn’t match, most modern browsers will alert users and advise them not to proceed.

Your connection is not private error in Google Chrome

Why Do You Need HTTPS and SSL?

Back in 2018, Google announced an initiative to boost web security by urging site owners to switch from HTTP to HTTPS. To support this move, their Chrome browser started marking all websites without an SSL certificate as “Not Secure.”

Chrome Warns Users When the Connection Is Insecure

This “Not Secure” warning is especially prominent when someone tries to enter information, like filling out a contact form. Seeing this warning can leave a negative impression and damage trust in your business.

This is why all websites need to transition to HTTPS and install SSL. Here are the main benefits:

  • Improved Security: It encrypts data exchanged between your visitors and your server, protecting sensitive information like login credentials and personal details.
  • Better SEO Rankings: Google gives a slight ranking advantage to secure HTTPS websites.
  • Builds User Trust: The secure padlock icon in the browser’s address bar instantly signals to visitors that your site is authentic and safe, which can improve conversion rates.
  • Required for Online Payments: If you want to accept online payments on your eCommerce site, then SSL is required by payment providers like Stripe, PayPal Pro, and Authorize.net.

We ensure all our own sites use SSL, including WPBeginner and our partner companies.

Requirements for Using HTTPS/SSL on a WordPress Site

The requirements for using SSL in WordPress are not very high. All you need is an SSL certificate, and you might already have one for free.

The best WordPress hosting companies are offering free SSL certificates for all their users:

For more details, see our guide on how to get a free SSL certificate for your WordPress website.

If your hosting company does not offer a free SSL certificate, you’ll need to purchase one.

We recommend Namecheap because it offers the best SSL deal for regular and wildcard SSL certificates.

Once you have purchased an SSL certificate, you’ll need to ask your hosting provider to install it for you.

Setting Up WordPress to Use SSL and HTTPS

After your host enables an SSL certificate for your domain name, you will need to set up WordPress to use the SSL and HTTPS protocols on your website.

We will show you two methods for doing that, and you can choose the one that best suits your needs.

Method 1: Set Up SSL/HTTPS in WordPress Using a Plugin

This method is easier and is recommended for beginners.

First, you need to install and activate the Really Simple SSL plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Security page. The plugin will automatically detect your SSL certificate and show you the ‘Activate SSL’ option.

Activate SSL

Once activated, the plugin will take care of everything, including the mixed content errors.

Here’s what the plugin does behind the scenes:

  • Checks for a valid SSL certificate
  • Sets WordPress to use https in all URLs
  • Sets up redirects from HTTP to HTTPS
  • Looks for URLs in your content that are still loading from insecure HTTP sources and attempts to fix them.

Note: The plugin attempts to fix mixed content errors by using an output buffering technique. This can have a negative performance impact because it replaces content on the site as the page is loaded. This impact is only seen on the first page load, and it should be minimal if you are using a caching plugin.

While the plugin says you can keep SSL and safely deactivate the plugin, it’s not 100% true. You will have to leave the plugin active at all times because deactivating the plugin will bring back mixed content errors. See our Really Simple SSL review for more details.

Method 2: Set Up SSL/HTTPS in WordPress Manually

This method requires you to troubleshoot issues manually and edit WordPress files. However, it is a permanent, performance-optimized solution, and it’s the method we’re using on WPBeginner.

If you find this method difficult, you should hire a WordPress developer or use the first method instead.

As part of this method, you may need to edit theme and code files. If you haven’t done this before, see our guide on copying and pasting code snippets in WordPress.

First, you should visit the Settings » General page. From here, update the WordPress Address and Site URL fields by replacing http with https.

WordPress site URL settings

Then, click the ‘Save Changes’ button to store the new settings.

Once the settings are saved, WordPress will log you out, and you will be asked to re-login.

Next, set up WordPress redirects from HTTP to HTTPS by adding the following code to the .htaccess file. This code is for Apache servers:

# Send every request that arrives over plain HTTP to the same URL on HTTPS
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

If you’re on an NGINX server, then you’ll add the following code to redirect from HTTP to HTTPS in the configuration file:

# Port 80 only answers with a permanent redirect to the HTTPS site
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

Don’t forget to replace example.com with your domain name.

By following these steps, you will avoid the WordPress HTTPS not working error because WordPress will now load the entire website using HTTPS.

To force SSL and HTTPS on the WordPress admin area or login pages, you need to configure SSL in the wp-config.php file.

Add the following code above the “That’s all, stop editing!” line in the wp-config.php file:

define('FORCE_SSL_ADMIN', true);

This constant acts as a fail-safe. It ensures your WordPress login page and dashboard are always encrypted, adding an extra layer of security for the site administrator. It also works on WordPress multisite networks.

Once this is done, the website is fully set up to use SSL / HTTPS, but you might still encounter mixed content errors.

Fixing Mixed Content Errors

Mixed content errors are caused when some content (like images, scripts, or stylesheets) is still loading over the insecure HTTP protocol instead of HTTPS.

Think of it like having a secure, armored front door (HTTPS) but leaving a window unlocked (an HTTP resource). That single unlocked window makes the whole house vulnerable.

When this happens, you won’t see a secure padlock icon in your website’s address bar.

Chrome Warns Users When the Connection Is Insecure

You can find out which content is served through an insecure protocol by using your browser’s Inspect tool.

The mixed content error will be displayed as a warning in the console, with details for each item.

Mixed content error

You will notice that most URLs are images, iframes, and image galleries, while some are scripts and stylesheets loaded by WordPress plugins and themes.
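The same check the browser console performs can be run over a saved copy of a page. The script below is an added example, not code from this article or from any plugin: it lists the subresources an HTTPS page would still fetch over HTTP and ignores ordinary links, which are not mixed content. The names `scan` and `MixedContentScanner` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content (scripts, frames, stylesheets) can change the whole page and
# is blocked by browsers when mixed; "passive" content is images and media.
FETCHED = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("embed", "src"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    """Collects (line, kind, tag, url) for subresources loaded over http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value or "" for name, value in attrs}
        candidates = []
        for name, value in attrs.items():
            kind = FETCHED.get((tag, name))
            if kind:
                candidates.append((kind, value))
        # <link> is only a subresource fetch here when it loads a stylesheet;
        # rel="canonical" and similar are plain references (simplification).
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower().split():
            candidates.append(("active", attrs.get("href", "")))
        # srcset holds a comma-separated list of "url descriptor" entries.
        if tag in ("img", "source"):
            for entry in attrs.get("srcset", "").split(","):
                parts = entry.split()
                if parts:
                    candidates.append(("passive", parts[0]))
        line = self.getpos()[0]
        for kind, raw in candidates:
            # Resolve relative and protocol-relative (//host/path) URLs the way
            # the browser would, against the HTTPS page address.
            absolute = urljoin(self.page_url, raw.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((line, kind, tag, absolute))


def scan(html, page_url):
    """Return the mixed-content findings for one HTML document."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, as it might look right after switching to HTTPS.
SAMPLE_HTML = """\
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://example.com/wp-includes/js/old.js"></script>
</head><body>
<a href="http://example.com/about/">About</a>
<img src="/wp-content/uploads/logo.png">
<img src="http://example.com/wp-content/uploads/photo.jpg" srcset="http://example.com/wp-content/uploads/photo-2x.jpg 2x">
<iframe src="https://video.example.org/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE_HTML, "https://example.com/"):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Findings marked active come from theme or plugin files more often than from the database, so they point to the theme and plugin sections below.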

Fixing Mixed Content in WordPress Database

Most of the incorrect URLs will be for images, files, embeds, and other data stored in the WordPress database. Let’s fix them first.

You need to find all mentions of your old website URL in the database that start with HTTP and replace them with your new website URL that starts with HTTPS.

You can easily do this by installing and activating the Search & Replace Everything plugin.

Upon activation, visit the Tools » WP Search & Replace page. You need to add your website URL with http in the ‘Search’ field and your URL with https in the ‘Replace’ field.

Search and replace http URLs in WordPress

Then, select all database tables to run a thorough check and click the ‘Replace All’ button. The plugin will now update all old URLs in the database.
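WordPress stores many settings as PHP-serialized arrays in which every string carries its byte length, so a plain text replace of http with https (for example with SQL `REPLACE()`) leaves each stored length one byte short and PHP can no longer read the value. The sketch below is an added example, not code from this article or from the plugin: it shows the failure on a constructed option value and a length-aware rewrite. It handles only strings, integers, booleans, doubles, null and arrays, and all function names are hypothetical.

```python
OLD = b"http://example.com"
NEW = b"https://example.com"


def php_string(value: bytes) -> bytes:
    """Encode bytes as a PHP serialized string: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(value), value)


def _expect(data, pos, token):
    if data[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))


def _rewrite(data, pos, old, new):
    """Rewrite one serialized value starting at pos; return (bytes, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # null: N;
        _expect(data, pos, b"N;")
        return b"N;", pos + 2
    if tag in (b"i", b"b", b"d"):                    # scalars: copied unchanged
        end = data.index(b";", pos)
        return data[pos:end + 1], end + 1
    if tag == b"s":                                  # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        _expect(data, colon + 1, b'"')
        _expect(data, start + length, b'";')         # fails if the length is stale
        value = data[start:start + length].replace(old, new)
        return php_string(value), start + length + 2
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, b"{")
        pos = colon + 2
        parts = []
        for _ in range(2 * count):                   # each entry is key + value
            part, pos = _rewrite(data, pos, old, new)
            parts.append(part)
        _expect(data, pos, b"}")
        return b"a:%d:{%s}" % (count, b"".join(parts)), pos + 1
    raise ValueError("unsupported type %r at offset %d" % (tag, pos))


def rewrite_serialized(data, old, new):
    """Replace old with new inside every string and recompute its length."""
    out, end = _rewrite(data, 0, old, new)
    if end != len(data):
        raise ValueError("trailing bytes after offset %d" % end)
    return out


def parses_cleanly(data):
    """True when every declared string length matches the stored bytes."""
    try:
        rewrite_serialized(data, OLD, OLD)           # identity rewrite = parse only
        return True
    except ValueError:
        return False


# Constructed sample of a serialized option value (not taken from a real site).
SAMPLE_OPTION = (
    b"a:2:{"
    + php_string(b"logo")
    + php_string(b"http://example.com/wp-content/uploads/logo.png")
    + php_string(b"width")
    + b"i:120;}"
)

if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(OLD, NEW)
    fixed = rewrite_serialized(SAMPLE_OPTION, OLD, NEW)
    print("naive replace still readable:", parses_cleanly(naive))
    print("length-aware replace readable:", parses_cleanly(fixed))
    print(fixed.decode())
```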

Fixing Mixed Content Errors Caused by WordPress Theme

Any decent WordPress theme following WordPress coding standards will not cause this issue. However, some may still hard-code insecure URLs.

First, you will need to use the browser’s Inspect tool to find the resources and where they are loading from. After that, you will need to find them in your WordPress theme and replace http with https.

This will be a little difficult for most beginners, as you may not be able to see which theme files contain these URLs.

Fixing Mixed Content Errors Caused by Plugins

Some mixed content resources will be loaded by WordPress plugins. Any WordPress plugin following WordPress coding standards will not cause mixed content errors.

We don’t recommend editing WordPress plugin files. Instead, contact the plugin author and let them know. If they do not respond or are unable to fix it, then find a suitable alternative.

Note: If, for some reason, you’re still encountering a mixed content error, we recommend temporarily using the Really Simple SSL plugin so your users are not impacted while you fix the issue on a staging website or hire a developer.

Submit Your HTTPS Site to Google Search Console

Search engines like Google treat https and http as two different websites. To avoid any SEO issues, you will need to let Google know that your website has moved.

To do that, you just need to go to your Google Search Console account and click on the ‘Add property’ button.

Google Search Console - Add property

This will bring up a popup where you need to add your website’s new HTTPS address.

Google offers several ways to verify your site, but we recommend the URL prefix method because it is more flexible.

Select property type option in Google Search Console

After that, Google will ask you to verify ownership of your website.

There are several ways to do this, but we recommend using the HTML tag method. You will get an HTML code snippet to add to your WordPress site.

Google Search Console verify ownership
Add Search Console Verification Code using All in One SEO

First, install and activate the All in One SEO for WordPress plugin. For more details, see our tutorial on how to install a WordPress plugin.

Expert Tip: At WPBeginner, we use All in One SEO on all our websites. The Webmaster Tools verification feature saves us a lot of time, as we can just paste the code and AIOSEO automatically adds it to the correct place in our site’s header.

Upon activation, go to the All in One SEO » General Settings page and click on the Webmaster Tools tab. From there, click on Google Search Console.

AIOSEO's Webmaster Tools settings

Here, you need to add the verification code you copied earlier from the Google Search Console website. Don’t forget to click on the ‘Save Changes’ button to store your settings.

Next, switch back to the Google Search Console tab and click the ‘Verify’ button. Once your site is verified, Google will start showing your Search Console reports.

You also need to ensure that both the https and http versions are added to your Search Console.

This tells Google that you want the https version of your website to be treated as the primary version. Combined with the 301 redirects you set up earlier, Google will transfer your search rankings to the https version of your website.

Frequently Asked Questions About Moving to HTTPS

How much does an SSL certificate cost?

An SSL certificate can be free. Most top WordPress hosting companies offer free SSL certificates to all their customers through Let’s Encrypt. If your host does not offer a free one, you can buy one from a provider like Namecheap for a low annual fee.

What is the difference between SSL and HTTPS?

SSL (Secure Sockets Layer) is the technology that encrypts the data. HTTPS (Hypertext Transfer Protocol Secure) is the result of using that SSL technology. When a website has a valid SSL certificate, its URL begins with https://, and a padlock icon appears in the browser, showing the connection is secure.

What happens if I don’t use HTTPS?

If you don’t use HTTPS, modern browsers like Google Chrome will display a “Not Secure” warning to your visitors. This can erode trust, hurt your brand reputation, and cause you to lose potential customers. Additionally, not having HTTPS can negatively impact your search engine rankings.

We hope this article helped you add HTTPS and SSL in WordPress. You may also want to see our ultimate WordPress security guide with step-by-step instructions to keep your WordPress site secure or our guide on how to renew your SSL certificate.


Reader Interactions

407 Comments

  1. The Search and Replace Everything plugin is literally a miracle. I used to fix everything directly in the database, but now I can easily change http to https using this plugin. Previously, I handled mixed content issues with the Really Simple SSL plugin. It was a small plugin, but it has changed significantly and grown a lot (now it’s more of a security plugin than a mixed content solution, I think). Unfortunately, this started to slow down my websites. That’s why I decided to fix everything in the database using Search and Replace, and I’m completely satisfied. The URLs in the database are correctly set to https, and I no longer need any plugin to fix mixed content. It’s truly a must-have plugin because it does exactly what it was designed to do, perfectly. I highly recommend it to anyone facing a similar issue.

  2. This is a great point! An unsecured website, especially an e-commerce site that collects payments, can create a negative experience for visitors. It’s crucial to have an HTTPS website to build trust and ensure security. Many hosting providers, like Bluehost, offer free SSL certificates and even free domain names for the first year. With Bluehost, you don’t even need to install the SSL certificate manually – it’s a breeze! Thanks for sharing this important information. Thanks for sharing this post with us.

  3. This is really fantastic.
    Nothing is as bad as visitors seeing an insecure website, especially an ecommerce site that collects online payments from users; this is definitely a bad experience.

    That’s why it’s always advisable to have an https website. Choosing one of the hostings you have listed, like Bluehost and others, gives free SSL and a free domain for the first year.
    With Bluehost, you don’t need to manually install the SSL certificate on your website.

    Thanks for sharing this.

  4. One of my clients recently purchased shared hosting from GoDaddy and then asked me to make his website.
    I started making one and realised that it doesn’t come with inbuilt one-click SSL installation like that of Hostinger, Bluehost and the other hosting service providers mentioned above.
    The value of having good hosting was evident when I had to go through the painstaking process of getting an SSL certificate installed.
    It is very advisable to choose a good hosting service.

  5. Having https for websites is a must for securing the trust of the visitors on the website.
    Just curious: if we have already enabled SSL for our websites, is it necessary to change everywhere from http to https,
    or will it automatically take one?

    • It would depend on how you enabled SSL and your hosting provider, as some will automatically update your site to https while others won’t. You would want to check your site to see if it was updated, and if not, you would need to manually update the site address.

      Admin

    • It is usually necessary to manually change everything to https or use the Really Simple SSL plugin. If part of the site is http and part is https, it is called mixed content and will end up with errors and problems.

  6. If you are a beginner and do not know much about coding, I recommend you use the first method.
    Editing your WordPress code is very risky, especially for non-coders. After all, the plugin is easier to use and it also has a free version.

  7. Most hosting providers nowadays give a free SSL certificate to your site with a one-click install, as you have mentioned there.
    Having an SSL certificate installed on a website is of the utmost importance, as it gives a sense of security to visitors, and they can be sure that everything they do on a website with an SSL certificate installed is secure.
    Thank you for making a detailed description about http and https.

  8. I followed Method 2. The only thing I modified was using the WordPress redirect method. My web host has a tool that creates a redirect (for Windows Server hosting) which adds redirect rules into the web.config – allowing the redirect to HTTPS to happen at the web server level vs at the WordPress level. Works good and is 1 level of abstraction higher. Thanks!

    • Thanks for sharing, not all hosting providers offer that but glad your host was able to help :)

      Admin

  9. Thank you very much for this excellent tutorial.

    I recently installed an SSL cert and was dreading the change-over with WordPress and Google. Not saying there wasn’t any pain, but your step-by-step instructions helped immensely!

    Really appreciated the .htaccess code too, that’s just perfect. I was worried that Google would index both the insecure http and secure https variants of the old vs new website and give me a ranking penalty, but that trick completely avoids serving up insecure legacy http content — a real plus!

  10. I have a mix of domains (all HTTPS) on my WordPress site. Can this plugin go through my site and set them all to my current domain?

    • You would want to check with your hosting provider as some have tools for what it sounds like you are wanting to do.

      Admin

  11. There are just no ‘Wordpress Address’ and ‘Site Address’ in ‘General Settings’.

    Now I use WordPress multisite; one site is https and another is http. This WordPress installation is new. I have already set https on the previous WordPress installation in my SiteGround.

    • You would need to go to the network admin to change the URLs of your sites on a multisite installation.

      Admin

  12. I am using the first method, so is there any need to make changes in the WordPress and Site Address URL?

    • So long as there are no hiccups with the plugin you shouldn’t need to edit your address and URL as the plugin would handle that for you.

      Admin

  13. I followed the steps in method 2, but once I reached the step “Once the settings are saved, WordPress will log you out, and you will be asked to re-login.” instead of just logging me out, it also now says that “this site is not available” when I try to log in to wp-admin again, making the next steps impossible to do.

    So how can I access the wp-admin site following the url change?

  14. After adding this, the home page is redirecting but posts are not redirecting to https.
    http and https, both are working. Please help.

    • Should you run into that issue, you would want to reach out to your hosting provider to ensure they do not have any redirects set up.

      Admin

  15. Thank you for the SSL upgrade instructions.
    Using Really Simple SSL with my hosting-provided certificate was a very simple upgrade process.

  16. Thanks for your valuable content. Please, I want to ask: if I can use the Really Simple SSL plugin, which is easier, why would I want to do it manually?

    • That would be mainly for personal preference, there shouldn’t be a major difference between using the plugin or manually changing it.

      Admin

  17. Thank you for the guide.

    I am going to install a fresh WordPress on HostGator. Do I need to do anything different for HTTPS, or follow the guide after installation?

  18. Hello, I went into settings and changed http to https and now I am locked out of WordPress completely. Do you have a solution to this, as it is a client’s website and I am concerned I have lost everything completely. Nick

    • You would want to enable an SSL certificate for the site or reach out to your hosting provider to assist you in setting the URLs back to HTTP

      Admin

  19. First, you need to visit Settings » General page. From here you need to update your WordPress and site URL address fields by replacing http with https.

    BUT! After that my page is totally disabled! I can’t backup. I can’t even enter to the admin panel. And I don’t know what’s going on. What should I do? Do you have any idea?

    • It sounds like you may have not enabled an SSL certificate on your site before changing the address. You would want to reach out to your hosting provider to enable an SSL certificate for your site or have them change your URLs back to HTTP

      Admin

  20. Good day, thank you for the guide. I installed a fresh WordPress on a VPS with an IP address. Now, I want to change it to a domain name – Do I need to do anything different for the HTTPS:// ?

    • You would want to check with your hosting provider for how their servers are set up for swapping to the domain.

      Admin

  21. Hi! So it looks like, after following the steps through “Fixing Mixed Content Errors in WordPress Theme,” I see that my images are causing mixed content issues. The error I am getting is, “This content should also be served over HTTPS.” How can I fix this?

  22. Would it be okay if I changed the website address and site address to https but didn’t do the rest of the manual process, then installed the plugin instead?

    • We would recommend if you are planning on using the plugin to start with the plugin method to prevent any hiccups during the process.

      Admin

  23. Hello Sir,

    I have a WordPress site running on WordPress 3.5.1. Can I use the Really Simple SSL plugin for it? The plugin says it needs WordPress 4.6 and higher.

    Please suggest how I can do it.

    Thanks

  24. I am unable to access the admin login URL after updating the site URLs; it keeps redirecting to https but I get a “This site can not be reached error”. I also tried to update the .htaccess file but no luck. The original website is also not getting redirected to https.

    Any ideas what I might be missing here?

    • You would want to first reach out to your hosting provider for them to take a look and ensure your SSL certificate doesn’t have an issue.

      Admin

  25. Inner pages and post pages are still opening with http also, which will impact on search engines. What should I do now ?

    • You would likely need to clear all caching on your site and you may want to check with your hosting provider that the SSL certificate was applied correctly.

      Admin

  26. Why would you add define('FORCE_SSL_ADMIN', true) to the wp-config file if the .htaccess redirect rule already does the job?

    When adding the line to wp-config file I got a syntax error right after and it was not possible to get to the admin area.

    • The FORCE_SSL_ADMIN is for your admin area to ensure it is using HTTPS. You would want to ensure you copied the entire code correctly. If you were missing the ; it would give a syntax error.

      Admin

  27. Hello,

    Thanks for the detailed guide. After switching from HTTP to HTTPS, I added the new property to Google Search Console.

    Do I need to submit the sitemaps again as well on the HTTPS version in GSC?

    Beginner query. :D

  28. Better Search & replace is 1.3.3 and has not been updated for a year and is not tested on the current wordpress version. It is compatible only up to 5.2.6.

    Is it safe to use, or can you recommend an alternative please?

  29. Solution 2 wasn’t working for me; the website would be unavailable.
    After a few attempts, I noticed my hosting provider already provides a force https option. Turn it on, and bingo.

  30. What if my hosting provider doesn’t support a free SSL certificate? Can the plugin also work, or how can I get it for free?

    • If your current host does not offer free SSL then you would want to reach out to them for what options are available.

      Admin

  31. Hi, if I’m using the 1st method, do I need to follow the Submit my HTTPS Site to Google Search Console step also after that?

    TQ

  32. I installed the Really Simple SSL plugin, which states that you should manually replace every http:// in all .css and .js files to //. That doesn’t sound really simple to me. As a beginner I set up a simple website with a couple of pictures. Is it common that http:// statements are in these files?

  33. Hi,
    When adding the code to .htaccess, I get a “too many redirects” error. I tried adding to the existing code above, below, and also erasing the existing code and using only the new. All three options get too many redirects.

    Is there something I should change there? Thanks in advance for your help!

  34. I’ve tried using the plugin but when I do the website becomes not accessible. I’ve tried the manual approach but once I’ve changed the addresses in WP settings the site becomes not accessible again.

    • You would want to reach out to your hosting provider to ensure that your SSL certificate is connected to your domain correctly and they should be able to help :)

      Admin

  35. I am about to make the change to SSL and will be following the guidance in the article, initially using the Really Simple SSL plugin. Before I begin, I have a quick question.

    If I use the Really Simple SSL plugin, which takes care of everything, can I leave the general settings in WordPress for WordPress address and site address as http rather than change to https, as the plugin will be taking care of it?

      • Thanks for confirming. I have one other question.

        Having just activated Let’s Encrypt SSL on SiteGround for a website, I am asked whether I want to switch the following on or leave it off.

        HTTPS Enforce – Forces your site to work entirely over an encrypted HTTPS connection. The redirect is performed on server level and works for any website.

        Do I leave this off, as the Really Simple SSL plugin will take care of this as well?

        • Yes, you can leave that off, you would only want to use that should there be any issues with the plugin or Google finding http links

        • Thanks for your advice. WP Beginner is such an awesome website. Keep up the great work!

  36. I want to thank you a lot. I have been looking for the errors for over 12 hours and got it done with the better replace plugin. Thanks a lot, dear.

  37. Can someone tell me, do I replace the contents of my .htaccess file with the suggested code, or do I place it at the beginning/end of the existing entry?

      • Thanks for the quick reply. So, would that be after the existing and before the # END WordPress, or does it go after the .

        • That should not matter, it may be a good idea to do it after should you need to remove the code in the future :)
