How to Migrate Your WordPress Site to HTTPS

There are numerous tutorials out there showing you how to migrate, but I’ve made this as it’s become a lot easier.

Install SSL Certificate

There are many alternatives here. This will depend entirely on your hosting setup.

I use Media Temple VPS for all my sites, running on Plesk 12.5.  Up until recently I had to pay USD75 per year for EACH certificate I used. Even then the installation process was a bit messy.

Now you can use a free Let’s Encrypt certificate which is awesome! Just follow the instructions here. It was all done in about a minute with zero problems.

Once installed you should be able to type https://yoursite.com into your browser and see it render.

WordPress Changes

1. Change the URL in settings

Change the site URL from http to https.

2. Fix up bad image links

By default all your images will be going to http. This will cause Mixed Content errors in your browser (just check the developer tools console to see them).

This is easily fixed by doing a search and replace. Install the Search and Replace plugin.

I make extensive use of the wp-migrate-db-pro plugin which has a search and replace feature. Select all tables, and set find to your http URL. Replace with your https URL.

3. Fix Theme Files

Check anything in your theme files (calls to JavaScript, or hardcoded image links) and make sure they are all changed from http:// to https://.

You can also use the protocol relative URL (//url.goes.here.com). This is the url without the http bit. The browser will load whatever the current protocol is.

Upload your theme changes and refresh any caches.

NOTE: A common Mixed Content warning will happen if you are using Google Fonts. Make sure you change your font call to use a protocol relative URL.
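
An added example (not from the original post): a small Python scanner that flags subresources still loaded over http://, which are the references that produce Mixed Content errors. The sample markup is constructed, and the tag list goes beyond the scripts, images and font stylesheets named above.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch a subresource.
# "active" content (scripts, stylesheets, frames) is blocked on an HTTPS page;
# "passive" content (images, media) usually only raises a console warning.
LOADERS = {
    ("script", "src"): "active", ("link", "href"): "active",
    ("iframe", "src"): "active", ("img", "src"): "passive",
    ("video", "src"): "passive", ("audio", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        # <link rel="canonical"> and similar do not load anything; only
        # stylesheet links are treated as subresources here.
        if tag == "link" and "stylesheet" not in (attr_map.get("rel") or "").lower():
            return
        for name, value in attrs:
            severity = LOADERS.get((tag, name))
            # https:// and protocol-relative (//host/path) URLs are fine.
            if severity and value and value.strip().lower().startswith("http://"):
                self.findings.append((self.getpos()[0], severity, tag, value))

def find_mixed_content(html):
    """Return (line, severity, tag, url) for each http:// subresource."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of theme output, not taken from a real site.
SAMPLE = """<html><head>
<link rel="canonical" href="http://yoursite.com/post/">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato">
<script src="http://yoursite.com/wp-content/themes/mytheme/app.js"></script>
</head><body>
<a href="http://example.org/">outbound link</a>
<img src="http://yoursite.com/wp-content/uploads/logo.png">
<img src="https://yoursite.com/wp-content/uploads/ok.png">
</body></html>"""

if __name__ == "__main__":
    for line, severity, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {severity} mixed content in <{tag}>: {url}")
```

Ordinary `<a href>` links and the canonical link are ignored because the browser does not fetch them while rendering the page.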

4. Set up a 301 redirect in your .htaccess

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 

Appeasing Google

If you use Google Search Console:

Google treats the move as a site URL change. See this. Basically you need to add your new https site to the search console. Confusingly you must NOT use the change of address tool.

Google Analytics

You will need to change your default URL to https. Click Admin, then Property Settings for your site.

Then click under Default URL:

How long it will take Google to begin crawling and reindexing the new site is anyone’s guess. Eventually you should see the old http URLs drop out of Google and the new ones start to appear.

Extra Stuff

  • Keep an eye on your browser console for any Mixed Content errors or warnings.
  • If possible get any inbound links to your site changed to use the new protocol.
  • Now move your site to HTTP/2 (that’s a bit trickier).

In the testing that I’ve done, HTTPS is slower than regular HTTP. To get back up to speed you will ultimately want to move to HTTP/2.

Disqus comments? You will have to follow this article to migrate all your URLs.

Use a CDN? This caused me some hiccups. The CDN will need to be serving HTTPS, and will need its own certificate. I use Amazon Cloudfront and had some ongoing problems with the CDN returning 301s for some assets.

Turns out there are some extra settings in the CDN I needed to set to force it to only request https from the origin (i.e. my site).

In case you’re wondering, I went to Distribution -> Origins -> Edit and changed the Origin Protocol Policy to Match Viewer. It had been set at http, so each time it went to renew one of the assets (image or JS) it would go back to my site, which would then serve a redirect, which would then be cached by the CDN. Tricky.

Site Search? I use Swiftype to drive my site search. Much to my horror I discovered my search results page was stuck in an endless redirect loop. In Swiftype my search page was still listed as http, which would then cause Apache to redirect to https, then Swiftype would redirect back to http… etc etc.

Problems With Plesk and Google

I got an email from Google saying “Self signed SSL/TLS certificate for <my domain name>”. After lots of investigation, it seems that Google tests the SSL using a bot that doesn’t support SNI. SNI allows a server on a single IP to serve multiple different certificates for different domains.

Really old browsers (like IE7 running on Windows XP) do not support SNI, and therefore get the Plesk default cert instead of the Let’s Encrypt one.

For some reason the Google Search Console has a problem with this. The only way around it would be to have multiple IPs? One IP per each domain on the VPS? This is not something I’m about to do. So be it. Let’s hope Google doesn’t apply some kind of ranking mischief.

Hi, I'm James, and for the last decade I've made a living by making my own blogs and websites.
Updated: March 9, 2017