How to Move a WordPress Website from HTTP to HTTPS/SSL


Google announced that it has started using HTTPS as a ranking signal. And that has implications for your site and whether it uses an HTTP or HTTPS protocol.

For now, it’s only a very lightweight signal affecting fewer than 1 percent of global search queries, and carrying less weight than other signals (such as high-quality content) in order to give website owners time to switch to HTTPS.

In this article, we will take a look at the meaning and difference between SSL and HTTPS, how to install and activate an SSL certificate and how to move WordPress from using the insecure HTTP communications protocol to HTTPS.


SSL, Secure Sockets Layer, is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral in order to prevent eavesdropping and tampering.

HTTPS, on the other hand, is a URI scheme which has identical syntax to the standard HTTP scheme, aside from its scheme token. However, HTTPS signals the browser to use an added encryption layer of SSL to protect the traffic.


In a nutshell, SSL is the standard that defines how connections are encrypted via HTTPS.

How SSL Works

Typically an SSL certificate will contain your domain name, company name, address, city, state and country. It will also contain the expiration date of the certificate and details about the certification authority responsible for the issuance of the certificate.

When a browser connects to a secure site it will retrieve the site’s SSL certificate and check that it has not expired, it has been issued by a certification authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end-user letting them know that the site is not secured by SSL.

Difference Between HTTP and HTTPS

There are lots of criteria that differentiate one from the other. In my opinion, the three listed below are the major differences between HTTP and HTTPS.

  1. URL Scheme: HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin with http:// and use port 80 by default.
  2. Security: HTTP is insecure and is subject to eavesdropping attacks, which can let attackers gain access to sensitive information of a website whilst HTTPS is designed to withstand and secure against such attacks.
  3. Network layers: HTTP operates at the highest layer of the TCP/IP model which is the Application layer.
    SSL security protocol operates as a lower sub-layer of the same TCP/IP model but it encrypts an HTTP message prior to transmission and decrypts it upon arrival. Thus, HTTPS is not a separate protocol, but refers to use of ordinary HTTP over an encrypted SSL connection.

Why Use HTTPS?

HTTPS is especially important over unencrypted networks (such as Wi-Fi), as anyone on the same local network can “packet sniff” and discover sensitive information.

How many times have you accessed a site on an open network and got unexpected ads?

When you serve your website content securely via HTTPS, you are guaranteed that nobody will alter it on its way to your users. If you’re serious about doing business online, you need SSL. It’s the best way to protect user data and defend against identity theft.

Many customers will refuse to do business with a website that doesn’t have an SSL certificate. Displaying your SSL Site Seal tells customers they can shop or use a website with confidence, knowing they are protected.

Moving WordPress from http to https

So, after you install WordPress for your blog, you have to set up SSL. To make a website HTTPS, first get an SSL certificate for the domain, install it on the server and change the website permalinks from http to https.

A lot of WordPress sites are on shared-hosting servers with cPanel provided as the control panel, hence shared hosting will be used as the base of this tutorial. If your website is on a dedicated server or VPS, this tutorial is still applicable, but the process of getting it done varies between servers.

To follow along with this tutorial, ensure your shared-hosting has SSL/TLS activated. If absent, contact your host and request it. They might charge to activate it.

To check if it is activated, login to cPanel and you should see an SSL/TLS manager under the Security widget.

Move WordPress from HTTP to HTTPS

Getting an SSL Certificate

There are various kinds of SSL certificates. They are basically categorized into three groups: Domain Validation, Organization Validation and Extended Validation.

  • Domain-level validation is the most basic type of SSL and is generally the least expensive.
    These certificates provide basic encryption, are issued very quickly and involve a simple check to verify domain ownership.
  • Organization-validated SSL certificates include authentication of the business or organization behind the domain. This provides a higher level of security and lets customers know they can trust your server with their personal information.
  • Extended validation is top of the line. With extended validation, the certifying authority conducts a very in-depth examination of your business before issuing the certificate. This type of SSL provides the highest degree of security and user trust.

Here is a guide from Namecheap on what SSL certificate to choose.

There are lots of companies selling SSL certificates online, such as Media Temple, GoDaddy, Comodo and Namecheap.

How to Activate an SSL Certificate

Note: I bought my SSL certificate from Namecheap but the instructions remain valid regardless of the company you bought your SSL from.

The first step in activating an SSL certificate is obtaining a CSR code from your hosting company. To obtain the CSR code from an SSL-activated shared-hosting account, follow the steps below:

1. Login to your cPanel account and navigate to the SSL/TLS Manager.

WordPress SSL

2. Click on the link below Certificate Signing Requests (CSR)

cPanel's CSR code link

3. Fill out the form for the domain that you wish to create the SSL on and click the Generate button.

CSR code form fill-out

4. Your domain Encoded CSR should be generated and shown to you.

Generated encoded CSR code

5. Head over to your SSL provider to get started with SSL activation. Enter the CSR code generated above in the provided CSR text area field, select the web-server your host is running on and click the Next button.

CSR and web-server type form

6. You will be prompted to enter your CSR information and to choose an approval email.

CSR information and approval email

7. Provide your personal contact details. When done, submit the order. An approval email will be sent. Follow the instructions to validate your domain.

Domain validation control

On completion of the validation, your SSL certificate will be issued and sent to your email.

Next, the SSL certificate issued to you needs to be installed on your server. This requires a dedicated IP address assigned to your cPanel account. If you cannot afford one, most cPanel hosts support Server Name Indication (SNI), an extension to the TLS protocol that allows a server to present multiple certificates on the same IP address and port number, and hence allows multiple secure (HTTPS) websites to be served from it.

Since the shared hosting I am using for my WordPress blog supports SNI, I decided to use it instead of buying a dedicated IP.

Note: There are several advantages of using a dedicated IP address over SNI. See this article for more information.

To install the SSL certificate, follow the guide below:

1. At cPanel SSL/TLS Manager, click the link beneath Certificates (CRT)

Install SSL cert cPanel

2. Upload the certificate (with .crt file extension) or paste the certificate in the text area provided.

Installing SSL certificate in a server

3. Activate the SSL for your site. Click on the link under Install and Manage SSL for your site (HTTPS).

Install SSL for your site

4. Select the domain from the drop-down list, click the Autofill by domain and finally click the Install Certificate button.

Install SSL for a domain name

Configuring WordPress for SSL/HTTPS

Links in WordPress (such as image attachments, themes CSS and JavaScript files) are relative to the install URL.

To change WordPress from HTTP to HTTPS, the install URL must be changed from say to

  • Login to your WordPress dashboard and navigate to Settings > General.
  • Ensure that the WordPress Address (URL) and Site Address (URL) are https. If not, add S after http to make https and save it.

WordPress General Settings

To easily enable (and enforce) WordPress administration over SSL, the constant FORCE_SSL_ADMIN should be set to true in your site’s wp-config.php file to force all logins and all admin sessions to happen over SSL.

define('FORCE_SSL_ADMIN', true);


If your WordPress site uses a content delivery network (CDN) to serve its components (images, JavaScript, CSS style sheets), ensure the URLs are all https://, otherwise your website will be deemed insecure by the web browser.
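One way to check a rendered page for the insecure references described above, as an added example that is not part of the original article: it lists every script, stylesheet, frame, image or media URL that still uses http://. The sample HTML and the example.com host names are constructed.

```python
from html.parser import HTMLParser

# Subresource attribute per tag. "active" content (scripts, stylesheets, frames)
# can change the page; "passive" content (images, media) is only displayed.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect subresources that an HTTPS page would request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return  # this example checks stylesheets only, not rel=canonical etc.
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            attr = table.get(tag)
            if attr is None:
                continue
            url = (attrs.get(attr) or "").strip()
            # "//host/path" inherits the page's scheme and relative paths stay
            # on the page's origin, so only an explicit "http://" is reported.
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))


def find_mixed_content(html):
    """Return the list of (kind, tag, url) findings for one HTML document."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a page served over HTTPS whose theme and CDN URLs were
# only partly switched to https://.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="http://cdn.example.com/theme/style.css">
<script src="//cdn.example.com/js/jquery.js"></script>
<script src="http://cdn.example.com/js/app.js"></script>
</head><body>
<a href="http://www.example.com/old-post/">old post</a>
<img src="https://www.example.com/wp-content/uploads/logo.png">
<img src="http://www.example.com/wp-content/uploads/photo.jpg" />
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Plain links (`<a href>`) are not reported because following a link is a navigation, not a subresource load on the current page.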

What’s Next?

Now that we’ve successfully moved WordPress to HTTPS, we still need to do two more things — set up a 301 permanent redirect and inform Google of the URL change.

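To set up a 301 permanent redirect, FTP/SFTP to your server and add the code below at the top of WordPress’ .htaccess file.

RewriteEngine on
# Redirect only requests that did not arrive over HTTPS, so the rule cannot loop
RewriteCond %{HTTPS} !=on
# example.com is a placeholder host name
RewriteCond %{HTTP_HOST} ^example\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301,NC]

Change every instance of example.com to your WordPress URL.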
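A way to verify the redirect after editing .htaccess, as an added example that is not part of the original article: it follows the redirect chain hop by hop and reports a loop, a chain that does not end on HTTPS, or a redirect that is not permanent. The two fake servers and the example.com host are constructed; they model a rule that matches on host name alone and a rule guarded by `%{HTTPS} !=on`.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
PERMANENT = {301, 308}


def http_fetch(url):
    """Real fetcher: send one HEAD request and do not follow redirects."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Follow redirects from url; return (chain, verdict)."""
    chain, seen = [], set()
    while len(chain) < max_hops:
        if url in seen:
            return chain, "loop"
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    else:
        return chain, "too-many-hops"
    if urlsplit(url).scheme != "https":
        return chain, "not-https"
    if any(s in REDIRECTS and s not in PERMANENT for _, s in chain):
        return chain, "temporary-redirect"
    return chain, "ok"


def host_only_rule(url):
    """Constructed server: redirects on host name alone, even when the
    request already arrived over HTTPS."""
    p = urlsplit(url)
    if p.hostname in ("example.com", "www.example.com"):
        return 301, "https://www.example.com" + (p.path or "/")
    return 200, None


def https_check_rule(status):
    """Constructed server: redirects only requests that are not HTTPS.
    status is 301 for R=301, or 302 for a bare R flag (mod_rewrite's default)."""
    def fetch(url):
        p = urlsplit(url)
        if p.scheme != "https":
            return status, "https://" + p.hostname + (p.path or "/")
        return 200, None
    return fetch


if __name__ == "__main__":
    start = "http://example.com/about"
    for name, fetch in (("host only", host_only_rule),
                        ("HTTPS check, R=301", https_check_rule(301)),
                        ("HTTPS check, bare R", https_check_rule(302))):
        chain, verdict = trace_redirects(start, fetch)
        print(f"{name}: {verdict} {chain}")
```

Calling `trace_redirects("http://your-site/")` without a `fetch` argument uses `http_fetch` against the live server.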

To inform Google about the change in URL, re-add your WordPress site to Google Webmaster Tools (but this time with https://) and follow this guide to let Google know about the change of URL.

You can check your SSL website status using Qualys SSL Labs.


By completing this tutorial, you should have a comprehensive knowledge of HTTPS and SSL, the reasons why you should make your site secure and how to set up SSL/HTTPS in WordPress. If you have any questions, suggestions or contributions, I would be happy to answer them in the comments.


  1. Tom Aug 12, 7:12 pm

    For the http to https redirect, Apache suggests this code:

    • Ron Aug 12, 11:23 pm

      Thanks Tom! this works like a charm..

    • Walt Nov 23, 4:29 pm

      I agree. In fact, my site refused to redirect properly until I changed the code in .htaccess to:

      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

  2. Ron Aug 12, 8:45 pm

    I’m at the 301 redirect part, I got an error “This webpage has a redirect loop” can you help me fix this?

    • Agbonghama Collins Aug 13, 9:51 am

      Sorry about that Ron.

      If that didn’t work for you, use the Apache suggested code below.

      RewriteEngine On
      # This will enable the Rewrite capabilities

      RewriteCond %{HTTPS} !=on
      # This checks to make sure the connection is not already HTTPS

      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    • Amit Ramani Aug 15, 5:16 pm

      I have the same issue “redirect loop”. Any ideas?

  3. Cody Aug 14, 10:10 pm

    Hey Guys, not sure if you can help but I am getting duplicate URL’s for each page (i.e. http and https).

    I set up everything correctly as far as I know, I’m showing that the certificate is valid and getting the “Identity Verified” seal. All of my menu links point to https, and you wouldn’t see the http URLs from the front end unless you manually type in an http URL. Which means that search engines will also see duplicate URLs for each page. Any ideas on how to eliminate the duplicates???


    • Agbonghama Collins Aug 15, 9:02 am

      Hi, you shouldn’t worry about the http links if you’ve done a 301 redirect.
      The 301 redirect ensures all http links get redirected to the https equivalent.

      As stated in the article, don’t forget to inform Google of the change in URL to avoid duplicates.

      • Darren Jan 16, 5:39 pm

        All the links need to be changed sitewide otherwise the green padlock is not displayed.

        A mixed content status is what happens when all resources are not served up securely.

  4. Amit Ramani Aug 15, 6:13 pm

    I am receiving “redirect loop” in Chrome after I make these changes. What can be the problem? I have followed the steps including the changes in .htaccess for Apache.

    • Amit Ramani Aug 15, 7:29 pm

      I figured out the issue of “redirect loop” in my case. There were repeated redirects between http:// and https://.
      The reason for this was that even though the .htaccess forced http to https, the WooCommerce “Un-force HTTPS when leaving the checkout” setting was forcing it back to http://

      Once I unchecked the “Un-force HTTPS when leaving the checkout” setting, it all works fine now! Hope this helps someone else.

      • Senguttuvan G Oct 10, 7:55 am

        Indeed, it resolved my problem. I was struggling with it for more than a day, I was pretty sure some plugin is causing the redirect loop, but I couldn’t figure it out. Thank you very much!

  5. Amit Ramani Aug 16, 4:20 pm

    I followed all the directions. The site has been successfully moved to https://.
    When I try to do Change of Address to move the http:// site to the https:// site under GWT, the https:// site does not appear as one of the destination options. Any ideas?
    I have successfully verified the https:// site under GWT.

    • Agbonghama Collins Aug 16, 8:34 pm

      If the https version of the site doesn’t show up in GWT, it means Google has detected that both sites are the same.

      You need not bother because you’ve done a 301 redirect and Google will adhere to the redirect and pass all link juice and pagerank to the https equivalent.

      I hope that answers your question.

      • Amit Ramani Aug 16, 8:37 pm

        Thank You for your response. I presume I should keep both the http:// and https:// accounts under GWT? I am assuming that going forward, no data will be collected for the http:// account and new data will begin showing up for the https:// site?

  6. Agbonghama Collins Aug 16, 9:22 pm

    Yes, you should keep both accounts.

    Over time, you will start seeing your site analytics data on the https account.

    You shouldn’t be surprised when you see the same data in the http version.
    The reason is that Google sees both the http and the https version as one.

  7. Jacob Aug 20, 12:48 am

    Any assistance on the side of adjusting a Multisite Network on WordPress from HTTP to HTTPS would be great as well.

  8. syntocode Aug 20, 2:41 pm

    Thanks for a Well written and informative post..

    Shedding more light on how to achieve this on a multisite installation will be much appreciated

    BTW, how soon do you think google will enforce this new policy?

    Regards :)

  9. Michael Aug 22, 7:24 am

    Is there a SQL command that can delete all “http:” from all blog posts?

    so all links will be //

    btw thanks a lot for this guide, I successfully moved my wordpress site to https!

    • Agbonghama Collins Aug 22, 11:26 am

      This should be of help:

      UPDATE wp_posts SET post_content = REPLACE (

      Change to your website URL.

      Let me know if it works or not.

  10. Daniel Aug 23, 3:11 pm

    Really nice post.

    I got a problem though, after installing the SSL crt and setting the URL to https, there is always a 403 error on the https sites. Any idea where the error could come from?

    • Agbonghama Collins Aug 23, 7:17 pm

      You might want to contact your host for possible cause and solution.

      I have no idea on resolving your problem.

  11. Federico Vezzoli Aug 29, 6:05 pm

    Nice tutorial, I just want to point out that in Google Webmaster Tools it seems impossible to tell the protocol change. If I add my site with https and then I try the migration procedure the secure site isn’t listed, maybe because it’s the same domain.

    any hint?

  12. Chris Sep 7, 7:15 pm

    Thanks for the great guide!

    I am currently gearing myself up to make the move to https and want to do it correctly to not lose any organic traffic.

    I contacted my hosting company regarding the 301 redirect rules and they recommended using the “WordPress HTTPS (SSL)” plugin instead.

    They said it could create redirect loops within WordPress using these 301’s…

    Any suggestions welcome!


  13. Fahad Rafiq Sep 25, 1:59 pm

    After Google announced that SSL is now a ranking factor, everyone is rushing towards moving their website to HTTPS.
    But most people do not realize there are many things people forget to do, like for example blocking HTTP pages from indexing and submitting HTTPS website to Google Webmaster tools again.
    Read this tutorial on how to setup SSL on WordPress websites:

  14. Ben Sep 30, 3:46 pm

    Just wanted to thank Agbonghama for the article and Tom for the “loop” fix. Very appreciated

  15. pankaj Oct 10, 10:28 am

    I just followed the steps and am getting a redirect loop error when I am trying to open

    please help me out asap!!

    • Agbonghama Collins Oct 10, 11:00 am

      Ensure you use the .htaccess code below and not the one in the article.

      RewriteEngine On
      # This will enable the Rewrite capabilities

      RewriteCond %{HTTPS} !=on
      # This checks to make sure the connection is not already HTTPS

      RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

      If the problem persists, maybe a plugin is responsible. Deactivate all plugins and activate them one at a time in order to detect the rogue plugin.

      Also, see previous comments for tips.

  16. Peter Oct 15, 6:32 pm

    Hi Agbonghama,

    Thanks a lot for the tutorial!

    My htaccess file is as below in the bottom. Where exactly should I add this code:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    My htaccess file:
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    Many thanks for your help,

  17. Agbonghama Collins Oct 15, 6:43 pm

    Add it at the very top of the file before your existing rewrite rule i.e before

    # BEGIN WordPress

  18. Elisabeth Nov 20, 5:27 pm

    WordPress checks the value of FORCE_SSL_ADMIN and calls the function is-ssl in wp-includes/functions.php in order to redirect to https or not.

    This function returns 1 if $_SERVER[‘SERVER_PORT’] = TRUE or
    $_SERVER[‘HTTPS’] = ‘1’ or ‘on’

    This doesn’t work behind a reverse proxy if the proxy is in https and not the virtual host…

  19. Kelly Feb 10, 4:10 am

    I keep ending up with an F (0 for key exchange)???

    And also “This server supports anonymous (insecure) suites” so I am capped at a B anyway.

    I asked the hosting company tech people and they keep saying:

    “Also you should start it (images, content, etc.) with /path/to/image not https://path/to/image”

    I don’t want to press for a clearer understanding or else they will just ignore my emails!

    I don’t know how to load content on my wordpress site any other way… it all ends up with a directory of https://…………………

  20. Robert Zinn Feb 24, 1:21 am

    As requested by another user, does anyone know the steps to enable HTTPS on a Multisite Network instance of WordPress?

  21. Rumah Ayu Mar 7, 1:06 pm

    1) Thanks to TLS-SNI HTTPS servers don’t need dedicated IP addresses anymore.

    2) That increase is negligible, due to hardware implementations of crypto algorithms in modern CPUs.

    3) Valid point, although it’s not a new problem. If you forget to regularly patch your servers, a hacker will take down your site too. Also, a major benefit of using encryption everywhere is that it increases “background noise”, making encrypted transmissions less suspicious.

  22. Richard Lloyd Jun 23, 2:42 pm

    Unfortunately, the original article fails to mention some pitfalls…

    WordPress ludicrously stores a lot of its URL references in the DB with absolute URLs (this is horribly, horribly painful and hits you even moving the site from dev to UAT to live), so your DB will still be full of http:// references even with the Apache rewrite rules that are suggested. If you “View Source” on your pages, you really should have *nothing* that is sourcing http:// URLs – this includes both internal ones for images/CSS/JS and external ones (e.g. Google Web fonts, JQuery and other such external services).

    To fix the internal http:// URL references, you really need to search and replace them all in the DB. I use this script for this:

    Make sure you set your max_execution_time high (e.g. 600 seconds) in php.ini if you have a large DB.

    To fix external http:// URL references, change their URL start from http:// to just // (two slashes mean “load in the same protocol that the page was loaded in”).

    BTW, if you use load balancing (e.g. pound or mod_proxy_balancer) which decrypts SSL at the front-end and passes it unencrypted to the back-end, don’t forget to add this to the back-end’s VirtualHost config:

    SetEnv HTTPS on

    This “fools” WordPress’ is_ssl() core function that the page was loaded in SSL.

  23. Pandu Aji Jun 26, 6:15 am

    I got redirect loop using this htaccess :(. any idea?

  24. Niall Flynn Sep 1, 7:27 am

    This htaccess is the only thing to watch out for in this post use

    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ [R,L]

  25. Fred Nov 6, 7:31 pm

    Hey guys, Thanks for the helpful article. Unfortunately there’s still an issue on my side.

    My home page and backend are loading with https, they are working fine. But the subpages are giving me a 404 error (URLs are loading with https like they should). I have tried remaking permalinks, my database has been updated with the new addresses, I even tried a https plugin (basically rewriting your htaccess for you). It is my first time using a Google VM for site hosting.. that might also be the source of my problem…

    Any suggestion for my next move? Possible solutions ? :)

    • Caroline Dec 7, 3:43 am

      Yeah, I’m seeing the same 404 error that Fred is seeing on subfolders (the homepage is fine). Any suggestions/ ideas would be very welcome :)

    • Caroline Dec 7, 3:54 am

      Hi Fred,

      Just FYI, I found a different solution on another website. It suggested adding this different code to the .htaccess file:

      RewriteEngine On
      RewriteCond %{SERVER_PORT} 80
      RewriteRule ^(.*)$$1 [R,L]

      I used this and got it working :)

      On a related note – my site has ‘non-www’ as the preferred variant. I noticed that when I used the full URL including ‘www’ it didn’t work, but when I used the full URL without the ‘www’ it did work.

      Good luck!


  26. Roy Jan 10, 11:41 am

    Another reason to change to HTTPS is that the HTTP/2 protocol needs both an SSL cert and HTTPS port 443. It is much faster than the traditional HTTP/1.1 protocol. And HTTP/2 is now getting more and more browser support.

  27. Ron Feb 8, 10:36 pm

    You may want to read the Google instructions on this. You are NOT to use any of these tools at Google for a change from http:// to https://

    On Google’s Site:

    “Note: The tool does not currently support the following kinds of site moves: subdomain name changes, protocol changes (from HTTP to HTTPS), or path-only changes.”

  28. sunil nirwan Jul 9, 2:20 pm

    Plz help, I can’t open my site. When I search for my site on Google search and click the first link to my site, my site goes to “https ssl” but I don’t want it to.

  29. Liz Apr 15, 7:23 pm

    I followed your tutorial – updated the .htaccess file and now I get an error on the site that says I have too many redirects.


  30. Oluseye Oct 5, 12:23 pm

    I just finished moving from HTTP to HTTPS and I was able to do this successfully. However, I have been getting the “this page is not authorized….” notification sign whenever I visit on a browser.

    How do I correct that please??

  31. DOOMLOM Nov 18, 3:05 pm

    Why to use HTTPS (not free), and not HTTP (free), in plus Opera, Mozilla and more… stop show you https links. HTTPS is not a big deal only shit trouble for idiots. TO code informations? This is sucks. We pay enough for I-net bill. To protect what? Do not make enough the java scripts, for this? In final, HTTPS are a idiot thing to make money, for USA government. :)

  32. David Jan 8, 5:44 pm

    I recently did a http > https redirect on my site. However, this only seems to have worked for the home page, my posts can still be accessed through http. Is this normal? If so, to eliminate all http URLs, must I place a redirect on each of them?

    Any advice would be much appreciated …

  33. Tomek Jan 9, 10:22 am

    Thanks for this article, worked for me although I also changed the “redirect” code for the htaccess file.
