Move HTTP to HTTPS on WordPress


In this article, you will see how to add SSL and HTTPS to a WordPress website. Moving from HTTP to HTTPS on WordPress is recommended these days because on most websites we share sensitive data, such as credit card and bank information or login credentials, dozens of times per day.

As a website owner, it is your duty to keep that information safe when users make online transactions (purchasing something with a debit card, credit card or netbanking) or simply log in to your site.

To protect data in transit, a secure connection is required, and one of the most important steps is to use HTTPS (Hyper Text Transfer Protocol Secure) with SSL (Secure Socket Layer) encryption on your website.

HTTPS, or Secure HTTP, is an encryption mechanism that secures the connection between the user’s browser and your server. That means any information that is exchanged gets encrypted.

Encryption is the process of replacing plain text information (like usernames and passwords) with random numbers and letters. That way, they are no longer readable by humans and harder to make sense of if someone intercepts them.

HTTPS is a combination of Hyper Text Transfer Protocol (HTTP) and Secure Sockets Layer (SSL). SSL is currently the most frequently used method to provide security for Internet communications, so HTTPS is a more secure way of transmitting and receiving information across the Internet. This kind of communication is used for accessing websites where security is required. Banking websites and payment gateways are good examples of where HTTPS is used.

Most third party payment providers like Stripe, PayPal, etc. will require you to have a secure connection using SSL.

Recently, Google also announced that they will be using HTTPS protocol as a ranking signal in their search results. This means that using HTTPS and SSL will help improve your website’s SEO (Search Engine Optimization).

How does HTTPS work?

HTTPS is also known as HTTP+SSL: a client and a server communicate with each other, but through an SSL layer that encrypts and decrypts their requests and responses.

Basically SSL certificates encrypt the data that goes from your server to the target website and back in the following manner:

  1. The client or browser connects to the server on an SSL port.
  2. The server sends back its public key; the client or browser decides whether it is OK to proceed: it checks that the public key has not expired and that it is verified, or “signed”, by a trusted third-party Certificate Authority, whose job is to verify the server’s application for a digital SSL certificate.
  3. If the client trusts the certificate, it sends its public key to the server.
  4. The server then creates the encrypted message, using the client’s public key and the server’s private key, and sends the message back to the browser or client.
  5. The client or browser decrypts the message.

This way, the client or browser and the server continue to establish the secure connection.

We are often asked – won’t HTTPS slow down my website?

In reality, the difference in speed is negligible, so you should not worry about that.

There will be some level of overhead due to encryption, but it is highly dependent on:

  • Hardware
  • Server software
  • Ratio of dynamic vs static content
  • Client distance to server
  • Typical session length
  • Caching behavior of clients

HTTPS requires an initial handshake which can be very slow. The actual amount of data transferred as part of the handshake is not huge (under 5 kB typically), but for very small requests, this can be quite a bit of overhead. However, once the handshake is done, a very fast form of symmetric encryption is used, so the overhead there is minimal. Making lots of short requests over HTTPS will be quite a bit slower than HTTP, but if you transfer a lot of data in a single request, the difference will be insignificant. However, keepalive is the default behaviour in HTTP/1.1, so you will do a single handshake and then lots of requests over the same connection. This makes a significant difference for HTTPS. You should probably profile your site (as others have suggested) to make sure, but I suspect that the performance difference will not be noticeable.

You may read on HTTPS speed

Using HTTPS has other advantages like:

  • Visitors can verify you are a registered business and that you own the domain
  • Customers are more likely to trust and complete purchases from sites that use HTTPS

I recently moved HTTP to HTTPS for the following site:

Roy Tutorials

In the browser you will see the protocol shown as https with a Secure label, and clicking on Secure shows details similar to those in the figure.

Moving your WordPress site to HTTPS using the following steps


It is always a good idea to back up your site’s files and database before making major changes. This way, if something goes wrong, you always have a version to restore.

Even better, if you have the possibility, make the changes on a test server first and not on your live site. If everything goes fine, you can then apply them to the live server.

SSL certificate implementation

The first thing is to install an SSL certificate. If you do not have permission to install an SSL certificate, you can ask your hosting provider to install one on your behalf. You can also check in the management dashboard, or ask your hosting provider, whether an SSL certificate has already been installed for using HTTPS on your website. For example, to switch your site to Let’s Encrypt in cPanel, you can follow the instructions written here. Find the same steps for Plesk here.

If you have administrator permission on your server then you can use to implement Let’s Encrypt. If you get an SSL certificate from another source, follow the instructions from your hosting provider to implement it.

You can also use plugin to implement SSL and

Add HTTPS to your site’s admin area

The first place where you will need to secure the connection is the WordPress dashboard. By securing the backend, you make sure that whenever a user logs in, their information is exchanged securely.

To do so, open wp-config.php in your WordPress root folder and add the following line above the line that reads “That’s all, stop editing!”.

define('FORCE_SSL_ADMIN', true);

Once you have updated the file, try to access your login page with HTTPS in the URL, for example via If everything worked correctly, you have successfully established a secure connection for the backend.

Update website’s address

Log in to your WordPress site’s admin area and update your site address as shown in the image below.

http to https

Changing links to your content

Now it’s time to update any links in your content and database that still use the old HTTP protocol. To do so, log in to your hosting server, open the phpMyAdmin page and run the queries below:

# Update self-hosted embeds (images, iframes, scripts, etc.)
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://example.com', 'https://example.com');
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.example.com', 'https://www.example.com');

# Update internal pingbacks
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://example.com', 'https://example.com');
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://www.example.com', 'https://www.example.com');

# Update YouTube embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, '', '');
UPDATE wp_posts SET post_content = REPLACE(post_content, '', '');

# Update Vimeo embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, '', '');

# Update Flickr embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://farm', 'https://farm');

# Update Slideshare embeds
UPDATE wp_posts SET post_content = REPLACE(post_content, '', '');

Please make sure to replace example with your site address.
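To check what the queries left behind, the following added example (not part of the original article) scans post content for subresources still loaded over http://, grouped by host, so you can see which further REPLACE statements are needed. The function name `insecure_embeds` and the sample rows are assumptions made for illustration; in practice the rows would be (ID, post_content) pairs exported from wp_posts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute makes the browser fetch a subresource; an http://
# value there is mixed content on an HTTPS page. Plain <a href> links are not.
RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
                  "source": "src", "video": "src", "audio": "src",
                  "object": "data", "link": "href"}

class _InsecureRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as subresources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = (attrs.get(RESOURCE_ATTRS.get(tag, "")) or "").strip()
        try:
            url = urlsplit(value)
        except ValueError:  # malformed URL in old content
            return
        if url.scheme == "http" and url.hostname:
            self.hosts.append(url.hostname)

def insecure_embeds(rows):
    """Map each host still loaded over http:// to the post IDs that use it.
    rows: iterable of (ID, post_content) pairs, e.g. exported from wp_posts."""
    found = {}
    for post_id, content in rows:
        parser = _InsecureRefs()
        parser.feed(content)
        for host in parser.hosts:
            found.setdefault(host, set()).add(post_id)
    return {host: sorted(ids) for host, ids in found.items()}

# Constructed sample rows, not taken from a real database.
SAMPLE_ROWS = [
    (1, '<p><img src="https://example.com/wp-content/uploads/a.png"></p>'),
    (2, '<iframe src="http://media.example.net/embed/1"></iframe>'),
    (3, '<a href="http://example.org/">link</a><img src="http://farm1.example.net/x.jpg">'),
    (4, '<script src="HTTP://example.com/wp-includes/js/app.js"></script>'),
]

if __name__ == "__main__":
    for host, ids in sorted(insecure_embeds(SAMPLE_ROWS).items()):
        print(f"{host}: posts {ids}")
```

Post 1 is already secure and the plain link in post 3 is not a subresource, so neither is reported.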

If you want to use plugin then you can check and

Implement 301 redirects in .htaccess file

The next step in moving your site to HTTPS is setting up a permanent redirect (301) that automatically sends visitors over to the secure version. For that, we need to add an entry to the .htaccess file in your server’s root directory.

Add the following lines to the .htaccess file:

#http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Enable HSTS

HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a website tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Add the line of code below to the .htaccess file under the server’s root directory.

# Enable HSTS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
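To confirm that the redirect and the HSTS header behave as configured, the following added example (not part of the original article) audits one response fetched over http:// and one over https://. The function names, the `(status, headers)` tuple format and the sample responses are assumptions made for illustration; in practice you would fill them from the output of `curl -sI` against your own site.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name.strip().lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(http_resp, https_resp, host, min_age=31536000):
    """Responses are (status, {lowercased header: value}); returns a list of findings."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        findings.append(f"http: expected 301, got {status}")
    if target.scheme != "https" or target.hostname != host:
        findings.append("http: Location is not https:// on the same host")
    if "strict-transport-security" in headers:
        # Browsers ignore HSTS received over plain HTTP; env=HTTPS should suppress it.
        findings.append("http: HSTS header sent over plain HTTP")
    status, headers = https_resp
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age is None or max_age < min_age:
            findings.append(f"https: max-age {max_age} is below {min_age}")
        if not include_sub:
            findings.append("https: includeSubDomains not set")
    return findings

# Constructed sample responses (status and headers as `curl -sI` would show them).
GOOD = ((301, {"location": "https://example.com/wp-login.php"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
BAD = ((302, {"location": "http://www.example.com/wp-login.php"}),
       (200, {"strict-transport-security": "max-age=300"}))

if __name__ == "__main__":
    print(audit(*GOOD, host="example.com"))
    for finding in audit(*BAD, host="example.com"):
        print(finding)
```

An empty list for the first pair means the .htaccess rules above are in effect; the second pair shows the findings for a temporary redirect to a non-HTTPS URL and a weak HSTS policy.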

Testing the live site

Now we are done with the main configuration. Test your live site, and if everything works as expected, update the following:

  1. Update your sitemap URL in Webmaster Tools (Google, Bing etc.).
  2. Add the site with its new URL to Webmaster Tools (Google, Bing etc.), as http and https are two different sites.
  3. If you are using a CDN (Content Delivery Network), update the URL there.
  4. Make sure to update the new URL in Google Analytics.
  5. Update your new URL on social networks.

That’s all. Thanks for reading.
