• Skip to primary navigation
  • Skip to main content
  • Skip to footer

WPJohnny

WordPress Performance Guides and Reviews

  • Start a WordPress site
  • Hosting
  • Themes
  • Plugins
  • Blogging
  • Marketing

How to Move Your WordPress Site from HTTP to HTTPS

WordPress hosting Jul 14, 2018 by Johnny 11 Comments

Converting to HTTPS/SSL is one of the scariest tasks out there.

It feels like SUCH a big project with a billion little details. Feels like you need to hire a programmer or server expert or someone to make all the edits on your website, webserver, and Google accounts.

Here are some simple steps to manually set up HTTPS and HTTPS-redirects instead of using plugins (further slowing down your site). This will give you the proper URLS and fast speeds.

STEP 1 – Install SSL certificate

Either you do this on your own from cPanel or your webhosting panel. (It’s also possible to get free shared SSL from CloudFlare. But you should still be doing it the proper way, which is from your webserver/webhost.)

  • Can’t do it yourself? Ask your webhost, or programmer or server guy to do it.
  • SSL’s are free now! – thanks to LetsEncrypt. Don’t let anyone fool you into thinking you need to pay for it! (Yes, it’s true that not all SSL certificates are the same and that some big stores may prefer the fancier kind that shows your brand name in the address URL. Most sites don’t need this.)

STEP 2 – Change WordPress URL to HTTPS

Go to your WordPress settings and change the website address and site address to HTTPS. If you can’t get in there for whatever reason, you can edit wp-config.php.

STEP 3 – Update your database URL’s

This is the part where most people either get lazy or don’t know how to do it. They’ll use a plugin like some “Really Simple SSL” that forces HTTPS or enable the feature from their security plugin. I HATE THIS…don’t install another plugin just for this basic function!

The best way is to do it manually from your database so that all your asset URL’s and internal links use native HTTPS instead of wasting server resources to reload the links in HTTPS.

How to update your database URL’s manually:

  1. Install Better Search Replace (by Delicious Brains)
  2. Back up your database if you’ve never done this before.
  3. Enter “http:” in the top field and “https:” in the bottom field. Please write it exactly as I say…otherwise, if you put only “http” and not “https:”, you risk jacking up all the entries that already have “https”.
  4. Select all tables.

Honestly, editing database URL’s manually is very easy to do but also very easy to completely screw up your site if you don’t know what you’re doing. Please be careful and make backups.

STEP 4 – Update Google Search Console

Update your website settings in Google Search Console and also Google Analytics to use your new HTTPS address!

STEP 5 – Apply HTTPS redirect in your htaccess file

This is the last step. Put whichever code fits the address you want your users to redirect to….HTTPS with or without WWW? Then relax and you are done!!! WOOHOO! (Don’t have htaccess or you’re not on Apache/LiteSpeed? You probably don’t have to worry about this, but do ask your webhost.)

WITHOUT www (all visits go to “https://domain.com”):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

WITH www (all visits go to “https://www.domain.com”):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

STEP 6 – Resolve any problems (if needed)

Everything should be working. But just in case, here are a few diagnostic steps you can do if the HTTPS doesn’t show green of you don’t get that padlock.

  • www.whynopadlock.com – this should be your first order of business. Check here and it will tell why you’re not getting a full HTTPS status.
  • Google Chrome > Developer Tools > Security – another way is to right-click anywhere on the page, then click “Inspect”, then “Security” TAB. Then reload the page.

Most likely, you may still have some assets loading from HTTP instead of HTTPS. Use the search-replace tool again or go through all your theme/plugin settings.

Share this post:

Share on FacebookShare on X (Twitter)Share on LinkedInShare on WhatsAppShare on EmailShare on SMS

Read all my posts on WordPress hosting

About Johnny

Right on the edge of WordPress development! 10+ years of WordPress design, development, hosting, speed optimization, product advisor, marketing, monetization. I do all that.

More WordPress Guides

InMotion VPS Hosting Review (HINT: they’re really bad)

The MONSTER GUIDE to WordPress Image Optimization

Swift Performance WordPress Cache Plugin – UNOFFICIAL GUIDE

How to get BEST PRICING on a Apple MacBook Pro

Cloudways is cashing out (acquired by Digital Ocean)

WPMU DEV sucks – don’t use their plugins

Reader Interactions

11 Comments

  1. JB Sidey

    October 16, 2018 at 2:16 pm

    In Step 3, which Tables do I select? All? Is there a chance unnecessarily/incorrectly changing an https: to an https:?

    Reply
    • Johnny

      October 21, 2018 at 11:33 am

      Select all tables! Thanks for asking; I’ve clarified it in my guide now.

      Reply
  2. Nguyen Minh Hung

    December 14, 2018 at 6:29 pm

    In step 5, is it only done on apache web server?

    Reply
    • Johnny

      December 15, 2018 at 12:37 am

      Yes, I already clarified that you don’t have to do that if you’re not on Apache.

      Reply
  3. Pedro

    April 9, 2019 at 9:26 am

    Hello Johnny
    Thanks for the tutorial.
    About step 3, with links to external sites that still do not respond to https, it is not recommended to search for https://domain.name and https://www.domain.name and replace it with https://domain.name or https://www.domain.name, depending on whether you use www or not at the site address? This would only change the internal links, leaving the external links as they were when they were created. Makes sense?
    Looking forward to your feedback.
    Thank you

    Reply
    • Johnny

      April 9, 2019 at 11:27 am

      IMO, you should just change them all to HTTPS so that you don’t have any mixed-requests on the page. If the external site doesn’t respond to HTTP, let their server rewrite the URL. 🙂

      Reply
  4. Jake

    January 11, 2021 at 5:34 am

    This is most probably a really newb question, but in step 3 you mention
    Enter “https:” in the top field and “https:” in the bottom field. Please write it exactly as I say…

    does that mean I should leave out the domain name and only enter “https:”? All the other info I find on the Search and Replace plugin states to add the domain name as well (ie https://domaindotcom), and a warning to NOT add a ‘/’ at the end.

    Reply
  5. Henk Bekker

    March 9, 2021 at 8:43 am

    Step 3. 3 — Shouldn’t it be “http:” in the top field and “https:” in the bottom field?

    Reply
    • Johnny

      March 9, 2021 at 11:21 am

      OMG!! ARGHHH! GEEEEZ. It’s probably been wrong for so long. But now fixed thanks to you.

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Footer

More links

  • Gadget reviews
  • Try my free WPJ plugins
  • Join the WPJ FB Group
  • WPJ YouTube & newsletter
  • Become a WPJ Affiliate

Popular Reviews

  • Best WordPress Hosting
  • Best WordPress Themes
  • Best WordPress Plugins
  • Best WordPress Cache Plugins

Services

  • Speed optimization
  • Speed optimization courses
  • WordPress hosting
  • Hire me or other experts
  • Client login

About Johnny

10+ years of WordPress design, development, hosting, speed optimization, marketing.
Contact me.

newsletter block

Copyright 2025 | WordPress guides by Johnny Nguyen

Click to Copy