Securing your WordPress site is non-negotiable in today’s digital landscape. The cornerstone of this security is enabling and enforcing HTTPS, which ensures an encrypted connection between a user’s browser and your WordPress website.
This comprehensive step-by-step guide will walk you through exactly how to force HTTPS on WordPress, covering all the essential manual and plugin methods.
Following this guide ensures that your entire site operates on a secure connection, providing a better user experience and enhancing your search engine rankings.
Why Should You Force HTTPS on a WordPress Site?
Enabling and forcing HTTPS on your WordPress site offers significant advantages, moving your site from an insecure WordPress HTTP setup to a secure HTTPS site.

- Enhanced Security: HTTPS encrypts the data transmitted between the user’s browser and your server. This protection is crucial for safeguarding sensitive information, such as login credentials, personal data, and payment details, from unauthorized access by eavesdroppers and hackers. An SSL certificate is what enables this encryption.
- Boosted User Trust: When visitors see the padlock icon in the browser’s address bar, they instantly know your WordPress website uses a secure connection. Browsers like Chrome now display prominent “Not Secure” warnings for HTTP sites, which erodes trust and encourages immediate bounce-backs. Moving to the HTTPS version of your site eliminates this warning.
- Improved Search Engine Rankings: Google officially confirmed that HTTPS is a search rankings factor. While not the most potent factor, it gives your HTTPS website a slight edge over an equivalent WordPress HTTP site in search engine results. Security is a priority for Google Search Console, and running a secure site is a best practice.
- Access to Modern Web Technologies: Many modern browsers and web application features, such as HTTP/2 (for faster loading) and geolocation, require a secure connection.
Pre-Implementation Checklist Before Enabling HTTPS
Before forcing HTTPS on your WordPress site, which is currently running on HTTP, you must complete a few crucial preparatory steps. Skipping these can lead to site breakage or SEO issues.
- Get an SSL Certificate: This is the first and most critical step. Contact your hosting provider or check your hosting plan dashboard. Most reliable web hosts offer free SSL certificate options, often via Let’s Encrypt. You must activate SSL and ensure the SSL certificate is installed and active on your server for your domain before proceeding.
- Back Up Your Site: Any significant configuration change, especially one involving redirects or the WordPress database, carries a risk. Create a complete backup of your WordPress database and all files. This is your safety net if anything goes wrong.
- Check Your Hosting Environment: Determine whether your web host uses an Apache server (which uses the .htaccess file) or an Nginx server. This determines which redirection method (Step 3 or Step 4) you’ll use.
- Confirm SSL Installation: Use an online SSL checker tool to confirm your SSL certificate is correctly installed and valid.
- Gather Login Credentials: You’ll need access to your WordPress admin, your web host’s file manager or FTP/SFTP access, and potentially phpMyAdmin for database changes.
Step-by-Step Guide to Enable HTTPS on WordPress
There are two primary methods to force HTTPS on your WordPress website: using a WordPress plugin, such as the Really Simple SSL plugin (also known as Simple SSL), for the easiest path, or the manual, more robust process. We’ll detail the manual method, as it provides a permanent solution and less reliance on a third-party plugin.

Step 1: Update WordPress and Site URLs to HTTPS
The first manual step is to tell WordPress that its new WordPress address and site address are the HTTPS address.
- Log in to your WordPress admin dashboard.
- Navigate to Settings → General.
- Locate the WordPress Address (URL) and Site Address (URL) fields.
- Change both HTTP URLs to their HTTPS equivalent (e.g., change http://yoursite.com to https://yoursite.com).
- Click Save Changes at the bottom. You will be logged out and forced to log back in using the https version of your login URL.
Step 2: Force HTTPS in wp-config.php
This step enables SSL for the administration area and login pages, which is a good security practice.
- Access your WordPress installation files using FTP/SFTP or your web host’s file manager.
- Locate the wp-config.php file in the root directory of your WordPress site.
- Open the file for editing.
- Add the following code immediately before the line that says /* That’s all, stop editing! Happy blogging. */:
define('FORCE_SSL_ADMIN', true);
- Save and close the wp-config.php file.
Step 3: Add 301 Redirects in .htaccess (Apache)
This is the most critical step for Apache servers. It creates a 301 redirect from HTTP to HTTPS for all incoming requests, ensuring that every visitor lands on the HTTPS version of your WordPress site. This is vital for search engines and maintaining search rankings.
- Access your WordPress installation files using FTP/SFTP or your web host’s file manager.
- Locate the .htaccess file in the root directory (the same location as wp-config.php). If you don’t see it, ensure you can view hidden files.
- Open the .htaccess file for editing.
- Add the following code immediately before the # BEGIN WordPress line:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
- RewriteEngine On enables the rewrite module.
- RewriteCond %{HTTPS} off checks if the connection is not secure (i.e., it’s WordPress HTTP).
- RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] executes a 301 redirect from the HTTP URLs to the HTTPS address.
- Save and close the .htaccess file.
Step 4: Configure HTTPS Redirects in Nginx
If your hosting provider uses the Nginx web server instead of Apache, you won’t have an .htaccess file. You need to add the redirect code to your Nginx configuration file.
- Connect to your server via SSH or through your host’s control panel access for Nginx settings.
- Locate your website’s main nginx configuration file (often found in /etc/nginx/sites-available/yourdomain.conf or a similar path).
- Within the server block that listens on port 80 (WordPress HTTP), add the return directive to perform the HTTP to HTTPS redirect.
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://$server_name$request_uri;
}
- Save the Nginx configuration file and restart the Nginx server to apply the changes.
Note on Managed Hosting: For many managed WordPress hosts like WP Engine, this step is often handled automatically once the SSL certificate is installed. Check your host’s documentation first.
Step 5: Replace HTTP URLs in Database
Even after setting up redirects, your WordPress database still contains HTTP URLs for images, internal HTTP links, and other media. These old HTTP URLs will trigger a mixed content warning or error. This manual process of replacing them is critical for a smooth transition.
- Install and activate a plugin like Better Search Replace or use WP-CLI if you are comfortable with the command line.
- Navigate to Tools → Better Search Replace.
- In the ‘Search for’ field, enter your old http domain (e.g., http://yoursite.com).
- In the ‘Replace with’ field, enter your new https domain (e.g., https://yoursite.com).
- Select all database tables in the list below. The number of tables searched depends on the size of your WordPress database.
- Crucially, first run a ‘dry run’ to see how many replacements the plugin will make.
- If the dry run count appears correct, uncheck the ‘dry run’ box and click ‘Run Search/Replace’ to execute the search and replace operation across your WordPress database.
Step 6: Fix Mixed Content and Update Hardcoded Links
After the database search and replace, you may still encounter mixed content issues. This means some assets (like images, scripts, or styles) are still loading over insecure HTTP, even though the main page is HTTPS.
Using a Plugin (Easy Method):
The Really Simple SSL plugin (also known as the Simple SSL plugin) is excellent for a quick fix. It resolves mixed content by detecting your settings and applying the appropriate headers and rules, including the Content-Security-Policy header with the upgrade-insecure-requests directive.
Manual/Advanced Fix:
- Use your browser’s inspect tool (Console tab) to identify the specific insecure content sources (HTTP links).
- These are often hardcoded HTTP links in theme files (check your theme’s header.php, footer.php, or functions files) or old WordPress plugin settings that the database search/replace missed.
- Locate and manually update the hardcoded URLs starting with ‘http’ to ‘https’ in the specific files or settings.
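The manual check above can be run over saved page source instead of reading the console by eye. The scanner below is an added example, not part of the original guide; the names `MixedContentScanner` and `scan` and the sample markup are constructed for illustration. It reports only http:// subresources, separates content that browsers block (scripts, stylesheets, frames) from content they warn about or upgrade (images, media), and ignores ordinary links and rel=canonical, which are not mixed content.

```python
from html.parser import HTMLParser

# "Active" content (scripts, frames, plugins): browsers block insecure loads.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
# "Passive" content (media): browsers warn about or upgrade insecure loads.
PASSIVE = {("img", "src"), ("video", "src"), ("audio", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples in document order

    def _check(self, kind, tag, url):
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only fetched link types count; rel=canonical is metadata.
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel or "icon" in rel:
                kind = "active" if "stylesheet" in rel else "passive"
                self._check(kind, tag, a.get("href"))
            return
        for name, value in a.items():
            if (tag, name) in ACTIVE:
                self._check("active", tag, value)
            elif (tag, name) in PASSIVE:
                self._check("passive", tag, value)
            elif tag in ("img", "source") and name == "srcset" and value:
                # srcset is a comma-separated list of "url descriptor" pairs.
                for candidate in value.split(","):
                    self._check("passive", tag, (candidate.split() or [""])[0])

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: theme output after an incomplete migration.
SAMPLE = """<head><link rel="canonical" href="http://yoursite.com/">
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/x/style.css">
<script src="https://yoursite.com/wp-includes/js/jquery.js"></script></head>
<body><a href="http://example.org/">external link</a>
<img src="/wp-content/uploads/a.jpg" srcset="http://yoursite.com/a-2x.jpg 2x">
<script src="http://yoursite.com/wp-content/plugins/old/widget.js"></script></body>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Fix the "active" findings first, since browsers refuse to load them and the page visibly breaks.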
Step 7: Clear Cache and CDN
Your WordPress site and any performance services likely store old WordPress HTTP versions of your pages.
- Clear Server-Side Cache: If you use a caching WordPress plugin (such as WP Rocket or LiteSpeed Cache) or a host-level cache, clear all cached files.
- Clear CDN Cache: If you use a Content Delivery Network (CDN), such as Cloudflare, purge its cache entirely.
Verifying and Testing Your WordPress HTTPS Setup
After completing the steps to force HTTPS, you must verify that your HTTPS website is functioning correctly.

- Check the Padlock Icon: Visit your WordPress website and look for the padlock icon in the browser’s address bar. If it’s there, your HTTPS version is loading correctly.
- Test All URL Variants: Manually type all common forms of your domain into a browser to ensure they redirect to the single HTTPS address (e.g., http://yoursite.com, http://www.yoursite.com, https://yoursite.com, https://www.yoursite.com). Every variant should end up, via a 301 redirect, at your chosen canonical HTTPS address.
- Inspect for Mixed Content: Open your browser’s inspect tool (right-click → Inspect → Console tab). A successful setup should show no mixed content warning or mixed content error messages.
- Update Google Search Console: Add the HTTPS address as a new property in your Google Search Console account. Use the property button to add the URL prefix property. This helps search engines index the new secure HTTPS version immediately. You must verify ownership of the new property.
- Update Google Analytics: Log in to your Google Analytics account. Go to Admin → Property Settings → Default URL and select HTTPS from the dropdown menu.
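The URL-variant test above can be automated so that it also catches non-301 redirects, HTTPS-to-HTTP downgrades and redirect loops. This is an added example, not part of the original guide; `live_fetch` and `audit` are hypothetical names, and the `GOOD` and `LOOP` tables are constructed responses so the logic runs offline. Against a real site, call `audit` without the `fetch` argument.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def live_fetch(url):
    """One HEAD request, redirects not followed: (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def audit(start, canonical, fetch=live_fetch, max_hops=5):
    """Follow redirects from `start`; return a list of problems (empty = OK)."""
    problems, seen, url = [], set(), start
    for _ in range(max_hops):
        if url in seen:
            return problems + [f"redirect loop at {url}"]
        seen.add(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            break  # not a redirect: this is where the chain ends
        if status != 301:
            problems.append(f"{url} redirects with {status}, not 301")
        nxt = urljoin(url, location or "")
        if url.startswith("https://") and nxt.startswith("http://"):
            problems.append(f"{url} downgrades to {nxt}")
        url = nxt
    else:
        return problems + [f"more than {max_hops} redirects from {start}"]
    if url.rstrip("/") != canonical.rstrip("/"):
        problems.append(f"{start} ends at {url}, expected {canonical}")
    return problems

# Constructed responses for a correctly migrated site and for a looping one.
GOOD = {
    "http://yoursite.com/": (301, "https://yoursite.com/"),
    "http://www.yoursite.com/": (301, "https://www.yoursite.com/"),
    "https://www.yoursite.com/": (301, "https://yoursite.com/"),
    "https://yoursite.com/": (200, None),
}
LOOP = {
    "http://yoursite.com/": (301, "https://yoursite.com/"),
    "https://yoursite.com/": (302, "http://yoursite.com/"),
}

if __name__ == "__main__":
    for start in GOOD:
        print(start, audit(start, "https://yoursite.com/", GOOD.__getitem__) or "OK")
    print(audit("http://yoursite.com/", "https://yoursite.com/", LOOP.__getitem__))
```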
Troubleshooting Common HTTPS Issues
Switching from WordPress HTTP to HTTPS is generally smooth, but a few issues commonly arise.
| Issue | Cause | Solution |
| --- | --- | --- |
| Mixed Content Warning | Assets (HTTP links) are still loaded from insecure HTTP within the HTTPS version of the page. | Run the database search and replace again (Step 5). Use a plugin like Simple SSL or manually fix hardcoded HTTP URLs in theme files (Step 6). |
| Too Many Redirects | A redirection loop, usually because an .htaccess or Nginx rule is conflicting with a setting in wp-config.php or a security plugin. | Compare the redirect rule from Step 3 or Step 4 with the HTTPS settings in wp-config.php and in any security plugin, and keep only one of the conflicting redirects. |
| ERR_SSL_PROTOCOL_ERROR | Indicates a problem with the SSL certificate installed on the server. | Contact your hosting provider immediately. Confirm the SSL certificate is active, correctly configured, and not expired. |
Best Practices for Maintaining HTTPS on WordPress
Once you successfully force HTTPS, maintain these best practices to prevent future issues.
- Use Relative URLs: When linking internally or embedding media, use relative URLs (e.g., /wp-content/uploads/image.jpg) instead of complete absolute URLs (e.g., https://yoursite.com/wp-content/uploads/image.jpg). This ensures the link always adapts to the protocol used by the WordPress site.
- Use Security Plugins: Keep your security plugin (if you use one) up to date and ensure it’s compatible with your HTTPS site.
- Monitor Google Search Console: Regularly check your Google Search Console account for any crawl errors or reports of HTTP URLs still being indexed.
- HSTS Implementation: For advanced security, consider implementing HTTP Strict Transport Security (HSTS). This header forces browsers to communicate with your site only over HTTPS for a defined period, even if a user types HTTP. This is powerful, but it commits the site to HTTPS for that whole period, so it should only be implemented after a completely successful HTTPS migration.
Conclusion
Successfully forcing HTTPS on your WordPress site is more than just a security upgrade; it’s a vital requirement for establishing trust, enhancing usability, and improving search engine rankings.
Whether you choose the ease of the plugin method with the Simple SSL plugin or the robust manual process using the .htaccess file and WordPress configuration, following this step-by-step guide ensures you make the transition correctly.
By migrating your WordPress site from HTTP to HTTPS and implementing the necessary 301 redirects, you create a safer, more secure, and more authoritative HTTPS website that is prepared for the future of the web. This crucial step is the foundation of a healthy, secure, and well-ranked WordPress website.
FAQs About How to Force HTTPS on WordPress
How do I enable HTTPS on my WordPress site?
To enable HTTPS on your WordPress site, first install an SSL certificate from a trusted certificate authority via your hosting provider. Update your WordPress general settings to use the HTTPS version of your URLs and configure the .htaccess file or Nginx redirects to force HTTP to HTTPS across the entire site. Plugins like Really Simple SSL can simplify the whole process.
Will switching to HTTPS affect my site’s SEO?
Yes, switching to HTTPS can positively impact your site’s SEO, as search engines tend to favor secure sites. Ensure that you update Google Search Console and Google Analytics to reflect the HTTPS version of your site, and monitor traffic to verify that the entire site is indexed correctly.
How do I fix mixed content issues after forcing HTTPS?
Mixed content errors occur when some resources still load over HTTP. Use a plugin or database search to replace HTTP URLs with HTTPS in your WordPress database. Update hardcoded links in theme files, plugins, and widgets, and consider implementing a Content Security Policy (CSP) header to mitigate insecure requests.
Do I need to involve my hosting provider for setting up HTTPS?
Yes, your hosting provider can help install the SSL certificate, configure server settings, and ensure redirects in the .htaccess file or server configuration work correctly for the entire site.
Can a plugin author help with forcing HTTPS?
While most plugins automate the HTTPS process, contacting a plugin author may be necessary if a plugin conflicts with the redirect rules, mixed content handling, or database updates.


