How to Change a WordPress Blog (or Site) to HTTPS

Now that it’s been officially announced that Google is using HTTPS (aka SSL) as a signal for their search ranking algorithm, no doubt many people will be trying to figure out how to convert their “normal” WordPress HTTP site into an HTTPS site in hopes of getting better search rankings.

The process is a little technical and can be somewhat confusing, so I am going to try to take some of the intimidation and complexity away by showing you how I did it for this site, which is also powered by WordPress.

Step 1: Order your SSL Certificate

You’ll need to order your SSL Certificate from an authority that issues them. This process isn’t exactly difficult, but it does have some confusing steps and terminology.

The first part of this process is to purchase the certificate. I got mine from and was very pleased with the price and the simplicity of the checkout process. There are a number of options as far as the individual certificate goes, but for most people with a basic single site, I recommend the GeoTrust RapidSSL certificate.

Step 2: Install your certificate

Once you have purchased your certificate, you will need to “activate” it. Basically the purchase gets you the ability to enter all the details you need to get a certificate issued to your server. To do this, you will need to get a “certificate request” from your web server. I use Cpanel, so it was a matter of a few clicks.

After you have entered your certificate request and some other details, you will be emailed the actual certificate. It looks like a lot of gibberish, but is basically encrypted data that verifies your server and domain are who you claim to be.

I copied my certificate text and pasted it into the spot on Cpanel where you enter certificates, and assigned it to the website I wanted it assigned to, and that was it. Now my certificate is on the server and ready to be used.

Step 3: Change your WordPress to HTTPS

This is probably the easiest part. Before you make this change though, be sure to test and see if your site actually works with the certificate. You can do that by just entering in your browser and seeing if your site loads.

It may load and not display correctly. Don’t be too alarmed, because you will need to fix these things anyway and it shouldn’t take a whole lot of changes. If you’re not comfortable editing any HTML on your own, then I would suggest you contact your web designer or programmer and let them know what you’re wanting and ask for them to do it for you at this point. If you’re okay with trying it yourself, then read on.

Go to your WordPress dashboard and to Settings -> General

You should have 2 fields for your WordPress and Site “address” like in the screenshot to the right. Change whatever you already had there, to “https” instead of “http” and click “save” at the bottom of the page. You may need to log in again afterwards.

This configures WordPress to use HTTPS for all its internal links. If you have any caching plugins like W3TC or others, be sure to empty your cache now.

Step 4: Fix links and content still using HTTP

Content you previously uploaded, or content in widgets, theme options, custom menus and other areas may still be using HTTP instead of HTTPS. You don’t want this, because most browsers will block HTTP content that isn’t secured when you are requesting an HTTPS page. You’ll need to change these. Take a minute to go through your theme options, widgets, custom menus and other spots to find and change these.

I found it helpful to view the source on my site and search for “” in the source and see what might still be using regular HTTP.
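The view-source check above can be scripted. The following is an added example, not code from the original post: it scans a page's HTML for URLs still using plain HTTP and separates resources the browser loads with the page from ordinary links, and your own site from outbound hosts. The host www.example.com, the sample HTML and the function names are assumptions made up for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("source", "src"), ("embed", "src"), ("object", "data")}

class InsecureUrlFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # tuples of (kind, scope, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            url = (value or "").strip()
            if urlsplit(url).scheme.lower() != "http":
                continue  # https, relative and protocol-relative URLs are fine
            is_css = (tag == "link" and name == "href"
                      and "stylesheet" in (attrs.get("rel") or "").lower())
            if (tag, name) in SUBRESOURCE_ATTRS or is_css:
                kind = "mixed-content"  # loaded with the page; browsers block or warn
            elif tag == "a" and name == "href":
                kind = "link"  # followed on click; costs an extra redirect
            else:
                continue
            host = (urlsplit(url).hostname or "").lower()
            scope = "internal" if host == self.site_host else "external"
            self.findings.append((kind, scope, tag, url))

def find_insecure_urls(html, site_host):
    finder = InsecureUrlFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page; www.example.com stands in for your own domain.
SAMPLE = """
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/x/style.css">
<img src="http://www.example.com/wp-content/uploads/2014/08/photo.jpg">
<img src="https://www.example.com/wp-content/uploads/2014/08/ok.jpg">
<script src="http://cdn.example.net/widget.js"></script>
<a href="http://www.example.com/about/">About</a>
<a href="http://other.example.org/post">Outbound</a>
"""

if __name__ == "__main__":
    for finding in find_insecure_urls(SAMPLE, "www.example.com"):
        print(*finding, sep="\t")
```

Internal findings are the ones a search and replace on your own domain will fix. An external "mixed-content" finding needs an HTTPS address from the third party, and external links can stay as they are.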

Many of my previous blog posts had content (such as images and internal links) that used HTTP instead of HTTPS. You could edit them each individually and change them, or you could try to update them all at once in the database directly, which is what I chose to do.

If you want to search and replace in your content, this is how I did it.

I first created a backup of my database.

Then I ran the following MySQL query to update the content on this site:

UPDATE `wp_posts` SET `post_content` = replace(post_content, '', '');

This query searches through the wp_posts table for anything with “” and replaces it with the HTTPS version, “”.

It’s important to note that you want to use your entire site domain for this search, instead of just searching for “http” and replacing that with “https” because some of your content might have outbound links and you don’t want to change those, just your internal links.

Some people might think that this step to update your content is optional and while in some respects it might be, here are a couple reasons I think it is really important:

  • Images (and other content) that are loaded with http instead of https in your blog posts may not display, because browsers often block insecure content on secure pages
  • Even though you have a redirect or rewrite from HTTP to HTTPS, you should update your links. If you don’t, your server will load the HTTP request first, then redirect to the HTTPS request and use more resources than necessary. This will make your server slower, and you may need to upgrade to a faster server or more powerful hosting level for no reason at all if you have a busy site.

Step 5: Redirect your site to force HTTPS

Just because your site links are pointing to HTTPS doesn’t mean that you’ll get the benefit Google says is given to secure sites. You will need to force HTTPS so whenever the Googlebot comes to visit it is forced to the HTTPS version and sees that you don’t have any non-secure pages on your site.

In order to do this, you will need to redirect all requests that come to your server via regular HTTP to the corresponding HTTPS version of that request. This is not just for pages, but also for images.

The best way to do this is via your .htaccess file and have Apache do it for you. Here’s the code that should take care of that for you:

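RewriteEngine On
# Only act on requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# Permanently redirect (301) to the same host and path over HTTPS; L stops further rule processing
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]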

There are also a couple of other options, and I found this page with instructions for how to do it in PHP helpful. I had some conflicting code in my .htaccess file that was causing an error, so I used the PHP method instead, although I really prefer to do this with Apache. This is something on my to-fix list.

Time for Happy Hour!

Hopefully after these steps you should be done, but please, please don’t forget to test everything very thoroughly to make sure nothing is broken. This worked for me, but as you see it wasn’t completely smooth sailing and I had to do my redirects in PHP instead of Apache. You may have to tweak some things also, but just be sure to test it because no one wants a broken site, and especially one that isn’t earning you money!

If you need help or have questions, I’m happy to do my best to help you out, just leave a note in the comment area below.