Migrating a WordPress website from http to https

A lot has been said over the past years about migrating your website to a secure protocol. Unless you are writing for fun and have simple blog, migrating to https is a no brainer. Moving to https helps in search engine optimization efforts. It also creates trust signals for your visitors as a secure padlock sign displays on the address bar. The latter is very important as visitors are becoming more concerned on their information being protected.

If you are setting up a new website or finally planning to migrate, this detailed guide will help you do the same without any hiccups. Let’s look at all the steps:

  1. Back up your website

Needless to say, making a back up of your website is important. In case anything goes haywire, the back up can be used to restore website. You can request your hosting provider to create a back up or use FTP application like filezilla to create back up on your system. There are also many plugins to back up your WordPress website.

When we bought our first website, the seller used a plugin called All-in-One WP Migration but then faced issues restoring the data as it was giving upload failure. However using rollback plugin to access an old version of WP migration plugin solved the issue. What a relief!

Also, take a look at our pre-check list:

  1. Take multiple back-ups of your website (sometimes back up files get corrupted)
  2. Carry the activity on a off day or when visitor traffic is minimum and you have buffer to reset to original if something goes wrong
  3. Crawl your website (tools like seofrog), and download the list of all URLs and status codes
  4. Use Google developer console to note any errors (sometimes existing errors are construed as https errors)
  5. Be patient, and careful, and take help if needed.

2. Install SSL at domain

When you buy hosting especially the advanced plans, you get SSL free for a year. If not, you can purchase SSL certificate, which start as low as $5/year. Depending on your hosting provider, you can install the SSL certificate at your domain. It takes up to 48 hours (usually sooner), to show that SSL certificate has been installed. Here’s how it appears on our host:

3. Setting up https at WordPress

If you want to avoid all the manual process- getting into the code, adding a few lines, and are uncomfortable or new to WordPress, we strongly recommend the easy way out- a plugin. There are a few plugins like Really Simple SSL, One Click SSL that will do all the migration for you.

If you want to get it done manually, here are the steps:

  • Login to WordPress, go to Settings>General. Look out for WordPress Address and Site Address and update the protocol. This will take care of pages or posts served to visitors or at the front end.
  • Login to FTP client, go to your root domain folder, and find out wp-config.php file. Open the file in your editor, add the following code just before the “That’s all, stop editing! Happy blogging”,

define(‘FORCE_SSL_ADMIN’, true);

This will ensure that your back end or login sections are served over https

  • Within the FTP client, find the htaccess file and go to edit the file. Add the following code either at the very start (before begin WordPress) or after the end WordPress section:

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


This code will ensure that any request for your website on http will automatically be served on https including all the resources within such as fonts, images, etc. 301 within the code redirect tells Google that this is a permanent redirect.

This is it, congrats, your website is ready to be served over https. But wait, how do I check if everything is done correctly?

Verifying your migration:

Go to your website and open developer console. Hit command+option+J on mac ot ctrl+shift+J on windows to access the console window. If there are errors, they will show up on this console window.

Mixed Content Warning

When we migrated our website to https, we got mixed content warning which was as follows:

The page at ‘<URL>’ was loaded over HTTPS, but requested an insecure font ‘<URL>’. This request has been blocked; the content must be served over HTTPS.

The console will show you exactly where the warning is originating from and you need to head to that URL and plugin https. However open the URL with https to check whether your resource is loading or not.

For example, we had many images that were loading from http, and we just changed http to https and fixed our mixed content warnings.

Anything Else?

  1. Register https protocol at Google Search Console
  2. Create new sitemap and submit to Search Console
  3. Update your protocol at Google Analytics, by simply going to Admin>property settings>default URL.