Checklist After Moving from http to https for WordPress7 min read

I recently acquired an SSL certificate and moved BMA to https. It took me more than 2 hours to get that green signal on a browser that says your website is secure, Phewwww! Getting the SSL was an easy part and I’m not going to tell you about that, there are tonnes of other resources on the internet that guides you how to acquire an SSL certificate for your domain. I’m going to make your “after job” easy (HTTP to https). In this article, I will give you all the necessary steps that you need to take after you have acquired an SSL certificate.

If you have a new website which does not have any content then this blog is not for you. You are probably good to go. But if you in the same zone where I was, that is you have loads of content on your website which was created when your website was on HTTP protocol then this checklist is going to save you a lot of time.

#1 Secure wp-admin before anything

The very first step you need to follow is to secure your admin area. If you are about to move your website to https then the first thing that stops working is your admin area. You need to force HTTPS in your admin area.

To force HTTPs in your admin area, put the below line of code in your wp-config.php file (find the reference). Put the code just above “That’s all, stop editing! Happy blogging!” lines.

define('FORCE_SSL_ADMIN', true);

Most of the time this piece of code is all you need to do. But if your website is still experiencing errors (bad website structure, missing assets etc?) then you need to follow step #2 as well.

#2 Reverse proxy to rescue

You need to provide a reverse proxy in the wp-config.php file just below the #1. Put the below piece of code just below the #1.

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')

Once you have put the above code in its place, reload your website with https prefix and you must get a perfectly working website as it was before. You might not get a green colour secure message on the bar but your website should be working fine at this moment.

Note – if it is not working at all, consider removing the code.

#3 Change site address to secure site address

This part is where you change your WordPress site address to a secured address. Go to Settings ? General and change the WordPress site address (Refer the image below).

Wordpress Site address settings

Replace the old site address with new secure site address (https). At this point, you should have everything working the way it should. The next step is that you need to place perfect 301 redirects at the place to serve all the incoming request from https URL.

#4 Proper 301 redirects to serve secure pages

I use CloudFlare hosting account so I have made a simple page rule from CloudFlare dashboard to always use https for serving pages.

CloudFlare Pagerule

It means that any request that comes to BMA will be served from HTTPS protocol. If you are not using CloudFlare then I would strongly recommend that you do. You can check best free hosting services where I have talked about Cloudflare account.

If you are not using CloudFlare account then you will need to make changes to your .htaccess file. Word of caution – if you do not have knowledge of .htaccess files then you must not do it by yourself. I would recommend free WordPress plugin which you can install which will make your job really easy. Install WordPress HTTPS (SSL) plugin to secure your posts and pages. It is a one-click job after installing the plugin. Do read the description given on the plugin page.

To do it in the .htaccess file. Put the below piece of string to the start of your .htaccess file

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

You should also read How to port website to a new domain which will help you to understand how search engines work to index your website.

So, you have a working website on https but still, you are not seeing the green colour info saying Secure in the address bar of your browser. That is because you have a whole lot of content on your page that still points to the Http address. These are the mixed content warning that the core of your website is served from https but it points to the resources which are served from https URLs.

#5 Mop up Mixed Content Warnings

We are aiming for the “SECURE GREEN LOCK” that says your website is completely secure.

Green Secure Lock https

If you will are already getting the GREEN LOCK (chances are rare) then no need to do anything. Just enjoy you have successfully secured your website. But if you are getting a yellow warning sign then follow the rest of the article. Similar to the below image,

Mixed Content Warning

The reason is that your website core is served from https but its contents are served from non-https sources which result in a mixed content warning. We would need to change all the links to https secure links in order to get that green lock in place. Before we perform the next step, make sure you take a complete backup of your database, in case, anything goes wrong. Normally everything would work as expected but it’s always safe to take a backup before making any major changes.

Replace all Http links with https links

You are about to change the content of your WordPress website. If you don’t have an idea about the database then it would seem impossible. But you will love what we are about to do it next. You need admin access to your database before you can make these changes, so make sure you can access the database. Just run the below queries in a series (one after the other) and all your content’s link will be changed successfully.

# Query 1 - Replace src="http:// with src="//
UPDATE wp_posts 
SET  post_content = ( Replace (post_content, 'src="http://', 'src="//') )
WHERE Instr(post_content, 'jpeg') > 0 
    OR Instr(post_content, 'jpg') > 0 
    OR Instr(post_content, 'gif') > 0 
    OR Instr(post_content, 'png') > 0;

#Query 2 - To catch single-quoted links

UPDATE wp_posts
SET post_content = ( Replace (post_content, "src='http://", "src='//") )
WHERE Instr(post_content, 'jpeg') > 0
OR Instr(post_content, 'jpg') > 0
OR Instr(post_content, 'gif') > 0
OR Instr(post_content, 'png') > 0;

Do not forget to replace with your website Url.

#Query 3 - To change all href to your website

UPDATE wp_posts
SET post_content = ( Replace (post_content, 'href="<a href="">'</a>, 'href="//<a href="">'</a>) )

#Query 4

UPDATE wp_posts
SET post_content = ( Replace (post_content, "href='", "href='//") )

At this point, you have successfully replaced all your Http links to https links. Above steps will solve all the generic problems that need to be resolved after you move your WordPress from Http to https protocol.

#6 Keep mopping up

Nobody can guarantee that these steps will make your website Secure. You might still get mixed content warnings on some of your pages. You will need to hunt down those problems individually and solve it. All I can guarantee you that after following all the above steps your website has solved most of the generic errors that could keep you involved for hours.

Just let me know if the above steps worked for you or not? If you faced any more challenged, please add those in the comments and we will try to find a solution for that.

And as always,
Be my aficionado 🙂

  • Article By: Varun Shrivastava

  • Varun Shrivastava is an innovative Full Stack Developer at ThoughtWorks with around 4 years of experience in building enterprise software systems in finance and retail domain. Experienced in design, development, and deployment of scalable software. He is a passionate blogger and loves to write about philosophy, programming, tech and relationships. This is his space, you can get in touch with him here anytime you want.