How to move a WordPress site from HTTP to HTTPS, in 5 steps and without using plugins

Since July 2018, HTTPS has become an official (and practically mandatory) web standard as far as best practices and data safety are concerned.
All websites that do not use an SSL certificate, and therefore lack the “https” in their URL, will be marked as “not safe” by Google, and other search engines might soon follow.

It is no secret that websites using the safer transfer protocol have seen an increase in page ranking, so meeting safety standards has now become imperative for maintaining a website's SEO.

Luckily, the move is quite simple.

Not everybody likes to use plugins for each and every small change to their website, so I will briefly show you how to move your WordPress site from HTTP to HTTPS in a few simple moves.

Keep in mind that the more plugins you run, the more potential safety issues and data breaches you are exposed to, and the more server resources are used each time a page is viewed, hence possibly worse performance, which also factors into an SEO strategy.


The first step, always before making any significant change to a website, is to make a full backup of your site.
This means the whole of your website root, but most importantly your full WordPress database, the wp-config.php and .htaccess files and the whole of the wp-content folder.


The second step is to get an SSL certificate, which is the actual encryption “engine” of a website.
The “HTTPS” simply signals to browsers and users that an SSL certificate is installed on the server, hence all data sent between the user and the website will be encrypted.

Now, your hosting provider surely offers SSL certificates and usually also installs them for you, so this could be your safest and easiest way to get one.
Some hosting providers offer free ones like Let’s Encrypt but many will have paid options.

If you are also thinking about changing server and are looking for a new hosting provider, I definitely recommend Media Temple managed VPS servers, if you need room to change and customize your server through shell access or Plesk Onyx.
If you want everything managed for you, including SSL certificate, caching, performance and more with no interest in shell access, then WP Engine is blazing fast and definitely a great choice (and you get 20% discount!).

Prices of SSL certificates vary greatly, but if you are on a tight budget and want to get one for free, you know how to install an SSL certificate on a server, or are willing to learn… don’t despair, you have at least 2 great free options to choose from.

Let’s Encrypt, a free, automated, and open Certificate Authority, comes to the rescue. It is endorsed and supported by the world’s biggest Internet companies, among others, in order to promote data safety worldwide.
If you have SSH access to your website, start here.
If you don’t have shell access, but your provider lets you upload an external certificate, then you can follow this guide.

Another way is to get a free account on CloudFlare!
This will not only get you much better performance and protection against attacks, but also a free SSL.
There is very little setup to do (mainly just change your domain’s NS) and no coding required.
However, make sure to read their SSL FAQ, in case you have doubts.

To check that your SSL is installed correctly (you might need to wait up to 24h), head over to these free online tools:

GeoCert SSL Installation Checker
DigiCert® SSL Installation Diagnostics Tool
Qualys SSL Server Test
DigiCert SSL Tools

Each tool gives you more details (and tools), so make sure that everything is good before you proceed with the next steps.


The third step is about telling WordPress to start using HTTPS everywhere!
The first thing you need to do is turn your backend into a safer place, by adding this line to your wp-config.php:
define('FORCE_SSL_ADMIN', true);
The second is to add a redirect to your .htaccess (Apache) or server block (NGINX), which will automatically send all your users, search engines included, to HTTPS URLs instead of HTTP.

If you are using Apache:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If you are using NGINX:
server {
    listen 80;
    # Send every plain-HTTP request to the same host and path over HTTPS
    return 301 https://$host$request_uri;
}

Great, your website will now force HTTPS on every URL!
This doesn’t just work for users, but also search engines, since we are using the 301 status code (which means “permanently moved”), making sure that they update their records for that page too.


It’s now time to get rid of mixed content warnings. You can see these if you press F12 on Windows to bring up your browser’s Dev Tools console.
In here you will see, besides JavaScript errors and other information, warnings about your web pages using unsafe objects or images.

That is because, when you were adding content (e.g. images) while still on HTTP, the URLs of these objects were saved as http://www.yoursite/.../someimage.jpg.
So your last task is to make sure all these saved URLs in your database and content are converted to https URLs.
Depending on how many objects you have saved with http URLs (don’t forget to also check Custom Fields and hard-coded URLs in your theme), this might take some time.

There are 2 ways to go about this:
1. The fastest, by using a conversion tool (which, however, will convert EVERY http url to https, even external ones)
2. The slower but more targeted way, which requires you to manually update the database (with certain queries)

You need to choose what best fits your website and your content: if you use few images or uploaded material but many different external URLs, the manual option is probably safest.
If you mostly just upload images and have few references to other websites, usually just to their homepages, the fast option should be safe enough. The worst thing that can happen is that a website you now link to over https shows the user a message, once they get there, that it doesn’t actually have an SSL certificate installed, which happens more and more rarely nowadays.

In any case, make sure you have your database backup ready, in case you need to rollback and try something different.


Head over to InterconnectIT and download their Search and Replace script.
This is THE best conversion script for WordPress databases available, and that’s because it doesn’t just mindlessly convert, but also “reprograms” certain parts if needed, so you won’t have to worry about data inconsistencies across your database.
Once done, create a new “sr” folder in your WordPress site root and upload in there all files and folders from the zip.
Then simply go to that folder, in your browser and “search replace” http:// with https:// in the 2 fields at the top.
Let it run and do its magic, you are done!
Make sure you delete that “sr” folder when done, to avoid the risk of the tool being used by someone with malicious intentions.


Open your website’s phpMyAdmin (if you don’t know what this is, check your hosting provider panel) or install Adminer.
Execute this query on your MySQL:

This will convert all your image URLs to https.

In case you have image urls in your custom fields, you can use this query:

In case you still see mixed content warnings, you might need to manually go in and fix them from your content itself, or by editing your theme files.
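
Queries of the kind this manual step describes, as an added example rather than the author's original code. They assume the default wp_ table prefix and use www.example.com as a placeholder for your own domain.

```sql
-- Added example (not the author's queries). Assumptions: default "wp_" table
-- prefix, and www.example.com as a placeholder for your own domain.

-- 1. Dry run: see how many rows would change before touching anything.
SELECT COUNT(*) AS posts_with_http_images
FROM wp_posts
WHERE post_content LIKE '%src="http://www.example.com/%';

SELECT COUNT(*) AS serialized_meta_left_alone
FROM wp_postmeta
WHERE meta_value LIKE '%http://www.example.com/%'
  AND meta_value REGEXP '^[aOs]:[0-9]+:';

-- 2. Rewrite image sources in post content, own domain only, so links to
--    external sites that may not serve HTTPS are left untouched.
UPDATE wp_posts
SET post_content = REPLACE(post_content,
                           'src="http://www.example.com/',
                           'src="https://www.example.com/')
WHERE post_content LIKE '%src="http://www.example.com/%';

-- 3. Rewrite plain-string custom fields. PHP-serialized values (a:, O:, s:)
--    are skipped: they store each string's byte length, and adding the "s"
--    would make that length wrong and the value unreadable to WordPress.
UPDATE wp_postmeta
SET meta_value = REPLACE(meta_value,
                         'http://www.example.com/',
                         'https://www.example.com/')
WHERE meta_value LIKE '%http://www.example.com/%'
  AND meta_value NOT REGEXP '^[aOs]:[0-9]+:';
```

Rows counted by the second dry-run query need a serialization-aware tool, such as the Search and Replace script from the fast option, rather than a plain REPLACE.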


Google Webmaster tools considers http and https sites as two different things.
If you already have your site set up, using the http protocol, you need to add a new property with https this time.
Once done and verified, select your old http property and click on the cog icon on the right, then “Change of Address”.
Your new https should show up and after you select it, you will be able to request the change, keep all your old data and notice an improvement in page ranking.

You are all done!

Jany Martelli

I’m a Digital Consultant, Front-End Developer, specialized in WordPress.
I help companies, professionals and startups grow with technology and a winning digital strategy, I hand-pick and coordinate the perfect team for them, plan projects from the ground-up, develop & deploy websites, online stores and apps.
