Change to https with WordPress

By Sue Johnson

If your website is currently using http instead of https, it is a good idea to get an SSL certificate so that you can use https.

An SSL certificate lets your website encrypt data in transit, keeping passwords and user-submitted information safe by stopping them going out over the internet as plain text.

GDPR regulations require that you protect your data.

Install an SSL certificate

Step one is to get an SSL certificate installed on your website. Let’s Encrypt provide one for free and this is supported by many web hosts. Your web host may allow you to do this from within your website control panel; if not, contact them for details.

Redirect WordPress URLs to https

Step two is to change all the URLs within your WordPress website. WordPress uses absolute URLs, e.g. http://example.co.uk. Wherever http occurs, it needs to be changed to https.

Start with the WordPress address and site address. You can either edit these in Settings –> General or from within the database using phpMyAdmin. Note that if you change your WordPress website address, you will need to log in again.

To make the changes from within the database, log into phpMyAdmin, select the database you require and run the following SQL query:

UPDATE wp_options SET option_value = 'https://example.co.uk' WHERE option_name IN ('siteurl', 'home');

Change wp_ to whatever your table prefix is, and example.co.uk to your website URL.

Next you need to change the URLs for images and downloads:

UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://example.co.uk', 'https://example.co.uk');

Finally, you might need this query for post meta data. Not all websites require it:

UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://example.co.uk', 'https://example.co.uk');

If you have hardcoded any URLs for your website into HTML in the widgets with http, you will need to change these manually.
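
To help find those leftover hardcoded references, the following Python script (an added example, not part of the original article) scans a page's HTML for scripts, images, stylesheets and form targets that still use http://. The sample page, the function name find_insecure_refs and the list of attributes checked are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser load or submit something.
# A plain <a href> is only navigation, so it is not listed here.
LOADING_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
    ("script", "src"), ("iframe", "src"), ("audio", "src"), ("video", "src"),
    ("link", "href"), ("form", "action"),
}

class InsecureRefFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for every http:// reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # line on which this tag starts
        for name, value in attrs:
            if (tag, name) not in LOADING_ATTRS or not value:
                continue
            # srcset is a comma-separated list of "url descriptor" entries
            entries = value.split(",") if name == "srcset" else [value]
            for entry in entries:
                url = (entry.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((line, tag, name, url))

def find_insecure_refs(html):
    """Return every insecure reference found in an HTML string."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (assumption): markup mixing http and https references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://example.co.uk/wp-content/themes/demo/style.css">
<script src="http://example.co.uk/wp-includes/js/old.js"></script>
</head><body>
<a href="http://example.co.uk/about/">About</a>
<img src="https://example.co.uk/a.jpg" srcset="http://example.co.uk/a-2x.jpg 2x">
<form action="http://example.co.uk/contact/" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_refs(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> still uses {url}")
```

Save a page's source from your browser and pass its contents to find_insecure_refs to list the lines that still need editing by hand.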

Force SSL using .htaccess

At this stage, you can check if SSL is working on your website. All pages should now be displaying the lock icon.

If you remove the s from https in the URLs for your pages, you will find that pages other than the homepage can still go back to http.

To fix this, you will need to force SSL in your .htaccess file.

Your .htaccess file is at the root of your website, e.g. in ‘public_html’.

It is a good idea to copy this file and rename it to create a backup before you begin.

Now edit it by putting the following lines of code at the top. It needs to go above the lines which start with # BEGIN WordPress to work.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Your .htaccess file will now look something like this:

[Image: htaccess file]

That’s it! Now if you try to type http://, it will automatically redirect to https://.