Moving a WordPress Website from HTTP to HTTPS/SSL(INSTRUCTION)


Google has recently announced that is will start using HTTPS as a ranking signal. This has implications for your website and whether it uses a HTTP or HTTPS protocols. For now, however,
it’s only a very lightweight signal affecting fewer than 1% of global search queries, and will carry less weight than other signals (such as high-quality content) so as to give website owners
ample time to switch to HTTPS.

In this article, we’ll look at the meaning and differences between SSL and HTTPS, how to install it and activate an SSL certificate and how to move WordPress from using the insecure HTTP communications protocols to the secured HTTPS.


SSL, Secure Sockets Layer, is the standard technology for making an encrypted link between a web server and a browser. This link makes sure that all data passed between the web server and browsers remain private and integral so it will prevent eavesdropping and any effort to tamper with your website. HTTPS on the other hand is the URI scheme which has identical syntax to the standard HTTP scheme, aside from its scheme token. Althought, HTTPS signals the browser to use an added encryption layer of SSL to protect the traffic. In summary, SSL is the standard that defines how connections are encrypted via HTTPS.

How SSL Works

Typically an SSL Certificate will contain your domain name, company name, address, city, state and country. It’ll also contain the expiration date of the certificate and details about the certification authority that was responsible for the issuance of said certificate. When the browser connects to a secure site it will retrieve the site’s SSL certificate and check that is has not expired, it has been issued by a certification authority the browser trusts, and that it is being used by the website that is linked too it. If any of these checks fail, the browser will display a warning to the end-user letting them know that the side is not secured by SSL.


Difference Between HTTP and HTTPS

There are lots of criteria that makes these two technologies seperate. Honestly, the three listed below are the major differences between HTTP and HTTPS.
URL Scheme : HTTPS URL’s always begin with HTTPS:// and use port 443 by default, whereas HTTP URLs begin with https:// and use port 80 by default.
Security : HTTP is insecure and is vulnerable to eavesdropping attacks, which can let attackers gain access to sensitive info of a website whilst HTTPS is designed to withstand and secure against attacks of this nature
Network Layers : HTTP operates at the highest layer of the TCP/IP model which is the Application layer.
SSL security protocol operates as a lower sub-layer of the very same TCP/IP template, however it encrypts an HTTP message prior to transmission and decrypts it upon arriving. Thus, HTTPS is not a separate protocol of itself, but refers to use of ordinary HTTP over an encrypted SSL connection.

Why Use HTTPS?

HTTPS is especially important over networks that are unencrypted (Such as Wi-Fi), and as anyone on the same local network can “packet sniff” and discover sensitive info.
How many times have you accessed a site on an open network and got unexpected ads?
When you serve your website’s content via HTTPS, you’re assured that noone will alter how they are received by users. If you are serious about doing business online, you really need SSL. It’s the best way to protect user data and defend against identity theft. Most customers will refuse to do business with a website that doesn’t have an SSL certification. Displaying your SSL Site Seal tells your customers that they can shop or use a website with confidence, knowing they’re protected.


Moving WordPress from HTTP to HTTPS

After you install WordPress to your blog, you have to set up the SSL. To make a website HTTPS, firstly get an SSL certificate for the domain, install it on the server and change the website permalinks from http to https.
A lot of WordPress sites are on shared-hosting servers with CPanel provided as the control panel hence a shared-hosting will be used as the base of this tutorial. If your website is on a dedicated server or VPS, this tutorial is still applicable but the process on getting it done varies with servers.
To follow along with this tutorial, ensure your shared-hosting has the option for SSL/TLS. If it’s not, contact your hosting provider and request it. They might charge to activate it.
To check if it is activated, login to cPanel and you should see an SSL/TLS manager under the Security widget.

Getting an SSL Certificate?

There are different kinds of SSL certificates. They are basically categorized into three main groups: Domain Validation, Organization Validation, Organization Validation and Extended Validation.

Domain-level validation is the most simple type of SSL and are generally the most affordable. These certificates provide basic encryption, are issued very quickly and involve a simple check to verify domain ownership. Organizaton-validated SSL certificates include authentication of the business or organization behind the domain, which provides a higher level of security and lets customers know they can trust your server with their personal info.
Extended validation is top of the line. With extended validation, the certifying authority does a very in-depth examination of your business before issuing the certificate. This type of SSL provides the highest degree of security and user trust. Here is a guide from Namecheap on what SSL certificate to choose. There are a lot of companies selling SSL Certificates online, such as, Media Temple, GoDaddy, Namecheap, and Comodo.


How to Activate an SSL Certificate?

Note: I bought my SSL certificate from Namecheap but the instructions remain valid regardless of the company you bought your SSL from.

The first step in activation of SSL certificate should be obtaining CSR code from your hosting company. To obtain the CSR code from an SSL activated shared-hosting account, follow the steps below:

1. Login to your cPanel account and navigate to the SSL/TLS Manager.

2. Click on the link below Certificate Signing Requests (CSR)

3. Fill out the form for the domain that you wish to create the SSL on and click the Generate button.

4. Your domain Encoded CSR should be generated and shown to you.

5. Head over to your SSL provider to get started with SSL activation. Enter the CSR code generated above in the provided CSR text area field, select the web-server your host is running on and click the Next button.

6. You will be prompted to enter your CSR information and to choose an approval email.

7. Provide your personal contact details. When done, submit the order. An approval email will be sent. Follow the instructions to validate your domain.

On completion of the validation, your SSL would be issued and sent to your email.

We need to get the SSL issued to you installed on your server. A dedicated IP address is required to be assigned to your cPanel account. If you cannot afford one, most cPanel hosting support Server Name Indication (SNI) – an extension to the TLS protocol that allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites.

Since the shared-hosting am using for my WordPress blog supports SNI, I decided to use it instead of buying a dedicated IP.

Note: There are several advantages of using a dedicated IP address over SNI. See this article for more information.

To install the SSL certificate, follow the guide below

1. At cPanel SSL/TLS Manager, click the link beneath Certificates (CRT)

Instal SSL cert cPanel
2. Upload the certificate (with .crt file extension) or past the certificate in the text area provided.

3. Activate the SSL for your site. Click on the link under Install and Manage SSL for your site (HTTPS).

Install SSL for your site
4. Select the domain from the drop-down list, click the Autofill by domain and finally click the Install Certificate button.

Configuring WordPress for SSL/HTTPS

Links in WordPress (such as image attachments, themes CSS and JavaScript files) are relative to the install URL.

To change WordPress from HTTP to HTTPS, the install URL must changed from say to

Login to your WordPress dashboard and navigate to Settings > General.
Ensure that the WordPress Address (URL) and Site Address (URL) are https. If not, add S after http to make https and save it.

To easily enable (and enforce) WordPress administration over SSL, the constant FORCE_SSL_ADMIN should be set to true in your site’s wp-config.php file to force all logins and all admin sessions to happen over SSL.

define(‘FORCE_SSL_ADMIN’, true);
The constant FORCE_SSL_ADMIN can be set to true to force all logins and all admin sessions to happen over SSL.

If your WordPress site uses a content delivery network (CDN) to serve its components (images, JavaScript, CSS style sheet), ensure the URLs are all https:// otherwise your website will be deem insecure by the web browser.


What’s Next?

Now that we’ve successfully moved WordPress to HTTPS, we still need to do two more things — set up a 301 permanent redirect and inform Google of the URL change.

To setup a 301 permanent redirect, FTP/SFTP to your server and add the code below at the top of WordPress’ .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^ [NC,OR] RewriteCond %{HTTP_HOST} ^ [NC] RewriteRule ^(.*)$$1 [L,R=301,NC] Change every instance of to your WordPress URL.

To inform Google about the change in URL, re-add your WordPress site to Google webmaster tool (but this time with https://) and follow this this guide to let Google know about the change of URL.

You can check your SSL website status using Qualys SSL Labs.


By completing this tutorial, you should be well equipped on understanding HTTPS and SSL, why you should make sure your site is secured with these technologies, and how to install it on your very own WordPress website. If you have any questions, suggestions or contributions, I would be happy to answer them in the comments.


0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments