Moving a WordPress site to HTTPS requires more than just installing an SSL certificate. Here is the full checklist including the database updates, redirects, and tools like SSL Insecure Content Fixer to handle remaining issues.
1. Install and Verify the SSL Certificate
Most hosts provide free Let’s Encrypt SSL certificates through their control panel. Install one for your domain, covering both the www and non-www versions. After installation, verify that it works by visiting https://yourdomain.com directly. The browser should show a padlock without errors. Use SSL Labs at ssllabs.com/ssltest to check the certificate grade and configuration.
2. Update WordPress URLs
Go to Settings, then General. Change WordPress Address (URL) and Site Address (URL) from http:// to https://. Save. Your site will now use HTTPS for all WordPress-generated URLs. If you get locked out after this change, add these lines to wp-config.php temporarily:
define( 'WP_HOME', 'https://yourdomain.com' );
define( 'WP_SITEURL', 'https://yourdomain.com' );
3. Update HTTP to HTTPS in the Database
Old content in the database has hardcoded http:// URLs. Use Better Search Replace to update them. Go to Tools, then Better Search Replace. Search for http://yourdomain.com, replace with https://yourdomain.com. Run a dry run first, then apply to all tables. This updates post content, post meta, options, and other stored URLs. Do this on a backup — always.
4. Set Up HTTP to HTTPS Redirects
After updating WordPress, set up server-level redirects to send all HTTP traffic to HTTPS. In .htaccess (Apache) add:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If on Nginx, add to the HTTP server block: return 301 https://$host$request_uri;
On Cloudflare, enable Always Use HTTPS under SSL/TLS, then Edge Certificates — this handles the redirect at the CDN edge.
5. Install SSL Insecure Content Fixer
Despite the database update, some HTTP URLs may remain in plugin and theme output that is not stored in the database. Install SSL Insecure Content Fixer and set it to Simple. Then check whether the main mixed content issues are resolved; if warnings remain, escalate to a higher fix level.
6. Update Google Search Console
Add the HTTPS version of your site as a new property in Google Search Console if it is not already there. Submit a new sitemap from the HTTPS property. Google treats HTTP and HTTPS as separate sites — the HTTPS version needs its own property for Search Console data.
7. Update Google Analytics
In Google Analytics (GA4), go to Admin, then Property Settings, and ensure the default URL includes https://. In older UA properties, go to Admin, then Property Settings and update the Default URL field.
8. Update External Links
Any external sites linking to your HTTP URLs will eventually follow the 301 redirect to HTTPS. This is automatic, but if you control any of those sites (your own social profiles, other websites), update the links to point directly to https:// to skip the redirect step.
9. Test Thoroughly
After the migration: check the homepage, several posts, shop pages, checkout, and account pages. Verify the padlock is present on all pages. Check DevTools Console for any remaining mixed content warnings. Test on mobile. Check that login and form submissions work correctly over HTTPS.
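To complement the DevTools check, the page source can be scanned for subresources still requested over http://. The script below is an added example, not part of the original checklist; the sample HTML is constructed, and the tag and attribute list is an assumption covering common cases rather than every way a browser can load a resource.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch a subresource. <a href> is left out:
# a link to an http:// page is navigation, not mixed content.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",),
    "embed": ("src",), "object": ("data",), "form": ("action",),
}
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}
HTTP_URL = re.compile(r"http://[^\s\"')>,]+", re.IGNORECASE)

# Constructed sample page (yourdomain.com is the article's placeholder domain).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://yourdomain.com/">
<script src="https://yourdomain.com/wp-includes/js/jquery.js"></script>
</head><body>
<a href="http://example.org/">external link</a>
<img src="https://yourdomain.com/a.jpg" srcset="http://yourdomain.com/a-2x.jpg 2x">
<div style="background:url('http://yourdomain.com/bg.png')"></div>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def _record(self, tag, attr, value):
        for url in HTTP_URL.findall(value or ""):
            self.findings.append((self.getpos()[0], tag, attr, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCH_ATTRS.get(tag, ())
        if tag == "link" and set((attrs.get("rel") or "").lower().split()) & LINK_RELS:
            names = ("href",)
        for name in names + ("style",):  # style covers inline url(http://...)
            self._record(tag, name, attrs.get(name))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Run it against the saved HTML of each page type you test (homepage, post, checkout). It does not fetch external CSS or JavaScript files, so http:// references inside those still need the DevTools Console check.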
For full HTTPS migrations on complex WordPress sites including multisite networks and WooCommerce stores, a WordPress developer can handle the complete migration with minimal downtime.