WordPress HTTPS



Currently Google’s Chrome browser puts an “i” in the middle of a circle in front of a websites url address if they are not running the HTTPS protocol. This has gone unnoticed by a lot of people. You need to click on the circle to see the message that says the website is not secure. However, in July 2018 Google will step-up the pressure to get website to move to HTTPS by adding the words “Not Secure” in the website URL line. This is sure to get attention. Visitors will quickly flee from websites that are marked “Not Secure”. Couple this with the fact that Google is ranking websites running HTTPS higher in search results than websites who are still using HTTP,  it is clear that it is time for all websites to move from HTTP to HTTPS.

In this post I will focus on describing the steps to make this change. I have used these steps to change a lot of WordPress website from HTTP to HTTPS with success. However, every website is different and you may need to do things differently. If this is helpful, please let me know. If you need to take different steps please share so it can help others.

1. Dedicated IP address

A dedicated IP address is a unique IP addresses for your domain name. For example if you type it will take you to https://www.google.com. This is their dedicated IP address that uniquely identifies the domain name google.com. When using HTTPS protocol you need to uniquely identify your domain name so the proper SSL certificate can be severed.

Depending on your hosting account you may need to purchase a dedicated IP address. You will then need to assign the dedicated IP address to your website in your host account and update your domain name’s DNS to point to your dedicated IP address. The timing of these updates is important. Until your DNS is fully propagated some people may still get your old IP address and will not be able to access your website.

2. SSL Certificate

You need to purchase a SSL (Secure Sockets Layer) certificate and install it in your host account. A SSL certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. There are many providers and types of SSL certificates available. The key is to make sure that you are purchasing a SSL certificate from a reliable provider and select the type of SSL certificate that best meets your needs.  If you are hosting your website from a quality host provider then it may be easiest to purchase a SSL certificate through them.

Once you purchase the SSL Certificate it is important that you pay close attention to all email messages and follow the instructions carefully to install the SSL certificate correctly.  File any email messages and instructions in a safe place for future reference.

When the SSL certificate is installed properly, you should be able to visit your site at either HTTP or HTTPS and have it come up fine.  But you are far from done, keep reading.

3. Back Up your Website

Do a complete (database and files) and store the back-up in a safe place in case you need to restore the website.

4. Force HTTPS in WordPress Admin

To force HTTPS in the WordPress admin area, put this line in your wp-config.php file at the root of your WordPress install:

define(‘FORCE_SSL_ADMIN’, true);

Test that this is working by going to https: followed by //yoursite.com/wp-admin/ or use your custom url login path (be sure to change the HTTP to HTTPS). If that work then continue to the next step. If it does not work remove the line from your wp-config.php file and make sure your SSL certificate is properly installed.

5.Change WordPress Address (URL) and Site Address (URL) from HTTP to HTTPS

In your WordPress Admin go to Settings -> General. Change both the WordPress Address URL and the Site Address URL from HTTP to HTTPS. Save Your Changes.

url https

6. Change Your Existing URLS To HTTPS

It is highly likely that you have URLs specified as http://yourdomainname throughout your website. We need to change them to https://yourdomainname in order to avoid mixed content errors (see more on Mixed Content Warnings below).

Install the WordPress Plug-in “Search & Replace” by Inpsyde GmbH. It can be found at: https://wordpress.org/plugins/search-and-replace/

Once the Search & Replace plug-in is installed and activated in your WordPress Admin go to: Tools -> Search & Replace

On the Backup Database tab. Create a backup of your database by clicking “Create SQL File”. Then download the SQL file and store it in a safe place in case you need to restore your data base. Note: in a future step you will create a SQL file that will be used to change the domain name from HTTP to HTTPS. This file will have the same name as the database back-up so it is important that you store the database back-up in a location so you do not confuse the two files.

On the Search & Replace Tab. You will now change all of the domain name urls from http to https.

“search for” enter : http://yourdomainname

“replace with” enter: https://yourdomainname

Click on “Select all tables”

Make sure “Dry Run” is clicked on so you can review your results to make sure that the changes look correct. Once the dry run is finished the dry run details will be displayed above the tabs.

change url WordPress

Click on View details. Review the results to make sure the new urls look as you expected. If they do, then close out of the details file and you will go back to the Search & Replace tab.

Now you are ready to create the SQL file to make the database changes.

Click on “Select all tables. You will need to click this on again or you will not get any results.

Click off “Dry Run”

Click on “Export SQL file with changes”. A SQL file that contains the changes will be created. Note: The plug-in will not allow you to change the domain name directly to the database.

Download the SQL file with the database changes. Make sure not to override the SQL file that contains your database back-up.

On the SQL Import tab. Select the SQL file with the changes and click on Import SQL file. Try not to freak out as this can take a bit of time. Once the import completes you will receive a message above the tabs that hopefully says the SQL file was successfully imported. You can also use phpMyAdmin to import the file if you prefer.

SQL Import

Note: I recommend that you remove the Search & Replace plug-in when you are done.

7. Verify Your Website Is Fully HTTPS

While viewing all pages on your website you should see a green lock with the words Secure and https://yourdomainmane in the URL area

secure https

If you do not see this, make sure you entered https://yourdomainname and not http:// and try again. Still no green lock – go to step 8.

8. No Green Lock

If you do not have a green lock then you most likely will have a circle with an i in the middle – info icon. This means that you are not fully HTTPS yet. You will need to fix the URLs that are not HTTPS.

If you are using Chrome as your browser click on the info icon and then click on the details. You will most likely see “mixed content” and “blocked” information. The information detail will tell you which page on your website was trying to load an insecure url. The insecure url is using HTTP and not HTTPS. I find that this often occurs if images are being loaded in widgets or TablePress where the full path to the image was specified. The full path will contain HTTP and unfortunately the Search & Replace plug-in does not change these URls to HTTPS for you.  I am sure there a lot of other places where the HTTP protocol can be lingering, so the only thing to do is read through the warning file and fix all of them.