SSL security on WordPress, switch to HTTPS

This year we started with offering SSL Security on our wordpress installations. There’s a few reasons for that. Besides the obvious, which is to provide additional security and encryption, we also learned that Google will rank HTTPS over HTTP. And since my customers ask us a lot to help out and advice on their Google ranking this is enough of an incentive to start rolling out SSL security.
This article explains the steps to take with your WordPress installation after you get the SSL certificate installed. It does not cover the SSL certificate installation on your domain, you will need to contact your hosting for that.

Below the steps you need to take to do the switch yourself manually, without the need for any plugin.
After I figured this out I was looking for the way to do this on a WordPress Multisite installation, and ran into a plugin which could have saved me all the effort: Really Simple SSL by Rogier Lankhorst. If you want your full site secured, all pages, then this plugin will do it for you with a single click. No hassle.

Switching WordPress from HTTP to HTTPS

There’s a few things to do with your wordpress installation after you had the SSL security certificate installed on your domain. The first thing you should do is make sure you have a back-up of your files and database, as any of these steps will make your site unavailable when something goes wrong.
The SSL Security certificate installment is not in the scope of this article, in most cases you’ll need your hosting provider to arrange this for you. Next steps involve WordPress modifications.
This will cause downtime, not long, but still may have impact on your visitors, so do this on a quiet moment.

.htaccess file modification

You’ll find your .htaccess file in the root of your domain on the server. You can edit this file with a text editor, or, if you have the SEO plugin by Yoast installed you can use the file editor from Yoast. You can find this under SEO – Tools.

At the top of the .htaccess file, before anything else, add these 3 lines:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This will make sure all content and pages are redirected from http to https.

WordPress URL in General Settings

Next step: from your dashboard, in Settings – General change the entries for the WordPress Address and Site Address from http to https.

SSL security, switch to https


If you visit the site after this your URL should already display https, but you most likely will get errors when visiting your pages, the padlock on top may not be green, giving warnings of mixed content, or your site may not show at all in extreme cases, telling you there are too many redirects. Which is why you should check and perform the next 2 steps.

WooCommerce SSL enforce

WooCommerce has a setting that can enforce the use of of SSL. You can find this under WooCommerce – Settings – Checkout. Make sure the ‘Force secure checkout’ box is checked, and the ‘Force HTTP when leaving’ is absolutely NOT checked.

SSL security, switch to https


Database Search replace http://

Last step, this one involving running database changes to ensure all site content is displayed as secure. If you still had a warning next to the padlock complaining about mixed content, or images not showing, this should solve that bit. I mentioned to back-up your database, if you did not do this already, please do it now.

What you need to do is run a search and replace on the database. WordPress stores most links to images and posts in your database in an absolute format with the full domain name, including the http:// bit in front.
You want to remove the http:, and leave just the preceding slashes //, so the page will display all content as intended by the security settings.
I use a stand-alone tool, the  DATABASE SEARCH AND REPLACE by Interconnect IT.
With this I can replace all HTTP:// with // in 10 seconds on a MySQL database of around 20MB.

When done your website should be all fine, and up and running with a green padlock, and https.

      SSL security, switch to https

SSL security still not ok after these steps?

Above worked for me, but there’s a few occurrences where things still may not be 100%.

Mixed content warnings

If you still get mixed content warnings this might be due to a plugin using scripts in http instead of https.
You can use the inspector in the firefox or chrome browsers to check the page for any http entries, mostly you’ll find the plugin responsible  within the content. Then you can fix it, or contact the plugin owner to see if they can modify their plugin.

It also might be that you are using images in a folder outside wordpress, still linked with http instead of https.
Best import all images to your library, and replace the external images with the library versions.

It may also happen that the security certificate is not installed correctly (I heard this quite a lot). Contact your provider for support and ask them to check.

SSL Security installation on WordPress Multisite

I was trying to figure out how to manage the SSL security set up on our subdomains on our Multisite,, when I came across the wordpress plugin Really Simple SSL by Rogier Lankhorst.
I could have saved all above steps, as this plugin does everything described above with a single click. Also on Multisites. Install the plugin, Network enable it, and then a single visit to the dashboard of the sub-sites will give you the message ‘SSL detected and activated’.
Very neat 🙂
Do read the documentation on the plugin Multisite, and on how to roll back, as depending on theme or server configuration it might not work for you. For me, on WP 4.4.1 it worked fine!

Famous last words

Always make a full back-up of your files and database before you start this.

If you want to switch to https, but are not comfortable with any of these steps you may want to hire someone to do this for you.

I hope this explanation helped to initiate the SSL Security on your wordpress site, and no errors occurred. Feel free to use the comments in case of any recommendations.