In-Depth HTTP to HTTPS Migration Guide for WordPress

By Brian Jackson Updated on August 28, 2018

As of July 24th, 2018, Google Chrome is now be marking all non-HTTPS sites as “Not Secure.” Regardless of whether they collect data or not. This is why HTTPS is more important than ever!

In today’s post we are going to dive deep into a HTTP to HTTPS migration and share applicable tips to hopefully make the transition for your WordPress site as smooth as possible. As some of you may know, Google has been working hard on their objective of moving everyone to a more secure web. For WordPress site owners it is always great if you can be proactive. Because of new protocols, SEO benefits, and even more accurate referral data, there has never been better time to migrate to HTTPS. Find out more of the why and how below.

What is HTTPS?

HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that allows your browser or web application to securely connect with a website. HTTPS is one of the measures to help keep your browsing safe and secure. This includes things like logging into your banking website, capturing credit card information, and even logging to the back-end of your WordPress site. HTTPS on your WordPress website requires that you have an SSL certificate for encryption. This ensures that no data is ever passed in plain text.

Still looking for that perfect WordPress host?

At Kinsta, we do hosting different than the rest. We’ve combined the fastest platform in the world (Google Cloud) with the best support team in the industry. Ready to take your site the next level?

According to Builtwith, as of February 2018, 49.8% of the top 10,000 websites are using HTTPS. That is up from 5.68% back in September 2015.

Top websites HTTPS usage

Top websites HTTPS usage

As of February 2018, MozCast is reporting over 77% of search queries are over HTTPS, up from 26% in January 2016. That means there are a lot of sites migrating from HTTP to HTTPS.

MozCast HTTPS queries

MozCast HTTPS queries

Even Google themselves is pushing for that 100% encryption mark across all their products and services. As of January 2018 around 91% of traffic to Google is over HTTPS. That is up from 48% back in December 2013.

HTTPS traffic at Google

HTTPS traffic at Google

And according to Firefox telemetry data and Let’s Encrypt stats, over 66% of page loads are now HTTPS.

Why Should You Care About HTTPS?

There are actually quite a few reasons why WordPress website owners should care about HTTPS and think about migrating from HTTP to HTTPS now rather than later.

1. Security

Of course, the biggest reason for HTTPS is the added security. By migrating from HTTP to HTTPS you are now serving your website over an encrypted SSL/TLS connection. This means that data and information is no longer passed in plain text. For eCommerce sites that process credit card information, this is a must have. It is not technically required by law, but it is your responsibility as a business to protect your customer’s personal data.

Besides eCommerce, this can even be applicable to your WordPress login pages on blogs. Especially for those of you running multi-author WordPress websites, if you are running over HTTP, every time a person logs in, that information is being passed to the server in plain text. HTTPS is absolutely vital in maintaining a secure connection between a website and a browser. This way you can better prevent hackers and or a middle man from gaining access to your website.

2. SEO

Google has officially said that HTTPS is a ranking factor. While it is only a small ranking factor, most of you would probably take any advantage you can get in SERPs to beat your competitors. And because of Google’s push for everyone to migrate to HTTPS, you can bet that the weight of this ranking factor will most likely increase in the future. Here is a great article on the impact of TLS/SSL on rankings.

And just look at some of the other data surrounding SEO and HTTPS! Matthew Barby did an analysis of 1 million URLs and found that over 33% of all pages ranking 1, 2 or 3 in Google use HTTPS.

https usage vs google ranking

HTTPS usage vs Google ranking

3. Trust and Credibility

According to a survey from GlobalSign, 28.9% of visitors look for the green address bar in their browser. And 77% of them are worried about their data being intercepted or misused online.

https address bar

HTTPS can help your business by building what we call SSL trust. By seeing that green padlock, customers will instantly have more peace of mind knowing that their data is more secure.

4. Referral Data

This reason is for all of you marketers out there. If you use Google analytics you are probably familiar with referral data. What a lot of people don’t realize is that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? Well, most of it is just lumped together with the “direct traffic” section. If someone is going from HTTP to HTTPS the referrer is still passed.

This is also important because if your referral traffic has suddenly dropped but direct traffic has gone up it could mean one of your bigger referrers has recently migrated to HTTPS. The inverse is also true. Check out this more in-depth guide from Moz on direct traffic.

5. Chrome Warnings

As of July 24th, 2018, versions of Chrome 68 and higher are marking all non-HTTPS sites as “Not Secure.” Regardless of whether they collect data or not. This is why HTTPS is more important than ever!

Chrome 68 not secure

Chrome 68 not secure

And with Chrome 70 coming October 2018, they will be marking all non-HTTPS sites as “not secure” with a big red warning (on pages where users enter data).  This is especially important if your website gets’s a majority of its traffic from Chrome. You can look in Google Analytics under the Audience section in Browser & OS so see the percentage of traffic your WordPress site gets from Google Chrome.

Chrome not secure red warning

Chrome not secure red warning (Image source: Google)

Chrome holds over 56% of the browser market share, so this is going to impact a lot of your visitors. You can also check which browsers your visitors are using in Google Analytics under “Audience > Technology > Browser & OS.” As you can see in this example below over 63% of visitors to the site are using Google Chrome.

Chrome usage from visitors

Chrome usage from visitors

Google is making it a lot more clear to visitors that your WordPress website might not be running on a secured connection. Here are some tips from Google on how to avoid the warning.

Firefox also followed suit and starting with the release of Firefox 51 back in late January, they too will show a gray padlock with a red line through it for non-secure sites that are collecting passwords. And of course, if you migrate your entire site to HTTPS, then you don’t have to worry about this.

firefox non-secure grey padlock

Firefox not secure warning

You might also start getting the following warnings from Google Search Console if you haven’t migrated over to HTTPS yet.

To: owner of

The following URLs include input fields for passwords or credit card details that will trigger the new Chrome warning. Review these examples to see where these warnings will appear, and so you can take action to help protect users’ data. The list is not exhaustive.

The new warning is the first stage of a long-term plan to mark all pages served over the non-encrypted HTTP protocol as “Not Secure”.

6. Performance

And last but not least, we have performance. Because of a new protocol called HTTP/2, a lot of times, those running properly optimized sites over HTTPS can even see speed improvements. HTTP/2 requires HTTPS because of browser support. The improvement is performance is due to a variety of reasons such as HTTP/2 being able to support better multiplexing, parallelism, HPACK compression with Huffman encoding, the ALPN extension, and server push. There used to be quite a bit of TLS overhead when it came to running over HTTPS, but that is now a lot less. TLS 1.3 which is coming out soon will speed up HTTPS connections even more!

It is also important to note that web performance optimizations such as domain sharding and concatenation can now actually harm your performance. These are obsolete and for the most part should no longer be used.

Everything on the web should be encrypted by default. –  Jeff Atwood, Co-founder of Stack Overflow

HTTP to HTTPS Migration Guide

Now it is time to get down to the fun part, migrating your WordPress site from HTTP to HTTPS. Lets first go over some of the basic requirements that you will need and some things to be aware of.

  • You will need an SSL certificate. We will go more into detail about this below.
  • Double check to ensure that your WordPress host and CDN provider supports HTTP/2. Kinsta has HTTP/2 support for all of our customers. This is not required, but you will want this for performance.
  • You will want to set aside a good block of time to do your HTTPS migration. This isn’t something that can be done in 5 minutes.
  • Double check to ensure that all external services and scripts you use have an HTTPS version available.
  • It is important to know that you will lose social share counts on all your posts and pages unless you use a plugin that supports share recovery. This is because your share counts are based on an API that was looking at the HTTP version, and you have no control over 3rd party social networks.
  • Depending upon the size of your site, it may take Google a while to re-crawl all of your new HTTPS pages and posts. During this period you could see variations in traffic or rankings.
  • Don’t forget about local citations.
We recommend turning off your CDN integration and disabling any caching plugins before beginning, as these can complicate matters.

1. Choosing an SSL Certificate

The very first thing you will need to do is purchase an SSL certificate if you don’t have one. Google recommends using a 2048-bit key certificate or higher. We recommend you buy certificates from vendors such as Comodo, DigiCert, GeoTrust, Thawte, Rapidssl or Trustwave. But there are also cheaper alternatives such as GoGetSSL, NameCheap, and GoDaddy. There are three primary types of certificates you can choose from:

  • Domain Validation: Single domain or subdomain, (email or DNS validation), issued within minutes. These can typically be bought for as low as $9 a year.
  • Business/Organization Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 1-3 days.
  • Extended Validation: Single domain or subdomain, requires business verification which provides higher level of security/trust, issued within 2-7 days. This enables the full green bar like you see on banking websites.

Let’s Encrypt

As of April 2016, Let’s Encrypt also created a way to get free SSL certificates. Check with your WordPress host and CDN provider to see if they have a Let’s Encrypt integration. You can also follow the Certbot guide on how to install them manually. Let’s Encrypt certificates expire every 90 days so it is important to have an automated system in place.

If you are Kinsta customer, we now have a Let’s Encrypt integration! This means installing an SSL certificate is as easy as 123. Login to your MyKinsta dashboard and click on “Manage” next to your WordPress site.

Manage WordPress site

Manage WordPress site

Click into “Tools” and under Enable HTTPS select “Add Let’s Encrypt Certificate.”

Add Let's Encrypt certificate

Generate Free HTTPS certificate

You will then have an option to choose the domains on which you want an SSL certificate installed. If your site is and has a redirect from www to non-www, you will still want to select both for the HTTPS redirect. Click on “Generate.” (Note: You will need to add all of your domains prior to this from the MyKinsta dashboard, including any subdomains which require SSL)

HTTPS credentials domains

HTTPS credentials

And that’s it! It will take a few seconds or so to install and your site should be all secured.

2. Installing a Custom SSL Certificate

If you have purchased an SSL certificate, you need to install the SSL certificate on your WordPress site. When going through the certificate setup with the vendor, you are asked to provide the server type. If you are a Kinsta customer, the type of our web servers is Nginx, if that option is not available, then “Other” will work as well.

A CSR code will be needed by the SSL provider to create/sign the certificate file. For generating a CSR code and RSA key, please complete the following form:

We recommend filling out every field, but at a minimum, you should fill in the following as seen in the example below:

  • Common name (domain name)
  • Email Address
  • Organization
  • City / Locality
  • State / County / Region
  • Country

Note: For the common name field, if you are generating a wildcard certificate, you will need to input your domain name like *

Generate CSR form

Generate CSR form

The form will generate you the private key file and the CSR. Make sure to save both of those as the certificate will be unusable without them.

CSR and private key

CSR and private key

Upload your CSR with your SSL provider to regenerate your SSL certificate (.cert).

You will then need to go to your WordPress host and give them the certificate and private key. If you are a Kinsta customer you can log in to the dashboard, click on a site, go to the Tools tab and under Enable HTTPS select “Add Custom HTTPS Credentials” to get started.

Install SSL certificate on WordPress

Install custom SSL certificate on WordPress

You’ll will then be able to add your private key and certificate right there.

Apply certificate

Apply certificate

3. Verify Your SSL Certificate

So now you have your SSL certificate installed, you should verify it to ensure everything is setup correctly. A quick and easy way to do this is to use the free SSL check tool from Qualys SSL Labs. If everything is right, you should get an A letter grade in the test, as seen below.

ssl check a grade

Check SSL certificate grade

Check out our more in-depth tutorial on how to perform an SSL check.

4. Redirect HTTP to HTTPS

After you have verified your SSL certificate, the next thing you need to do is permanently redirect all the HTTP traffic to HTTPS. There are a couple different options you have when choosing to redirect HTTP to HTTPS in WordPress. One is to do it at the server level (recommended) or you can do it with a free WordPress plugin. Note: Our examples all include a 301 redirect directive which is the correct way to implement it in regards to SEO. Using a different type of redirect could harm your rankings. It is also important to be aware that 301 redirects might not pass 100% of the link juice, even though Google might say they do. Check out this post from Cyrus over at Moz regarding HTTPS migrations and 301 redirects.

Redirect HTTP to HTTPS in Nginx

redirect http to https in nginx

If your web server is running Nginx, you can easily redirect all of your HTTP traffic to HTTPS by adding the following code to your Nginx config file. This is the recommended method for redirecting WordPress running on Nginx.

server { listen 80; server_name; return 301$request_uri; }

We use Nginx for everyone here at Kinsta. The great news is that you don’t have to worry about this. If you need to add a redirect simply open up a quick support ticket and let us know which domain you need redirected. We then add it to the Nginx config for you.

Redirect HTTP to HTTPS in Apache

redirect http to https in apache

src: Apache Software Foundation

If your web server is running Apache, you can easily redirect all of your HTTP traffic to HTTPS by adding the following code to your .htaccess file. This is the recommended method for redirecting WordPress running on Apache.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

None of Kinsta’s servers are running Apache.

Redirect HTTP to HTTPS with Really Simple SSL Plugin

The third option you have to redirect from HTTP to HTTPS is to use the free WordPress Really Simple SSL plugin. We don’t recommend this method as a permanent solution because 3rd party plugins can always introduce another layer of problems and compatibility issues. It is a good temporary solution, but you should really update your hard-coded HTTP links as we will show you in the next step.

really simple ssl plugin

Really Simple SSL plugin

Implement HSTS Header (optional)

HSTS (HTTP Strict Transport Security) is a security header which you add to your web server that forces the browser to use secure connections when a site is running over HTTPS. This can help prevent man-in-the-middle attacks (MitM) and cookie hijacking. You can use the above 301 redirects along with the HSTS header. Check out our in-depth article on how to add HSTS.

5. Check For Too Many Redirects

After you add a redirect from HTTP to HTTPS you should double check to ensure you don’t have too many redirects. This problem is quite common and can affect the speed of your WordPress site. You can use Patrick Sexton’s Redirect mapper tool to easily see how many redirects are happening on your site. Here is an example below of redirects that are not setup correctly which are easily spottable using the redirect mapper. You can see that there are duplicate HTTPS redirects happening on both the www and non-www versions.

redirects not setup correctly

Redirects not setup correctly

Here is an example of redirects setup correctly. As you can see there is only one redirect happening.

redirects setup correctly

Redirects setup correctly

Check out our in-depth post on WordPress redirects and best practices for faster performance.

6. Update Hard-coded HTTP Links

Now that you have redirects in place it is time to fix all those hard-coded HTTP URLs. Generally, it is not recommended to hard-code URLS but most likely over time you probably have, we all do it. Below are a couple options you have for updating your HTTP links to HTTPS.

Option 1 – Kinsta Search and Replace Tool

If you’re a Kinsta client, we have an easy to use search and replace tool in our MyKinsta dashboard.

Kinsta search and replace tool

Kinsta search and replace tool

Here are simple steps to update from HTTP to HTTPS URLs:

  1. Enter in the search field the value you want to search for in the database, which in this case is our HTTP domain:
  2. Enter in the replace field the new value that should be used to replace the value that you are searching for. In this case it is our HTTPS domain,
  3. Ensure the “Dry Run” option is selected first, as this will count how many replacements will be made without actually making the replacements. Then click “Replace.”
  4. You can then run “Replace” again without Dry Run selected to make the changes in the database.
Confirmation on live search and replace

Confirmation on live search and replace

Check out our search and replace tutorial for additional details.

Option 2 – Better Search Replace Plugin

Another easy method you can use is a free plugin called Better Search Replace, by the awesome WordPress team over at Delicious Brains.

Struggling with downtime and WordPress problems?

Kinsta provides an all-in-one hosting solution designed to save you time! Let us handle the nitty-gritty stuff (caching, backups, etc.), and you focus on what you do best, which is growing your business.

Check out our features
better search replace options

Better search replace options

Option 3 – interconnect/it Search Replace DB PHP Script

A third option you have for running a WordPress search and replace is to use a free PHP script from interconnect/it called Search Replace DB. This is one of our favorite tools to use with any HTTP to HTTPS migration.

Important! Using this script could break your WordPress website if you don’t know what you are doing. If you are not comfortable doing this, please check with a developer or your web host first.

To use the script, simply download the zip file, extract the folder called search-replace-db-master, and rename it to something secret of your choosing. In our example, we renamed it to update-db-1551. Then upload it via FTP, SFTP, or SCP to your web server’s public directory. This is typically the same directly that contains your /wp-content folder. Then navigate to your secret folder in your browser, such as

interconnect search replace script

Interconnect search and replace script

The script will automatically attempt to find and populate the database field but you must check that the details are correct and that it is for the database you wish to carry out a search/replace operation on. You can click on “dry run” first to see what it will be updating/replacing. Then when you are ready click on “live run” which will perform the database updates and the WordPress search and replace.

And example for an HTTPS migration would be to replace “” with “”

search replace options

Search replace options

It is also very important due to security reasons that you delete this script after you are done! You can click the “delete me” button. It you don’t, it could leave your website open to attacks. It is also recommended to double check on your web server and confirm that the folder/script has been completely removed. Note: This script will update all of your entries in your database, including your WordPress Site URL, hardcoded links on pages and posts, etc.

If you hard-coded your home, site, or WP content areas in your wp-config.php file, ensure to update them to HTTPS.

define('WP_HOME', '');
define('WP_SITEURL', '');
define( 'WP_CONTENT_URL', '' );

If you have a CDN and use a CNAME, such as, you will probably also want to run the script above a 2nd time to do a find for any hard-coded URLS and replace them with

Option 4 – Search and Replace with WP-CLI

For you more tech-savvy folks and developers that don’t like to leave the command line, you can also update your links using WP-CLI. We recommend checking out this advanced search and replace WP-CLI guide.

7. Update Custom Scripts and External Libraries

Now that you have your old hard-coded URLs updated you will want to check any custom scripts or external libraries that you might have added in your header, footer, etc. This could be things like Google jquery, Font Awesome, CrazyEgg, AdRoll, Facebook, Hotjar, etc. An example for Google jquery, you would simply update it to point to the HTTPS version:

<script src=""></script>

Pretty much every provider and or service should have an HTTPS version that you can switch to.

8. Migrate CDN From HTTP to HTTPS

Next, if you are using a CDN you will want to also migrate that to HTTPS otherwise you will run into mixed-content warning issues on your WordPress site. If you’re using Kinsta CDN you can skip this step as everything runs from our CDN over HTTPS by default.

But here are some useful links and tutorials on how to install and setup SSL for different third-party CDN providers. Note: Some of them even have a Let’s Encrypt integration, which means SSL is free. You can always check with your CDN provider to help with your HTTP to HTTPS migration if you have problems.

Once you have the CDN updated you will want to make sure and update that in whatever WordPress plugin you are using for integration. In this example below we are using CDN Enabler and we simply flip the URL over from HTTP to HTTPS, and enable the CDN HTTPS option at the bottom.

change cdn to https

Change CDN to HTTPS

9. Check Your Website For Mixed Content Warnings

Next you will want to do a final check on your WordPress site to ensure you aren’t getting any mixed content warnings. These warnings appear when you are loading both HTTPS and HTTP scripts or content. You can’t load both. When you migrate to HTTPS, everything needs to be running over HTTPS. Wired documented their transition from HTTP to HTTPS and a snag they ran into:

“[…] one of the biggest challenges of moving to HTTPS is preparing all of our content to be delivered over secure connections. If a page is loaded over HTTPS, all other assets (like images and Javascript files) must also be loaded over HTTPS. We are seeing a high volume of reports of these “mixed content” issues, or events in which an insecure, HTTP asset is loaded in the context of a secure, HTTPS page. To do our rollout right, we need to ensure that we have fewer mixed content issues—that we are delivering as much of’s content as securely possible.”

Below are some examples of what happens in the browsers if you don’t fix these warnings.

Chrome Mixed Content Warning Example

Here is an example of what happens in Chrome when a mixed content warning fires.

chrome mixed content warning

Chrome mixed content warning

Firefox Mixed Content Warning Example

Here is an example of what happens in Firefox when a mixed content warning fires.


Firefox mixed content warning

Internet Explorer Mixed Content Warning Example

Here is an example of what happens in Internet Explorer when a mixed content warning fires. As you can see, IE is probably one of the worst because it actually breaks the rendering of the page until the popup is clicked.


IE mixed content warning

There is a great free little tool called SSL Check from JitBit which you can run to easily scan your website or URL for non-secure content. The tool will crawl your HTTPS WordPress site and search for non-secure images, scripts and css-files that will trigger a warning message in browsers. The number of pages crawled is limited to 200 per website.

You can also use Chrome DevTools to do a quick check on any page by looking at the network requests panel. The security panel is also actually quite useful. You can immediately see any non-secure origins and then click into the requests to see what they are coming from.

chrome dev tools https

Check HTTPs in Chrome Devtools

There is also desktop software called HTTPS Checker which you can install and scan your site. It can help you check for “not secure” warnings and content after big changes. It is available on Windows, Mac, and Ubuntu. The free plan allows you to check up to 100 pages.

https checker software

HTTPS checker software

10. Update Google Search Console Profile

Now that you have your WordPress site up and running on HTTPS and hopefully no warnings, it is time to dive into some of the marketing side of things. Some of these are very important, so don’t skip these! The first thing you will want to do is create a new Google Search Console profile for the HTTPS version.

google search console https

Add HTTPS property in GSC

After you have created the new HTTPS version you will want to re-submit your sitemap files, the now HTTPS versions.

https sitemap file

HTTPS sitemap file

If you have a disavow file from bad backlinks or a penalty you will need to resubmit this. Not everyone will have one of these. This is very important! If you don’t do this you could permanently harm your site. Go to Google’s Disavow Tool and click into your original HTTP profile. Download the disavow file if it exists. Then go back to the tool again and submit your disavow file under the HTTPS version.

Note: After you have all this done you can safely delete the HTTP profile in Google Search Console.

11. Bing Webmaster Tools

Bing Webmaster Tools is a little different than Google Search Console. You don’t actually need to create a new HTTPS profile, instead just submit your newly created HTTPS sitemap.

bing webmaster tools https

Bing Webmaster Tools HTTPS

12. Google Analytics

Next you need to update your Google Analytics property and view. This won’t affect your analytics data it will simply help when linking your site to Google Search Console, etc. To update your property click into your domain property settings and under the default URL, change it to the HTTPS:// version.

https google analytics property

Update Google Analytics property to HTTPS

To update your view click into your domain view settings and under the Website’s URL, change it to the HTTPS:// version.

https google analytics view

Update Google Analytics view to HTTPS

You will also want to re-link your newly created Google Search Console profile that you created in Step 8 with your Google Analytics account. To do this click into your domain’s property settings, go down and click on “Adjust Search Console.” You can then link your new HTTPS GSC profile. By linking these together it enables search queries data to flow into your Google Analytics account.

link google analytics search console

Link Google Analytics to GSC

13. YouTube Channel

If you have a YouTube channel you will want to re-associate your website with your new HTTPS version in Google Search Console. Otherwise, you will get errors with annotations and other things in YouTube complaining about the HTTPS link being invalid. In your YouTube dashboard click into your Channel and then into “Advanced.” Then change your domain to the new HTTPS version and click Add. You might have to remove the old one and then re-add. You will have to then approve it by going into Google Search Console, clicking into your messages for that site and click on approve.

youtube associated website

Update YouTube associated website to HTTPS

14. Miscellaneous

And that is about it as it pertains to your HTTP to HTTPS migration! Here are some more miscellaneous items you will want to update as well. Some of these may or may not be applicable for you depending on what you use.

  • Make sure to check that your robots.txt is accessible and working.
  • Ensure that any canonical tags point to the HTTPS version (this should have already been done if you followed Step 4 above).
  • If you are running a comment plugin such as Disqus, you will need to migrate your Disqus comments over from HTTP to HTTPS.
  • Update Your URLs in your Email Marketing software
  • Update PPC Ad URLs: AdWords, Bing Ads, AdRoll, Facebook Ads, etc.
  • Update Social Media Links (Facebook Page, Twitter Bio, Pinterest, Google+, etc.)

The Google search team also just recently published answers to 13 FAQs when it comes to HTTPS migrations.


As you can see there is probably a little more to an HTTP to HTTPS migration then you might have originally thought. However, it is all pretty easy and if you follow the steps above you should be good to go. If you are a Kinsta customer and have issues with your HTTPS migration as it pertains to your WordPress website, feel free to reach out to us. Did we miss any other important HTTP to HTTPS migration tips? If so, feel free to drop them in the comments below.

If you enjoyed this article, then you'll love Kinsta’s WordPress hosting platform. Turbocharge your website and get 24x7 support from our veteran WordPress team. Our Google Cloud powered infrastructure focuses on auto-scaling, performance, and security. Let us show you the Kinsta difference! Check out our plans

Hand-picked related articles

Comment policy: We love comments and appreciate the time that readers spend to share ideas and give feedback. However, all comments are manually moderated and those deemed to be spam or solely promotional will be deleted.
  1. Gravatar for this comment's author
    Andrew September 14, 2016 at 12:17 am

    Hi Brian, great in depth article on moving to HTTPS!
    To help with the mixed content checking step, we’ve launched
    We offer 2 tools, a desktop app to scan a site externally for mixed content along with a hosted online service that will collect reports of mixed content direct from browsers about your site.

    1. Gravatar for this comment's author
      Brian Jackson January 24, 2017 at 3:40 pm

      Thanks Andrew! I have added this to our post above.

  2. Gravatar for this comment's author
    AJ September 16, 2016 at 2:24 pm

    Great guide Brian! What are your thoughts on switching a site already with a Google page rank of 7+ and millions of backlinks? Will switching completely kill your rankings? There are so many benefits of switching, but if it means traffic will crash then the site may be out of business. Any thoughts on the SEO aspect? Thanks!

    1. Gravatar for this comment's author
      Brian Jackson September 19, 2016 at 12:49 pm

      Hey AJ!

      I have migrated quite a few sites and never saw a dip in traffic at all. And believe me, that is always a concern. And in fact, on some saw an increase in traffic. The general consensus from Google and SEO community is that 301 redirects should pass 90-99% of the link juice. But they might not pass 100%. So that is something to be aware of. From personal experience I think the small HTTPS boost they give you makes up for whatever small percentage of link juice that might not be passed by the 301s.

      The biggest things from an SEO perspective is your disavow file (re-submission) if you have one. Implementing your 301 redirects correctly, and your canonical tags. If you do a search and replace like in the above tutorial that will also update your canonical tags. And I recommend immediately submitting your new sitemaps after switching so that Google can start crawling your changes immediately. just recently did an HTTPS migration and you might want to check it out. They shared some of where they screwed up:

      While it can be a lot of work on larger sites, I would recommend doing it sooner than later as I have feeling Google is going to be giving the HTTPS ranking factor a lot more priority than it has in the past.

  3. Gravatar for this comment's author
    Nicholas Turbanov September 28, 2016 at 1:01 am

    Hi Brian,

    Thanks for the in depth article.

    I was wondering if you perhaps made a mistake in 4. saying “HTTP to HTTPS referral data is blocked in Google Analytics” – it’s the other way around, as you mention in the last sentence of the paragraph.

    I don’t want to nitpick, just make sure I’ve understood correctly myself :-)

    1. Gravatar for this comment's author
      Brian Jackson September 28, 2016 at 8:33 am

      Thanks for the heads up Nicholas! Yes that was a mistake. I have corrected it above now.

  4. Gravatar for this comment's author
    Kingsley Felix October 20, 2016 at 9:02 am


    Thanks for this guide…. when you switch to HTTPS what happens to your external links? (guest post) your DA/PA and other SEO ranks you have obtained over the years?

    1. Gravatar for this comment's author
      Brian Jackson October 24, 2016 at 8:17 am

      Hey Kingsley,
      Great question. That is where step #3 above comes into play with the global 301 redirects from HTTP to HTTPS. External links are still linking to your HTTP version, but because you have a 301 in place to the HTTPS version they should pass 90-99% of the link juice.
      So you will retain your DA/PA.

  5. Gravatar for this comment's author
    Дмитрий October 24, 2016 at 8:34 am

    Hello. If you are looking for a good reseller, I recommend This company is a partner of the Hague Security Delta – the largest cluster of security in Europe.

  6. Gravatar for this comment's author
    Eric Vadeboncoeur October 31, 2016 at 12:11 pm

    Great post, I have just moved my website to https and followed this guide. Also used to troubleshoot mixed content warnings. Thanks!

    1. Gravatar for this comment's author
      Brian Jackson October 31, 2016 at 1:44 pm

      Awesome, glad to hear it Eric!

  7. Gravatar for this comment's author
    Mike January 14, 2017 at 7:35 am

    Great article Brian, I personally use sed to do search and replace in the database since it is so fast. Small typo Choosing a SSL Certificate, should be an SSL if following phonetics.

    1. Gravatar for this comment's author
      Brian Jackson January 15, 2017 at 1:59 pm

      Glad it was useful Mike! A database search and replace is definitely the long-term recommended method. Also, I have fixed the typo :) Thanks for the heads up.

  8. Gravatar for this comment's author
    Kristof Devos February 7, 2017 at 6:23 am

    I’m still somewhat afraid to do it, but I think I’ll take the step using this great (!) in depth article. Thanks for sharing this!

    1. Gravatar for this comment's author
      Brian Jackson February 9, 2017 at 8:11 pm

      The 301 part is the most important part to retain all your rankings.

  9. Gravatar for this comment's author
    Fred Harris February 12, 2017 at 9:47 am

    Wow, what a great article. Thank you for this piece of work Brian, much appreciated. The guys from Rosehosting told me about Let’s Encrypt and how they will install it for me, so my plan is to ask for the Let’s Encrypt SSL installations.
    One thing bothers me though. How is that a free product such as Let’s Encrypt is better than a paid SSL certificate from a trusted authority?
    Is the cryptography on the same level?
    Thanks again.

  10. Gravatar for this comment's author
    Cristian Worthington February 20, 2017 at 2:28 pm

    Excellent article.

    There is one problem that many people have when they migrate to https.

    If they have a lot of valuable posts with Likes and Shares, they will lose the social proof on those posts – the counts that appear next to share buttons on their site will drop to zero.

    I have developed a simple WordPress Plugin that can help you recover the lost likes and shares (available on my blog at It’s called HTTPS Social Migration Pro and it lets you continue to use the share buttons on your site, while preserving your old likes and shares.

  11. Gravatar for this comment's author
    NTripping March 30, 2017 at 3:42 am

    Hey Brian, great guide!

    Quick question: referral links will be redirected, of course, but will this affect search engine rankings? Losing social counts is one thing, but losing rankings would suck even more :)

    Thanks and keep up the good work!

    1. Gravatar for this comment's author
      Brian Jackson March 30, 2017 at 8:39 am

      Thanks! Glad the guide was helpful. Generally 301 redirects will pass between 90-99% of the link juice. And due to the other benefits from HTTPS, I have normally seen traffic increases (including rank increases) when migrating sites from HTTP to HTTPS.

      There are also a few plugins, Social Warfare, and HTTPS Social Migration Pro which can help retain your social counts before and after migration.

  12. Gravatar for this comment's author
    Vibhor Purandare April 6, 2017 at 12:31 am

    Good day I am so thrilled I found your webpage, I really found you by mistake, while I was researching on Bing for something else, Regardless I am here now and would just like to say thank you for a marvelous post and all round exciting blog (I also love the theme/design), I don’t have time to read through it all at the minute but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read more, Please do keep up the fantastic job.

  13. Gravatar for this comment's author
    JoAn Guevara April 7, 2017 at 6:34 pm

    Very good article. Thanks!

    1. Gravatar for this comment's author
      Brian Jackson April 10, 2017 at 12:38 pm

      Thanks JoAn, hopefully it helped in your HTTP to HTTPS migration!

  14. Gravatar for this comment's author
    SEO May 25, 2017 at 4:43 am

    Simple and Easy , Http to Https, Every Blogger must Read this article.

  15. Gravatar for this comment's author
    Dorado June 5, 2017 at 11:27 pm

    I found your article very useful. Thanks for sharing Brian.

  16. Gravatar for this comment's author
    Udegbunam Chukwudi June 10, 2017 at 10:29 am

    Thanks a lot for this. Saved me a lot of work last night and I just started getting google alerts about my https pages appearing in search listing :D

    1. Gravatar for this comment's author
      Brian Jackson July 13, 2017 at 8:33 am

      Great, glad to hear it!

  17. Gravatar for this comment's author
    Rajan M June 24, 2017 at 9:45 pm

    Thanks for such detailed article. After migrating my site to https, I am getting error as per your Point “5. Check For Too Many Redirects”. I am getting error of 2 Redirects for www only (first one in your image “Redirects not setup correctly”). How do I correct this issue to work properly like in your second image “Redirects setup correctly”?

  18. Gravatar for this comment's author
    Celebrities Galore July 13, 2017 at 1:48 am

    Great article, simple as professional, time-tested and … bravely implemented :-)
    Much appreciated, Brian.

    1. Gravatar for this comment's author
      Brian Jackson July 13, 2017 at 8:33 am

      Thanks, glad it was helpful.

  19. Gravatar for this comment's author
    Nana Hm October 9, 2017 at 4:48 pm

    Oh jesus I had so many issues with this http to https! I am not super technical, so sometimes its hard for me to understand everything but this article was a great help and I finally got the solution on this issue that has been bothering me for like 3 days! Thank you so much! I just have a question, I have added httpswww and https no-www as properties. Should I delete the http properties or just leave them? Not sure it makes a difference to keep them? Kind regards, Nana

    1. Gravatar for this comment's author
      Brian Jackson October 9, 2017 at 8:36 pm

      Glad it was helpful! I would leave them for 3 or so months just until everything transitions over. Then you can delete them :)

      1. Gravatar for this comment's author
        Nana Halager Mikkelsen October 10, 2017 at 12:41 pm

        Thank you, I will leave them there then and wait :)

  20. Gravatar for this comment's author
    Lars Andersson October 10, 2017 at 9:01 pm

    I don’t know what happened to my comment from yesterday. Anyway, I took the plunge, and now get green locks everywhere. And this guide was what made it all possible! Fantastic!

    Thought I’d add something for people on Apache servers though. In Step 4 I use a different modification of .htaccess. It is similar to what Apache recommend, with a slight tweak to make sure I don’t get multiple redirects. Here is what I use, and it works very well:
    #### BEGIN redirect to https
    # Enable the Rewrite capabilities
    RewriteEngine On
    # Make sure the connection is not already HTTPS
    RewriteCond %{HTTPS} !=on
    # Redirect from original location, to the same location but using HTTPS.
    RewriteRule ^/?(.*) https: //$1 [R=301,L]
    #### END redirect to https

    Also, in Step 10, it will be necessary to create both www and non-www https profiles, unless you definitely don’t use both. And then link your preferred profile to Analytics in Step 12.

    Again, thanks for your guidance, Brian. It is invaluable!

  21. Gravatar for this comment's author
    Lars Andersson October 10, 2017 at 9:46 pm

    Yeah, yeah, replying to my own comment. I found that (in my case at least) I got too many redirects (i.e. 2 in one place) when I implemented Apache’s suggestion. So I modified it a tiny bit – and posted it in my comment of today (the one above this one) – now it works with only one redirect for all four calls.

  22. Gravatar for this comment's author
    Roee Yossef October 14, 2017 at 2:39 pm

    Great Article! Thanks alot :)

    1. Gravatar for this comment's author
      Brian Jackson October 16, 2017 at 12:32 am

      Glad it was helpful!

  23. Gravatar for this comment's author
    HealthTrekker November 29, 2017 at 10:17 pm

    Jesus C****t! You are a freaking hero, Brian!

    I am trying to muddle my way through the mixed content warnings & was looking for the post with that search-replace plugin,

    But WOW! This is by-far the best HTTPS/SSL WP migration entry I’ve found.

    Thank You So Much!

    1. Gravatar for this comment's author
      Brian Jackson December 21, 2017 at 1:54 pm

      Glad you found it helpful!

  24. Gravatar for this comment's author
    Gloria Barr December 20, 2017 at 9:59 am

    Thanks for this…I need to read again to be sure of what I am doing. What about the internal links on my site….will they need to be changed or is that part of the process?

    1. Gravatar for this comment's author
      Brian Jackson December 21, 2017 at 1:53 pm

      Hey Gloria,
      Yes in step #6 that is discussed. You will want to update your hard-coded internal HTTP links over to HTTPS.

  25. Gravatar for this comment's author
    Klaus January 17, 2018 at 12:29 am

    very helpful, thank you!

  26. Gravatar for this comment's author
    Étienne Brochu May 5, 2018 at 9:06 am

    Very useful article ! Thanks

    I do have a question. With Better Search Replace, do I search all my database ?
    I’m not a technician, so why Really Simple SSL is not a good permanent solution ?


    1. Gravatar for this comment's author
      Brian Jackson May 6, 2018 at 3:52 pm

      Hey Étienne,
      Yes, the Better Search and Replace plugin will search the entire database. The Really Simple SSL plugin is not recommended for a long-term solution as you will always have to have the plugin installed. It’s more of a band-aid or good temporary solution. We always recommend HTTPS replacements in the database, therefore you don’t have to rely on a third-party plugin.

  27. Gravatar for this comment's author
    Étienne Brochu May 7, 2018 at 12:01 pm

    I do have some plugins that created their own database, do I have to search all of them with the Better Search and Replace plugin.

    Thanks !

    1. Gravatar for this comment's author
      Brian Jackson May 9, 2018 at 12:08 am

      Are the plugins creating their own database or just their own tables? Most likely it is their own tables within your database, in which case, the Better Search and Replace plugin will find.

  28. Gravatar for this comment's author
    Purushu May 29, 2018 at 7:33 am

    Wow! This is everything.
    Better Search Replace plugin was super helpful. Being a tech noob, I was more likely to mess up the code from MyPHPAdmin :P
    Also, my website was throwing up some black/white screen, what looks like due to Varnish Accelerator in Cpanel for Cache. Had to disable that bit during http to https migration. Thanks for the info :)

Leave a Reply

Use WordPress?

Use WordPress?

Join 20,000+ others who get our FREE weekly newsletter with WordPress tips on how to drive more traffic and revenue to your business!


You have Successfully Subscribed!

Send this to a friend