Ashley Cameron Design

Checklist for Moving A WordPress Site to HTTPS

This post was last updated: Sep 6, 2022

This article includes tips for migrating your WordPress website from HTTP to HTTPS after you’ve purchased an SSL Certificate.

Update from HTTP to HTTPS in WordPress Admin

In Settings > General, update WordPress Address and Site Address:

WordPress Address (URL): https://example.com/wordpress/
Site Address (URL): https://example.com

Or in wp-config.php:

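// WP_SITEURL = WordPress Address (where the core files live); WP_HOME = Site Address.
// No trailing slash on either value.
define('WP_SITEURL', 'https://example.com/wordpress');
define('WP_HOME', 'https://example.com');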

Force SSL for logged in users and visitors

In wp-config.php, add these two lines before /* That’s all, stop editing! Happy blogging. */

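// Not a WordPress core constant; it only has an effect if a plugin or theme checks it.
define('FORCE_SSL', true);
// Forces HTTPS for logins and the admin area.
define('FORCE_SSL_ADMIN', true);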

Search & Replace Links

Using the Better Search Replace plugin, update links from http://yourdomain.com to https://yourdomain.com (with or without www, according to your preference). If any links are still served over HTTP, your browser will show that the page is not fully secure. The Developer Tools console lists the image links and other content that need updating.

Server-side 301 Redirects

Whether you’re relaunching a website or have just updated from HTTP to HTTPS, redirect visitors and search engines to the HTTPS URL.

Redirect in .htaccess

For Apache servers, use mod_rewrite:

Redirect www to non-www (generic/any domain)

RewriteEngine On
RewriteBase /
# Match any host beginning with "www." and capture the rest as %1
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

Redirect www to non-www (specific to domain)

RewriteEngine On
RewriteBase /
# Dots are escaped so they match a literal "." only
RewriteCond %{HTTP_HOST} ^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

Redirect non-www to www (generic/any domain)

RewriteEngine On
RewriteBase /
# Only redirect hosts that do not already start with "www."
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

Redirect non-www to www (specific to domain)

RewriteEngine On
RewriteBase /
# The dot is escaped so it matches a literal "." only
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

Enable HSTS (HTTP Strict Transport Security) in .htaccess (optional)

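Setting up redirects from HTTP to HTTPS is not enough to secure your website. A visitor's first request can still go out over plain HTTP before the redirect happens, so hackers on the network can still capture site cookies and session IDs, and redirect visitors to their own site. Learn more technical info here.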

If you have subdomains in your content, you will need a wildcard SSL certificate. Make sure all subdomains are working correctly on the SSL.

HSTS Requirements

  • Website must have a valid SSL Certificate
  • Redirect all HTTP links to HTTPS with a 301 Redirect
  • All subdomains must be covered in your SSL Certificate; order a wildcard certificate
  • Serve an HSTS header on the base domain for HTTPS requests
  • Max-age must be at least 10886400 seconds, or 18 weeks. Go for the two years value, as mentioned above!
  • The includeSubDomains directive must be specified if you have them
  • The preload directive must be specified

Next, add this line to your .htaccess (for Apache servers):

# Use HTTP Strict Transport Security
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Submit your site for inclusion in Chrome’s HSTS preload list

Check your website’s status and eligibility for submission at hstspreload.org