Key takeaways for a successful HTTPS transition:
- Verify your certificate: Ensure that Let’s Encrypt or an equivalent certificate is activated with your web host before making any changes.
- Backup your site: Never touch your .htaccess file or your database without having a recent complete backup (files + SQL).
- Use 301 Redirects: A permanent redirection (301) is essential so that Google understands the HTTP version is definitively replaced by the HTTPS version.
- Fix the database: Use a tool like “Better Search Replace” to convert internal HTTP links (images, scripts) to HTTPS directly in your database.
- Update external tools: Remember to change your data stream URL in Google Analytics (GA4) and verify your property in Google Search Console.
- HTTPS is an SEO prerequisite: Beyond security, it is a positive signal for Google’s algorithm (E-E-A-T criteria).
How to move WordPress to HTTPS? Is your WordPress site still in HTTP? That’s a mistake. Is your site already in HTTPS? Are you sure? Let’s check.
Quick test: Go to any page of your website other than the homepage — remove the “S” from “HTTPS” in the address bar. Is your site still in HTTPS? If it redirects back automatically, well done, you can move on to another article. If not, stick around for a bit.
Moving WordPress to HTTPS isn’t very complicated. I will offer you 2 simple, fast, and effective solutions. In this tutorial, I give you the essential steps to properly switch WordPress to HTTPS.
The 3 Recommended Methods for Switching WordPress to HTTPS
| Method | Difficulty | Major Advantage | Recommended Use |
|---|---|---|---|
| Plugin (SecuPress) | Very Low | Fixes mixed content automatically | Beginners and small sites |
| Hosting Provider (cPanel) | Medium | Simple and high-performance | Intermediate profiles |
| Manual (.htaccess) | Advanced | Zero impact on site speed | Professional and SEO-focused sites |
Switching to HTTPS is a crucial step that must adapt to your technical skills. To secure your site and your users, I recommend using one of the following three levers, ranked from the most automated to the most technical method.
Method 1: Using a Plugin (Turnkey Solution)
This is the ideal method for beginners. I recommend SecuPress to my clients, which is now connected to the “Really Simple SSL” plugin. It allows you to activate SSL in one click. The major advantage of this solution is that it doesn’t just activate the protocol: it can also dynamically fix “mixed content” errors (images or scripts left in HTTP) that sometimes prevent the padlock from appearing correctly.
Pros
- No coding required.
- Generally fixes mixed internal URLs (unsecured content).
Cons
- May introduce plugin dependencies.
- Less robust than direct server configuration.
Method 2: Configure via Your Hosting Provider (cPanel)
If you don’t want to overload your site with an extra plugin, look into your hosting management interface (often cPanel). Most hosts now offer a “Force HTTPS” option in the “SSL/TLS Status” or “Let’s Encrypt” section. By activating this option, the server manages the redirection itself before WordPress is even called, which is excellent for performance.
Pros
- Automatic (includes renewal for Let’s Encrypt).
- No plugin required.
- Fewer configuration errors.
Method 3: Manual Modification via .htaccess (Expert Method)
This is the cleanest and most durable solution for SEO. It involves manually inserting a 301 redirect rule into your .htaccess file (accessible via FTP). By forcing traffic at the server level, you ensure an instantaneous and definitive redirection without depending on a third-party extension. This is the method I systematically use for my clients’ projects.
Pros
- Clean redirection via permanent 301.
- No plugins.
Caution
- Requires FTP/Server access.
- Does not configure the SSL certificate itself.
- More complicated without technical knowledge.
Need a tutorial? Watch the video; otherwise, I explain the step-by-step methodology further down.
Before Moving WordPress to HTTPS?
In concrete terms, moving WordPress to HTTPS is similar to a site migration, meaning you are essentially creating a new site to which the content of your various pages will be transferred.
The first step in moving your WordPress site to HTTPS simply consists of obtaining an SSL certificate.
Your host or domain name manager usually offers a free SSL certificate in their package. Add the “s” at the end of the HTTP in your domain name. If you are still on your website and it loads, it means the certificate is already installed. Move to the next step.
If not, contact your host to activate a free Let’s Encrypt certificate.
In some industries and for certain e-commerce sites, it is sometimes recommended to choose a paid, more secure certificate. Your host can advise you on a certificate suited to your situation.
The HTTPS protocol helps further secure your website. Today, it is the standard, and you cannot afford to have a website without HTTPS. Visually, all that changes is the URL.
https://redback-optimisation.fr/ to https://redback-optimisation.fr/
In reality, there will always be an HTTP version and an HTTPS version of your website. For Google, these are seen as two different websites. You must therefore ensure that the HTTP version automatically redirects to the HTTPS version.
Moving WordPress to HTTPS: The Advanced Method
Here is the method I recommend for switching WordPress to HTTPS. You must follow these 5 steps:
Step 1
Go to your WordPress Dashboard under Settings -> General. You will need to change the main address of your site. Replace the URL in HTTP with its version in HTTPS. You must modify both URL fields: “WordPress Address (URL)” and “Site Address (URL)”. You will be logged out because your Dashboard will now switch to HTTPS as well.
Step 2
Désormais, your entire website should be in HTTPS. Unfortunately, it’s not always that simple. The problem is that your website is now duplicated: an HTTP version and an HTTPS version. You will have to redirect every HTTP URL to its HTTPS version.
You will need to use FTP. You should have received your FTP codes when purchasing your domain name and hosting. If you don’t have them anymore, contact your host. There is usually:
- A Hostname
- A Username
- A Password
- A Port: 21 or 22
Download the Filezilla (Server) software and log in with your credentials. This software allows you to access the folders and files of your website.
Step 3
On Filezilla, in the “www” (or “public_html”) folder, you should find the “wp-config” file and the “.htaccess” file. Using drag-and-drop, download these two files and make 2 copies of them. You should have 2 original files and 2 files that you will modify. Note: You might need to wait 24 hours after your site goes live to see the .htaccess file.
Step 4
You will need to copy a piece of code into these files. To do this, download Notepad++ (TextWrangler for Mac).
Open the wp-config.php file and copy the following code on line 2:
define( ‘FORCE_SSL_ADMIN’, true );
Save and replace the original file with the updated one in Filezilla.
Check that everything is working on your site. If you no longer have access, it’s because you made a mistake in the line or forgot a character. You can then upload the original backup file to Filezilla and start over.
Step 5
In the same way, another piece of code must be added in the .htaccess file (at the very top):
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
Make sure to add your own domain in HTTPS instead of “yourdomain.com/”.
That’s it, you’ve moved WordPress to HTTPS.
What to do after switching to HTTPS?
Verify that HTTPS is working correctly
Check that your SSL certificate is effective. An invalid certificate will trigger a warning message in the user’s browser, which can damage the trust and security image you want to convey.
You can test the validity of your certificate with this SSL Labs tool. If you don’t check, you risk having URLs with a crossed-out HTTPS in the address bar. This generally indicates that you still have HTTP links on your pages.
Furthermore, the tool checks your site’s security level. It will give you a grade and indicate things to fix to improve your rating.
If the padlock is grey, it means you still have mixed content on your pages. In other words, some pages haven’t updated all elements to HTTPS (often images). This is where it gets complicated.
The first thing to do is test URLs with a grey or crossed-out padlock using this tool, which will point out non-secure elements. Test it with the HTTP version of the page. It will show a 200 code if the page is not fully secured.
If you use Firefox, you can get more info by clicking on the Red Padlock -> More Information -> Media. Search for media files still in HTTP and fix them.
You can also right-click on the unsecure page and click “View Page Source”. Then press CTRL+F to open a search bar and enter “HTTP”. Identify links that are not in HTTPS and update them.
Updating Google Search Console and Google Analytics
You no longer need to create a new property every time if you use a “Domain Property” (DNS). It automatically covers HTTP, HTTPS, www, and non-www. If that’s not the case:
Once you have completed all redirections and ensured there are no more HTTP links, you must inform Google so it indexes your new URLs as quickly as possible. This step is very important and should be done immediately.
Indeed, the longer you wait, the higher the chance of losing SEO rankings. To do this, simply add your site to Google Search Console with the new HTTPS URL. You should also submit the HTTPS sitemap and update its address in the robots.txt file.
Furthermore, don’t forget to update your URL in Google Analytics (under Property Settings and View Settings).
Why Switch WordPress from HTTP to HTTPS?
Protecting User Information
HyperText Transfer Protocol (HTTP) is a transmission protocol that allows users to access web pages via a browser while sending data to your server. The problem is that data transmitted over HTTP is not encrypted, which can allow malicious actors to easily intercept confidential information (login credentials, personal details).
HyperText Transfer Protocol Secure (HTTPS) is the secure version of HTTP. it results from combining HTTP with an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption layer. This allows the user to verify the identity of your website via an authentication certificate. This is signaled by a green padlock next to the URL.
This certificate guarantees confidentiality and data integrity sent by the user and received by the server. Likewise, the spread of Malware will be hampered, leading to better web security. It is in everyone’s interest to contribute to the growth of HTTPS.
But how do you know which certificate to choose? SSL certificates are proof of identity for a website. There are different types based on the scope of their validation:
- Domain Validation (DV): This is the standard and (usually) cheapest certificate. These certificates allow for basic encryption. They are issued very quickly and require a simple verification of domain ownership.
- Organization Validation (OV): These certificates include the authentication of the company and/or organization owning the domain.
- Extended Validation (EV): With this type, the certificate authority performs an in-depth review of your company. It offers the highest level of security.
Better Ranking by the Google Algorithm
For Google, HTTPS is a ranking factor for websites. In several SEO analyses from 2025 based on large datasets and professional tests, Google is still considered to give a slight advantage to secure (HTTPS) sites over non-secure ones, as it improves user trust and navigation experience. Source: Ranking factors 2025.
Conclusion
Switching WordPress to HTTPS is not indispensable, but it remains highly recommended. Thanks to the SSL certificate, you convey a reassuring image to your visitors, and Google will thank you by slightly improving your positioning.
So, what do you think? Are you ready to switch to HTTPS?
