This post was originally published May, 2017 and updated July 2018.

As of July, 2018 Chrome will show “not secure” to any visitor of an unsecured site. ie:

Converting WordPress to SSL is becoming more and more important – for user experience as well as SEO ranking.

Quick Links

Printable Checklist
Code Snippets
Recommended Tools
Important Notes

If your WordPress SSL certificate is working, you’ll see the “HTTPS” protocol in the browser address bar, and a padlock. If you see a green section with the name of a company or website, that is HTTPS as well – just a more secure certificate. Most bloggers only need the first type of certificate which we’ll discuss below.

But that padlock can be deceiving. Most plugins and installation instructions are simply forwarding all links instead of changing them. This can severely slow down your site.

Before we get started, it is important to note that there are lots of tutorials out there, lots of bad advice and lots of “It’s easy! I did it!” (and they did it entirely incorrectly.)

Important Note #1: You need to be able to use FTP or your File Manager to follow this tutorial.

Important Note #2: If you do any of this coding incorrectly (ie: an extra comma) it can break your entire site!

To be honest, and for your own benefit I hope the warning above scared some of you away. (I’m looking at you, Ms Know-enough-to-be-dangerous.) For all my DIY friends, follow these instructions below and please use the checklist to force WordPress SSL correctly.

There are 4 main steps to Force WordPress SSL:

1. Purchase & install the SSL certificate

2. Convert all URLs to WordPress SSL

3. Fix “Mixed Content” using SSL Checker tools

4. Miscellaneous but Important Changes

Step 1: Purchase & Install the SSL Certificate

Cost ranges from free SSL certificates to roughly $99/year.

Most of you will only need the free SSL certificate from LetsEncrypt². And you will need your hosts’ help to install this.

A quick review of the three available SSL certificates:

Domain Validation SSL Certificate

The easiest certificate to get is the domain verification certificate. If you can prove the domain name is yours, you can obtain this certificate. There is no difference (yet) in the appearance of a DV or OV certificate.

Organization Validation SSL Certificate

The second level SSL certificate – a little more secure and a little more difficult to obtain, is the organization verification. For this one, you need to prove you own the domain and you’re a legitimate company associated with the domain. Both DV or OV certificate signed websites will display a padlock and “https” instead of “http”.

Domain Validation SSL Certificate

Extended Validation SSL Certificate

To obtain this certificate, you need to prove the following¹:

  • Verifying the legal, physical and operational existence of the entity
  • Verifying that the identity of the entity matches official records
  • Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate
  • Verifying that the entity has properly authorized the issuance of the EV SSL Certificate

Extended Validation SSL Certificate

To purchase or to obtain the free SSL certificate, you’ll first need the Certificate Signing Request (CSR) from your hosting account.  Then you give the CSR to your SSL certificate provider. They confirm everything is A-OK, and send you a zip file. That zip file is the SSL certificate. You send that to your hosting company, and they ‘install’ it.

  1. Generate a CSR by requesting one from your hosting account (or generate one in CPanel if that feature is available)
  2. Get a free SSL certificate from Lets Encrypt or purchase one from GoDaddy or whichever company you prefer. They will request the CSR in order to generate the SSL certificate.
  3. Verify the domain ownership through the email sent to you (or html file upload).
  4. The SSL certificate will be sent to you in a zip file through email. Forward this zip file to your hosting provider for installation. OR use cpanel to install the certificate yourself, if that feature is activated.

Step 2: Convert all URLs to WordPress SSL

This is the part that can easily be done with a plugin. Except that if you remove that plugin, it all falls apart. And who wants to be reliant on a plugin?

  1. Change the Settings / Home URL to HTTPS
  2. Add this to the wp-config.php file via FTP to force SSL on your dashboard pages too.
    define('FORCE_SSL_ADMIN', true);
  3. Add the following rewrites to your htaccess file via FTP to redirect any incoming links to their HTTPS counterparts.
    Change “” to your domain name. On the third line, use the new URL(with or without the www – whichever is your preferred URL).
RewriteEngine on
RewriteCond %{HTTP_HOST} ^ [NC,OR]
RewriteCond %{HTTP_HOST} ^ [NC]
RewriteRule ^(.*)$$1 [L,R=301,NC]
  • Convert interlinking URLs in your database using Better Search and Replace plugin by Delicious Brains. Use the dry run feature first to be sure you’re getting all the URLs that you expected and none that you aren’t!
    • Search for:
    • Replace with:
    • Select tables: run each table one at a time
    • Case Insensitive: YES
    • Replace GUID: NO

Better Search and Replace plugin

  1. Replace the URLs in your files. I haven’t found an easier way to do this, than good old fashioned search and replace in a code editor… anyone have any tips here?
    • Use FTP to download your theme,
    • use search and replace in each file to find and replace the HTTP with HTTPS.
    • Upload new saved files back to your server.

Please remember that when editing files directly with FTP, one wrong character can bring down your site. be careful

  1. Check each menu & widget for old links that need the https treatment.

Step 3: Fix “Mixed Content” with SSL Checker Tools

“Forcing HTTPS” is a misnomer. It is impossible to force a page to be secure when it is not. If you have two doors in your house, one is locked and the other is open – the house is not secure. Both doors need to be locked. So now that we have the first door locked (the URLs), it’s time to find all the windows and doors and force them to use SSL too.

The job of finding and securing links, scripts, iframes, and anything else that is part of your page is a bit onerous. The places we need to look are your active theme, plugins and any other code or image that you’ve added to your site via widgets or content. Everything must come from a secure HTTPS source.

To find insecure items in your page, turn off your cache plugin, clear the cache and use an incognito tab (for Chrome). Check each page, using the inspector or developer tool set options in your browser. You’re looking for a “Mixed Content” warning. It will look like this:

In this case, the font, from Google API is being loaded from instead of A quick change of that URL, and we cleaned it up.

Check the following pages:

  • single blog page with comments form
  • single page (ie: contact)
  • archive (ie:
  • home page
  • landing page
  • special archive template (ie: recipe index)

When you have finished all the obvious sources of mixed content, it is time to use an SSL checker to find those stragglers. Use the following tools to find any missed insecure items:

This is where a lot of people skip and use a plugin. However, a plugin is not changing the URLs, but at best using jquery for on-the-fly changes; and at worse, using redirects which slow the site.

Websites, specifically WordPress, will be using SSL for a long time – it’s best to get it done right to begin with!

Step 4: Miscellaneous & Important!

Google Search Console / Webmaster

In Google, you’ll need to login to your Search Console and start recording the stats from your new URL. There is a “Change of Address” function which I’ve seen on some tutorials, but it does not work! 

From Google: The tool does not currently support the following kinds of site moves: subdomain name changes, protocol changes (from HTTP to HTTPS), or path-only changes.³

To start using Google Webmaster tools / Search Console, simply “Add a New Property” just like you did originally. Add both the and versions.

Verify them both. And continue to set them up as you did with the non-https sites: select preferred domain and link your analytics profile.

**I recommend keeping your old sites there as reference. But soon, Google will begin crawling and indexing the new site. There will be no duplicate content issues if you’ve followed what I’ve indicated above.

Google Analytics

You’ll want to be sure that the https stats are tracking in Google Analytics as well. To do this, go to Property>  Property Settings > and change the “Default URL” to https.

Submit a Sitemap

When you force WordPress SSL you’ll automatically generate a new sitemap (if you’re using Yoast’s SEO plugin for WordPress). Just use this url and re-submit to Google Search Console:

Social Sharing Numbers Tracking

Unfortunately your sharing numbers will be lost unless you fix that too. We have always loved the Social Warfare plugin, and now there is one more reason to love it! See the tutorial here.

Change Miscellaneous Site Links to SSL verified link

Don’t forget to verify your new WordPress SSL URL with:

  • social media profiles (ie: Facebook, Pinterest, Instagram, Twitter)
  • social sharing trackers (ie: addthis account, hellobar, sumome, jetpack)
  • ad suppliers (ie: Adthrive, MediaVine, RewardStyle)
  • affiliate companies (ie: Shareasale, clickbank, ebay)
  • email marketing suppliers (ie: MailChimp, ConvertKit, MadMimi)


If you made it through all that, wanna work for me? 🙂

If you’re slogging through in true startup fashion – have questions? Post ’em below and I’ll answer! Now’s your chance for free advice!




Fancy an infographic?

Click here.

Beginner Checklist

If you’re starting out, you’ll love our comprehensive 52 point checklist for your website! Read through once, and then work on items one at a time as it comes up!

52 Edits Checklist – beginners categories

Cathy Mitchell

Single Mom, Lifelong Learner, Jesus Follower, Founder and CEO at WPBarista.