How to convert to SSL

Quick Links

Printable Checklist      Certificates        Code Snippets           Recommended Tools             Important Notes


[info_box type=”note_box”]Important Note #1: You need to be able to use FTP or your File Manager to follow this tutorial.[/info_box] [info_box type=”note_box”]Important Note #2: If you do any of this coding incorrectly (ie: an extra comma) it can break your entire site![/info_box]

There are 4 main steps to Force WordPress SSL:

1. Purchase & install the SSL certificate

2. Convert all URLs to the https counterpart

3. Fix “Mixed Content” using SSL Checker tools

4. Miscellaneous but Important Changes

Step 1: Purchase & Install the SSL Certificate

Cost ranges from free SSL certificates to roughly $99/year.

Most of you will only need the free SSL certificate from LetsEncrypt². And you will need your hosts’ help to install this. For everyone else, follow these steps:

  1. Generate a CSR by requesting one from your hosting account (or generate one in CPanel if that feature is available)
  2. Get a free SSL certificate from Lets Encrypt or purchase one from GoDaddy or whichever company you prefer. They will request the CSR in order to generate the SSL certificate.
  3. Verify the domain ownership through the email sent to you (or html file upload).
  4. The SSL certificate will be sent to you in a zip file through email. Forward this zip file to your hosting provider for installation. OR use cpanel to install the certificate yourself, if that feature is activated.

Step 2: Convert all URLs to WordPress SSL

This is the part that can easily be done with a plugin. Except that if you remove that plugin, it all falls apart. And who wants to be reliant on a plugin?

Instead, do it properly like this:

  1. Change the Settings / Home URL to HTTPS
  2. Add this to the wp-config.php file via FTP to force SSL on your dashboard pages too.
    define('FORCE_SSL_ADMIN', true);
  3. Add the following rewrites to your htaccess file via FTP to redirect any incoming links to their HTTPS counterparts.
    Change “” to your domain name. On the third line, use the new URL(with or without the www – whichever is your preferred URL).

  • Convert interlinking URLs in your database using Better Search and Replace plugin by Delicious Brains. Use the dry run feature first to be sure you’re getting all the URLs that you expected and none that you aren’t!
    • Search for:
    • Replace with:
    • Select tables: run each table one at a time
    • Case Insensitive: YES
    • Replace GUID: NO

Better Search and Replace plugin

  1. Replace the URLs in your files. I haven’t found an easier way to do this, than good old fashioned search and replace in a code editor… anyone have any tips here?
    • Use FTP to download your theme,
    • use search and replace in each file to find and replace the HTTP with HTTPS.
    • Upload new saved files back to your server.

Please remember that when editing files directly with FTP, one wrong character can bring down your site. be careful

  1. Check each menu & widget for old links that need the https treatment.

Step 3: Fix “Mixed Content” with SSL Checker Tools

If you have two doors in your house, one is locked and the other is open – the house is not secure. Both doors need to be locked. So now that we have the first door locked (the URLs), it’s time to find all the windows and doors and force them to use SSL too.

The job of finding and securing links, scripts, iframes, and anything else is a bit onerous. The places we need to look are your active theme, plugins and any other code or image that you’ve added to your site via widgets or content. Everything must come from a secure HTTPS source.

To find insecure items in your page, turn off your cache plugin, clear the cache and use an incognito tab (for Chrome). Check each page, using the inspector or developer tool set options in your browser. You’re looking for a “Mixed Content” warning. It will look like this:

In this case, the font, from Google API is being loaded from instead of A quick change of that URL, and we cleaned it up.

Check the following pages:

  • single blog page with comments form
  • single page (ie: contact)
  • archive (ie:
  • home page
  • landing page
  • special archive template (ie: recipe index)

When you have finished all the obvious sources of mixed content, it is time to use an SSL checker to find those stragglers. Use the following tools to find any missed insecure items:

This is where a lot of people skip and use a plugin. However, a plugin is not changing the URLs, but at best using jquery for on-the-fly changes; and at worse, using redirects which slow the site.

Step 4: Miscellaneous & Important!

Google Search Console / Webmaster

In Google, you’ll need to login to your Search Console and start recording the stats from your new URL. There is a “Change of Address” function which I’ve seen on some tutorials, but it does not work! 

[info_box type=”note_box”]From Google: The tool does not currently support the following kinds of site moves: subdomain name changes, protocol changes (from HTTP to HTTPS), or path-only changes.³[/info_box]

To start using Google Webmaster tools / Search Console, simply “Add a New Property” just like you did originally. Add both the and

Verify them both. And continue to set them up as you did with the non-https sites: select preferred domain and link your analytics profile.

**I recommend keeping your old sites there as reference. But soon, Google will begin crawling and indexing the new site. There will be no duplicate content issues if you’ve followed what I’ve indicated above.

Google Analytics

You’ll want to be sure that the https stats are tracking in Google Analytics as well. To do this, go to Property>  Property Settings > and change the “Default URL” to https.

Submit a Sitemap

When you force WordPress SSL you’ll automatically generate a new sitemap (if you’re using Yoast’s SEO plugin for WordPress). Just use this url and re-submit to Google Search Console:

Social Sharing Numbers Tracking

Unfortunately your sharing numbers will be lost unless you fix that too. We have always loved the Social Warfare plugin, and now there is one more reason to love it! See the tutorial here.

Change Miscellaneous Site Links to SSL verified link

Don’t forget to verify your new WordPress SSL URL with:

  • social media profiles (ie: Facebook, Pinterest, Instagram, Twitter)
  • social sharing trackers (ie: addthis account, hellobar, sumome, jetpack)
  • ad suppliers (ie: Adthrive, MediaVine, RewardStyle)
  • affiliate companies (ie: Shareasale, clickbank, ebay)
  • email marketing suppliers (ie: MailChimp, ConvertKit, MadMimi)


[convertkit form=5023727]




Fancy an infographic?

Click here.