HTTP to HTTPS Migration: Complete Checklist for a Safe Switch

August 1, 2025 · 7 min read · HostBible Team

Switching an established WordPress site from HTTP to HTTPS is straightforward when done in the right order. Done in the wrong order, you get redirect loops, mixed content warnings, or a site that half-loads on some pages. Here's the correct sequence, with verification steps at each stage so you know whether to proceed or stop and fix before moving on.

Before you start: take a backup

This migration touches WordPress settings, the database, and server configuration files. Any of these changes can go wrong, particularly the database search-replace step. Take a full backup of files and database before you begin. In UpdraftPlus, click "Backup Now." In cPanel, use the Backup Wizard. Label the backup clearly as pre-HTTPS-migration. This takes five minutes and means you can restore to a known-working state if anything breaks during the process.

Step 1: Install and verify the SSL certificate

Before making any WordPress changes, install an SSL certificate on your hosting account and verify it works. In cPanel, go to Security > SSL/TLS Status or Let's Encrypt SSL. Install a certificate covering both your root domain and the www subdomain (both yourdomain.com and www.yourdomain.com).

Once installed, open your browser and visit https://yourdomain.com directly. You should see a padlock icon with no security warning. Click the padlock and verify the certificate is valid, covers your domain, and isn't expiring soon. If there's a warning ("Your connection is not private," a certificate mismatch, or an expired certificate), the installation has a problem. Do not proceed until this is resolved. Every subsequent step assumes a valid, working certificate.

Also test https://www.yourdomain.com (with www). Both versions should load with a valid certificate. If www isn't covered, add it to the certificate before proceeding.
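The same check can be scripted so that it covers both hostnames and the expiry date in one pass. This is an added example, not part of the original guide; the function names and the 14-day "expiring soon" threshold are assumptions, and the sample certificate is constructed.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Return the validated peer certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()  # rejects untrusted or mismatched certs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(pattern, host):
    """Match one SAN DNS entry; a '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_problems(cert, hostnames, now=None, min_days=14):
    """List reasons to stop before Step 2; an empty list means proceed.

    min_days is an assumed threshold for "expiring soon".
    """
    now = time.time() if now is None else now
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    problems = [f"{h} not covered by certificate" for h in hostnames
                if not any(san_covers(p, h) for p in sans)]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < min_days:
        problems.append(f"certificate expires in {int(days_left)} days")
    return problems

# Constructed sample in the shape ssl.getpeercert() returns: www is missing.
SAMPLE = {"subjectAltName": (("DNS", "yourdomain.com"),),
          "notAfter": "Sep  1 00:00:00 2025 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("Aug  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    names = ["yourdomain.com", "www.yourdomain.com"]
    print(cert_problems(SAMPLE, names, SAMPLE_NOW))
    # Against a live site: cert_problems(fetch_cert(names[0]), names)
```
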

Step 2: Update WordPress URL settings

Log into wp-admin (still via HTTP for now) and go to Settings > General. Change both "WordPress Address (URL)" and "Site Address (URL)" from http:// to https://. Save changes. WordPress will log you out and redirect you to the HTTPS login page. Log back in.

Critical: do this step before adding any server-level redirect from HTTP to HTTPS. If you add the .htaccess redirect first, it redirects all HTTP requests to HTTPS, but WordPress is still generating HTTP URLs internally. The result is redirect loops or pages that load HTTPS in the browser bar but have HTTP assets. Always update WordPress settings first, server redirect second.

After saving, verify wp-admin loads correctly at the HTTPS URL. Check that the WordPress Address and Site Address in Settings > General now correctly show https://.

Step 3: Update hardcoded HTTP URLs in the database

The WordPress settings change tells WordPress to generate new HTTPS URLs going forward, but existing content in the database (posts, pages, widget content, theme customiser settings) still contains the old HTTP URLs. These need to be updated with a database search-replace.

Install the Better Search Replace plugin (free). Go to Tools > Better Search Replace. In the "Search for" field enter http://yourdomain.com. In "Replace with" enter https://yourdomain.com. Select all tables. Check "Run as dry run?" first and click "Run Search/Replace." Review the count of items that would be replaced; a very high number warrants investigation before running for real. Then uncheck "Run as dry run?" and run again to execute the replacements.

If your site has a www version with distinct content, also run the same replace for http://www.yourdomain.com to https://www.yourdomain.com. After running, delete the Better Search Replace plugin. It isn't needed on an ongoing basis, and leaving it installed adds unnecessary database access from the admin.

Step 4: Fix mixed content warnings

Load your site in a browser and open the developer tools (F12). Go to the Console tab. Mixed content warnings appear as yellow warnings with the URL of the HTTP resource causing them. Common causes:

  • Images or media embedded directly with HTTP URLs in post content (the database replace should have caught these)
  • Plugin settings with hardcoded HTTP URLs (check your contact form plugin, CDN plugin, map embeds, and payment form settings)
  • Theme settings with absolute URLs (check theme customiser, logo URLs, background image settings)
  • External resources loaded over HTTP that the third party doesn't support HTTPS for (in this case, host the resource yourself or remove it)

The Really Simple SSL plugin can resolve most remaining mixed content dynamically. After activation, it rewrites HTTP references to HTTPS in page output in real time. This is a useful safety net but shouldn't be a permanent crutch. Ideally you fix the source of the HTTP references so they don't need rewriting on every page load. Use Really Simple SSL while you identify and fix the underlying sources, then evaluate whether you still need it running.

Step 5: Force HTTPS at the server level

Now that WordPress is configured for HTTPS, add a permanent redirect to send all HTTP traffic to HTTPS. Open your .htaccess file and add this before the WordPress rewrite rules (# BEGIN WordPress):

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The 301 status code is a permanent redirect, which passes link equity from HTTP URLs to HTTPS. After adding this, clear your browser cache and test by visiting http://yourdomain.com (explicitly HTTP). It should immediately redirect to the HTTPS version. In cPanel, you can also enable this via the Security > SSL/TLS > Force HTTPS Redirect toggle, which does the same thing without editing .htaccess manually.

Step 6: Update all external references

Several external systems need to be updated to reflect the HTTPS migration:

  • Google Search Console: Add the HTTPS version as a new property (https://yourdomain.com and https://www.yourdomain.com are treated as separate properties). Submit your sitemap under the HTTPS property. The HTTP properties can remain for monitoring redirect coverage.
  • Google Analytics (GA4): Verify the data stream URL uses https://. In GA4, go to Admin > Data Streams and confirm the URL is correct.
  • XML sitemap: Regenerate your sitemap (via Yoast SEO, Rank Math, or your sitemap plugin) to ensure all URLs are HTTPS. Submit the new sitemap in Google Search Console.
  • Canonical tags: Check that canonical meta tags in your page source show https:// URLs. Your SEO plugin should handle this automatically once the WordPress URL settings have been updated.
  • Social media profiles and backlinks you control: Update any links to your site on social profiles, email signatures, or other websites you manage to use the HTTPS URL.

Step 7: Monitor for issues after migration

In the first two weeks after migration, check Google Search Console's Coverage report to confirm HTTPS URLs are being indexed rather than the HTTP versions. If you see both HTTP and HTTPS URLs being indexed, the redirect or canonical tags may not be working correctly for some pages. Check the Enhancements and Experience reports for any new issues.

A brief dip in tracked rankings and impressions is normal immediately after migration, because Google is re-crawling and re-evaluating the HTTPS versions. This typically resolves within 2 to 4 weeks as Google processes the redirects. A sustained, significant drop warrants investigation: check that the redirects are 301 (permanent) and not 302 (temporary), and that canonical tags point to the HTTPS versions.
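The redirect test from Step 5 and the 301-versus-302 check above can both be done by walking the redirect chain one hop at a time, which also exposes the loop described in Step 2. This is an added example, not part of the original guide; the function names are assumptions and the response tables are constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def http_fetch(url, timeout=5):
    """One HEAD request, redirects not followed: (status, Location or None)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, fetch=http_fetch, max_hops=5):
    """Walk the redirect chain from start_url; return (final_url, problems)."""
    problems, seen, url = [], set(), start_url
    for _ in range(max_hops + 1):
        if url in seen:
            problems.append(f"redirect loop at {url}")
            return url, problems
        seen.add(url)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        target = urljoin(url, location)
        if status not in (301, 308):  # 302/303/307 are temporary
            problems.append(f"{url} uses temporary redirect {status}")
        if urlsplit(target).scheme != "https":
            problems.append(f"{url} redirects to non-HTTPS {target}")
        url = target
    else:
        problems.append(f"more than {max_hops} redirects")
    if urlsplit(url).scheme != "https":
        problems.append(f"chain ends on non-HTTPS {url}")
    return url, problems

# Constructed responses. LOOP models the wrong order from Step 2: the server
# forces HTTPS while WordPress still redirects to its configured http:// URL.
GOOD = {"http://yourdomain.com/": (301, "https://yourdomain.com/"),
        "https://yourdomain.com/": (200, None)}
LOOP = {"http://yourdomain.com/": (301, "https://yourdomain.com/"),
        "https://yourdomain.com/": (301, "http://yourdomain.com/")}

if __name__ == "__main__":
    print(audit_redirects("http://yourdomain.com/", GOOD.__getitem__))
    print(audit_redirects("http://yourdomain.com/", LOOP.__getitem__))
```

Called with only a URL, `audit_redirects` uses `http_fetch` against the live site; run it for both the root and www hostnames.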
