WordPress SSL Setup: How to Move Your Site from HTTP to HTTPS

October 28, 2025 | 7 min read | HostBible Team

If your site is still on HTTP, it's showing "Not Secure" in browser address bars, losing a small but real SEO advantage, and transmitting login credentials and form data in plain text. Moving to HTTPS takes less than an hour on a good host and is entirely free via Let's Encrypt. Here's the complete process, in the correct order.

Why HTTPS matters beyond the padlock

HTTPS encrypts the connection between your server and every visitor. Without it, anyone on the same network (a coffee shop Wi-Fi, a corporate proxy, an ISP) can read or modify traffic in transit. That includes login credentials entered at wp-login.php, form submissions, and session cookies that keep users logged in. On an HTTP site, those cookies can be stolen and used to hijack sessions without the attacker needing your password at all.

Beyond security, HTTPS is a confirmed (if modest) Google ranking signal and is required for many modern browser features including geolocation, push notifications, and service workers. Chrome and Firefox actively warn users when they enter data on HTTP pages. Conversion rates on ecommerce and lead generation sites consistently drop on unencrypted pages.

Step 1: Take a backup first

Before making any changes, take a backup of your files and database. The migration involves changes to WordPress settings, the database, and server configuration, any of which can go wrong. Having a pre-migration backup means you can restore to a known-working state if something breaks, rather than debugging a site that may be in a broken intermediate state.

Step 2: Install your SSL certificate

Most modern hosting control panels (cPanel, DirectAdmin, Plesk) include Let's Encrypt integration that installs a free SSL certificate automatically. In cPanel, look for "SSL/TLS Status" or "Let's Encrypt SSL" in the Security section. Click to install a certificate for your domain and the www subdomain; both should be covered by the same certificate.

Once installed, visit https://yourdomain.com in a browser. You should see a padlock with no security warning. If there's a warning saying the certificate is invalid, expired, or for the wrong domain, the installation didn't succeed. Fix this before proceeding: every subsequent step assumes a working, valid certificate.

Let's Encrypt certificates expire after 90 days. Good hosts auto-renew them. Confirm your host handles auto-renewal. You can verify this in the SSL/TLS Status section of cPanel, which shows the renewal date and whether auto-renewal is enabled.

Step 3: Update WordPress URLs

Log into wp-admin and go to Settings > General. Change both "WordPress Address (URL)" and "Site Address (URL)" from http:// to https://. Save changes. WordPress will redirect you to the HTTPS login page; log back in. These two settings tell WordPress to generate HTTPS URLs for all its internal links, assets, and API calls going forward.

Do not add the server-level redirect (Step 5) before completing this step. Updating WordPress URLs first prevents redirect loops that occur when .htaccess redirects HTTP to HTTPS but WordPress is still generating HTTP URLs and redirecting back.

Step 4: Fix mixed content warnings

Mixed content warnings appear when an HTTPS page loads resources (images, scripts, stylesheets, iframes) from HTTP URLs. Your browser's developer tools (F12 > Console) will list exactly which URLs are causing them, with the specific resource and the page it's on.

The fastest fix is the Really Simple SSL plugin. After activation, it rewrites HTTP references to HTTPS in real time as pages are served and handles most mixed content automatically without touching your database. For a more permanent fix, use the Better Search Replace plugin to search for http://yourdomain.com and replace with https://yourdomain.com across all database tables. Always back up the database before running a search-replace operation.

Common sources of persistent mixed content: hardcoded HTTP URLs in theme files, plugin settings with absolute URLs (check your CDN plugin, contact form, or page builder settings), and externally hosted resources that genuinely don't offer HTTPS (in which case, host them yourself or find an HTTPS alternative).

Step 5: Set up HTTPS redirects at the server level

After WordPress is fully configured for HTTPS, add a permanent redirect to force all HTTP traffic to HTTPS. Add this to your .htaccess file, above the WordPress rewrite rules:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The 301 status code tells search engines the redirect is permanent, passing link equity from HTTP URLs to the HTTPS versions. After adding this, clear your browser cache and test by visiting the HTTP version of your site. It should redirect to HTTPS immediately.

In cPanel, you can also enable this via the "Force HTTPS Redirect" toggle in the SSL/TLS section, which adds the redirect rule for you without editing .htaccess manually.

Step 6: Enable HSTS (optional but recommended)

HTTP Strict Transport Security (HSTS) tells browsers to always connect to your site over HTTPS, even if someone types the HTTP version. Once a browser has seen your HSTS header, it won't even attempt an HTTP connection: it goes straight to HTTPS before any redirect is needed. Add this header to your .htaccess or via your server's VirtualHost configuration:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Start with a shorter max-age (e.g., 3600 seconds / 1 hour) while testing. Once you've confirmed everything works correctly, increase it to 31536000 (1 year). HSTS is irreversible for the duration of the max-age: if you ever need to go back to HTTP (you won't, but just in case), browsers will refuse until the max-age expires. The includeSubDomains directive applies the policy to every subdomain, so each one must also serve valid HTTPS before you send it. Don't enable HSTS until you're confident the HTTPS setup is solid.
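A scripted version of the checks in Steps 5 and 6, as an added example that is not part of the original guide: it confirms the first HTTP hop is a 301 to HTTPS on the same host and that the HTTPS response carries an HSTS max-age at the final value. The function names and the sample responses are assumptions of the example.

```python
import http.client
from urllib.parse import urlsplit

def fetch(host, tls):
    """Live HEAD request without following redirects; returns (status, lower-cased headers)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    result = (resp.status, {k.lower(): v for k, v in resp.getheaders()})
    conn.close()
    return result

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdecimal():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(host, http_resp, https_resp, min_age=31536000):
    """Check the Step 5 redirect and the Step 6 header; returns a list of problems."""
    problems = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        problems.append(f"HTTP answered {status}, expected 301")
    if target.scheme != "https" or target.hostname != host:
        problems.append(f"redirect does not point at https://{host}")
    max_age, _ = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if max_age is None:
        problems.append("no valid HSTS max-age on the HTTPS response")
    elif max_age < min_age:
        problems.append(f"HSTS max-age {max_age} is below {min_age}")
    return problems

# Constructed sample responses (not captured from a real site).
FINISHED = ((301, {"location": "https://example.com/"}),
            (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
HALF_DONE = ((302, {"location": "http://example.com/wp-login.php"}),
             (200, {"strict-transport-security": "max-age=3600"}))

if __name__ == "__main__":
    for name, (plain, tls) in (("finished", FINISHED), ("half done", HALF_DONE)):
        print(name, audit("example.com", plain, tls) or "OK")
```

Against a live site, call audit(host, fetch(host, False), fetch(host, True)) with your own domain as host.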

Step 7: Update Google Search Console and Analytics

HTTPS and HTTP are treated as separate properties in Google Search Console. Add the HTTPS version (both https://yourdomain.com and https://www.yourdomain.com) as new properties. Submit your XML sitemap under the HTTPS property. In Google Analytics (GA4), verify the data stream URL reflects the HTTPS version.

Check Google Search Console's Coverage report after a few days to confirm the HTTPS URLs are being indexed. You may see a temporary dip in impressions or clicks as Google re-crawls and re-indexes the HTTPS versions. This is normal and resolves within a few weeks as the crawl completes.
