How to migrate WordPress to https

How to migrate WordPress to https

If you are here, you probably got a warning from the Google Search Console regarding your site being penalized for not being secured with an SSL certificate.

Migrating WordPress to HTTPS (SSL)

This tutorial applies when you are running your site on a VPS with Ubuntu, Apache, Php, Mysql and requires command line operations on your VPS.

Migrating WordPress to https is quite time consuming, especially if we are talking about a large site. Here are the main steps:

  • getting a SSL certificate and installing the SSL certificate in Apache
  • fixing the mixed content warnings
  • switching WordPress Admin to HTTPS
  • redirect everything to HTTPS
  • check the site for mixed content warnings using a tool

By far, the most complex step is fixing mixed content warnings. But let’s see all the steps.

Getting a FREE SSL certificate and installing the SSL certificate in Apache

SSL certificates can be bought from your hosting provider for prices ranging from $9 to $200. But even better you can get one for free from Let’s Encrypt. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG).

You better backup the files in /etc/Apache2/sites-available first as the script will change your site configuration files for Apache.

To get the certificate you have to login to your server console then run the following commands to install the program that generates the certificates in /usr/local/sbin:

cd /usr/local/sbin
sudo wget

To use the script you have to make it executable:

sudo chmod a+x /usr/local/sbin/certbot-auto

Then run the script to generate the certificate for your domain (the following line will get the certificate for both www and non www version of the site:

certbot-auto --apache -d -d

The script will start to run and it will identify where the Apache configuration files for your site are and will make changes to it. Here is how it looks when it attempts to change the Apache files (you should choose 1: Easy):

To apply the changes you should restart the server.

service apache2 restart

If everything goes well, you should be able to visit


Fix the mixed content warnings

Now, this is the hardest part of the entire procedure. Mixed content warnings appear when you visit a page via https and it contains http resources in it. It doesn’t matter if there are links to other sites with http, what matters is that elements that make the page content are included using https. This means we need to change 2 types of content:

  • any hardcoded links to an image/script/embed in the PHP code. For example should be changed to
  • any hardcoded links in the database should be changed to https;


Changing links from http to https in the code

This is usually not a problem. Make a backup of the files, then load the files in an code editor that can search for strings in all the files in a site. I’m using Aptana as an editor, so, first I backup the themes folder, then create a new project in Aptana and search for http://. You need to replace everything that is not a simple link to a different site with https://

Changing links from http to https in the database

By default, WordPress makes internal links with http. You have to look for these links in the database and change them all. We need help.

Backup the database. Then, download the Search Replace DB from Interconnect/IT and upload it somewhere on the server (create a folder on the same level with wp-content). Access the search and replace folder via a browser:

You will see that the Search and Replace Script has the database connection filed, so you need to fill in the above fields with to be replaced with Hit the Dry Run button and have a look at what is going to be changed. If it makes sense, press Live Run. Repeat for to

Other things to update would be the embeds like to or to and to Might be some others of you are using embeds from somewhere.

Note: as soon as you are done with the Search and Replace DB script you should delete it from the server.

What if you still receive Mixed content Warnings?

If you still get mixed content warnings, you should either use Firebug for Mozilla or use view source and search for HTTP links. If you find any, most likely you have to search in the files and make more replacements.

Switch WordPress Admin to HTTPS

This one is easy: edit wp-config.php and add:

define('FORCE_SSL_ADMIN', true);

just after

define('WP_DEBUG', false);

Redirect all WordPress links to HTTPS via .htaccess

If everything is working, we should let Google know we moved all the pages from http to https via a 301 redirect. To do so, edit the .htaccess file you can find in the WordPress root folder and the following lines just before </IfModule>

RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Check site for mixed content automatically

What is there are still pages with mixed content that you didn’t notice? The good news is that the guys from made a script that checks all the pages from your site for mixed content in the background. Let’s install it and see the output.

First you should install CURL on your server (if it’s not there already)

sudo apt-get install curl

Then restart Apache with sudo service apache2 restart

Install PHP5-curl with

sudo apt-get install php5-curl

and restart Apache again.

To install the bramus script, there is an additional step – you should install composer and make it available globally:

sudo curl -sS | php

and make it available:

sudo sed -i '1i export PATH="$HOME/.composer/vendor/bin:$PATH"' $HOME/.bashrc
source $HOME/.bashrc

Let’s install the bramus script (you can find more details here):

composer global require bramus/mixed-content-scan:~2.8

Now we can run the script and save the links reported as mixed content to a file:

mixed-content-scan --output=./mixed-results.txt

If any links are reported, well, that’s more work for you!