Move WordPress from HTTP to HTTPS: A Complete Guide
Step-by-step guide to properly migrate your WordPress site from HTTP to HTTPS using Let's Encrypt certificates
Introduction
HTTPS is no longer optional for modern websites. Search engines favor secure sites, browsers display warning messages for non-secure sites, and visitors expect the security that HTTPS provides. This guide will walk you through the complete process of migrating your WordPress site from HTTP to HTTPS using free Let's Encrypt SSL certificates.
Prerequisites:
- A working WordPress site running on a LAMP server (Linux, Apache, MySQL, PHP)
- SSH access to your server
- Basic familiarity with command line
- Domain with DNS managed by Cloudflare (for wildcard certificates)
If you haven't set up WordPress on a LAMP server yet, follow our Raspberry Pi WordPress Setup Guide first.
Step 1: Install Certbot
Certbot is the official Let's Encrypt client that simplifies obtaining and renewing SSL certificates. Install Certbot and the Apache plugin with the following command:
Bash
Note: The original post used
python-certbot-apache -t stretch-backportswhich is outdated. Modern Debian/Ubuntu distributions use the Python 3 version without needing backports.
Step 2: Choose Your Certificate Type
You have two options for SSL certificates:
Option A: Single Domain Certificate
If you only need to secure one domain, run:
Bash
This will guide you through an interactive process to select which domains to secure and automatically configure Apache for you.
For more control, you can use:
Bash
This obtains the certificate without modifying your Apache configuration, giving you more control over the setup.
Option B: Wildcard Certificate with Cloudflare DNS (Recommended)
A wildcard certificate covers your main domain and all subdomains (e.g., example.com and *.example.com). This is ideal if you run multiple subdomains.
- Install the Cloudflare DNS plugin for Certbot:
Bash
- Create a Cloudflare API configuration file:
Bash
- Add your Cloudflare account details:
ini
Security Note: To obtain your Global API key, log in to Cloudflare, go to your profile, and look for the API Tokens section. For better security, consider using scoped API tokens instead of the global key.
- Secure the configuration file to prevent unauthorized access:
Bash
- Obtain the wildcard certificate:
Bash
Replace yourdomain.com with your actual domain name.
Step 3: Configure Apache for HTTPS
Configure Default SSL Site
If your WordPress site is in the default /var/www/html directory, edit the default SSL configuration:
Bash
Update the file with the following content (replace yourdomain.com with your domain):
apache
If your site is in a custom directory, adjust the DocumentRoot and <Directory> paths accordingly.
Enable SSL Modules and the Configuration
Bash
Configure HTTP to HTTPS Redirection (Recommended)
Edit your HTTP VirtualHost configuration:
Bash
Add the following redirection rules inside the <VirtualHost *:80> block:
apache
Enable the rewrite module and restart Apache:
Bash
Step 4: Update WordPress Settings
Update Site URLs in WordPress Admin
- Log in to your WordPress admin dashboard
- Go to Settings → General
- Update both "WordPress Address (URL)" and "Site Address (URL)" to use
https://instead ofhttp:// - Save changes
If you encounter issues (like a white screen or login problems) after changing these settings, you can fix them using MySQL:
Bash
Modify wp-config.php
Add the following code to your wp-config.php file, right before the line that says require_once(ABSPATH . 'wp-settings.php');:
php
This ensures WordPress properly detects HTTPS, especially when behind proxies or load balancers.
Step 5: Update Internal Links in Your Database
The database may contain hardcoded HTTP links in posts, pages, and options. Use the "Better Search Replace" plugin to fix these:
- Install the "Better Search Replace" plugin (it's safer and more feature-rich than the older "Search and Replace" plugin)
- Go to Tools → Better Search Replace
- In the "Search for" field, enter
http://yourdomain.com - In the "Replace with" field, enter
https://yourdomain.com - Select all tables except those containing transients
- Enable the "Run as dry run" option first to see what would be changed
- If the results look good, uncheck "Run as dry run" and run the search/replace for real
Step 6: Set Up Automatic Certificate Renewal
Let's Encrypt certificates expire after 90 days, so setting up automatic renewal is crucial:
Bash
Add the following line to run the renewal check twice daily (recommended by Let's Encrypt):
Bash
Step 7: Test Your HTTPS Setup
Visit these tools to verify your SSL configuration:
Check for:
- Valid certificate
- No mixed content warnings
- Proper redirects
Troubleshooting
Mixed Content Warnings
If you see mixed content warnings in your browser console:
- Use the "Better Search Replace" plugin again to find any remaining
http://references - Check your theme and plugin files for hardcoded HTTP URLs
- Consider using the "Really Simple SSL" plugin to automatically fix mixed content issues
White Screen After URL Change
If you encounter a white screen:
- Try accessing wp-admin directly with HTTPS
- Use the MySQL fix mentioned earlier
- Verify file permissions and ownership
Certificate Renewal Issues
If automatic renewal fails:
- Test the renewal process manually:
sudo certbot renew --dry-run - Check logs:
sudo journalctl -xe - Ensure the Cloudflare API credentials are correct (for wildcard certificates)
Conclusion
Congratulations! Your WordPress site is now fully secured with HTTPS. This improves your site's security, SEO ranking, and user trust. Remember to:
- Monitor certificate expiration (though automatic renewal should handle this)
- Keep an eye on mixed content warnings when adding new content
- Consider additional security measures like HTTP Strict Transport Security (HSTS)
With SSL properly configured, your WordPress site is now more secure and ready for the modern web!