WordPress: Settings -> General Settings

Adding SSL to your web site

Changing the site from http til https.

It is important to shift a web site from http to https. As a site can get punished by Google for for using http.

Here is the process I usually follow when I make a site secure.
1. I go to the web host documentation to find instructions. If needed I will contact the web host support.

2. Login to the WordPress site. In the backend go to Settings -> General
and change the WordPress Address (URL) and the Site Address (URL) from https:// to https:// .
After the changing a site from http to https one needs to login to the site again. Be sure to clear the cache (A hard refresh CTRL/CMD+Shift+R.)

WordPress: Settings -> General Settings
WordPress: Settings -> General Settings

3. Install the plugin Better Search Replace.
Use it to locate the leftovers of http. Search for http and replace it with https.
Select all the tables listed. Do a dry run first then uncheck the dry run to make the adjustment.

4. If the web site is still not secure. It might still contain mixed content.
Then check the site at Why No Padlock or for even more details at SSL Server Test.

Case examples of changing http to https.

The site I tested used the plugin Smush – Lazy Load Images, Optimize & Compress Images to make images smaller. 3 images were still missing the https. I deactivated Smush and used Better Search and Replace to see if the 3 images could be found. They were found and I adjusted the http to https using the Better Search and Replace plugin. I checked the front-end and now finally noticed the green padlock.

There were some fonts that I had a hard time adjusting over to use https. I had to dig into the theme’s CSS files (style.css) and make a search for http. The fonts were located and I changed them over to https://

Some theme settings add images by using http. I went into the theme settings and removed the images and added these back again. This time https had been automatically added. Do also check the customizer if needed and remove and add the images back again and see if that helps.

The site Why No Padlock should give some hints to what has not been converted over to use https. Or test out ssllabs.com/ssltest/.


Another example case. A WordPress multisite.
When checking the site at whynopadlock.com the Force HTTPS was still not secure.
I had to login to the web host and open cPanel. Go to Domains and there I noticed a column with toggles to Force HTTPS Redirect. I toggled it on. I retested but it was still not secure.
I moved on to adding the following fix by adding this code into the top of the htaccess file located inside the multisite directory/folder.

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I retested at whynopadlock and noticed that Force HTTPS was now secure.
NB! Add the code outside of any plugin block code. Example I had added the code into the iThemes Security Pro plugin code block area. The code was removed, so I had to add the above code again outside of the Ithemes Security code area.

Using the browser developer tools

Another way to figure out what is not secure is to use the browser developer tools. Right click anywhere on the front-end and select Inspect in the drop down.
Notice any errors that might show up. Click the errors and see if they are related to any links. The link URL location will likely be seen. Most often these might be font related. The errors can hopefully be adjusted through Appearance -> Theme Editor in the style.css or the functions.php files or in another file. If you are making changes to a parent theme, then you might need to go back and adjust the http to https when updating the theme.




Leave a Reply

Your email address will not be published. Required fields are marked *