WordPress SSL and HTTPS: How to Install, Force, and Fix Mixed Content Issues
HTTPS is a ranking signal, a browser trust indicator, and a basic security requirement. Here is the complete setup — from certificate installation to mixed content fixes.
Simple Automation Solutions
HTTPS is no longer optional for WordPress sites — it is a Google ranking signal, a browser trust indicator, and a basic security requirement. Setting it up is straightforward on modern hosting, but the details matter: mixed content, redirect loops, and certificate renewal are the most common issues that leave sites partially or incorrectly secured.
Why HTTPS matters for WordPress sites
| Factor | HTTP | HTTPS |
|---|---|---|
| Data encryption | None — data transmitted in plain text | Encrypted — intercepted data is unreadable |
| Browser indicator | ‘Not Secure’ warning in address bar | Padlock icon — visible trust signal |
| Google ranking | Minor negative factor | Confirmed positive ranking signal since 2014 |
| Password submission | Passwords visible on the network | Encrypted in transit |
| Cookie security | Cookies readable in transit | Cookies can be set as Secure and HttpOnly |
| Form submissions | Contact form data unencrypted | Form data encrypted in transit |
Step 1 — Install an SSL certificate
An SSL certificate is the technical credential that enables HTTPS. Most modern hosting providers install SSL automatically:
Step 2 — Force HTTPS in WordPress
After installing an SSL certificate, ensure all traffic is redirected from HTTP to HTTPS:
Install and activate Really Simple SSL. The plugin automatically detects your SSL certificate, updates your WordPress URL settings to HTTPS, and adds .htaccess redirect rules. This is the simplest approach for most WordPress sites.
Go to Settings › General. Change both the WordPress Address and Site Address fields from http:// to https://. Then add the .htaccess redirect rule manually.
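Add these lines to your .htaccess file above the WordPress block:

```apache
RewriteEngine On
# Redirect only requests that did not arrive over TLS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

If a CDN or proxy terminates TLS and talks to your server over plain HTTP, %{HTTPS} is always off at the origin and this rule redirects forever. That is the redirect-loop case listed under common problems below.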
In Cloudflare, create a Page Rule for http://*yourdomain.com/* with the setting Always Use HTTPS. This redirects at the CDN level before the request reaches your server.
Step 3 — Fix mixed content warnings
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Browsers block or warn about mixed content, and it prevents the padlock from appearing in the address bar.
- Open Chrome DevTools (F12), go to the Console tab, and look for ‘Mixed Content’ warnings. These identify the specific HTTP resources causing the issue.
- The most common source of mixed content: hardcoded http:// URLs in the WordPress database (post content, widget settings, theme options).
- Use the Better Search Replace plugin to replace all instances of ‘http://yourdomain.com’ with ‘https://yourdomain.com’ in your WordPress database. Do a dry run first before applying.
- For mixed content from external resources (third-party scripts, images from other domains loaded over HTTP), contact the resource provider or replace with an HTTPS-serving alternative.
- Use the SSL Insecure Content Fixer plugin for automatic mixed content detection and fixing.
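The check that DevTools performs can also be run over exported post content before you touch the database. The following is an added example, not code from any of the plugins named above; the sample HTML, the host names and the function name `scan` are constructed for illustration. It separates active content (which browsers block) from passive content, and your own host (fixable with a database search and replace) from external hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that fetch a subresource, and the attribute holding its URL.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}    # blocked by browsers
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over http://."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (tag, url, "active"|"passive", "own"|"external")

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr is None:
            return  # <a href> is navigation, not mixed content
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical and similar links load nothing
        url = (attrs.get(attr) or "").strip()
        parts = urlsplit(url)
        if parts.scheme != "http":
            return  # https://, protocol-relative and relative URLs are fine
        severity = "active" if tag in ACTIVE else "passive"
        # Exact host match; treat www. variants as "own" if your site uses both.
        origin = "own" if parts.hostname == self.site_host else "external"
        self.findings.append((tag, url, severity, origin))

def scan(html, site_host):
    scanner = MixedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample post content (not taken from a real site).
SAMPLE_POST = """
<p>Read <a href="http://yourdomain.com/about/">about us</a>.</p>
<img src="http://yourdomain.com/wp-content/uploads/logo.png" alt="">
<script src="http://cdn.example.net/widget.js"></script>
<link rel="stylesheet" href="https://yourdomain.com/style.css">
<link rel="canonical" href="http://yourdomain.com/post/">
<img src="//images.example.org/banner.jpg">
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_POST, "yourdomain.com"):
        print(finding)
```

Findings marked "own" are the ones a database search and replace fixes; "external" ones need an HTTPS source from the provider.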
Step 4 — Update Google Search Console and GA4
Search Console treats HTTP and HTTPS as separate properties. Go to Search Console and add your https:// site as a new property. Verify ownership. Submit your XML sitemap from the new HTTPS property.
In the old HTTP property, use the Change of Address tool to indicate that the site has moved to HTTPS. This helps Google transfer ranking signals to the HTTPS version.
In GA4, go to Admin › Data Streams › your web stream. Verify the URL begins with https://. If it shows http://, update it.
If you have links to your site on social media profiles, directory listings, partner sites, or email signatures using http://, update them to https://. While 301 redirects pass most SEO equity, direct HTTPS links are cleaner.
Common HTTPS problems and fixes
| Problem | Symptom | Fix |
|---|---|---|
| Redirect loop | Site shows ERR_TOO_MANY_REDIRECTS | Check Cloudflare SSL/TLS mode — set to Full (Strict), not Flexible |
| Mixed content | Padlock broken or absent | Use Better Search Replace to update DB URLs; check Console for specific resources |
| Certificate expired | Browser shows security warning | Renew via your host dashboard or run Certbot renew via command line |
| HSTS errors | Browser blocks access to HTTP version | HSTS is working correctly — this is expected behaviour. Clear browser cache. |
| Old backlinks still use HTTP | 301 redirects work but equity diluted | Update high-authority backlinks to use HTTPS directly where possible |
HSTS — the advanced HTTPS enforcement
HTTP Strict Transport Security (HSTS) is a browser security header that tells browsers to only ever access your site over HTTPS, even if someone types http://. Once a browser has seen the HSTS header, it will refuse HTTP connections to your site for the specified duration (max-age).
HSTS is very difficult to undo — browsers cache HSTS instructions and refuse HTTP connections until the max-age expires. Only add the HSTS header after HTTPS is fully configured and you are confident you will not need to revert to HTTP. Add it via the Really Simple SSL plugin’s Headers tab or your .htaccess file.
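Before committing to a long max-age, it helps to read back exactly what your header promises. This added example (not part of Really Simple SSL or any other tool named here) parses a Strict-Transport-Security value using the directive syntax of RFC 6797; the sample header values and the 30-day `rollout_floor` threshold are assumptions chosen for illustration.

```python
def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value.strip().strip('"')   # value may be quoted
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess(header_value, rollout_floor=86400 * 30):
    """Return (lock_in_days, warnings). rollout_floor is an assumed threshold."""
    policy = parse_hsts(header_value)
    warnings = []
    if policy["max_age"] == 0:
        # RFC 6797: max-age=0 makes the browser delete its cached policy.
        warnings.append("max-age=0: browsers drop the cached policy")
    elif policy["max_age"] >= rollout_floor:
        warnings.append("long max-age: returning visitors cannot use HTTP until it expires")
    if policy["include_subdomains"]:
        warnings.append("includeSubDomains: every subdomain must already serve valid HTTPS")
    return policy["max_age"] / 86400, warnings

# Constructed header values: a short trial, a long-lived policy, a removal.
SAMPLES = [
    "max-age=300",
    "max-age=31536000; includeSubDomains",
    'max-age="0"',
]

if __name__ == "__main__":
    for value in SAMPLES:
        days, warnings = assess(value)
        print(f"{value!r}: {days:.2f} days", warnings)
```

Starting with a short max-age such as the 300-second sample and raising it once nothing breaks keeps the lock-in period small while you verify the setup.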
Frequently asked questions
Does HTTPS significantly improve Google rankings?
HTTPS is a confirmed but minor Google ranking signal. Google has described it as a ‘tiebreaker’ — sites with equivalent content and authority will rank the HTTPS version higher than the HTTP version. The direct ranking impact is small compared to content quality, backlinks, and page speed. The indirect impact is larger: HTTPS prevents the ‘Not Secure’ browser warning that reduces click-through rates and erodes visitor trust, particularly on contact forms and checkout pages.
How do I know if my WordPress SSL certificate is working correctly?
Use the Qualys SSL Labs Server Test (ssllabs.com/ssltest/) — enter your domain and run the test. A grade of A or A+ means your SSL is correctly configured. The test also shows certificate details, expiry date, and any configuration issues. For a quick check, look at your browser address bar — a padlock icon without any ‘Not Secure’ warning indicates a valid certificate. Click the padlock to see certificate details including expiry date.
Can I switch from HTTPS back to HTTP?
Technically yes, but practically extremely problematic. If you have HSTS headers in place, browsers will refuse HTTP connections until the max-age expires (potentially years). You would need to revoke your SSL certificate, remove HTTPS redirects, and wait for HSTS cache to expire across your visitor base. Google would also treat the move from HTTPS to HTTP as a significant site change requiring reindexing. There is virtually no legitimate reason to move from HTTPS to HTTP — if you are experiencing issues, fix the HTTPS configuration rather than reverting.
Simple Automation Solutions is a global digital product studio specialising in WordPress and Bubble.io. We serve founders, startups, and businesses worldwide — delivering production-ready websites built to rank, convert, and scale.
