How to Force HTTPS in WordPress: Secure Every Page, Image, and Redirect in 2026

Written by: Abigail Ivy
Published on:

How to Force HTTPS in WordPress

Learning how to force HTTPS in WordPress is one of the most important steps you can take after installing an SSL/TLS certificate.

It protects logins, improves trust, and helps ensure browsers and search engines treat every page as secure.

The basic change is simple, but the real value comes from making sure WordPress, your server, and all site assets consistently load over HTTPS without errors or mixed content warnings.

Why HTTPS matters for WordPress sites

HTTPS encrypts traffic between a visitor’s browser and your server using SSL/TLS.

For WordPress sites, that means login credentials, form submissions, and checkout data are far less exposed to interception.

  • User trust: Browsers display the padlock icon and security indicators.
  • SEO compatibility: Google uses HTTPS as a ranking signal.
  • Data integrity: Encryption reduces the risk of tampering in transit.
  • Modern browser support: Many browser features require secure origins.

If your site still serves some pages over HTTP, you can create redirect conflicts, duplicate URL versions, and mixed content issues that weaken both security and performance.

Before you force HTTPS in WordPress

Before changing redirects or settings, confirm that your SSL certificate is active and valid.

Most hosts provide free certificates through Let’s Encrypt, but the certificate must be installed correctly and cover your domain and preferred version, such as www or non-www.

Check these items first:

  • Your certificate is issued and not expired.
  • Both https://example.com and https://www.example.com resolve correctly, if applicable.
  • Your hosting provider supports automatic renewal.
  • You have a backup of your site and database.

It is also wise to clear any caching layer, including a CDN like Cloudflare, after making changes so old HTTP URLs do not linger in cache.

Set WordPress Address and Site Address to HTTPS

The first WordPress-level step is updating the site URLs.

In the WordPress dashboard, go to Settings > General and change both WordPress Address (URL) and Site Address (URL) from http:// to https://.

This tells WordPress to generate secure links for core pages and admin areas.

If you cannot access the dashboard, you can set the values in wp-config.php by defining the site URLs directly.

define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');

Use the correct domain format for your installation.

If your site uses www, keep it consistent across both values.

How to force HTTPS in WordPress with redirects

Changing WordPress settings is not enough on its own.

To fully force HTTPS in WordPress, you need a server-level redirect that sends every HTTP request to the secure version.

Apache redirect with .htaccess

On Apache servers, add a redirect rule to your .htaccess file near the top, before WordPress rewrite rules.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This performs a permanent 301 redirect from HTTP to HTTPS.

A 301 redirect helps search engines consolidate ranking signals to the secure URL.

Nginx redirect

On Nginx, the redirect usually belongs in your server block configuration.

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

After editing Nginx config, reload the server to apply the change.

If your site uses a reverse proxy or load balancer, make sure it forwards the original protocol correctly so WordPress detects HTTPS without loops.

Cloudflare and CDN redirects

If you use Cloudflare, check the SSL/TLS mode.

Full or Full (strict) is generally recommended when the origin server has a valid certificate.

You can also enable Always Use HTTPS to redirect visitors at the edge.

Be careful not to create duplicate redirects at the host, CDN, and plugin level.

Multiple redirects can slow page loads and complicate debugging.

Fix mixed content after forcing HTTPS

Mixed content happens when the page loads over HTTPS but includes images, scripts, stylesheets, fonts, or iframe content still requested over HTTP.

Browsers may block some of these resources or mark the page as insecure.

Common mixed content sources in WordPress include:

  • Hardcoded image URLs in posts or page builders
  • Theme files referencing HTTP assets
  • JavaScript or CSS loaded from old URLs
  • Embedded media from external sources
  • Database entries created before the SSL migration

To fix this, search your content and database for old HTTP references and replace them with HTTPS.

Popular migration tools and plugins can help with search-and-replace tasks, but use them carefully and always back up first.

Also inspect custom theme files, widgets, menus, and Elementor, WPBakery, or Gutenberg blocks that may contain absolute URLs.

Relative URLs can reduce this problem, but existing absolute URLs still need cleanup.

WordPress plugins that can help

Several plugins can simplify parts of the migration, especially if you are not comfortable editing server configuration or database entries.

  • Really Simple SSL: Detects SSL setup and helps force HTTPS across WordPress.
  • Better Search Replace: Updates old HTTP URLs in the database.
  • Redirection: Useful for managing URL rules if you need additional control.

Plugins are helpful, but they should support your server configuration rather than replace it.

A proper 301 redirect at the web server or CDN level is still the most reliable foundation.

How to verify HTTPS is working correctly

After making changes, test the site from multiple angles.

Open the homepage and several internal pages directly with http:// to confirm they redirect to https://.

Then check for these signals:

  • The browser address bar shows HTTPS and no warning icons.
  • Internal links point to HTTPS URLs.
  • Images, CSS, and JavaScript load securely.
  • Login and checkout pages use secure connections.
  • Search Console and analytics report the HTTPS property, if configured.

You can also use browser developer tools to inspect the Console and Network tabs for blocked mixed content or redirect errors.

If pages are still loading over HTTP, revisit your theme, plugin settings, and database.

SEO and analytics considerations after the switch

When you move a WordPress site to HTTPS, update your SEO infrastructure so search engines and analytics tools reflect the secure version.

Add the HTTPS property to Google Search Console, confirm your XML sitemap uses HTTPS, and update canonical tags if needed.

Review these places carefully:

  • Google Analytics or other analytics property settings
  • Search Console property and sitemap submissions
  • Canonical URLs generated by SEO plugins like Yoast SEO or Rank Math
  • Open Graph and social share metadata
  • CDN and cache purge rules

If your site uses external integrations, such as payment gateways, membership systems, or CRM forms, verify they accept the HTTPS domain without breaking callbacks or webhook endpoints.

Common problems when forcing HTTPS

Most HTTPS migration issues come from inconsistency.

The site may redirect correctly but still load some assets from the old protocol, or WordPress may generate secure admin URLs while the front end remains partially mixed.

Watch for these common problems:

  • Redirect loops: Often caused by conflicting rules at the host, proxy, or plugin level.
  • Mixed content warnings: Usually caused by hardcoded old links in content or theme files.
  • Wrong canonical URLs: Can confuse search engines if SEO settings were not updated.
  • Broken images or fonts: May indicate cached HTTP references or blocked third-party resources.
  • Login issues: Sometimes related to cookie domain settings or reverse proxy detection.

Resolving these issues usually requires checking the redirect path, clearing caches, and replacing any remaining HTTP references in the database or file system.

Best practices for a clean HTTPS migration

A clean migration is easier when you treat HTTPS as a sitewide standard, not just a visual padlock.

Use one preferred host version, keep certificates renewed automatically, and audit your content for insecure hardcoded URLs.

For long-term stability, follow these practices:

  • Use a 301 redirect from every HTTP URL to its HTTPS equivalent.
  • Keep your WordPress core, theme, and plugins updated.
  • Run periodic scans for mixed content after design changes.
  • Configure your CDN, caching plugin, and server to respect HTTPS.
  • Document your domain and redirect rules for future maintenance.

Once the migration is complete, new posts, images, and integrations should all be created with HTTPS from the start, reducing technical debt and keeping your WordPress environment secure.