high risk

How to Force HTTPS (SSL) on WordPress

Without HTTPS, logins and form data travel in plain text and browsers flag your site as "Not Secure." A free certificate plus a redirect fixes it in minutes.

  1. 1

    Install an SSL certificate

    Most hosts offer free Let's Encrypt certificates in the control panel. Enable it for your domain (and www) first.

  2. 2

    Set your site URL to https://

    In Settings → General, update both WordPress Address and Site Address to use https://. For hard-coded values, set them in wp-config.php.

  3. 3

    Redirect all HTTP traffic

    Force HTTPS at the server so old links upgrade automatically:

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  4. 4

    Fix mixed content

    Update any http:// image/script URLs in your content and database to https:// so the padlock shows on every page, then add the HSTS header.

Related concept: SSL/TLS Certificate

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides