7 Steps to Move Your WordPress Blog From HTTP to HTTPS Without Losing Rankings

To move or not to move - that is the question!

And it seems you have finally decided to take the plunge and move your wordpress site from HTTP to HTTPS.

Since a couple of years, Google has been pushing webmasters to choose HTTPS (HTTP Secure) over HTTP to the extent of labeling HTTP sites as insecure in their Chrome browser.

As it seems, this push is only going to get stronger as SSL gets cheaper and with the emergence of services like LetsEncrypt.org that offer free SSL.

How is HTTPS different from HTTP

Before proceeding, let's have a quick look at how HTTPS is different from HTTP.

HTTPS: Data exchanged between the server and the client is encrypted. Hence this data cannot be read or altered in any way. Example, if Facebook did not use HTTPS, anyone could read the 'username' and 'password' when a user logs in.

HTTP: - There is no encryption. Hence the data can be sniffed (read) and there is a possibility that the data can also be altered. Example, an ISP could inject their ads into any website that uses a HTTP connection.

Generally speaking, HTTPS is required for any website that wants your credit card information or a website that needs you to login to access their service.

But how is it helpful for an informational/personal blog? An informational/personal blog does not need you to login, neither does it ask for your credit card or paypal details.

So does such a website also need HTTPS? Yes and No. HTTPS is certainly not a requirement for such blogs, but it does have some apparent advantages.

Let's see what they are.

How does HTTPS help you as a wordpress user?

Here are few advantages of HTTPS for bloggers:

1.) Your wordpress login page is secured. When you enter your wordpress username and password, it will be sent via an encrypted channel and hence cannot be looked at by anyone.

2.) It blocks tampering of your website data by third parties.

3.) It can give you a minor ranking boost from Google.

4.) Chrome and other browsers will display a 'secure website' message or icon in the browser window will makes you site look like a trusted source as opposed to the 'Not Secure' message which is displayed when the site is running on HTTP.

So as you can see, HTTPS does have its fair share of benefits for everyone.

Will I lose my organic rankings in Google if I make the switch to HTTPS?

No, you will not lose any of your organic rankings as long as you redirect the site properly, add canonical tags and inform Google of your move.

In-fact, there is a possibility that you might see a minor boost.

Also, your site's backlinks will still pass on the same link value so you need not bother about asking websites to update them for you.

Do I need a dedicated IP Address?

For the most part, you do not need a dedicated IP. This is because, all the modern browsers support SNI (Server Name Indication) that can load your HTTPS site on a shared IP without any issue.

The issue happens with older internet explorer browsers (older than internet explorer 7) that do not support SNI (Server Name Indication). In these browsers, the user will get a warning message that the certificate is unverified, and will need to click okay to enter.

But this shouldn't be much of a concern as the major will not be using these browsers.

7 Steps to properly move your site from HTTP to HTTPS

Here are 7 steps to move your wordpress blog from HTTP to HTTPS so you retain your organic rankings plus get an additional boost in your rankings.

Step 1: Check to see if HTTPS is working

The first step of-course is to install the SSL certificate.

If your host supports 'Cpanel AutoSSL' or LetsEncrypt.org, your free SSL certificate will automatically be installed.

This means, you will be able to access your website using HTTP (http://sitename.com) as well as HTTPS (https://sitename.com).

Check to see if your HTTPS version is loading properly.

Step 2: Add HTTPS version in Google search console

Login to 'Google search console' and verify the 'HTTPS' version of your site.

To do this, click on 'Add a Property', enter the HTTPS version of your website (https://sitename.com) and click 'Add'. You will be taken to the verification page.

If you have already verified the HTTP version of your site, then all you need to do is click the 'Verify' button. This will auto verify your HTTPS version. You need not do anything else.

It's a good practice to verify all versions of your site including the 'www' and 'non-www' versions. So if you have not done so, verify all the four versions:


You might also want to set a preferred version - WWW or NON-WWW. To do this, click on any one of your properties, then click the 'gear icon' on the 'top right' of the screen and select 'Site Settings'. Now select your preferred version by clicking on the respective radio box.

After adding all your website versions, you might also want to create a set. You can do that by clicking on the 'Create a set' button next to the 'Add a property' button. Add all your four versions in the set.

Step 3: Change website version to HTTPS in wordpress general settings

Login to your wordpress dashboard, and go to 'Settings > General' from the left panel.

On the general settings page, change the 'Website Address' and 'Site Address' from HTTP to HTTPS. Scroll down and click on 'Save Changes'.

Once you save changes, you will be logged out. You can log back in to check if changes have taken effect.

Step 4: Add a HTTP to HTTPS redirection rule (directive) to your HTAccess file

You now need your server to redirect all your HTTP URLS automatically to HTTPS URLS.

To do this, edit your .htaccess file with the following code:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://sitename.com/$1 [R=301,L]

Make sure to replace, sitename.com, with your domain name.

The above code will work if your site uses the NON-WWW version (Eg: http://sitename.com )

If your site uses the WWW version (Eg: http://www.sitename.com), then use the following code instead:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.sitename.com/$1 [R=301,L]

Make sure to add this code above the wordpress code.

Once added, check to see if all pages on your website are redirecting properly. You might also want to check your server headers to see if the redirection is clean.

Here's a good tool to check your server headers: http://tools.seobook.com/server-header-checker/

To use the tool, simply paste the HTTP version of a URL in the 'Enter URL' section and click 'Check Headers'. The tool will show you exactly how your server is redirecting the URL to HTTPS.

You need to get a single 301 redirection and then a 200 OK response from the server.

Step 5: Change internal links to HTTPS using search and replace plugin

It is a good practice to change all your internal links and image/media sources to HTTPS.


<img src="http://sitename.com">


<img src="https://sitename.com">

If your image sources are not HTTPS, some browsers will display the 'Connection is not secure' message in the browser window.

Below is an example of Firefox displaying this message:

Chrome displays the following message:

You can easily achieve this using the 'Better search replace plugin'.

Here are the steps to achieve this:

1.) Install and activate the plugin.

2.) Enter your HTTP domain name in the 'Search' field. Eg: http://sitename.com

3.) Enter the HTTPS domain name in the 'Replace' field. Eg: https://sitename.com

4.) Select the 'Posts' table in the 'Select Tables' section.

5.) Un-check the 'Run as dry run' box. (You can run the first test with this box checked to see if everything is working properly. Uncheck it if you want the changes to take effect.)

6.) Click 'Run Search/Replace' button.

Step 6: Check and remove insecure elements from your pages

You will need make sure that all your Javascript liberaries, external font references, and CSS are loading from HTTPS and not HTTP.

If your pages still contain insecure elements, like a script that uses HTTP or a CSS reference that links to the CSS file using HTTP, Chrome and Firefox will block these elements from loading.

Chrome displays an 'unauthorized sources' icon as shown in the image below:

Firefox displays a message when you information click on the icon in the browser window.

If your page has insecure elements, you can spot the scripts/files that are causing this error by going to the 'Developer console'.

In both Firefox and Chrome, you can reach the 'developer console' by right clicking on the page and selecting 'Inspect Element'. Or you can also reach the 'developer console' by clicking the menu (represented by three lines in Firefox and three vertical dots in Chrome located on the top right of the browsers)

In Chrome, select 'More Tools > Developer Tools' and in Firefox, select Developer.

Once the developer tools menu opens, click on 'Console' to see the problem scripts.

Here's how it looks like in Firefox:

Once you identify the problem scripts, you can change them from HTTP to HTTPS and your error will not appear again.

Step 7: Make a few other checks

Here is a list of a few other minor checks that you need to make to ensure everything is working fine:

  • Check your website in Firefox, Chrome and IE to make sure the HTTPS version is loading fine.
  • Check your widgets and menus to see if you have HTTP links and change them to HTTPS.
  • Change favicon URL (if you hav one) to HTTPS.
  • Check your robots.txt file to see if you have a sitemap added. Change the sitemap link to HTTPS.
  • Check your header and footer links to make sure they are HTTPS, if not make required changes in your theme.
  • Check your site's canonical tags to see if they use the HTTPS version. You can check your site's canonical tags by viewing to the HTML source (CTRL + U) of anyone of your post page and the front-page.
  • Check to see if image sources for your website logo and other site icons are HTTPS.
  • Check the HTML source of your homepage and a few other internal pages to make sure all internal links are HTTPS.

Step 8: Change your setting to HTTPS in Google Analytics (Optional)

If you use Google analytics to track your website traffic, you will need to change your account from HTTP to HTTPS.

To do this, go to your Admin panel and click on 'Property settings' under the 'Property' menu. Now change the default URL to 'HTTPS' and click save.

You will need to do the same for 'View settings' located under the 'View' menu. Change the URL to 'HTTPS' here too.

Step 9: Change OG:URL to HTTP to retain Facebook likes/share count (Optional)

You will notice that once you have shifted your site to HTTPS, all your Facebook like/share counts have gone back to zero. To retain your Facebook like/share count, you will need to change your OG:URL meta tag to reflect the older HTTP URL.

Here's a complete tutorial on how you can this: https://orbitingweb.com/blog/http-to-https-retain-facebook-likes/

If you have any further queries, feel free to leave a comment.



  1. Andy Globe says:

    Hello, I went into settings and changes http to https and now I am locked out of wordpress completely. Do you have a solution to this as it is a clients website and I am concerned I have lost everything completely. Nick

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.