Force HTTPS on Your Entire WordPress Site (Safely)
Having an SSL certificate isn't the same as using HTTPS everywhere. Redirect all traffic, secure admin, fix mixed content and enable HSTS—without locking yourself out.
Getting an SSL certificate is the easy part—most hosts hand you one for free now. What trips people up is that a certificate sitting on your server doesn’t mean your site actually uses it everywhere. I’ve seen plenty of sites with a valid certificate still flagged “Not Secure,” because half their pages and images loaded over plain HTTP. Forcing HTTPS is what closes that gap. Here’s how to do it completely—and how to do it without locking yourself out of your own site.
The essentials
- An SSL certificate enables HTTPS; it doesn’t force it—you still have to redirect and fix mixed content.
- Forcing HTTPS properly means four things: redirect HTTP→HTTPS, secure admin/login, fix mixed content, and optionally HSTS.
- The module is off by default with a warning, because forcing HTTPS without a valid certificate locks everyone—including you—out.
- HSTS is configurable (1-year max-age by default), with opt-in includeSubDomains and preload—the latter being semi-permanent, so handle with care.
- It also offers SSL certificate expiry monitoring, emailing you before your certificate lapses.
What does forcing HTTPS actually involve?
More than flipping the site URL in Settings. A complete switch needs four pieces:
1. Redirect all HTTP traffic to HTTPS. Every HTTP request should return a 301 permanent redirect to the HTTPS version of the same URL, telling browsers and search engines the move is permanent so your SEO transfers cleanly.
2. Secure admin and login. wp-admin and wp-login.php handle passwords and session cookies. If those load over HTTP, credentials can be intercepted—so they must be forced to HTTPS specifically, not just the front end.
3. Fix mixed content. A “mixed content” warning happens when an HTTPS page loads an image, script or stylesheet over HTTP. Browsers either warn or block the resource outright, breaking your layout. Every internal URL has to be HTTPS.
4. Send HSTS headers. HTTP Strict Transport Security tells the browser to always use HTTPS for your domain—so after the first visit it won’t even attempt an HTTP connection, closing the tiny window before your redirect fires.
Here’s what each piece fixes—and the trap that comes with it:
| Step | What it fixes | Watch out for |
|---|---|---|
| 301-redirect HTTP→HTTPS | Sends every visitor to the encrypted URL and transfers SEO cleanly | Never enable it without a working certificate—it locks everyone out, you included |
| Secure admin & login | Stops passwords and session cookies traveling over plain HTTP | Must be forced specifically, not just the front end |
| Fix mixed content | Clears the “Not Secure” flag when an HTTPS page pulls HTTP resources | Every internal resource URL has to be HTTPS |
| HSTS header | Makes the browser use HTTPS before it even sends the first request | preload is near-permanent—6–12 months to undo |
How do you force HTTPS in WordPress?
To force HTTPS, make sure a valid SSL certificate is installed, then enable a module that 301-redirects all HTTP to HTTPS, forces wp-admin and login over HTTPS, rewrites mixed-content URLs, and optionally sends an HSTS header. In Blaminhor Essentials, activate HTTPS Redirect, confirm your certificate loads cleanly, then switch the redirect on.
The module arrives switched off behind a warning on purpose—turning it on without a working certificate would redirect everyone to a page that can’t load. Once you’ve confirmed your certificate (see below), enable and configure:
- Automatic redirect — all HTTP traffic is 301-redirected to HTTPS.
- Admin and login — force HTTPS on
wp-adminandwp-login.php(on by default). - Mixed-content fix — optionally rewrite HTTP resource URLs in the page output to HTTPS.
- HSTS — enable the Strict-Transport-Security header with a configurable max-age (one year by default), plus opt-in
includeSubDomainsandpreload.
Off by default behind a clear warning—so you enable it deliberately, after your certificate is confirmed working.
Should you enable HSTS preload?
HSTS itself is a safe, worthwhile upgrade once your HTTPS is stable. Its preload option is different, and it’s the one setting here that can genuinely bite you. Submitting your domain to the browsers’ built-in preload list bakes “HTTPS only” into the browser itself—and removing it can take six to twelve months to propagate, during which you cannot serve anything over HTTP, on any subdomain, for any reason.
So enable plain HSTS freely, turn on includeSubDomains only once you’re certain every subdomain has HTTPS, and treat preload as a near-permanent commitment—not a checkbox to tick “for extra security.” The module keeps these as separate opt-ins precisely so you don’t switch on the irreversible one by accident.
The result
Every page, every resource, every request over an encrypted connection: browsers show the padlock, search engines favour the secure version, and your visitors’ data is protected in transit. Done once, correctly, it’s the kind of thing you never think about again—especially with an expiry alert quietly watching the certificate.
If forcing HTTPS is part of a bigger move, pair it with changing your WordPress domain safely and, for the login side of security, hiding your login page from bots.
HTTPS Redirect is one of the 20+ tools in Blaminhor Essentials—free and open-source on WordPress.org.
– blaminhor
FAQ
Why does my browser still say « Not Secure » with a valid certificate?
Because a certificate only enables HTTPS; it doesn't force it. If pages still load over HTTP, or an HTTPS page pulls in an image or script over HTTP (mixed content), browsers show « Not Secure ». You need to redirect all HTTP to HTTPS and make sure every internal resource uses HTTPS too.
Is it safe to force HTTPS on WordPress?
Yes—if a valid SSL certificate is already installed and working. If it isn't, forcing HTTPS redirects every visitor (including you) to a URL that won't load, locking you out. Always open your site with https:// manually first and confirm there are no certificate errors before enabling a redirect. Good modules ship disabled with a warning for exactly this reason.
Does forcing HTTPS help my Google ranking?
A little. Google has confirmed HTTPS is a lightweight ranking signal, and browsers now flag HTTP pages as insecure, which hurts trust and conversions far more than the ranking nudge itself. The bigger SEO win is the clean 301 redirect, which passes your existing authority to the HTTPS URLs without loss.
How do I find what's causing a mixed-content warning?
Open the page, then your browser's developer console (F12): mixed-content resources are listed there with their exact HTTP URLs. It's usually a hard-coded image, script or stylesheet. Fixing the source is cleanest, but a module that rewrites internal URLs to HTTPS on the fly catches the stragglers you'd otherwise miss.
Do I still need a plugin like Really Simple SSL?
Not if your toolkit already forces HTTPS. Really Simple SSL does one job—redirect and fix mixed content—which the HTTPS Redirect module covers alongside admin hardening, HSTS and certificate-expiry monitoring. Running both would only duplicate the redirect logic, so pick one and avoid stacking two SSL plugins against each other.
What is HSTS and should I enable it?
HSTS (HTTP Strict Transport Security) is a header telling browsers to always use HTTPS for your domain, even before the first request. It's a solid security upgrade once HTTPS is stable. Be cautious with its « preload » option, though—submitting to the browser preload list is hard to undo and can persist for months after you remove it.
Comments