After installing an SSL certificate, you need to ensure all HTTP traffic is redirected to HTTPS. Without proper redirects, your site may be accessible on both HTTP and HTTPS, causing duplicate content issues and security gaps.
Step 1: Update WordPress URLs
Go to Settings → General and change both URLs to HTTPS:
- WordPress Address (URL): https://example.com
- Site Address (URL): https://example.com
Step 2: Add Server-Level Redirect
Apache (.htaccess)
Add this at the top of your .htaccess file, before the WordPress rewrite rules:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Nginx
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
Step 3: Force HTTPS in wp-config.php
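// Place these lines above the line that loads wp-settings.php.
define('FORCE_SSL_ADMIN', true);
// If behind a reverse proxy or load balancer that terminates TLS.
// Only trust X-Forwarded-Proto when the proxy sets or overwrites it itself;
// otherwise a client can send the header and make WordPress treat plain HTTP as HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}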
Step 4: Fix Database URLs
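Replace all HTTP URLs in the database with WP-CLI. Back up the database first; appending --dry-run to the command previews the replacements without writing them: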
wp search-replace 'http://example.com' 'https://example.com' --all-tables
Step 5: Add HSTS Header
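After confirming HTTPS works, add the HSTS header to prevent future HTTP connections. The line below is Apache syntax and requires mod_headers. Browsers remember the policy for the full max-age (one year here), and includeSubDomains applies it to every subdomain, so each subdomain must already serve HTTPS: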
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Verify with InspectWP
Run an InspectWP scan to confirm your site uses HTTPS, has a valid SSL certificate, and doesn't have mixed content warnings.
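
A command-line check of the redirect from Step 2 and the HSTS header from Step 5, as an added example that is not part of the original article. The function names are hypothetical and the sample responses are constructed; on a live site the input comes from `curl -sI`.

```sh
#!/bin/sh
# Added example: checks response headers as printed by `curl -sI`.
# Function names are hypothetical, not part of any tool named in the article.

# header_value NAME: print the value of header NAME (case-insensitive) from stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        BEGIN { name = tolower(name) ":" }
        tolower(substr($0, 1, length(name))) == name {
            sub(/^[^:]*:[ \t]*/, ""); print; exit
        }'
}

# check_redirect HOST: stdin is the response to a plain-HTTP request.
# Passes only for a 301 whose Location is an https:// URL on HOST itself.
check_redirect() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | head -n 1 | tr -d '\r' | awk '{print $2}')
    loc=$(printf '%s\n' "$resp" | header_value Location)
    [ "$status" = "301" ] || { echo "FAIL: status '$status', expected 301"; return 1; }
    case "$loc" in
        "https://$1"|"https://$1/"*) echo "OK: 301 -> $loc" ;;
        *) echo "FAIL: Location '$loc' is not on https://$1"; return 1 ;;
    esac
}

# check_hsts [MIN_AGE]: stdin is the response to an HTTPS request.
# MIN_AGE defaults to the max-age used in Step 5 (31536000 seconds).
check_hsts() {
    min=${1:-31536000}
    hsts=$(header_value Strict-Transport-Security)
    [ -n "$hsts" ] || { echo "FAIL: no Strict-Transport-Security header"; return 1; }
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*[Mm][Aa][Xx]-[Aa][Gg][Ee]=\([0-9][0-9]*\).*/\1/p')
    { [ -n "$age" ] && [ "$age" -ge "$min" ]; } || { echo "FAIL: max-age '$age' below $min"; return 1; }
    echo "OK: HSTS max-age=$age"
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://example.com/wp-login.php'
SAMPLE_HTTPS='HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains'
printf '%s\n' "$SAMPLE_HTTP" | check_redirect example.com
printf '%s\n' "$SAMPLE_HTTPS" | check_hsts

# Against a live site (needs network access):
#   curl -sI http://example.com/  | check_redirect example.com
#   curl -sI https://example.com/ | check_hsts
```

A 302, a Location that stays on http://, or a Location on a different host all fail check_redirect, which catches a redirect that exists but does not land on the HTTPS site.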