Force HTTPS on your WordPress site (free SSL included)

Every hosting plan with us includes a free Let’s Encrypt SSL certificate, auto-issued and auto-renewed. That means HTTPS works the moment your DNS resolves. But WordPress doesn’t always use HTTPS by default — even when SSL is available. Here’s how to fix it.

Quick check first

Visit https://yourdomain.com.au/ (with the s). One of three things happens:

1. Site loads with a padlock — you’re sorted, but read on to make sure HTTP redirects to HTTPS
2. Site loads but shows “Not Secure” warnings — mixed content, see below
3. Browser shows “Connection not private” — SSL isn’t issued yet, contact us

Step 1: Update WordPress URLs

Log in to WordPress as admin. Go to Settings → General. Look at:

• WordPress Address (URL)
• Site Address (URL)

If either starts with http://, change to https://. Save.

Important: this only changes how WordPress generates new links. Existing content with hardcoded http:// URLs still loads insecurely. The next step fixes that.

Step 2: Update internal URLs in the database

The reliable way is a search-and-replace plugin. We recommend Better Search Replace (free, well-maintained):

1. Install Better Search Replace from the plugin directory
2. Tools → Better Search Replace
3. Search for: http://yourdomain.com.au
4. Replace with: https://yourdomain.com.au
5. Tick the dry-run box first to see what would change
6. Run for real once you’re happy

This updates content URLs, image embeds, and most theme settings. Some themes store settings in serialized arrays — Better Search Replace handles those correctly.

Step 3: Force the redirect at the server level

Add this to your .htaccess file (in the WordPress root) above the # BEGIN WordPress line:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

This redirects all HTTP requests to HTTPS at the web server level — faster and more reliable than a plugin doing it.

If you’re on a LiteSpeed-powered plan (Business or above), the same rule works because LiteSpeed reads .htaccess natively.

Step 4: Mixed content cleanup

Even with all the above, some content can still load insecurely — usually:

• Theme files that hardcode http:// for images or scripts
• Third-party widgets (older embed codes)
• CSS files referencing http:// background images

Open your site in Chrome, press F12 → Console. Reload. Any mixed content errors will be logged. Address them one at a time:

• Your own files: edit the theme/template to use protocol-relative // or explicit https://
• Third-party widgets: get the updated embed code from the vendor

Skip-the-manual-work option

If all the above sounds tedious, the plugin Really Simple SSL does steps 1–3 automatically. It’s reliable and used by millions of sites. The catch: it adds a small overhead to every request. For sites where you want every millisecond, the manual fix is better. For sites where “just work” is the priority, the plugin is fine.

Why this matters

• SEO: Google has used HTTPS as a ranking signal since 2014
• Trust: Browsers actively warn users about HTTP sites now (“Not Secure” label)
• Performance: HTTP/2 and HTTP/3 require HTTPS — you can’t get the speed benefits otherwise
• Payments: Anything touching payments must be HTTPS

If you get stuck, open a ticket with your domain and a screenshot of any error. We’ve fixed thousands of these.