Changing a WordPress Site from HTTP to HTTPS

I have had to move two WordPress sites from HTTP to HTTPS (  and and both times I ran into the same problem – the site going into an infinite redirect.  There was a key piece that was missed and not well documented so I figured I would put those steps down here and hopefully not only help myself in the future, but others as well.

WARNING: Before doing ANY OF THIS completely back up the website and database.

Update URLs in admin control panel

Go into the sites Admin Control Panel and go to Settings -> General there you will see these two fields that need to be updated to the new URL.  Here instead of having http – you would put https.

Change Website URL iin WordPress


Update URLs through the database

If you prefer to make the changes through the database  you can go into the options table and manually change the siteurl column and the home column.  This also comes in handy if you lose access to the Admin Control Panel and need to change the URLs back.

The Infinite Redirects

Once these changes were made, the website would not load and went into a infinite redirect. As it turns out  it isn’t as simple to change a WordPress website from HTTP to HTTPS  by merely changing the URLs.

Add elements to WP-Config

I needed to add the following to the wp-config file…

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') $_SERVER['HTTPS']='on';

define('FORCE_SSL_ADMIN', true);

They must be placed ABOVE require_once(ABSPATH.’wp-settings.php’);

NOTE: I updated the formatting of the above code because WP automatically was changing the quote marks to slanted quotes and I didn’t realize it. 

For more information –
WordPress – Administration Over SSL

StackExchange – SSL Breaks WordPress CSS

StackExchange - WordPress wp-admin https redirect loop


At this point, while it was no longer getting the  infinite redirect, f I put in http – it did not automatically redirect to https.  Most of the recommendations I saw online to fix this issue involed modifications to the .htaccess file. However every one of the recommendations I tried caused an infinite redirect issue when using http.  I then discovered this… “Cloudflare Support - How do I redirect all visitors to HTTPS/SSL?” It seems that since my site is utilizing Cloudflare a setting within Cloudflare itself has to be set – “Always use HTTPS”

After this fix my site was using HTTPS 100% of the time without any infinite redirect issues.  Only one problem, the URL bar on Chrome was still indicating that my site was only partially secure and that there were still some items that were insecure.  I fixed this by setting the “Automatic HTTPS Rewrites” setting to “On”.


Finally I had a fully secure website…

Secure Connection Indicator

URL Cleanup

Now I discovered by using the Chrome developer tools that I had absolute links that still had http://  Even though the Cloudflare flag “fixed” this – I wanted to eliminate as many redirects and the rewriting of the URLs as possible,  The Cloudflare setting should only be for a fallback in case there are any links you are unable to change.  There is a plugin I found that will search for and update the URLs.  It worked perfectly for me.

Velvet Blues Update URLs

Posted in Security, Wordpress and tagged .
Notify of

Inline Feedbacks
View all comments