Move WordPress from HTTP to HTTPS and Strengthen with WP Ghost HSTS
June 13, 2019
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
HTTPS is a prerequisite for WordPress security. Your site needs SSL before WP Ghost’s (formerly Hide My WP Ghost) HSTS security header can enforce it. This guide covers moving WordPress to HTTPS and then strengthening the connection with WP Ghost’s security headers.
Why HTTPS Matters for WordPress Security
HTTPS encrypts the connection between your visitors’ browsers and your server. Without it, login credentials, form submissions, and payment data are transmitted in plaintext. Every modern browser marks HTTP sites as “Not Secure.” Google uses HTTPS as a ranking signal. Payment processors like Stripe and PayPal require SSL. HTTPS is not optional for any WordPress site.
How to Move WordPress to HTTPS
Get an SSL Certificate
Most hosting providers include free SSL certificates (via Let’s Encrypt) with every plan. Check your hosting control panel for an “SSL/TLS” or “Security” section. If your host does not offer free SSL, you can purchase a certificate from your domain registrar or a dedicated SSL provider and ask your host to install it.
Update WordPress URLs to HTTPS
After your SSL certificate is active, go to Settings > General in your WordPress dashboard. Change both the WordPress Address (URL) and Site Address (URL) fields from http:// to https://. Click Save Changes. WordPress will log you out. Log back in using the new https URL.
Set Up HTTP to HTTPS Redirects
You need a 301 redirect so all HTTP traffic goes to HTTPS. The simplest approach is to use a plugin like Really Simple SSL, which handles the redirect and mixed content fixes automatically. WP Ghost is fully compatible with Really Simple SSL. After installing it, save its settings, then re-save WP Ghost settings to ensure the correct .htaccess rule order.
Alternatively, add this to your .htaccess file manually (Apache servers):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
For Nginx servers, add this server block to your configuration:
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}
Replace example.com with your own domain.
Fix Mixed Content Errors
After switching to HTTPS, some images, scripts, or stylesheets may still load over HTTP. This causes “mixed content” warnings and prevents the padlock icon from appearing. Use the browser DevTools Console (F12) to identify which resources still load over HTTP. Fix them by updating URLs in your database with a search-and-replace plugin (search for http://yourdomain.com, replace with https://yourdomain.com). Really Simple SSL handles most mixed content automatically.
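The following Python script is an added example, not part of this tutorial or of the WP Ghost plugin. It performs the same check the DevTools Console gives you, but offline and against the page source: it parses the HTML, lists every subresource (stylesheet, script, image, iframe, form action) that still points at http://, applies the same-domain search-and-replace described above, and scans again. The sample HTML, the domain example.com and the third-party hosts are constructed for the demonstration.

```python
"""Offline mixed-content scan: find subresources a WordPress page still loads
over plain http, apply the same-domain search-and-replace the tutorial
describes, and re-scan. Added example; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs the browser fetches as subresources. Plain <a href>
# links are navigation, not mixed content, so they are deliberately excluded.
URL_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."; keep the URLs.
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for candidate in candidates:
                # Relative and protocol-relative ("//cdn...") URLs inherit the
                # page's https scheme, so only absolute http:// URLs are flagged.
                absolute = urljoin(self.page_url, candidate)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(html, page_url):
    """Return the list of http:// subresources referenced by `html`."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_own_domain_urls(html, domain):
    """The search-and-replace from the tutorial, applied to one document:
    http://<domain> becomes https://<domain>. Third-party http URLs are left
    alone, which is why a re-scan after the replace is still needed."""
    return html.replace(f"http://{domain}", f"https://{domain}")


# Constructed sample page; not taken from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://example.com/wp-content/uploads/hero.jpg"
     srcset="http://example.com/hero-2x.jpg 2x, /hero-1x.jpg 1x">
<iframe src="http://widgets.example.net/embed"></iframe>
<a href="http://example.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    before = find_mixed_content(SAMPLE_HTML, "https://example.com/")
    after = find_mixed_content(upgrade_own_domain_urls(SAMPLE_HTML, "example.com"),
                               "https://example.com/")
    print(f"{len(before)} http:// subresources before, {len(after)} after:")
    for tag, attr, url in after:
        print(f"  still http: <{tag} {attr}={url}>")
```

Run against the sample, the scan finds four http:// subresources; the same-domain replace fixes the three under example.com, and the third-party iframe remains. Resources on hosts you do not control need an https source of their own (or removal), which a database search-and-replace cannot provide, so keep the post-replace scan as the final check before expecting the padlock.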
Strengthen HTTPS with WP Ghost Security Headers
Once HTTPS is active, WP Ghost adds a critical security layer that a basic SSL certificate does not provide: Strict-Transport-Security (HSTS). This header tells browsers to always use HTTPS for your domain, preventing protocol downgrade attacks and cookie hijacking. Without HSTS, an attacker could intercept the initial HTTP request before the 301 redirect fires.
Go to WP Ghost > Firewall > Header Security. Switch on Add Security Headers for XSS and Code Injection Attacks. Click Save.
This enables seven security headers including HSTS, Content-Security-Policy, X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options. For details on each header and how to customize CSP, see the Header Security tutorial.
Verify your headers are active by visiting SecurityHeaders.com and entering your domain.
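The script below is an added example that is not part of this page or of WP Ghost. It checks the two halves of the setup offline, against constructed responses, the way SecurityHeaders.com or a manual curl would: that the plain-HTTP answer for a URL is a 301 to the same path over https (the redirect from the section above), and that the Strict-Transport-Security value on the HTTPS response carries a max-age of at least one year with includeSubDomains, which is what the browser preload list requires. The host name example.com, the paths and the header values are constructed for the demonstration.

```python
"""Offline checks for the HTTP->HTTPS 301 redirect and the HSTS header value.
Added example; the responses and header values below are constructed."""
from urllib.parse import urlsplit

# One year in seconds: the minimum max-age the browser preload list accepts.
ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse an HSTS header value (RFC 6797; directive names are case-insensitive)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_findings(value):
    """Return a list of weaknesses in an HSTS value; an empty list means it is sound."""
    p = parse_hsts(value)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age missing or not a non-negative integer")
    elif p["max_age"] == 0:
        problems.append("max-age=0 makes browsers forget the policy")
    elif p["max_age"] < ONE_YEAR:
        problems.append("max-age below one year (preload needs at least 31536000)")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains stay reachable over http")
    if p["preload"] and (p["max_age"] is None or p["max_age"] < ONE_YEAR
                         or not p["include_subdomains"]):
        problems.append("preload set but the preload requirements are not met")
    return problems


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return status, headers, body


def redirect_findings(request_path, raw_http_response):
    """Check that the plain-HTTP answer for `request_path` is a permanent
    redirect to https that keeps the path and query string intact."""
    status, headers, _ = parse_response(raw_http_response)
    problems = []
    if status not in (301, 308):
        problems.append(f"expected a permanent redirect (301/308), got {status}")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirect target is not https: {location}")
    target_path = target.path + (f"?{target.query}" if target.query else "")
    if target_path != request_path:
        problems.append(f"path changed on redirect: {request_path} -> {target_path}")
    if "strict-transport-security" in headers:
        # Browsers ignore HSTS received over plain http (RFC 6797); the header
        # only takes effect when it arrives on the https response.
        problems.append("HSTS header sent over http is ignored by browsers")
    return problems


# Constructed samples, not captured from any real site.
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://example.com/wp-login.php?redirect_to=%2Fwp-admin%2F\r\n"
             "Content-Length: 0\r\n\r\n")
WEAK_HTTP = ("HTTP/1.1 302 Found\r\n"
             "Location: http://example.com/\r\n"
             "Content-Length: 0\r\n\r\n")
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

if __name__ == "__main__":
    path = "/wp-login.php?redirect_to=%2Fwp-admin%2F"
    for label, resp in (("good", GOOD_HTTP), ("weak", WEAK_HTTP)):
        print(label, "redirect:", redirect_findings(path, resp) or "ok")
    for label, hsts in (("good", GOOD_HSTS), ("weak", WEAK_HSTS)):
        print(label, "hsts:", hsts_findings(hsts) or "ok")
```

The redirect check insists on the path and query surviving the hop because a redirect that drops to the home page breaks deep links and sitemaps even though it technically lands on https. The HSTS check treats a short max-age as a weakness rather than an error: a value of a few minutes is a reasonable first rollout step, but only a year-long policy with includeSubDomains closes the first-visit window for the whole domain and qualifies for preloading.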
Frequently Asked Questions
Does WP Ghost have its own SSL redirect feature?
No. WP Ghost does not include a dedicated SSL redirect. It relies on your hosting, a plugin like Really Simple SSL, or Cloudflare to handle the HTTP to HTTPS redirect. WP Ghost’s HSTS header complements the redirect by telling browsers to always use HTTPS after the first visit.
Do I need to re-save WP Ghost settings after setting up Really Simple SSL?
Yes, if Really Simple SSL modifies .htaccess. Save Really Simple SSL settings first, then re-save WP Ghost settings. This ensures the correct rule order in .htaccess. This is a one-time step unless you change Really Simple SSL’s redirect settings later.
What is the difference between SSL and HSTS?
SSL encrypts the connection. HSTS tells the browser to always use that encrypted connection. Without HSTS, the first request to your site might be over HTTP before the 301 redirect kicks in. An attacker on the same network (like public WiFi) could intercept that first request. HSTS eliminates this window by instructing the browser to never even attempt an HTTP connection.
Will switching to HTTPS affect my search rankings?
Positively. HTTPS is a confirmed Google ranking signal. After switching, add your https:// URL as a new property in Google Search Console and resubmit your sitemap. Google will transfer your rankings to the HTTPS version. The 301 redirects you set up ensure no link equity is lost.
Is SSL required for WooCommerce?
Yes. Every payment processor (Stripe, PayPal, Authorize.net) requires HTTPS. WooCommerce itself warns you if SSL is not active. WP Ghost is fully compatible with WooCommerce and Really Simple SSL.
Does WP Ghost modify WordPress core files?
No. Security headers are added through server configuration and PHP output. No core files are modified. Disabling the option removes all headers instantly.
Related Tutorials
Header Security – all seven security headers WP Ghost enables (HSTS, CSP, X-Frame-Options, and more).
Content Security Policy (CSP) – customize which sources can load content on your HTTPS pages.
WP Ghost with Really Simple SSL – compatibility guide for using both plugins together.
Firewall and Geo Security – the 8G Firewall that protects your HTTPS endpoints.
Website Security Check – verify your overall security configuration.