Since the inception of my Hardening WordPress guide nearly ten years ago, I’ve urged WP users everywhere to improve the security of their websites by setting up secure hosting and configuring WordPress to be accessible via HTTPS only, at least on the backend (wp-admin). While forcing HTTPS for administrative sessions has long been easy to achieve by setting the FORCE_SSL_ADMIN constant in wp-config.php, switching an entire WordPress site (backend + frontend) over to HTTPS has been unnecessarily difficult, requiring a number of carefully executed steps.
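For reference, here is what that wp-config.php setting looks like. This is an added example, not text from the original post or from WordPress core. FORCE_SSL_ADMIN, WP_HOME and WP_SITEURL are WordPress’s own constants; the X-Forwarded-Proto block is only needed when TLS terminates at a reverse proxy or load balancer in front of the web server, and example.com is a placeholder hostname.

```php
<?php
// wp-config.php (excerpt). These lines go above the
// "That's all, stop editing!" marker.

// Serve the login page and every wp-admin request over HTTPS only.
// Without this, the admin session cookie can travel over plain HTTP.
define('FORCE_SSL_ADMIN', true);

// If TLS is terminated at a proxy, WordPress sees a plain-HTTP request and
// would redirect to HTTPS forever. Trust the proxy's header ONLY when the
// proxy overwrites any client-supplied copy of it; otherwise a client can
// spoof "https" and the check is meaningless.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Optional: pin the site and home URLs to HTTPS in code so the values stored
// in wp_options cannot silently drag the site back to http://.
// (This also makes the two fields read-only in Settings > General.)
define('WP_HOME',    'https://example.com');   // placeholder hostname
define('WP_SITEURL', 'https://example.com');   // placeholder hostname
```

Note that FORCE_SSL_ADMIN alone only protects the backend: the public frontend keeps whatever scheme is stored in the siteurl and home options, which is exactly the gap the 5.7 migration tooling is meant to close.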
But at long last, that is set to change, with WordPress 5.7. In a beta release announcement today, WordPress devs shared this very good news about a long-overdue enhancement that will make switching much simpler.
Migrating from HTTP to HTTPS is streamlined
Switching a WordPress site from HTTP to HTTPS has proven to be a pain for all involved. While on the surface, the Site Address and WordPress Address have to be updated, content with embedded HTTP URLs remains unchanged in the database. With this release, migrating a site to HTTPS is now a one-click interaction. URLs in the database are automatically replaced when the Site and WordPress Address are both using HTTPS. Also, Site Health now includes an HTTPS status check.
Upon upgrading to WordPress 5.7, those still running unsecured sites will finally have an easy and officially supported migration path to HTTPS. As the excerpt above notes, it has historically been necessary to swap out http:// prefixes for https:// ones in a whole bunch of places to get a WordPress site working over HTTPS with no “mixed content” warnings:
- The site URL and blog URL in Settings > General;
- The site’s theme and widgets;
- The site’s database tables (for instance, image URLs in post content);
- … and sometimes even abandoned plugins still in use.
It’s far too easy to bork a site while doing the above, especially if the operations are being performed without care and without restorable backups.
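The database step is where most of the breakage happens, so here is an added PHP example (not part of the original post, and not WordPress core) showing what a safe manual rewrite has to do. Many wp_options rows (widgets, theme mods, plugin settings) hold PHP-serialized data whose string fields carry a byte length, e.g. `s:24:"http://example.com/a.png"`; a plain SQL REPLACE changes the string but not the length, and PHP can no longer unserialize the row. The $pdo connection, the default wp_ table prefix and the example.com origin are assumptions.

```php
<?php
// Added example: scheme-aware HTTP -> HTTPS rewrite for a WordPress database.
// Assumes a PDO connection to the site database and the default wp_ prefix.

/**
 * Replace $old with $new inside a stored WordPress value without corrupting
 * PHP-serialized data. Strings inside serialized arrays are rewritten after
 * unserializing, so serialize() recomputes every s:N: byte-length marker.
 */
function rewrite_value(string $value, string $old, string $new): string
{
    // allowed_classes=false keeps unserialize() from instantiating arbitrary
    // classes (the classic PHP object-injection risk); objects come back as
    // __PHP_Incomplete_Class and are re-serialized under their original name.
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false) {
        // Plain scalar such as the siteurl/home options: ordinary replace.
        return str_replace($old, $new, $value);
    }
    return serialize(rewrite_recursive($data, $old, $new));
}

function rewrite_recursive($data, string $old, string $new)
{
    if (is_string($data)) {
        return str_replace($old, $new, $data);
    }
    if (is_array($data)) {
        foreach ($data as $key => $item) {
            $data[$key] = rewrite_recursive($item, $old, $new);
        }
    }
    // ints, floats, bools, null and objects pass through unchanged.
    return $data;
}

/** Rewrite wp_options row by row; returns the number of rows changed. */
function migrate_options(PDO $pdo, string $old, string $new): int
{
    $select = $pdo->query('SELECT option_id, option_value FROM wp_options');
    $update = $pdo->prepare(
        'UPDATE wp_options SET option_value = ? WHERE option_id = ?'
    );
    $changed = 0;
    foreach ($select as $row) {
        if (strpos($row['option_value'], $old) === false) {
            continue;
        }
        $fixed = rewrite_value($row['option_value'], $old, $new);
        if ($fixed !== $row['option_value']) {
            $update->execute([$fixed, $row['option_id']]);
            $changed++;
        }
    }
    return $changed;
}

/** post_content is plain text, so a parameterised SQL REPLACE is safe there. */
function migrate_posts(PDO $pdo, string $old, string $new): int
{
    $stmt = $pdo->prepare(
        'UPDATE wp_posts SET post_content = REPLACE(post_content, ?, ?)
         WHERE post_content LIKE ?'
    );
    $stmt->execute([$old, $new, '%' . $old . '%']);
    return $stmt->rowCount();
}

// --- Why the naive approach breaks things (constructed widget-style value) ---
$old = 'http://example.com';   // whole origin, so external http:// links are left alone
$new = 'https://example.com';
$stored = serialize(['logo' => 'http://example.com/a.png']);
// $stored is: a:1:{s:4:"logo";s:24:"http://example.com/a.png";}

$naive = str_replace($old, $new, $stored);   // s:24: now precedes a 25-byte string
var_dump(@unserialize($naive));              // fails: the length marker no longer matches

$safe = rewrite_value($stored, $old, $new);  // length marker recomputed by serialize()
var_dump(unserialize($safe)['logo']);        // the https:// URL, readable again

// --- Real run: take a restorable backup first, then do both tables at once ---
// $pdo = new PDO('mysql:host=localhost;dbname=wordpress', 'user', 'pass');  // assumed DSN
// $pdo->beginTransaction();   // only protects you on InnoDB tables
// printf("%d options, %d posts rewritten\n",
//        migrate_options($pdo, $old, $new), migrate_posts($pdo, $old, $new));
// $pdo->commit();
```

The same rewrite_value() treatment applies to wp_postmeta, wp_usermeta and any plugin table that stores serialized settings. Where WP-CLI is available, `wp search-replace http://example.com https://example.com` performs this serialization-aware rewrite across all tables and accepts `--dry-run`, which is the right way to preview the change before committing it.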
WordPress sites built within the last few years are much more likely to have been set up with HTTPS enabled from the get-go, but there are plenty of older sites out there that aren’t. The advent of Server Name Indication (SNI) and Let’s Encrypt has eliminated barriers to the adoption of secure hosting, and it’s now essentially considered to be unethical for a host to charge extra for secure hosting as part of a hosting plan.
Yet there are still many WP sites that aren’t set up to be reached only via HTTPS because they date back to an era when secure hosting was unavailable or costly or harder to deploy. The work being done to create a proper migration path within WordPress in Version 5.7 could really help these old sites jump on the encryption bandwagon.
This looks like it could be one of my favorite WP releases ever.