If your site still serves pages over plain HTTP, browsers label it Not secure. That’s not new—but the bar keeps rising, and in 2025 there’s no good reason not to run full-site HTTPS with a tight redirect and a few modern safeguards. This guide shows the practical, no-nonsense way to do it in WordPress, Magento 2, Joomla, and PrestaShop—plus the small extras that separate “it works” from “it’s airtight.”
Before you touch your CMS, make sure you have a valid certificate installed (Let’s Encrypt is fine; its certs are 90-day by design and should auto-renew).
Pre-flight (do this once, regardless of CMS)
- Verify HTTPS actually loads. Manually hit `https://yoursite.com` and confirm you get the site with the lock icon (no red strikes). Browsers have flagged plain HTTP since Chrome 68, with similar warnings in other browsers; users notice.
- Set a server-level 301 redirect from HTTP → HTTPS. Even if the CMS can “force SSL,” do the canonical redirect at Apache/Nginx or your load balancer. Example snippets:
Apache (.htaccess)

```apache
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Nginx (server block)

```nginx
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://$host$request_uri;
}
```
- Tame mixed content. If you’ve got legacy `http://` assets, add a Content-Security-Policy with `upgrade-insecure-requests` to auto-upgrade old HTTP asset URLs in modern browsers (and consider `block-all-mixed-content` once you’ve cleaned up).
- Search Console housekeeping. If you use a Domain property, it already aggregates http/https and subdomains. If you still use URL-prefix properties, add the `https://` version.
That’s it. Now flip the right switches in your CMS.
WordPress

Fast path (built-in): Since WP 5.7, WordPress can detect HTTPS support and offer a one-click switch under Tools → Site Health (look for the HTTPS notice). It updates the site/home URLs and rewrites insecure home-relative URLs on the fly.
Manual path (still fine):
- In Settings → General, set WordPress Address (URL) and Site Address (URL) to `https://…`.
- To force the admin over TLS, add to `wp-config.php`: `define('FORCE_SSL_ADMIN', true);`
- If you migrated from HTTP and have hardcoded links, run a database search-replace (WP-CLI or a migration plugin), or lean on Site Health’s built-ins as above.
Plugin help (optional, practical):
Really Simple Security (the project formerly known as Really Simple SSL) can enforce 301 HTTPS redirects, set sane SSL defaults, and handle common gotchas from the dashboard. If you prefer a button over config files, it’s a solid choice.
Magento 2
Path: Stores → Configuration → General → Web
- Under Base URLs (Secure), make sure your Secure Base URL begins with `https://…`.
- Toggle Use Secure URLs on Storefront = Yes and Use Secure URLs in Admin = Yes.
- When both are secure, Magento exposes HSTS options so the browser only uses HTTPS going forward. Enable them if you understand the commitment (see HSTS note below).
- Save Config and flush caches.
Tip: Magento can be configured to auto-upgrade unsecure requests to HTTPS so you don’t bleed traffic from old indexed HTTP URLs. Still keep the server-level 301 for authority.
Joomla (4/5)
Path: System → Global Configuration → Server
Set Force HTTPS to Entire Site and save. Joomla will also force secure cookies when HTTPS is enforced. Clear caches and test.
PrestaShop (1.7/8.x)
Path: Shop Parameters → General
- Click Enable SSL (PrestaShop will first run a quick HTTPS support check).
- After that succeeds, switch on Enable SSL on all pages.
- Optionally enable Increase front office security for per-session tokens. Save.
Lock it down properly (post-switch checklist)
- HSTS (HTTP Strict Transport Security). Adds a response header so browsers refuse `http://` for your domain. Start with: `Strict-Transport-Security: max-age=31536000; includeSubDomains`
  Caution: Once you enable—and especially if you preload—you’re committing. Make sure HTTPS works on all subdomains first. (Magento 2 exposes HSTS toggles when both Admin and Storefront are set to secure.) If you need guidance on how to do this, please see our dedicated article on enabling HSTS.
- CSP for upgrades. Keep `upgrade-insecure-requests` while you mop up old asset links; drop it later if you want stricter control and pair it with `block-all-mixed-content`.
- Cookies and sessions. Ensure auth/session cookies use the Secure attribute (your CMS/admin or reverse proxy can enforce this).
- Sitemaps, canonicals, and CDNs. Regenerate sitemaps with `https://` links, confirm canonical tags use HTTPS, and make sure your CDN is fronted by HTTPS.
- Google Search Console. Domain property users are covered; URL-prefix users should add the HTTPS property and submit the HTTPS sitemap.
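The checklist above can be verified mechanically. This is an added example (not from the article or any of the CMSes it covers) that runs the redirect, HSTS, CSP, Secure-cookie and mixed-content checks over captured responses; the responses at the bottom are constructed, and `yoursite.com` is a placeholder.

```python
import re
from urllib.parse import urlparse

def check_redirect(request_url, status, headers):
    """The plain-HTTP request must answer 301 to the same host and path on https."""
    want = urlparse(request_url)._replace(scheme="https").geturl()
    return status == 301 and headers.get("Location") == want

def check_hsts(headers, min_age=31536000):
    """HSTS must be present with at least the one-year max-age and includeSubDomains."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return False
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = max((int(p[8:]) for p in parts if p.startswith("max-age=")), default=0)
    return max_age >= min_age and "includesubdomains" in parts

def csp_directives(headers):
    """Directive names from Content-Security-Policy (empty set if the header is absent)."""
    csp = headers.get("Content-Security-Policy", "")
    return {d.strip().split()[0].lower() for d in csp.split(";") if d.strip()}

def check_cookies_secure(headers):
    """Every Set-Cookie must carry Secure; the header can repeat, so a list is accepted."""
    raw = headers.get("Set-Cookie", [])
    cookies = raw if isinstance(raw, list) else [raw]
    return all(any(a.strip().lower() == "secure" for a in c.split(";")[1:]) for c in cookies)

# src= or href= pointing at a plain-http URL: the hardcoded asset behind mixed-content warnings
MIXED = re.compile(r"""(?:src|href)\s*=\s*["']http://[^"']+["']""", re.I)
def find_mixed_content(html):
    """Return the offending attribute strings found in a page body."""
    return MIXED.findall(html)

def audit(url, http_status, http_headers, https_headers, html):
    """Checklist over the HTTP probe response and the HTTPS page; returns {check: passed}."""
    return {
        "301_to_https": check_redirect(url, http_status, http_headers),
        "hsts": check_hsts(https_headers),
        "csp_upgrade": "upgrade-insecure-requests" in csp_directives(https_headers),
        "cookies_secure": check_cookies_secure(https_headers),
        "no_mixed_content": not find_mixed_content(html),
    }
if __name__ == "__main__":  # constructed responses; capture real ones with curl -i
    print(audit("http://yoursite.com/shop", 301, {"Location": "https://yoursite.com/shop"},
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Content-Security-Policy": "upgrade-insecure-requests",
                 "Set-Cookie": ["sid=abc; Path=/; Secure; HttpOnly", "prefs=1; Path=/"]},
                '<img src="http://yoursite.com/img/logo.png">'))
```

In the constructed sample the redirect, HSTS and CSP checks pass while the second cookie and the hardcoded image fail, which is exactly the residue the Troubleshooting section below describes.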
Troubleshooting
- Mixed content warnings: You missed a hardcoded `http://` asset (usually theme images, CSS, or old page builder content). Use your database search-replace tools, and keep `upgrade-insecure-requests` enabled temporarily to smooth the edges.
- Infinite redirect loops: Usually a proxy/load-balancer issue where the app doesn’t realize the original request was HTTPS. Make sure your LB sets `X-Forwarded-Proto: https` and your app is configured to trust it.
- Admin over TLS only: In WordPress, `FORCE_SSL_ADMIN` solves this. In Magento, “Use Secure URLs in Admin.” In Joomla, “Force HTTPS → Administrator only” is an interim option if you need it.
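The redirect-loop item deserves a concrete model. This added example (not from the article or any CMS) shows the decision an app behind a TLS-terminating load balancer has to make, honouring `X-Forwarded-Proto` only when the request really came from the LB, and counts how many 301s a naive app issues versus a correctly configured one. The proxy range `10.0.0.0/8`, the LB address `10.0.0.5` and `yoursite.com` are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Address range of the load balancer that terminates TLS (constructed; use your LB's real range).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def is_trusted_proxy(peer_ip):
    return any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES)

def effective_scheme(peer_ip, socket_scheme, headers):
    """Scheme of the client's original request.
    X-Forwarded-Proto is honoured only when the direct peer is the LB; from any
    other peer it is ignored, since a client could set it to skip the redirect."""
    if is_trusted_proxy(peer_ip):
        # Chained proxies may append values; the leftmost one is the client-facing hop.
        first = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return socket_scheme

def https_redirect(peer_ip, socket_scheme, host, path, headers):
    """Return (301, location) when the request should be redirected, else None."""
    if effective_scheme(peer_ip, socket_scheme, headers) == "https":
        return None
    return 301, f"https://{host}{path}"

def redirects_behind_lb(lb_sends_header, max_hops=10):
    """Model the loop: the LB (10.0.0.5, constructed) terminates TLS and forwards to
    the app over plain HTTP. When the header is missing (or the app is not
    configured to trust it) the app 301s on every hop until max_hops; with the
    header present and trusted it returns 0 redirects."""
    headers = {"X-Forwarded-Proto": "https"} if lb_sends_header else {}
    hops = 0
    while hops < max_hops and https_redirect("10.0.0.5", "http", "yoursite.com", "/", headers):
        hops += 1  # the client follows the 301 and the LB forwards it the same way again
    return hops

if __name__ == "__main__":
    print("naive app redirects:", redirects_behind_lb(False))   # loops until the cap
    print("aware app redirects:", redirects_behind_lb(True))    # 0
```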
Let’s Encrypt’s 90-day lifetime is standard and by design (shorter validity is safer). Set auto-renew (typically every 60 days). If you’re on a managed host, they usually handle this for you.
Bottom line
Do the server-level redirect, flip the right switches in your CMS, enable HSTS when you’re ready, and clean up mixed content with a CSP assist. It’s not glamorous, but it’s the dependable way to get to full-site HTTPS and be done with it.
If you want the lazy route in WordPress, use the Site Health button or a reputable plugin; if you want the belt-and-suspenders route, do both.