I changed my site address from HTTP to HTTPS by simply changing the URL in Settings -> General (Wordpress address and Website address.) Absolutely no issue in the admin area, anything works fine.
What happens in the public facing portion of the website: there's a lot of "mixed content", so that Firefox complains the website isn't secure. I noticed (view source) almost any image that I have uploaded to the media gallery still is "rendered" with HTTP instead of HTTPS.
What can I do to serve the images, fonts, etc. with an HTTPS URL?
[UPDATE] I found a couple of issues can be fixed by editing two theme files with hardcoded "http://". Problem is with the images, if you don't want to alter the database there's apparently no solution
I changed my site address from HTTP to HTTPS by simply changing the URL in Settings -> General (Wordpress address and Website address.) Absolutely no issue in the admin area, anything works fine.
What happens in the public facing portion of the website: there's a lot of "mixed content", so that Firefox complains the website isn't secure. I noticed (view source) almost any image that I have uploaded to the media gallery still is "rendered" with HTTP instead of HTTPS.
What can I do to serve the images, fonts, etc. with an HTTPS URL?
[UPDATE] I found a couple of issues can be fixed by editing two theme files with hardcoded "http://". Problem is with the images, if you don't want to alter the database there's apparently no solution
This is happening because WordPress saves URLs in content absolutely by default (meaning that it's actually got your urls saved as http://example in the database). So to fix this you'll want to run a search and replace in your database to fix those errors.
I like to use the plugin Better Search Replace because it has a nice feature to let you try out your search/replace as a dry run to test. There are lots of other search/replace methods, and you could also make the changes in PhpMyAdmin, but I'll just put instructions for using the Better Search Replace plugin.
Assuming you are using Better Search Replace:
http://example) and the SSL version of your website to the replace field wp_posts and wp_postmeta table but you can add them all if you like. Just know that it could take longer and time out depending on your server specs.Note: Any time you search/replace there's a chance you could cause massive problems to your website. Hence step one, back up your website. If something goes wrong, you have a way to restore your data.
You will have to need to redirect all your traffics from HTTP to HTTPS. A rewrite rule can do this for you. Use this code instead of WordPress's original rewrite rule (if you are not using cache) in your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
# BEGIN WordPress
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
There are plugins that can do this for you too, such as Easy HTTPS Rediction.
I used Better Search Replace and Really Simple SSL and the winner is:
Really Simple SSL
Just do this:
Done
It also fixed all the problems with image redirection
Install this plugin: https://wordpress/plugins/http-https-remover/
Despite the name - HTTP / HTTPS Remover - the latest version will force all http to https, and your mixed content warnings will be gone.
I just moved my company site to the secure only version last Friday. I used the Really Simple SSL Plugin and then added a 301 redirect into my .htaccess file.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Don't forget to also verify the HTTPS version of your site in Search Console / Webmaster Tools