Updating WordPress URLs from HTTP to HTTPS removes stored plain-HTTP links after the secure site is already live. It keeps browser requests, feeds, media links, profile URLs, and dashboard references pointed at the public TLS address instead of relying on redirects to cover stale database values.
The public URL settings live in the home and siteurl options, which appear in Settings → General as Site Address (URL) and WordPress Address (URL). Older http:// references can also remain in posts, metadata, user profiles, widgets, and plugin-managed tables, so a redirect or proxy change by itself does not rewrite stored content.
Start only after the HTTPS site already works at the web-server, load-balancer, or CDN layer. WP-CLI handles serialized database values during wp search-replace, keeps the rewrite scoped to the WordPress table set, and lets the stale URL check run as a dry run before anything is written. If wp-config.php defines WP_HOME or WP_SITEURL, update those constants before the database pass because they override the stored options.
Related: How to redirect HTTP to HTTPS in WordPress
Tool: HTTP Redirect Checker
$ cd /var/www/example.com/public_html
Run the remaining wp commands from the directory that contains wp-config.php.
Related: How to use WP-CLI safely on a production WordPress site
$ wp option get home http://www.example.com
$ wp option get siteurl http://www.example.com
On subdirectory installs, siteurl can differ from home by design.
$ mkdir -p ~/backups/wordpress
$ wp db export ~/backups/wordpress/pre-https-url-update-20260621120000.sql Success: Exported to '/home/user/backups/wordpress/pre-https-url-update-20260621120000.sql'.
A fresh SQL dump is the fastest recovery path if the target hostname, replacement scope, or multisite target URL is wrong.
Related: How to back up a WordPress site
$ grep -nE "WP_HOME|WP_SITEURL" wp-config.php
No output means the database options control the active URLs.
define( 'WP_HOME', 'https://www.example.com' ); define( 'WP_SITEURL', 'https://www.example.com' );
These constants override the database values, so wp option update alone may not change the active URLs while they are defined. Keep the final public URL free of a trailing slash.
$ wp option update home 'https://www.example.com' Success: Updated 'home' option.
$ wp option update siteurl 'https://www.example.com' Success: Updated 'siteurl' option.
$ wp search-replace 'http://www.example.com' 'https://www.example.com' --all-tables-with-prefix --skip-columns=guid --precise --dry-run --report-changed-only Table Column Replacements Type wp_postmeta meta_value 1 PHP wp_posts post_content 3 PHP wp_usermeta meta_value 1 PHP wp_users user_url 1 PHP Success: 6 replacements to be made.
--precise uses the PHP replacement path for serialized values, while --report-changed-only keeps unchanged rows out of the report. If a plugin stores URLs in a custom table that does not use the normal wp_ prefix, add that table name explicitly instead of widening the rewrite to the whole database.
$ wp search-replace 'http://www.example.com' 'https://www.example.com' --all-tables-with-prefix --skip-columns=guid --precise --report-changed-only Table Column Replacements Type wp_postmeta meta_value 1 PHP wp_posts post_content 3 PHP wp_usermeta meta_value 1 PHP wp_users user_url 1 PHP Success: Made 6 replacements.
Avoid raw SQL string replacement for this job. Serialized option and metadata values can break when string lengths are not recalculated. On multisite, target the correct site with --url=https://www.example.com and add --network only when the change is intentionally network-wide.
$ wp cache flush Success: The cache was flushed.
If a caching plugin, host page cache, CDN, or reverse proxy is in use, purge that layer from its normal control panel as well.
$ wp search-replace 'http://www.example.com' 'https://www.example.com' --all-tables-with-prefix --skip-columns=guid --precise --dry-run --report-changed-only Success: 0 replacements to be made.
Repeat the check for any second old URL when siteurl and home used different values.
$ wp option get home https://www.example.com
$ wp option get siteurl https://www.example.com
Open the front page, a post, and wp-admin over HTTPS and check the browser console for mixed-content warnings. Remaining HTTP references usually come from plugin-specific settings, page-builder data, or hard-coded theme files.
Related: How to fix WordPress asset loading behind CloudFront or CDN