There are two steps to migrating your WordPress site over to SSL (https instead of http) after you have set up your certificate and web server configuration.
The first is relatively easy: update your Settings > General and change the WordPress Address (URL) and Site Address (URL) from http to https.
The second part is a bit trickier.
For SSL to work correctly you want to avoid mixed content. This is where content is being served both via http (non-SSL) and https (SSL). When this happens your browser won’t show the site as being 100% SSL, and will instead display different messages depending on the browser. It’s enough to deter users from using the site if they are expecting the “green” secure padlock.
To fix this, you need to find and replace references to non-SSL content (hardcoded with http://) in two places — your code and your database.
For your code, the first place to check is your theme code and settings. Look for and replace any instances of http:// with https://.
For your database, use a tool like Better Search & Replace to search your WordPress site for references to http://<yoursite>.com and replace them with https://<yoursite>.com.
If you’ve been unfortunate enough to be targeted by hackers who have added malware to your web server, here are a few Linux CLI tools you can use to troubleshoot.
The first is maldet, which can be paired with Clam Antivirus to scan for malware. Here’s a good guide on how to do that.
Note that you can usually also install maldet via tools like yum or apt. The key is to make sure it is running together with ClamAV, which you should keep up to date. You can also get it to alert you and automatically quarantine suspicious files.
Another tool, which is much better at finding hacked PHP code (which is usually encoded), is PHP malware finder. You’ll notice that hacked PHP files aren’t plain PHP code, but have instead been encoded (e.g. base64) to make them unreadable without decoding.
This can be cloned to the server and run from the CLI with PHP. Note that it will pick up a lot of positives depending on your app (e.g. WordPress), and you’ll need to work through these yourself.
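A first-pass triage for the encoded PHP described above, as an added example (not part of the original post, and not how PHP malware finder works internally). The patterns and thresholds are assumptions, the sample files are constructed, and the script only reads files and never executes them.

```python
import base64
import re
from pathlib import Path

# Assumed heuristics for this example: a decode function fed straight into an
# execute function, a long base64-looking string, or one very long line.
DECODE_EXEC = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
MAX_LINE = 1000  # assumed threshold; hand-written PHP rarely has lines this long


def scan_php_source(source):
    """Return the reasons a PHP source string looks encoded (empty list = none)."""
    reasons = []
    if DECODE_EXEC.search(source):
        reasons.append("decode-then-execute call")
    if B64_BLOB.search(source):
        reasons.append("long base64-like string")
    longest = max((len(line) for line in source.splitlines()), default=0)
    if longest > MAX_LINE:
        reasons.append(f"very long line ({longest} chars)")
    return reasons


def scan_tree(root):
    """Scan every *.php file under root; map path -> reasons for flagged files."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        reasons = scan_php_source(path.read_text(errors="replace"))
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed samples: the blob decodes to a harmless repeated echo statement.
SAMPLE_BLOB = base64.b64encode(b"echo 'constructed sample';" * 10).decode()
SAMPLE_ENCODED = f'<?php eval(base64_decode("{SAMPLE_BLOB}")); ?>'
SAMPLE_PLAIN = "<?php\nfunction greet($n) {\n    return 'Hello ' . $n;\n}\n"

if __name__ == "__main__":
    print("encoded sample:", scan_php_source(SAMPLE_ENCODED))
    print("plain sample:  ", scan_php_source(SAMPLE_PLAIN))
```

Like the tools above, this flags candidates for manual review; legitimate plugins that embed long encoded strings will also show up.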
Don’t forget to also have something like [All in One WP Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) installed to lock down your WordPress site and also to scan for and alert you to any changes.
As a final measure, it helps if your application code is kept under version control on the server using a tool like git. This helps to see any untracked or modified files which you can then investigate and quarantine.
When you move a WordPress installation (e.g. from production to your local development environment), you’ll need to update the wp_options table to reflect the new URL.
The following script (tested on MySQL) lets you find and replace all URLs that match the old URL with a new one using a correlated update statement. Just replace “http://www.oldurl.com” and “http://www.newurl.com” with your old and new URLs respectively:

```sql
-- Rewrite option values that start with the old URL.
-- The inner query builds the new value for each matching row;
-- the join then applies it to wp_options by option_id.
update wp_options a
inner join (
    select option_id,
           replace(option_value, 'http://www.oldurl.com', 'http://www.newurl.com') as option_value
    from wp_options
    where option_value like 'http://www.oldurl.com%'
) b on a.option_id = b.option_id
set a.option_value = b.option_value;
```