Quick answer: Move WordPress to HTTPS by installing an SSL certificate, changing both addresses in Settings to https, running a serialization-safe search-replace of http to https across the database (skip the guid column), forcing HTTPS with a redirect, then clearing caches and fixing mixed content.
Moving WordPress to HTTPS is more than installing a certificate. Old http:// links stored in the database must be updated too, or you get mixed-content warnings and a padlock that never turns secure. Here is the complete, safe sequence.
Issue and install a certificate for the domain (a free Let's Encrypt certificate is fine - see the related Plesk and cPanel guides). Confirm https://yourdomain.com loads before changing anything in WordPress.
In Settings > General, change both WordPress Address and Site Address from http:// to https:// and save. You will be logged out and back in over HTTPS.
Content, widgets, and settings still contain hardcoded http:// URLs. Do a safe search-and-replace across the database - a serialization-aware tool matters, because a plain SQL find-and-replace can corrupt serialized data. The WP-CLI command is the cleanest:
wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid
Skipping the guid column is deliberate - those values should not change. If you prefer a plugin, a reputable search-and-replace plugin does the same job. Back up the database first.
Add a redirect so anyone arriving on HTTP is sent to HTTPS. On Apache, in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Many control panels offer this as a one-click "force HTTPS" toggle, which is simpler and avoids editing files.
Purge your caching layer and reload the site. If the padlock still shows "not fully secure", the browser console lists which assets are loading over HTTP - update those hardcoded links in your theme or page builder to https://.
Why do links break if I only change the settings?
Content and settings contain hardcoded http URLs; a database search-replace updates them safely.
Why skip the guid column?
The guid should not change, as it is an internal identifier, not a live link.
On SoftSys managed WordPress hosting, free SSL, the HTTPS redirect, and the database URL update are handled as part of setup, so your move to HTTPS is clean and complete.