I’ve been testing pages and files on various sites of mine to make sure they always use HTTPS (not insecure HTTP).
WordPress sites turn out to have an annoying tendency to ignore the root’s .htaccess file in which you have added code to supposedly force all files and pages to use HTTPS.
The solution is nicely detailed here. The first part — where he edits Settings in WordPress — was already in place for me. The key turned out to be adding two lines to the .htaccess file inside my WordPress directory. He’s got that under the subheading Fix .htaccess to process website assets such as CSS and JavaScript under HTTPS.
If you don’t fix that, a URL to a WordPress post or page pasted into the browser address bar will open insecurely.
NOTE: Do not ignore what he says about your WordPress cache. I had to manually change an http: to https: in the settings for the WP Super Cache CDN. Before I did so, my blog was wrecked and unreadable!