This repository provides a step-by-step guide on how to force HTTPS for a WordPress website. It includes configurations for `.htaccess`, `wp-config.php`, and other essential details for setting up SSL and enforcing secure connections.
- An SSL certificate installed (either via Let's Encrypt or a purchased one).
- Access to your WordPress Admin dashboard.
- Ability to edit server configuration files like `.htaccess` and `wp-config.php`.
To force your WordPress live site to be accessible only over HTTPS, you need to follow a few steps to ensure that all traffic is redirected to the secure HTTPS version. Here's a step-by-step guide to implement this:
Before forcing HTTPS, make sure you have an SSL certificate installed on your website. Most hosting providers offer free SSL certificates through services like Let's Encrypt, or you may purchase one.
If you already have an SSL certificate installed, proceed to the next steps.
- Go to WordPress Admin:
  - Navigate to Settings > General in the WordPress dashboard.
- Update the URLs:
  - In the WordPress Address (URL) and Site Address (URL) fields, ensure both URLs start with `https://` instead of `http://`.
  - Example:
    - WordPress Address (URL): `https://yourdomain.com`
    - Site Address (URL): `https://yourdomain.com`
- Save Changes:
  - After updating the URLs, click Save Changes. This change ensures that WordPress itself is aware that it should use HTTPS.
If you're using an Apache server, you can use your `.htaccess` file to force all HTTP traffic to redirect to HTTPS.
- Edit Your `.htaccess` File:
  - Using an FTP client (e.g., FileZilla) or your hosting provider's file manager, access your website's root directory where the `.htaccess` file is located.
  - Open the `.htaccess` file for editing.
- Add the Following Code to Redirect HTTP to HTTPS: Add this code to the top of your `.htaccess` file (above the `# BEGIN WordPress` line):

  ```apache
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  </IfModule>
  ```

  - `RewriteCond %{HTTPS} !=on`: This condition checks if HTTPS is not enabled.
  - `RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]`: This rule redirects all HTTP requests to the HTTPS version of the same URL. The `301` status code is used for a permanent redirect.
- Save the File:
  - Save and close the `.htaccess` file.
You can also add the following to your `wp-config.php` file to ensure WordPress enforces HTTPS:
- Edit the `wp-config.php` file:
  - Access your website's root directory using FTP or your hosting file manager.
- Add the Following Code to `wp-config.php`: Place this code before the line that says `/* That's all, stop editing! Happy publishing. */`.

  ```php
  // Require HTTPS for logins and the admin area.
  define('FORCE_SSL_ADMIN', true);
  // Behind a TLS-terminating proxy, trust its X-Forwarded-Proto header (if present).
  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
      $_SERVER['HTTPS'] = 'on';
  }
  ```

- Save the Changes:
  - After adding the code, save and close the `wp-config.php` file.
If you are using any caching plugins or your server has caching enabled, clear the cache to ensure the new redirect rules take effect.
After applying the changes, visit your website using `http://` in the URL, and it should automatically redirect to the `https://` version.
If you still see security warnings or mixed content issues (where some resources are still being loaded over HTTP), follow these steps:
- Install a plugin like Really Simple SSL which helps detect and fix mixed content issues.
- Or manually update internal links and resources (like images or stylesheets) to use HTTPS instead of HTTP.
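
For the manual route, a small scanner can list which tags in a page's HTML still load resources over HTTP. This is an added example, not part of the original guide; the `find_mixed_content` name and the sample HTML are constructed for illustration, and it checks tag attributes only (not CSS `url()` values or `srcset`).

```python
from html.parser import HTMLParser

# Tags whose URL attribute the browser fetches as part of the page.
# <a href> is navigation, not a subresource, so it is deliberately absent.
URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "audio": "src",
            "video": "src", "source": "src", "link": "href"}
ACTIVE = {"script", "iframe", "link"}  # scripts, frames, stylesheets: blocked by browsers when mixed
LINK_RELS = {"stylesheet"}             # <link> is only checked when it loads a stylesheet

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        url = (a.get(attr) or "").strip()
        if not url.lower().startswith("http://"):
            return  # https://, protocol-relative and relative URLs are fine
        if tag == "link" and not LINK_RELS & set((a.get("rel") or "").lower().split()):
            return  # e.g. rel="canonical" is metadata, nothing is loaded into the page
        kind = "active" if tag in ACTIVE else "passive"
        self.findings.append((self.getpos()[0], kind, tag, url))

def find_mixed_content(html):
    """Return (line, kind, tag, url) for every subresource loaded over http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a page as it might look right after the HTTPS switch.
SAMPLE = """<html><head>
<link rel="canonical" href="http://yourdomain.com/">
<link rel="stylesheet" href="http://yourdomain.com/wp-content/themes/t/style.css">
<script src="https://yourdomain.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<a href="http://yourdomain.com/about/">About</a>
<img src="http://yourdomain.com/wp-content/uploads/logo.png">
<img src="/wp-content/uploads/banner.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind} mixed content in <{tag}>: {url}")
```

Fix the "active" findings first, since a blocked stylesheet or script breaks the page rather than only producing a warning.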
- Ensure SSL is installed.
- Update WordPress URLs in Settings > General.
- Redirect HTTP to HTTPS using `.htaccess` (or server config).
- Optional: Add SSL enforcement to `wp-config.php`.
- Clear caches and test the redirection.