Forcing HTTP to HTTPS in WordPress (Apache Server)
You should always load your site with HTTPS. Aside from protecting your data integrity between your websites and your site users, HTTPS is now a requirement for many new browser APIs such as the Geolocation API.
HTTPS also carries on some weight in Google SERP ranking signal. So ensuring that your site will always load from HTTPS is crucial. We’ll show you how to do it with Apache in this tutorial.
Note that before proceeding this step, make sure that you’ve got the SSL cert installed and loaded in the server. Otherwise, check out our tutorial on Beginner’s Guide to Website SSL Certs.
If it is all set, you can proceed to the next step.
HTTP to HTTPS
If your WordPress website can be accessed directly at http://www.domain.com
and you want to direct all visitors from HTTP to HTTPS, then try either of the following .htaccess codes.
Option 1:
RewriteEngine On RewriteCond %{HTTPS} !on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Option 2:
RewriteEngine On RewriteCond %{SERVER_PORT} ^80$ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Explanation
Both option 1 and 2 will redirect anyone accessing http://www.domain.com
to https://www.domain.com
Option 1 codes will check if the connection whether it’s TLS/SSL, while Option 2 codes will check if the site runs on port 80
which, by default, is the port number of HTTP.
Note: Using Option 1 codes generally is preferable. The syntax is more expressive, and it will redirect to HTTPS regardless of the port number because the site can technically is able to load with HTTP outside port 80
.
"non-www" > "www" & HTTP > HTTPS
If you want to force "non-www" to "www", and HTTP to HTTPS, then the .htaccess codes above will not suffice.
To put things into perspective, if your goal is to redirect the following URLS:
-
http://www.domain.com
-
http://domain.com
to:
-
https://www.domain.com
Then you will need to use the .htaccess codes below.
RewriteEngine On RewriteCond %{HTTP_HOST} ^domain.com$ [NC] RewriteRule (.*) http://www.domain.com/$1 [R=301,L] RewriteCond %{HTTPS} !on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Explanation
First, it redirects any "non-www" to "www", then it checks for HTTPS, making sure the final result is: www + HTTPS.
"non-www" > "www" & HTTP > HTTPS (in subfolder)
Now, if you are – like us – hosting your WordPress website in a subfolder (i.e. www.domain.com/blog/
), then the above mentioned .htaccess codes will not work perfectly.
The goal here is to redirect all URLs (regardless if the homepage, or the post pages) to a www + HTTPS URL.
Let’s take a look at all possibilities of URLs that we will need to redirect “from“, and redirect “to“.
Condition 1
We need to redirect all the following URLs from:
-
http://domain.com
-
http://www.domain.com
-
http://domain.com/blog/
-
http://www.domain.com/blog/
to an unify URL of:
-
https://www.domain.com/blog/
Condition 2
and post URLs from:
-
http://domain.com/blog/example-page/
-
http://www.domain.com/blog/example-page/
to:
-
https://www.domain.com/blog/example-page/
When your WordPress is hosted in subfolder (E.g. /blog/
), chances are you will have two .htaccess files, I.e. one .htaccess file outside the subfolder, and one inside the subfolder where WordPress is installed. And we will need to alter both of them.
.htaccess blog/ blog/.htaccess
.htaccess outside subfolder
Insert the following codes into .htaccess outside the subfolder.
RewriteEngine On ### non-www to www, http to https RewriteCond %{HTTPS} !on RewriteCond %{HTTP_HOST} ^domain.com$ [OR] RewriteRule (.*) https://www.domain.com/$1 [R=301,L] ### subfolder RewriteRule ^$ /blog/ [R=301]
Here’s what this part of the code does. First, it makes sure the domain is redirected to www with HTTPS, then it is redirected to the subfolder. This will satisfy #condition 1 mentioned above but it will not work for condition #2, not yet, at least.
.htaccess inside subfolder
Next, we will need to alter the .htaccess code inside the subfolder.
By default, it should look something like this:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPress
Put the following .htaccess code on top, and before “# BEGIN WordPress”
<IfModule mod_rewrite.c> RewriteEngine On ## http to https RewriteCond %{HTTPS} !on RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] </IfModule>
With these two set of codes in place, it will ensure any URLs entered will be included with www and HTTPS.
I urge that you do not implement this on your live site. Try it out numerous times on a staging/test site, making sure you’re getting the results you want before deploying it live.
One more thing, to ensure your redirecting is accurate, be sure to clear browser cookies and cache before commencing every test.