Skip to Main Content

Force HTTPS with .htaccess

Here's how to redirect all non-secure HTTP traffic to HTTPS using your .htaccess file. No need to update anything. It's copy, paste, and forget it.

Force HTTPS with .htaccess

All the major browsers have started showing insecure warnings on sites without SSL certificates. Without SSL, your website will show insecure to the visitors. Therefore, using an SSL-encrypted connection for safety, accessibility or PCI compliance reasons is necessary. It becomes very important to redirect from HTTP to HTTPS.

In order to force your web traffic to use HTTPS, we need to add a little code in the .htaccess file.

What is .htaccess?

Before we get into the actual code to be added, what IS the .htaccess file?  There are instructions/directives in the .htaccess file that tell the server how to act in certain scenarios and directly affects how your website functions.  Be a little careful editing this file.  You can pretty easily take your website down if you add something you shouldn’t.

The Difference Between HTTP and HTTPS

Using HTTPS, computers agree on a secured “code” between them, and then they scramble (encrypt) the data between them so no one can see or access it in transit.  That helps keep things being sent between them (like usernames and passwords) safe (or safer) from hackers using a “Man in the Middle” attack.

The encryption is done over a “Secure Socket Layer,” or SSL.  Sometime referred to as “Transport Layer Security (or TLS).  That’s why you buy an “SSL” so you can access your site via HTTPS.

Anywho.  Assuming you understand all that, and have already purchased that SSL, you’re ready to start redirecting all HTTP traffic to HTTPS.

Redirect All HTTP to HTTPS (SSL)

In the .htaccess file, above any other rules/directives, paste the following. NOTE: No need to update anything here. It’s copy, paste, and forget.

# BEGIN Force SSL
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force SSL

Let’s break that down a bit.

Port 80 is the incoming non-SSL port number for web traffic. What we’re directing the server to do is to redirect anything coming in over port 80 (http) to the same page over https (as in https://yourdomain.com).

NOTE: If you’re using WordPress, be sure to paste this in your .htaccess file BEFORE the WordPress stuff.

Force SSL in WordPress

If you’re using WordPress, there’s also a directive in the wp-config.php file that you might want to add the following to force SSL on Administration pages and logins.  You’ve got an SSL now, why not use it?

define('FORCE_SSL_ADMIN', true);

Note: Be sure you paste that BEFORE the require_once(ABSPATH . 'wp-settings.php'); line (which is usually at the bottom of the file anyway).

Share the love:

Get Support

Nobody's perfect. If you need a little help, request support from the super-nerds at JDM Digital.

Any information you provide here will be kept confidential and only used for this purpose.

So we can follow-up.

The URL of the issue.

The more specific you can be, the better.

I am 100% robot

You're not a robot, are you? Sorry we have to ask.