JDM Digital

Force HTTPS with .htaccess

Here's how to redirect all non-secure HTTP traffic to HTTPS using your .htaccess file. No need to update anything. It's copy, paste, and forget it.

HTTP Redirect to HTTPS

All the major browsers have started showing insecure warnings on sites without SSL certificates. Without SSL, your website will be flagged as insecure to visitors. Using an SSL-encrypted connection is therefore necessary for safety, accessibility or PCI compliance reasons, and redirecting from HTTP to HTTPS becomes very important.

In order to force your web traffic to use HTTPS, we need to add a little code in the .htaccess file.

What is .htaccess?

Before we get into the actual code to be added, what IS the .htaccess file? The .htaccess file contains instructions/directives that tell the server how to act in certain scenarios, and they directly affect how your website functions. Be a little careful editing this file. You can pretty easily take your website down if you add something you shouldn’t.

The Difference Between HTTP and HTTPS

Using HTTPS, computers agree on a secured “code” between them, and then they scramble (encrypt) the data between them so no one can see or access it in transit.  That helps keep things being sent between them (like usernames and passwords) safe (or safer) from hackers using a “Man in the Middle” attack.

The encryption is done over a “Secure Sockets Layer,” or SSL, sometimes referred to as “Transport Layer Security” (or TLS). That’s why you buy an “SSL” so you can access your site via HTTPS.

Anywho.  Assuming you understand all that, and have already purchased that SSL, you’re ready to start redirecting all HTTP traffic to HTTPS.

Redirect All HTTP to HTTPS (SSL)

In the .htaccess file, above any other rules/directives, paste the following. NOTE: No need to update anything here. It’s copy, paste, and forget.

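# BEGIN Force SSL
<IfModule mod_rewrite.c>
RewriteEngine On
# Only match requests that did not arrive over HTTPS
RewriteCond %{HTTPS} off
# Permanently (301) redirect to the same host and path over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END Force SSL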

Let’s break that down a bit.

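Port 80 is the incoming non-SSL port number for web traffic. The RewriteCond line matches any request that did not arrive over HTTPS, which in practice means anything coming in over port 80 (http). The RewriteRule line then tells the server to send a permanent (301) redirect to the same page over https (as in https://yourdomain.com).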

NOTE: If you’re using WordPress, be sure to paste this in your .htaccess file BEFORE the WordPress stuff.
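
Once the rule is in place, it is worth checking what the server actually sends back. The following is an added example (not part of the original article): a small Python checker that confirms a plain-HTTP request gets a 301 to the same host, path and query string over https. The function names and the sample responses are made up for illustration; probe() is the only part that touches the network.

```python
import http.client
from urllib.parse import urlsplit

def check_redirect(request_url, status, location):
    """Return a list of problems with one HTTP->HTTPS redirect (empty list = OK)."""
    req = urlsplit(request_url)
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme or 'missing'}, expected https")
    if loc.hostname != req.hostname:
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):
        problems.append("path or query string not preserved")
    return problems

def probe(request_url, timeout=5):
    """Send one plain-HTTP HEAD request (redirects are not followed) and check it."""
    u = urlsplit(request_url)
    conn = http.client.HTTPConnection(u.netloc, timeout=timeout)
    try:
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return check_redirect(request_url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://example.com/shop?id=7", 301, "https://example.com/shop?id=7"),  # correct
    ("http://example.com/shop?id=7", 302, "https://example.com/shop?id=7"),  # temporary
    ("http://example.com/shop?id=7", 301, "https://example.com/"),           # path lost
    ("http://example.com/", 200, None),                                      # rule inactive
]

def run_samples():
    return [check_redirect(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for sample, problems in zip(SAMPLES, run_samples()):
        print(sample[0], "->", "OK" if not problems else "; ".join(problems))
```

To test a live site, call probe("http://yourdomain.com/some/page?x=1") and expect an empty list.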

Force SSL in WordPress

If you’re using WordPress, there’s also a directive you might want to add to the wp-config.php file to force SSL on Administration pages and logins. You’ve got an SSL now, why not use it?

define('FORCE_SSL_ADMIN', true);

Note: Be sure you paste that BEFORE the require_once(ABSPATH . 'wp-settings.php'); line (which is usually at the bottom of the file anyway).
