How to Force WordPress to use SSL

Adding an SSL to a website is becoming more and more common, especially now that Google considers it a factor for search engine optimisation (SEO). Although there’s still a bit of admin to and fro involved, ordering an SSL is usually quite straightforward, and most shared hosting providers will take care of the dirty work and get everything set up and installed for you. However, installing and activating the SSL isn’t always enough, and you may find that although your brand new https:// website works fine, users who have bookmarked the old one or have followed old links on the web may still see the http:// version, at least until they start browsing through the website. There are two things you need to do in order to ensure your SSL is fully functional in WordPress.

Firstly, you need to change the address of the website in the WordPress Settings. This is pretty simple, and most people will figure this out on their own, but just in case you haven’t tracked this down, log in to your WordPress admin and hover over Settings, and then click General. In here, update WordPress Address (URL) and Site Address (URL) to match the new secure domain (basically, just change http:// to https://). Once this is done WordPress will automatically rework any dynamic links into their https equivalents. You will need to go through your website double check and hardcoded links however, as anything that used absolute URLs ( rather than relative URLS (/about) will still be pointing to the insecure URL.

From this point, anyone who comes to your website and starts browsing will automatically start clicking on the new https:// links, so will be redirected to the secure site as soon as they do this. However, the first page they land on may still be insecure, so we need to set up a server-level redirect to move all users onto the https:// site automatically. This is done is the second stage:

To set up the redirect, you need to modify a file found in your public_html or htdocs folder, which should be accessible via FTP. The file is called .htaccess and you will need to download it via FTP. You may find that the file name is not valid for your desktop operating system, and if so the file may fail to show up on your computer once you have downloaded it. To fix this, use your FTP client (like Filezila) to rename the local copy of this file (i.e. the one on your computer not the one on the web server) to something like file.txt and you will then be able to edit the file within Windows or OSX (or macOS as it’s about to be known).

Once you have opened the file, assuming you are using Apache (if you’re ready this you probably will be), you need to add the following lines of text to the end:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1 [R,L]

If you’re using nginx you need to use this code instead:

server {
listen 80;
return 301$request_uri;

Just remember to change to your actual website address. Once you have saved this, use Filezilla to rename it to .htaccess and then upload it to the server. If you’re a cautious type (never a bad trait) then rename your current (i.e. the one on the web server) .htaccess file to .htaccess.bak before you upload the new copy and then you can always revert if you may a mistake. Once you have done this, test out your website by going to the non-secure (i.e. http://) version of the website and check that it redirects to the secure version. If it does, you’re all sorted – the only thing left to do is remove the .htaccess file from your computer using Filezilla, as now that you’re changed it back to the original name it may not show up properly in Explorer or Finder, though it won’t do any harm to leave it there.