How to Force HTTPS in WordPress to Use SSL?

Nowadays, almost all hosting providers offer free SSL certificate with Let’s Encrypt. However, it is important to force HTTPS to redirect all your traffic to go through secured protocol. Otherwise, users will be able to access HTTP pages and you will see the HTTP URLs in Google Analytics and CDN traffic data. In this article, we will explain various methods for forcing HTTPS in WordPress to send the traffic through secured SSL.

Sending Traffic Through Secured SSL

Many users think that installing SSL is sufficient to access the URLs through HTTPS protocol. This is not true as you can also access HTTP URLs after installing SSL certificate on your site. What you need is to redirect or force all site’s URLs to use HTTPS by making use of the installed SSL certificate. This is important for the following reasons:

• HTTPS is a search ranking factor and gives you an edge over HTTP pages even for static content.
• Make sure all traffic goes through HTTPS after migrating from HTTP setup.  
• Efficient caching of pages with single HTTPS protocol.
• Safeguard the transactions when you collect data from users.
• Avoid browsers showing “Not Secure” message in the address bar affecting the trustworthiness of your site.
• Fix third-party content (like advertisements) blocked with mixed content warning in browser console.

If you have one or more of the above issues, then follow the below methods to force HTTPS in WordPress.

1. Change Site Address to HTTPS

Some hosting companies install SSL but assign HTTP site address when installing WordPress from hosting panel. For example, SiteGround will automatically assign HTTP URL for site address even though you add Let’s Encrypt SSL after WordPress installation. Actually, you will see a notification in the SSL installation page on this to configure your application (WordPress).

In this case, the site will be accessible through both HTTP as well as HTTPS and you should manually change the site address to HTTPS.

• Login to your WordPress admin panel (you can use either HTTP or HTTPS for login URL).
• Navigate to “Settings > General” section.
• Check “WordPress Address (URL)” and “Site Address (URL)” boxes and change to https:// if they are with http://.
• Scroll down to bottom of the page and click “Save Changes” button.

• You will be logged out of the admin panel. Now, try to login with http:// URL and you should be redirected to https:// automatically.

2. Add .htaccess Directive to Force HTTPS in WordPress

After changing the site address also if your http:// URLs are not redirecting to https://, then you should force it by adding a directive in .htaccess file.

• Login to your hosting account and open File Manager app.
• Navigate to the site’s root location which is generally under “/public_html/”.
• Find .htaccess file and edit it.
• Copy and paste the following code at the start of the file and save your changes.

# START FORCE HTTPS
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END FORCE HTTPS

• If you are already forcing WWW version (from non-www), then try the following code instead of the above code.

# START FORCE HTTPS with WWW
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END FORCE HTTPS

• Now, check all your URLs are forced to https://. Remember, adding this code will automatically change the “WordPress Address (URL)” to https:// in admin settings.

You can also use FTP clients like FileZilla to remotely access your server and edit .htaccess file. Since .htaccess has no name (it has only extension), the file will be hidden by default. You should enable “Show Hidden Files” or similar option in File Manager or FTP software to view .htaccess file.

3. Use Plugins to Force HTTPS

If you do not have access to File Manage or FTP, then you can try a plugin to add directive in .htaccess file. SG Optimizer is a caching and optimization plugin which you can use for this purpose. It works on all hosting platforms and comes preinstalled with WordPress installations in SiteGround.

• Login to your site’s admin panel and go to “Plugins > Add New” section.
• Search and install “SG Optimizer” plugin.
• Go to “SG Optimizer > Environment” section and enable “HTTPS Enforce” option.

You can also enable “Fix Insecure Content” option if you are seeing mixed content warnings in browser console. There are also alternate plugins like Really Simple SSL to force HTTPS and harden the security of your site.   

4. Check Hosting Setup to Force HTTPS in WordPress

Hosting companies like SiteGround, Kinsta and many others offer custom hosting panel with an option to force HTTPS. Here, we will explain with SiteGround hosting and you may need to check with your hosting support if you need assistance.

• Login with your SiteGround hosting account and go to “Websites” tab.
• Click “Site Tools” option for the site you want to force HTTPS.
• Go to “Security” section and “HTTPS Enforce” section.
• Enable “HTTPS Enforce” switch for the domains and subdomains showing in the list.

This will add the required redirective in .htaccess file and the changes will be saved automatically. From now, all your site’s http:// pages will be redirected to use secured https:// protocol.

5. Check SSL Setup in CDN

If you are using Cloudflare or similar setup to speed up your site, then make sure to apply strict SSL/TLS encryption to force all traffic goes through HTTPS. Go to “SSL/TLS > Overview” section in your Cloudflare account and select “Full” option. This will encrypt end-to-end communication from browser to server using server side SSL certificates like Let’s Encrypt.

Privacy and SSL Mismatch Errors

All the above methods assume you already have valid SSL certificate installed on your site. If you did not setup SSL or the certificate is expired, then you will see privacy or SSL mismatch error. In that case, there will be no traffic to your site as the browser will block all users. You should get free SSL and install it from hosting account to resolve SSL related problems. This is different issue than forcing HTTPS to access all pages through secured https:// protocol.