Make WordPress Force HTTPS With or Without a Plugin

Have you protected your site with an SSL certificate yet? If not, it’s officially time to put one in place and to force your WordPress website to use the HTTPS protocol it enables.

What was once considered a must-have for ecommerce sites and a nice-to-have for all others is now a necessity. Your site’s visitors are more privacy conscious than ever before, and for good reason. The tools for stealing mishandled data are countless, and so are the stories of those who have fallen victim to them.

The best approach to HTTPS depends in part on your skill level. Those who are new to WordPress or SSL certificates should start with the basics, while those who are ready to protect their sites can jump ahead to the plugin recommendations or the .htaccess rules.

What is an SSL certificate?

Once installed, a valid SSL certificate (SSL is short for Secure Sockets Layer) allows your visitors to browse your website over the HTTPS protocol instead of the older, insecure HTTP alternative. HTTPS protects sensitive data as it passes from a user’s computer to your website and back to the user again.

That’s why online shops have been forcing HTTPS on their sites for years. As far as data is concerned, a credit card number is pretty darn sensitive.


Webmasters passed on SSL certificates for years for a number of reasons. Until recently, SSL certificates were an additional cost to those paying for website products like domain names, hosting, and more. Now, most great hosting providers offer free SSL certificates with their plans. Cost is no longer an excuse for not protecting your visitors.

What will I need to move my WordPress site to HTTPS?

So you’ve decided that you’re ready to protect your website with an SSL certificate and HTTPS? Great! You’ve made the right choice. Here’s all you’ll need to get started:

  • Administrative access to your WordPress website
  • Valid SSL certificate for your WordPress website’s domain name
  • Trustworthy SSL plugin or access to your website’s files

You can force HTTPS with a free WordPress plugin or by updating a single file in your hosting account. But first, you’ll need to make sure you have an SSL certificate installed and ready to go.

Installing and testing your SSL certificate

Adding an SSL certificate to your website was a big pain before hosting companies really started to embrace HTTPS. Now, providers like SiteGround offer automatic certificate installation to all customers at no extra cost.

If you’re a SiteGround customer, head to the Let’s Encrypt page of your cPanel. From there, scroll all the way down and select your WordPress website’s domain name from the dropdown. Choose “Let’s Encrypt SSL” over the wildcard alternative then click or tap the “Install” button.

SiteGround Let's Encrypt Tool

SiteGround’s installation of your SSL certificate shouldn’t take more than a minute or two to complete. Our WordPress guide outlines the entire process in greater detail, so be sure to download that for free if you haven’t already!

The process of installing a free SSL certificate varies from one hosting provider to the next. Don’t hesitate to reach out to your host with questions regarding their SSL offerings or the installation process.

After installing your certificate, it’s time to test. Qualys SSL Labs provides a free tool for running this test.

Head there and enter your site’s domain name into the SSL Server Test tool. The tool will scan your site for a minute or two and will then offer a letter grade or a notice depending on its findings. High letter grades suggest that your WordPress website is ready for HTTPS.

SSL Labs High Letter Grade

If you receive a “certificate name mismatch” notice or a similar warning, you should review the status of your free certificate before proceeding. It’s possible that the installation process is still running or that your host ran into an error when attempting to create the certificate.

SSL Labs Certificate Name Mismatch Notice

Move to HTTPS with a WordPress plugin

After confirming that your SSL certificate is active, you’re ready to create the rules that will force WordPress HTTPS connections across your site. Many WordPress plugins will add these rules on your behalf, but Really Simple SSL is (not surprisingly) one of the simplest.

Sign in to your WordPress control panel, then click or tap the “Add New” item in the “Plugins” dropdown. Search for, install, and activate Really Simple SSL by Kostas Vrouvas.

Really Simple SSL Plugin

Once activated, the plugin will encourage you to replace “HTTP references” and to prepare a website backup before inviting you to activate SSL. You probably won’t need to replace any HTTP references as long as your theme was well developed and you’re not adding custom code to your website. You should, however, prepare a complete backup of your site as the plugin suggests. Our free guide walks readers through a WordPress backup step by step.

With a backup in place and ready to restore from, go ahead and hit the plugin’s “activate SSL” button. The switch from HTTP to HTTPS will probably log you out of your WordPress control panel, but this is normal. Just log back in again.

WordPress HTTPS with Really Simple SSL

That’s all there is to it! Go ahead and browse pages from the front end of your website as a visitor might. Browsers like Google Chrome and Mozilla Firefox should show a padlock next to the address bar as you navigate from one page to the next, indicating that the move to HTTPS was successful.

How to force HTTPS without a WordPress plugin

As alluded to earlier, the Really Simple SSL plugin creates rules that send visitors to the HTTPS version of your website. Imposing SSL with a plugin is easy, but many WordPress users prefer to avoid the overhead of extra plugins whenever possible.

Fortunately for those users, making WordPress force HTTPS without a plugin is fairly straightforward. In fact, the rules are added to a single file and are made up of no more than three or four lines!

In order to continue, you’ll need access to the files that make up your website. You can access these files over FTP using a free program like FileZilla or from your host’s web-based file manager.

You’ll also want to prepare a site backup before proceeding. A seemingly harmless typo can take your whole WordPress site down when editing files directly.

Updating your website’s address

Before pasting any rules, you’ll need to change your website’s HTTP address to its HTTPS equivalent. Head to your WordPress website’s “General Settings” screen. This screen is linked to from the “Settings” dropdown of your website’s admin area.

Locate the “WordPress Address” and “Site Address” fields. Both values should begin with “http” instead of “https” if you’ve not yet created HTTPS rules for your website. Go ahead and switch the “http” part of both addresses to “https” without changing anything else in either value. Next, scroll down and save your changes.

Site Address Fields in WordPress Settings

WordPress will probably log you out immediately after the change. You’re now ready to add the rules required to force HTTPS on your site’s pages.

Locating and editing your .htaccess file

It’s easy to assume that installing an SSL certificate and replacing “http” with “https” in WordPress settings would guarantee a secure connection to your site’s pages, but that’s not the case. Additional rules are required to redirect users who visit your site’s insecure URLs, and those rules are added to your website’s .htaccess file.

Note that your WordPress site will need to be running in an Apache environment in order for these rules to work. Modern hosting companies like SiteGround will serve customer sites from Apache environments almost exclusively. Contact your provider if you’re unsure of how your site is hosted.

Go ahead and fire up your FTP client of choice or visit the file manager included with your hosting provider’s cPanel tool. Your host likely sent you FTP and cPanel credentials shortly after you purchased your plan.

Next, navigate to the root (or topmost) directory of the WordPress site you’re protecting with HTTPS. This directory should include at least three folders and several files beginning with the “wp-” prefix.

Root WordPress Directory in cPanel File Manager

Locate the .htaccess file in your site’s root directory then download and/or open it for editing. If you’re using cPanel’s file manager and cannot find the file, hit the “Settings” link inside the file manager. Some hosts will hide files that begin with dots by default, so check the box that shows those files then save the updated settings.

Show htaccess and Hidden Files with cPanel

Adding HTTPS rules to your WordPress .htaccess file

Drop the following lines into your WordPress site’s .htaccess file. These rules should be positioned above all of the file’s existing rules and text:

RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

These three lines will check to see if a visitor has omitted the important HTTPS part from your site’s web address. If she has, these rules will politely and silently redirect her. The rules will not take effect until you save and/or upload your modified .htaccess file.
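To confirm the redirect behaves as described, the check below inspects the response to a plain HTTP request without following it. It is an added example, not part of the original article; the function names and the example.com samples are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch_without_following(host, path="/", timeout=10):
    """Send GET http://host/path and return (status, Location) as served."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirect(status, location, host, path):
    """List what is wrong with the answer to http://host/path (empty = correct)."""
    problems = []
    if status != 301:  # the rule asks for a permanent redirect (R=301)
        problems.append(f"status is {status}, expected 301")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"redirects to {target.scheme or 'a relative URL'}, not https")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"host changed to {target.hostname!r}")
    # The rule should carry the path and query string over unchanged.
    served = target.path + ("?" + target.query if target.query else "")
    if served != path:
        problems.append(f"path changed to {served!r}")
    return problems

# Constructed responses to http://example.com/shop/?page=2, not real captures.
SAMPLES = {
    "rules working": (301, "https://example.com/shop/?page=2"),
    "temporary redirect": (302, "https://example.com/shop/?page=2"),
    "path dropped": (301, "https://example.com/"),
    "rules not applied": (200, None),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(name, audit_redirect(status, location, "example.com", "/shop/?page=2"))
    # Live check against your own site (placeholder host):
    # print(audit_redirect(*fetch_without_following("example.com"), "example.com", "/"))
```

An empty list means the visitor lands on the same page over HTTPS; anything else points at the rule, its position in the file, or a host configuration issue.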

Fixing WordPress HTTPS mixed content warnings

If you’ve installed a certificate, updated your site address, added the redirect rules, and still aren’t seeing that highly sought-after padlock next to your site’s pages, you’re probably suffering from mixed content. Browsers will trigger a mixed content warning when a site served over HTTPS includes insecure content.


For a page to be completely secure, all of the items served from it need to be secure as well. If you or the author of your theme has included images, scripts, or other resources from insecure addresses, you’ll need to correct them.

Replacing these insecure references by hand can be tedious, especially if your WordPress website includes many pages or posts. To correct all WordPress HTTPS mixed content warnings more quickly, add this line to the top of your website’s .htaccess file.

Header always set Content-Security-Policy: upgrade-insecure-requests

With this rule in place, browsers will rewrite insecure resource URLs on your pages and request those resources over HTTPS instead. The rule can be added immediately below or above the three redirect lines added earlier.

Many websites have not yet adopted HTTPS. If your site includes references to resources from these sites and your new .htaccess rule attempts to upgrade them to HTTPS, those resources will break. Sometimes this can cause an image or two to go missing, but in extreme cases, the failed upgrade can prevent an essential script from loading.

On the off chance that this newest rule negatively impacts site functionality, consider ways in which you can eliminate your dependency on the insecure script. If it’s not possible, remove the line from your .htaccess file, save it, then immediately begin your search for a secure alternative to the resource.
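Before relying on the upgrade rule, it helps to know which insecure resources a page references and which hosts would have to answer over HTTPS. The scanner below is an added example, not part of the original article; the tag table, function names and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> (URL attribute, kind). "active" content (scripts, frames, stylesheets)
# can change the whole page; "passive" content (images, media) cannot.
# <a href> is a navigation, not a subresource, so it is not listed.
FETCHED = {"script": ("src", "active"), "iframe": ("src", "active"),
           "link": ("href", "active"), "img": ("src", "passive"),
           "audio": ("src", "passive"), "video": ("src", "passive"),
           "source": ("src", "passive")}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHED:
            return
        attrs = dict(attrs)
        attr, kind = FETCHED[tag]
        # Only stylesheet links are loaded as page content; rel=canonical is not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        url = (attrs.get(attr) or "").strip()
        # Relative and protocol-relative (//host/...) URLs inherit the page's scheme.
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

def hosts_to_verify(findings):
    """Hosts that must answer over HTTPS before the CSP upgrade is safe."""
    return sorted({urlsplit(url).hostname for _, _, url in findings})

# Constructed sample page, not taken from a real site.
SAMPLE_PAGE = """<head><link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://fonts.example.net/css/main.css">
<script src="http://cdn.example.org/slider.js"></script>
<script src="//cdn.example.org/ok.js"></script></head>
<body><a href="http://old.example.com/">old link</a>
<img src="http://example.com/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/local.png"></body>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
    print("check HTTPS support on:", hosts_to_verify(find_mixed_content(SAMPLE_PAGE)))
```

Run it over the saved HTML of a few representative pages; any listed host that does not serve the resource over HTTPS is one the upgrade rule will break.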

Notifying others of your move to HTTPS

Now that you’re serving your WordPress website over HTTPS, it’s time to share the news! Update your web address in social media profiles and anywhere else you’ve featured your site.

And be sure to update your site’s address in Google Analytics, Google Search Console, and in Bing Webmaster Tools if you’re using those services (and you definitely should be)! Properties like these are often tied to a specific domain name and protocol pair.

Depending on how you configured your Search Console property, you might need to register your HTTPS address as a new property. Be sure to keep the old property around so that you can monitor the deindexing of your old insecure pages. Alternatively, consider moving your Search Console property to the newer “domain” type.

Moving your WordPress website to HTTPS is a win-win

It no longer makes sense to serve your WordPress website over an insecure protocol. The plugins that make WordPress force HTTPS range from inexpensive to free, and SSL certificates are just too easy to come by.

While the switch to a secure WordPress website certainly benefits your visitors, you too stand to gain from the upgrade. Search engines like Google use HTTPS as a ranking factor, so the move can yield a slight search ranking boost. And no matter how you spin it, helping your customers while helping yourself is a win-win.
