How to Force Redirect HTTP to HTTPS in WordPress?

Installing an SSL certificate can seem like a never-ending process. 

Right when you think you are close to the finish line, there is still some distance left to cover. 

You have installed the SSL certificate and now it’s time to ensure that it was in fact installed on every single page of your site. 

This is where forcing HTTPS comes in.

Many websites experience issues while configuring SSL. The certificate is not properly activated on some pages. Hence you need to force the certificate (or HTTPS) on those pages.  

In this article, you’ll learn how to do just that. 

Forcing HTTPS is known to cause issues. Don’t worry, we’ve got your back. We’ll show you how to troubleshoot those issues. Your entire site will be running on SSL in no time. 

TL;DR: The quickest way to force your website over HTTPS is to install and activate the Really Simple SSL plugin. It works automatically, you don’t have to lift a single finger. In case forcing HTTPS leads to an issue, come back to this article and check out our troubleshooting section. 

Have You Installed An SSL Certificate?

Before you proceed to force HTTPS in WordPress, you need to have the SSL certificate installed. Do not install any plugin that’ll help you enforce without first installing the certificate.

We have encountered situations where site owners had activated the Really Simple SSL plugin without installing an SSL certificate. In consequence, their websites broke and access to their admin dashboard was lost. 

Hence, please ensure that you have an SSL certificate installed on your site before moving to the next section. Here’s a guide that’ll help you do just that – How to Install an SSL Certificate?

How To Force HTTPS in WordPress? 

There are two ways to force WordPress to use HTTPS:

1. Forcing HTTPS using a plugin (easy way)
2. Forcing HTTPS manually (hard way)

Let dive into both methods – 

1. Forcing HTTPS Using A Plugin (Easy Way)

Step 1: Create a staging site. It’s an exact replica of your live site. On the staging site, you can test if the plugin can properly enforce HTTPS. 

If it can’t, your live website remains unharmed. Moreover, you can troubleshoot what went wrong and fix the issue on the staging site. Later you can merge the staging site with the live one to incorporate the changes without replicating the steps. 

→ So, install and activate BlogVault Staging on your live WordPress website. 

→ From your website dashboard, select BlogVault. 

→ Next, insert your email ID, then click on Get Started. 

→ BlogVault will ask you to create an account. All you need to do is enter a password. 

→ Add your site to the BlogVault dashboard just by clicking on Add. 

→ The plugin will start taking a backup of your complete website. When the process is complete, on your BlogVault dashboard, click on Sites and then select your website. 

→ Scroll down to the Staging section and select Add Staging > Submit. BlogVault will start creating a staging site for you. 

→ When the staging site is ready, you will be given a username and password. Note them down, you’ll need them. 

→ Then open the staging site by clicking on the Visit Staging Site button. 

→ The staging site will open in a new tab and you will be asked to enter the credentials that you noted down.

→ Now you can access your staging site. Just add /wp-admin/ at the end of your URL to open the login page. 

→ And login via the same credentials you use to log into your live site. 

Step 2: Now install and activate the Really Simple SSL plugin on your staging site. 

Step 3: After activation, this particular WordPress force HTTPS plugin will tell you to take a backup, which you have already done. Next, it’ll ask you to go ahead and click on “Go ahead, activate SSL.” Do that and HTTPS will be forced site-wide. 

Step 4: Clear your site and browser caches. Here’s a guide that’ll help you through that – How to Clear WordPress Cache?

Step 5: Check all pages of your staging site. The most important ones include login and admin pages, contact page, cart pages, service or product pages, archive pages, all-important landing pages, and posts. 

If there are just too many pages on your website to check manually? Use one of the tools below to do it automatically. If the SSL certificate is not active on any page, you’ll get a notification.

• https://www.jitbit.com/sslcheck/
• https://www.sslchecker.com/insecuresources
• https://www.ssllabs.com/ssltest
• https://www.whynopadlock.com/

If the certificate has not been forced properly then you will experience issues like mixed content, redirection loops, or no HTTPS  on the login and admin page. 

Luckily, our test site had no mixed content issue.

If you do find an issue, don’t panic, there’s a solution. Jump to the troubleshooting section to fix your website. 

After you have fixed the site, merge the staging site with your live site. 

Step 6: Open BlogVault’s dashboard and go to the Staging section. Click on Merge, then select Continue and the process of merging will begin. (Follow this guide if needed: Merging Staging Site With Original Site.)

That’ll all, folks. SSL certificate has been forced on your website. 

2. Forcing HTTPS Manually (Hard Way)

Using the plugin is the recommended way because it’s automated. You don’t have to do much apart from activating the plugin. 

With the manual method, you need to be slightly more experienced and comfortable with handling WordPress backend files. If you aren’t proficient in working on the website’s backend, you may make mistakes. 

Unfortunately, the smallest mistake can lead to catastrophic results, like your website breaking and you losing access to your admin dashboard. 

In case we weren’t clear: the manual method is not recommended. However, if you are feeling adventurous today, then go ahead and try the manual method. 

Here  are the two steps that you need to take to force WordPress HTTPS without plugin:

Step 1: Backup Your Site

Take a complete backup of your website before implementing any of the steps below. If something goes wrong, you can quickly restore your site to normal. This is a safety precaution that even the most experienced developers take. 

If you are not subscribed to a backup service, here are the best backup services you can get for WordPress. 

Step 2: Change The WordPress & Site Addresses Setting

→ Login to your WordPress dashboard and go to Settings > General. 

→ Go to WordPress & Site Addresses. 

→ Change the URLs from https:// to https://

→ Save and close the window.

Step 3: Insert A Code Snippet Into Your Server 

There are two types of servers –

• Apache 
• Nginx

The code snippet that you need to insert onto an  Apache server is different from the one you need to insert onto an Nginx server. 

Hence, you need to first figure out which server is your site hosted on. Here’s how to do that – 

> What Server Is Your Site Hosted On?

You could just talk to your hosting provider. But there’s a quicker way that we’ll show you below: 

→ Open your website, right-click anywhere in the window and select Inspect. A window pops up from underneath. 

→ From that window, select Network, then the name of your website, and then click on Header. 

→ In the header section, scroll down to find the server of your site. 

> Inserting Code Snippet Onto An Apache Server

→ Download and install Filezilla onto your computer. 

→  Open the software and enter your FTP details at the top of the window. You can find your FTP credentials with the help of this guide and this video. Or just talk to your hosting provider.

→ The Remote site panel will populate with the files and folder of your website. You should find a public_html folder in that panel. Expand that folder.

→ Inside the public_html folder, you will find the .htaccess file. Right-click on it and select View/Edit.

→ Inside the .htaccess folder, insert the following code snippet:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Please ensure that you are inserting it between “# BEGIN WordPress” and “# END WordPress.”

→ Remember to save the file and exit. 

That’s it. It’ll enforce HTTPS  on your website.

> Inserting Code Snippet Onto An Nginx Server

→ Download and install Filezilla into your computer. 

→  Open it and enter your FTP credentials. You can find your FTP details from your hosting provider. If you don’t know how to find your credentials, this guide and this video will give you step-by-step instructions. 

→ The Remote site panel will populate with WordPress files and folders. You should find a public_html folder in here. Click to expand that folder.

→ Inside the public_html folder, you will find the wp-config.php file. Right-click on it and select View/Edit.

→ Inside the .htaccess folder, insert the following code snippet:

server {
listen 80;
return 301 https://domain.com$request_uri;
}

Please remember to replace domain.com in the snippet with your own website URL. 

Also, make sure to insert the code above the sentence /* That’s all, stop editing! Happy blogging. */

→ Remember to save the file and exit. 

→ Next, clear your website cache, as well as the browser cache. This guide will help you do just that – How to Clear WordPress Cache?

→ Check your website thoroughly. Important pages of your website include the login and admin pages, contact page, cart pages, service, or product pages, archive pages, all-important landing pages, and posts. 

If your website has too many pages to verify manually, use tools to check whether HTTPS was forced properly. 

• https://www.jitbit.com/sslcheck/
• https://www.sslchecker.com/insecuresources
• https://www.ssllabs.com/ssltest
• https://www.whynopadlock.com/

The tools will notify you if the SSL certificate is not reflected on any of your pages. 

If there is a notification, don’t panic. There’s a solution. Jump to the troubleshooting section to fix your site.

But if all goes well, then proceed to the next section. 

Update Your Site To Web Services 

If you are anything like us, you are probably using many web services. Examples of commonly used services are X, Y, and Z. Updating the URL on all your accounts is crucial for them to continue working.

→ Update Your Sitemap: Ideally, SEO plugins like Yoast should automatically update the sitemap. If it doesn’t then you need to log into your WordPress admin and navigate to SEO > Features > XML Sitemaps > disable the sitemap. Then enable it again. This will regenerate the sitemap with the changed URLs. 

→ Update URL on Google Services: Google Analytics considers HTTP  and HTTPS  to be  different websites, hence you need to update the link to your website on Analytics. Log into your Analytics account, then go to Admin > Property Settings > Default URL. Pick HTTPS from the dropdown menu right before your URL.

On Google Search Console, you need to add it as a new property. Then upload your updated sitemap onto the Search Console.

→ Update Your CDN: Most CDNs are equipped with a built-in feature that allows you to change the URL. If your CDN doesn’t, then it’s best to talk to their support. 

→ Update Your Social Media Account: It’s good practice to keep the site URL updated on your social profiles. 

Troubleshooting Issues Caused By Forcing HTTPS

When forcing HTTPS on your WordPress website, you are likely to come across one  of these three issues:

1. No SSL on login & admin page
2. Broken padlock or padlock showing warning signs (mixed content issue)
3. Redirection loops

Here’s how to fix them – 

1. No SSL On Login & Admin Page

Is your login page and admin area showing the “Not Secure” warning? 

This happens when the SSL certificate is not configured properly. 

If you carry on logging in without the SSL certificate, the login credentials, if obtained by hackers, can be easily exploited. Before such a disaster happens, you need to force HTTPS on the login and admin pages. 

This article will help you do just that – WordPress Login Not Secure.

2. Broken Padlock or Padlock Showing Warning Signs (Mixed Content Issue)

Is your SSL certificate showing warning signs?

This is due to a mixed content issue. It means you have links, images, scripts and/or stylesheets from WordPress plugins and themes that don’t use HTTPS. 

To ascertain if your site has mixed content, all you need to do is run your site on SSL checkers like Whynopadlock & Jitbit. Alternatively, you can do a manual check by following the steps below: 

1. Open your website. Right-click and select Inspect. 

2. A small window pops up from below. In that, go to Console and it’ll show you the mixed content warning, along with details about where the mixed content issues are originating. 

For instance, the issue could be caused by a  WordPress plugin or theme. 

It could be caused by an image on your site. 

To fix this issue, following this guide on Removing Mixed Content in WordPress.

3. Redirection Loops

Is your website being constantly redirected? 

Redirection loops occur due to a number of reasons. Those are:

• Your WordPress & Site Addresses are wrong 
• Wrong redirection instructions in the .htaccess file
• Forcing HTTPS without installing the SSL certificate
• Configuration issues with a redirection plugin

If you followed our guide carefully, then the first three issues are not likely. However, we suggest you review the steps you took once more. Since it’s a critical change,   a small mistake could have led to the redirection loop.

All good? Then it’s very likely that a redirection plugin on your website is the real culprit. Try disabling it. 

The redirection loop will prevent you from accessing the admin dashboard. So you need to disable the plugin via FTP. 

→ Open Filezilla and go to public_html > wp-content > plugins. 

→ Select the redirection plugin installed on your site. Right-click and select Rename it. Just add .deactivate and the plugin will be deactivated. 

→ Next, clear your cache and check if the site is still redirecting. Hopefully, it’s fixed. If not, then consider posting about it on the WordPress support forum and on Facebook groups like WordPress Experts, WPCrafter, WordPress, WPSecure, among others.

When all fails, you can hire developers to investigate the matter. Please ensure that you hire developers from trusted sources like – 

• WordPress Jobs 
• Smashing Jobs 
• Codeable.io 
• WPMU Dev Pros 
• StackOverflow Careers

That’s all folks. And that’s how you force HTTP to HTTPS in WordPress. We hope you found the guide valuable and easy to follow.

What Next?

We are confident that, if you followed our guidelines carefully, you were able to force HTTPS throughout your WordPress website. 

But moving your site to HTTPs alone will not secure it from hackers and bots. 

You need to take other proactive security measures. 

The most important security measure that you can take for your WordPress website is to install a trustworthy and reliable security plugin. 

An effective security plugin will protect your website by taking the steps below:

• Block bad traffic from accessing your site with a firewall and login protection features. 
• Conduct automatic scans of your website on a daily basis. 
• Clean your website thoroughly and within a few hours. 
• Help implement website hardening measures. 

Secure Your Site With MalCare Security Services