Forcing HTTP to HTTPS in WordPress (Apache Server)

By Hongkiat Lim. in Hosting. Updated on October 18, 2022.

You should always load your site with HTTPS. Aside from protecting your data integrity between your websites and your site users, HTTPS is now a requirement for many new browser APIs such as the Geolocation API.

HTTPS also carries on some weight in Google SERP ranking signal. So ensuring that your site will always load from HTTPS is crucial. We’ll show you how to do it with Apache in this tutorial.

Note that before proceeding this step, make sure that you’ve got the SSL cert installed and loaded in the server. Otherwise, check out our tutorial on Beginner’s Guide to Website SSL Certs.

If it is all set, you can proceed to the next step.

HTTP to HTTPS

If your WordPress website can be accessed directly at http://www.domain.com and you want to direct all visitors from HTTP to HTTPS, then try either of the following .htaccess codes.

Option 1:

RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Option 2:

RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

Explanation

Both option 1 and 2 will redirect anyone accessing http://www.domain.com to https://www.domain.com

Option 1 codes will check if the connection whether it’s TLS/SSL, while Option 2 codes will check if the site runs on port 80 which, by default, is the port number of HTTP.

Note: Using Option 1 codes generally is preferable. The syntax is more expressive, and it will redirect to HTTPS regardless of the port number because the site can technically is able to load with HTTP outside port 80.

"non-www" > "www" & HTTP > HTTPS

If you want to force "non-www" to "www", and HTTP to HTTPS, then the .htaccess codes above will not suffice.

To put things into perspective, if your goal is to redirect the following URLS:

http://www.domain.com
http://domain.com

to:

https://www.domain.com

Then you will need to use the .htaccess codes below.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain.com$ [NC]
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]

RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Explanation

First, it redirects any "non-www" to "www", then it checks for HTTPS, making sure the final result is: www + HTTPS.

"non-www" > "www" & HTTP > HTTPS (in subfolder)

Now, if you are – like us – hosting your WordPress website in a subfolder (i.e. www.domain.com/blog/), then the above mentioned .htaccess codes will not work perfectly.

The goal here is to redirect all URLs (regardless if the homepage, or the post pages) to a www + HTTPS URL.

Let’s take a look at all possibilities of URLs that we will need to redirect “from“, and redirect “to“.

Condition 1

We need to redirect all the following URLs from:

http://domain.com
http://www.domain.com
http://domain.com/blog/
http://www.domain.com/blog/

to an unify URL of:

https://www.domain.com/blog/

Condition 2

and post URLs from:

http://domain.com/blog/example-page/
http://www.domain.com/blog/example-page/

to:

https://www.domain.com/blog/example-page/

When your WordPress is hosted in subfolder (E.g. /blog/), chances are you will have two .htaccess files, I.e. one .htaccess file outside the subfolder, and one inside the subfolder where WordPress is installed. And we will need to alter both of them.

.htaccess
blog/
blog/.htaccess

.htaccess outside subfolder

Insert the following codes into .htaccess outside the subfolder.

RewriteEngine On
### non-www to www, http to https
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP_HOST} ^domain.com$ [OR]
RewriteRule (.*) https://www.domain.com/$1 [R=301,L]

### subfolder
RewriteRule ^$ /blog/ [R=301]

Here’s what this part of the code does. First, it makes sure the domain is redirected to www with HTTPS, then it is redirected to the subfolder. This will satisfy #condition 1 mentioned above but it will not work for condition #2, not yet, at least.

.htaccess inside subfolder

Next, we will need to alter the .htaccess code inside the subfolder.

By default, it should look something like this:

# BEGIN WordPress
&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
&lt;/IfModule&gt;
# END WordPress

Put the following .htaccess code on top, and before “# BEGIN WordPress”

&lt;IfModule mod_rewrite.c&gt;
RewriteEngine On
## http to https
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
&lt;/IfModule&gt;

With these two set of codes in place, it will ensure any URLs entered will be included with www and HTTPS.

I urge that you do not implement this on your live site. Try it out numerous times on a staging/test site, making sure you’re getting the results you want before deploying it live.

One more thing, to ensure your redirecting is accurate, be sure to clear browser cookies and cache before commencing every test.

HTTP to HTTPS

Option 1:

Option 2:

Explanation

"non-www" &gt; "www" & HTTP &gt; HTTPS

Explanation

"non-www" &gt; "www" & HTTP &gt; HTTPS (in subfolder)

Condition 1

Condition 2

.htaccess outside subfolder

.htaccess inside subfolder

"non-www" > "www" & HTTP > HTTPS

"non-www" > "www" & HTTP > HTTPS (in subfolder)