WordPress 301 Redirect to Force HTTP to HTTPS
WordPress 301 Redirect to Force HTTP to HTTPS

Introduction

Google and other leading search engines have announced that they will place a higher emphasis on secure sites in their ranking algorithms. Their ranking factors, out of hundreds, will favor a secure (https) site and rank higher than a non-secure (http) counterpart. Read further to learn more about SSL Certificates and how to force https with a 301 redirect for your WordPress site by adding a rewrite rule into your .htaccess file.

SSL Certificates

To secure your site from http to https you will need an SSL Certificate installed on the server that your site is hosted on. There are many types of SSL Certificates, which we won’t get into detail in this article. The majority of you reading this will be fine with what’s called a Domain Validated (DV) SSL Certificate.

Most WordPress web hosting providers will sell third-party SSL Certificates and many WordPress web hosts also support Let’s Encrypt.

Let’s Encrypt

Let’s Encrypt is a Certificate Authority that issues free SSL Certificates to your domain. A Let’s Encrypt SSL Certificate will renew automatically every 90 days. The growth of Let’s Encrypt and number of SSL Certificates issued is staggering and continues to be adopted by web hosting providers every day.

Redirect and Force HTTP to HTTPS

Now that you have a SSL Certificate installed for your domain, you will want to force HTTPS. When a visitor types your domain into their browser’s address bar it will automatically redirect them to https://yourdomain.com (HTTPS) rather than http://yourdomain.com (HTTP). The 301 redirect to force HTTPS is desired so the visitor trying to access your site won’t see a Your connection is not private page or insecure browser warning if they land on the non-secure version of your site.

Your connection is not private

The WordPress redirect code example below will ensure that visitors who go to your site will be redirected to the secure (HTTPS) version of your site as long as you have an SSL Certificate installed properly on the server your site is hosted on.

301 Redirect Code Example .htacess

Add the following code to the top of your WordPress site’s .htaccess file.

# FORCE HTTP TO HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

After adding the rewrite to your WordPress site’s .htaccess, you will need to clear your browser’s cache, restart your browser, and access your site again if you aren’t being redirected to the secure version of your site.

.htacess Placement

Edit the .htaccess file. The .htaccess (dotfile) can be accessed using FTP or inside of cPanel. We’ll use the File Manager inside of cPanel to edit and place the rewrite in the .htaccess as shown below.

Edit .htaccess File
Edit .htaccess File

Testing a Permanent 301 Redirect

After updating your .htaccess with the 301 redirect to force HTTP to HTTPS you’ll want to make sure that the redirect is working.

You can test the 301 redirect by typing the non-secure version of your URL in the address bar of any browser. If it redirects you to the HTTPS version of the URL then the 301 redirect to force HTTPS is working.

301 Redirect Checker

There are also handy tools such as RedirectCheck.com. If you enter the non-secure (HTTP) version of your URL into the redirect checker, you should see output from the test similar to below.

In the example below you’ll see that http://wphelper.com (HTTP) was moved permanently to http://wphelper.com (HTTPS).

Results:
http://wphelper.com

HTTP/1.1 301 Moved Permanently
Date: Wed, 26 Jun 2019 01:24:31 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df902247909f404af1d1784559e2912e71561512271; expires=Thu, 25-Jun-20 01:24:31 GMT; path=/; domain=.wphelper.com; HttpOnly
Location: http://wphelper.com/
Server: cloudflare
CF-RAY: 4ecb61d2fec7d0e4-SJC

http://wphelper.com/

HTTP/1.1 200 OK
Date: Wed, 26 Jun 2019 01:24:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d96763a3fd11c6c535f18679ac76f73081561512272; expires=Thu, 25-Jun-20 01:24:32 GMT; path=/; domain=.wphelper.com; HttpOnly
Link: ; rel="https://api.w.org/"
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 4ecb61d41f1ad0e0-SJC

Update Cloudflare Crypto (SSL) Settings

If you’re using Cloudflare please read on. For those of you who are not familiar with or using Cloudflare you do not need to follow this next step.

When your site is secure (HTTPS) and you’ve added the .htaccess rule from above you’ll need to update the Crypto settings in your Cloudflare account for your domain.

Log into Cloudflare and click the Crypto icon.

Cloudflare Crypto Settings
Cloudflare Crypto Settings

From the dropdown menu, update the Crypto SSL setting from Flexible to Full (strict).

SSL Full (Strict)
SSL Full (Strict)

Sign Up for Our Newsletters

Get notified of the best deals on our WordPress themes.

You May Also Like

How to Add www in Your WordPress URL

Introduction Most web hosting providers will auto-install WordPress for you when you…

How to Limit WordPress Post & Page Revisions

Introduction By default, WordPress stores unlimited post revisions and page revisions in…

How to Enable WordPress Debug & Debug Log File

Debugging is a skill set any developer or webmaster will need to…

[FIX] WordPress User “Account Pending Not Currently Active”

Does your WordPress site allow new user registrations? If you’re seeing new…