Force your site to load securely with an .htaccess file

After you have added an SSL certificate to your domain, DreamHost automatically redirects the URL visitors use to view your site from HTTP to HTTPS. The S ensures that your connection is encrypted. For example:

• https://example.com

There's nothing on your end you must update in order to force your site to use the secure URL. However, in some special cases, it may be necessary for you to create your own custom configuration file to force the redirect from HTTP to HTTPS.

This page lists examples of how to do this depending on how your site is hosted. View either of the following articles for instructions on how to create/edit an .htaccess file on your server.

• Creating and editing a file via FTP
• Creating and editing a file via SSH

The .htaccess file should be located in your website's primary directory. Change username to your Shell user and example.com to your website. For example:

/home/username/example.com

You can also confirm your site's web directory in the panel.

1. Navigate to the Manage Websites page.
2. Click the Manage button to open the Domain Settings page, which allows you to adjust various settings for your site.
   • If in Grid view, click the Manage button at the bottom of the website box.
   • If in List view, click the Manage button at the far right of your domain name.
3. Scroll down to the Additional Settings section, and click the Modify button to the right of the Paths subsection.

   Your site's web directory displays.

The examples below can be entered into your .htaccess file exactly as shown.

Only if the example contains a URL in bold should you change that to your actual URL. For example, if you see the domain example.com, change this to your own domain name.

The following forces any http request to be rewritten using https. For example, the following code forces a request to http://example.com to load https://example.com. It also forces directly linked resources (images, css, etc.) to use https:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

If this isn't working for you, first check your line endings. Copy/paste from your web browser into a text editor may not work right, so after pasting into your text editor you should delete each line break and add it back in (line break = return key).

It's possible for a visitor to enter in a direct HTTP URL on your WordPress site, even when an SSL certificate is active. To force any HTTP request to redirect to HTTPS, you can add code to your WordPress .htaccess file. There are two code options below for you to use. The first should work as shown, but if not, try option two instead.

Option #1

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

Full example including the default WordPress code

Below is what your .htaccess file looks like with both the new HTTPS code and existing WordPress code.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Option #2

In this example, make sure to change example.com to your actual domain name.

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

Full example including the default WordPress code

Below is what your .htaccess file looks like with both the new HTTPS code and existing WordPress code.

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

It's possible for a visitor to enter in a direct HTTP URL on your DreamPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

WordPress

This can also be an issue with WordPress as it requires URLs in the database to either use or or not use 'www' in order to operate correctly. View the following article for further details:

• When removing "www" breaks WordPress

Infinite redirect error

View the following article if you're seeing your site redirect in a loop after making these changes,.

• WordPress 'too many redirects' error

Even when your site is correctly redirecting to the secure URL, it's possible the browser will still throw a warning indicating that some resources such as links are pointed to the non-secure version. You can add additional code to your .htaccess file to resolves those warnings. View the following article for details.

• Resolving the warning by adding code to your .htaccess file