Overview
This article explains how to force your website to redirect from HTTP to HTTPS. The S in HTTPS indicates that your connection is encrypted. For example:
- https://example.com
Adding custom code is only necessary if your website requires specific code to force the redirect.
After you have added an SSL certificate to your domain, DreamHost automatically redirects to HTTPS. You need not update anything on your end to force your site to use the secure URL. However, in some special cases, you may need to create your own custom configuration file to force the redirect from HTTP to HTTPS. If so, you will need to first disable the automatic redirect in your panel.
Once disabled, you can then proceed with adding your custom .htaccess file.
Forcing HTTPS for WordPress and DreamPress sites
View either of the following articles for instructions on how to create/edit an .htaccess file on your server.
- Creating and editing a file via FTP (Hidden files must be enabled to see the .htaccess file.)
- Creating and editing a file via SSH
The .htaccess file should be located in your website's primary directory. For example:
/home/username/example.com
WordPress sites
It's possible for a visitor to enter a direct HTTP URL on your WordPress site, even when an SSL certificate is active. To force any HTTP request to redirect to HTTPS, add the following code to your WordPress .htaccess file.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Full example including the default WordPress code
If your .htaccess file already contains some default WordPress code, enter the following above or below that code. Never enter code inside of the comment tags that start and end with:
- # BEGIN WordPress
- # END WordPress
Below is what your .htaccess file looks like with both the new HTTPS code and existing WordPress code.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"
# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
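The following is an added example, not DreamHost's or WordPress's own code: a small Python check that reads .htaccess text and reports whether the HTTPS redirect and the upgrade-insecure-requests header sit outside the BEGIN/END WordPress markers, where WordPress will not overwrite them. The function name check_htaccess and the sample strings are assumptions made for illustration, and the WordPress rules in the sample are abbreviated.

```python
import re

BEGIN, END = "# BEGIN WordPress", "# END WordPress"
COND = re.compile(r"RewriteCond\s+%\{HTTPS\}\s+!=?on\b", re.I)
RULE = re.compile(r"RewriteRule\s+\S+\s+https://\S+\s+\[([^\]]*)\]", re.I)
CSP = re.compile(r"Header\s.*Content-Security-Policy.*upgrade-insecure-requests", re.I)

def check_htaccess(text):
    """Return findings about the HTTPS redirect block in .htaccess text."""
    findings, in_wp, cond_seen = [], False, False
    redirect_ok = csp_ok = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith((BEGIN, END)):
            in_wp = line.startswith(BEGIN)   # track the WordPress-managed region
            continue
        if not line or line.startswith("#"):
            continue
        rule = RULE.match(line)
        if in_wp:
            if COND.match(line) or rule or CSP.match(line):
                findings.append(f"line {n}: HTTPS directive inside WordPress markers")
        elif COND.match(line):
            cond_seen = True                 # condition applies to the next RewriteRule
        elif rule:
            flags = {f.strip().upper() for f in rule.group(1).split(",")}
            if not cond_seen:
                findings.append(f"line {n}: redirect has no HTTPS condition (redirect loop)")
            elif "R=301" not in flags:
                findings.append(f"line {n}: redirect is not permanent (R=301)")
            else:
                redirect_ok = True
            cond_seen = False
        elif CSP.match(line):
            csp_ok = True
    if not redirect_ok:
        findings.append("no valid permanent HTTP-to-HTTPS redirect outside the WordPress markers")
    if not csp_ok:
        findings.append("no upgrade-insecure-requests header outside the WordPress markers")
    return findings

# Constructed sample input: the page's HTTPS block plus abbreviated WordPress rules.
HTTPS_BLOCK = """RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"
"""
WP_RULES = "RewriteEngine On\nRewriteBase /\nRewriteRule . /index.php [L]\n"
GOOD = HTTPS_BLOCK + f"{BEGIN}\n{WP_RULES}{END}\n"    # block above the markers
BAD = f"{BEGIN}\n{WP_RULES}{HTTPS_BLOCK}{END}\n"      # block pasted inside the markers
```

Calling check_htaccess(open(".htaccess").read()) on the file in your website's primary directory returns an empty list when the block is placed as shown above.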
Forcing HTTPS with DreamPress
It is not possible to use an .htaccess file with DreamPress since it uses Nginx, which instead automatically forces HTTPS.
Troubleshooting
Resolving mixed content warnings
Even when your site is correctly redirecting to the secure URL, it's possible the browser may still throw a warning indicating that some resources such as links are pointed to the non-secure version.
To resolve these warnings, follow these instructions to add additional code to your .htaccess file.