Force your site to load securely with an .htaccess file

If you have added an SSL certificate to your domain, you can force all visits to your site to use HTTPS to ensure your traffic is secure. This page lists examples on how to do this depending on how your site is hosted.

View either of the following articles for instructions on how to create/edit an .htaccess file on your server.

Please note that your FTP client must be configured to show hidden files. If not, you will not see the .htaccess file. View the following article for details on how to view hidden files:

What to change in the examples below?

The examples below can be entered into your .htaccess file exactly as shown.

Only if the example contains a URL in bold should you change that to your actual URL. For example, if you see the domain 'example.com', change this to your own domain name.

Forcing the domain to serve securely using HTTPS (for any site)

The following forces any http request to be rewritten using https. For example, the following code forces a request to http://example.com to load https://example.com. It also forces directly linked resources (images, css, etc.) to use https:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

If this isn't working for you, first check your line endings. Copy/paste from your web browser into a text editor may not work right, so after pasting into your text editor you should delete each line break and add it back in (line break = return key).

Forcing HTTPS with WordPress

If your .htaccess file already contains some default WordPress code, enter the following above or below that code. Never enter code inside of the comment tags that start and end with:

# BEGIN WordPress
# END WordPress

It's possible for a visitor to enter in a direct HTTP URL on your WordPress site, even when an SSL certificate is active. To force any HTTP request to redirect to HTTPS, you can add code to your WordPress .htaccess file. There are two code options below for you to use. The first should work as shown, but if not, try option two instead.

Option #1

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Full example including the default WordPress code

Below is what your .htaccess file looks like with both the new HTTPS code and existing WordPress code.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Option #2

In this example, make sure to change 'example.com' to your actual domain name.

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Full example including the default WordPress code

Below is what your .htaccess file looks like with both the new HTTPS code and existing WordPress code.

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Forcing HTTPS with DreamPress

It's possible for a visitor to enter in a direct HTTP URL on your DreamPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Troubleshooting

Cloudflare

If you've enabled Cloudflare in the DreamHost panel, your site must use the 'www' subdomain. Make sure your .htaccess file does not have any redirects to the non-www version of your URL. If it does and you're using Cloudflare, you may experience a 'Too many redirects' error in your browser.

WordPress

This can also be an issue with WordPress as it requires URLs in the database to either use or or not use 'www' in order to operate correctly. View the following article for further details:

See also

Did this article answer your questions?

Article last updated PST.