How do I force my site to load securely with an .htaccess file?

If you have added an SSL certificate to your domain, you can force all visits to your site to use HTTPS to ensure your traffic is secure. This page lists examples of how to do this depending on how your site is hosted.

View either of the following articles for instructions on how to create/edit an .htaccess file on your server.

Please note that your FTP client must be configured to show hidden files. If not, you will not see the .htaccess file. View the following article for details on how to view hidden files:

If you've enabled Cloudflare in the DreamHost panel, your site must use the 'www' subdomain. Make sure your .htaccess file does not have any redirects to the non-www version of your URL. If it does and you're using Cloudflare, you may experience a 'Too many redirects' error in your browser.

Forcing the domain to serve securely using HTTPS

The following rules redirect any HTTP request to HTTPS. For example, a request to http://example.com is redirected to https://example.com. Directly linked resources (images, CSS, etc.) are also forced to use HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

If this isn't working for you, first check your line endings. Text copied from your web browser and pasted into a text editor may carry line breaks that do not work correctly, so after pasting you should delete each line break and add it back in (line break = return key).

Force a domain to only use SSL (HTTPS) when using an .htaccess file to create a login prompt

This method fixes a double login problem if you're using an .htaccess file to create a login prompt. This prevents submission of an .htaccess password prompt on an unencrypted connection. If you wish to ensure that your server is only serving documents over an encrypted SSL channel, then you must use the SSLRequireSSL directive with the +StrictRequire Option enabled:

The code below may cause a 'Let's Encrypt' certificate to not renew properly. If you have added a 'Let's Encrypt' certificate to your domain, make sure to disable the code below in your .htaccess file when your certificate is about to renew. Once renewed, you can re-enable the code below.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"

Make sure the URL you enter next to SSLRequire is your site's base URL. If you're securing a subdirectory such as 'example.com/blog', this URL would still be 'example.com'.

Forcing HTTPS with WordPress

It's possible for a visitor to enter a direct HTTP URL on your WordPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Forcing HTTPS with DreamPress

It's possible for a visitor to enter a direct HTTP URL on your DreamPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 
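
The two RewriteCond forms on this page are not interchangeable: each one redirects forever when used in the other hosting setup. The following is an added example, not DreamHost's code, that models both conditions and follows the redirects the way a browser would. It assumes a proxy that terminates TLS and sets X-Forwarded-Proto; the function names, rule labels and sample URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed model of the origin server; rule names are labels for this example.
RULES = {
    "https_var": lambda env: env["HTTPS"] != "on",            # RewriteCond %{HTTPS} !=on
    "forwarded_proto": lambda env: "https" not in env["XFP"],  # RewriteCond %{HTTP:X-Forwarded-Proto} !https
}

def origin_response(rule, url, behind_proxy):
    """Return (status, location) the origin would send for one request."""
    parts = urlsplit(url)
    if behind_proxy:
        # Assumption: the proxy terminates TLS, talks plain HTTP to the origin,
        # and records the client's scheme in X-Forwarded-Proto.
        env = {"HTTPS": "off", "XFP": parts.scheme}
    else:
        # Direct connection: no proxy header, %{HTTPS} reflects the real scheme.
        env = {"HTTPS": "on" if parts.scheme == "https" else "off", "XFP": ""}
    if RULES[rule](env):
        query = "?" + parts.query if parts.query else ""
        return 301, "https://" + parts.netloc + (parts.path or "/") + query
    return 200, None

def follow(rule, url, behind_proxy, max_hops=5):
    """Follow redirects like a browser; report 'ok' or 'redirect loop'."""
    hops = []
    for _ in range(max_hops):
        status, location = origin_response(rule, url, behind_proxy)
        hops.append((status, url))
        if status != 301:
            return "ok", hops
        url = location
    return "redirect loop", hops

if __name__ == "__main__":
    start = "http://example.com/blog?p=1"  # constructed sample URL
    for rule in RULES:
        for behind_proxy in (False, True):
            verdict, hops = follow(rule, start, behind_proxy)
            print(f"{rule:16} proxy={behind_proxy!s:5} {verdict} ({len(hops)} hops)")
```

Use the X-Forwarded-Proto form only where a proxy sets that header on every request. On a directly exposed server the header is absent or supplied by the client, so it says nothing reliable about the connection.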
