How do I force my site to load securely with an .htaccess file?

If you have added an SSL certificate to your domain, you can force all visits to your site to use HTTPS to ensure your traffic is secure. This page lists examples on how to do this depending on how your site is hosted.

View either of the following articles for instructions on how to create/edit an .htaccess file on your server.

Please note that your FTP client must be configured to show hidden files. If not, you will not see the .htaccess file. View the following article for details on how to view hidden files:

Forcing the domain to serve securely using HTTPS

The following forces any http request to be rewritten using https. For example, the following code forces a request to http://example.com to load https://example.com:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The following alternative also forces directly linked resources (images, css, etc.) to use https:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

If this isn't working for you, first check your line endings. Copy/paste from your web browser into a text editor may not work right, so after pasting into your text editor you should delete each line break and add it back in (line break = return key).

Force a domain to only use SSL (HTTPS) when using an .htaccess file to create a login prompt

This method fixes a double login problem if you're using an .htaccess file to create a login prompt. This prevents submission of an .htaccess password prompt on an unencrypted connection. If you wish to ensure that your server is only serving documents over an encrypted SSL channel, then you must use the SSLRequireSSL directive with the +StrictRequire Option enabled:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"
ErrorDocument 403 https://example.com

Forcing HTTPS with WordPress

It's possible for a visitor to enter in a direct HTTP URL on your WordPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

Forcing HTTPS with DreamPress

It's possible for a visitor to enter in a direct HTTP URL on your DreamPress site. To force any HTTP request to redirect to HTTPS, add the following to your WordPress .htaccess file:

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] 

See also

Did this article answer your questions?

Article last updated .