How to Make Your WordPress Site Secure with HTTPS (Apache Server)
It’s important to keep your website secure and protect your users’ information. One way to do this is by using HTTPS, which encrypts the data sent between your website and your visitors. HTTPS is also required for many browser features, like the Geolocation API, and it can even impact your site’s ranking on Google.
If you’re using Apache as your web server, you can easily configure it to always load your site over HTTPS. I’ll walk you through the steps to do that in this tutorial. But before we begin, please make sure that you have installed and enabled an SSL certificate on your server. If you haven’t done this yet, you can check out our Beginner’s Guide to Website SSL Certificates.
Assuming you’re all set with your SSL certificate, let’s move on to the next step.
Redirecting from HTTP to HTTPS
If your WordPress website is reachable at http://www.domain.com and you want every visitor sent from HTTP to HTTPS, you can choose between two different .htaccess snippets.
Option 1:
```apache
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://www.domain.com/$1 [R=301,L]
```
Option 2:
```apache
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://www.domain.com/$0 [R=301,L]
```
Let me explain both options.
Both options send anyone who reaches http://www.domain.com to https://www.domain.com; they differ only in how they detect a plaintext request.
Option 1 fires when the connection is not already TLS: Apache sets `%{HTTPS}` to "on" only for requests it served over TLS itself, so `!on` matches every plaintext request. Option 2 fires when the request arrived on port 80, the default HTTP port. (In Option 2, `$0` is the whole matched path, so `^.*$` with `$0` does the same job as `(.*)` with `$1` in Option 1.)
Note: I recommend Option 1. It redirects plaintext requests regardless of port, since a site can technically serve HTTP on a port other than 80, and it cannot misfire when Apache listens for TLS on a non-standard port. One caveat applies to both options: if TLS is terminated in front of Apache by a load balancer or reverse proxy, the connection that reaches Apache is plaintext, so `%{HTTPS}` is never "on" and `%{SERVER_PORT}` is the backend port, and either rule redirects forever. In that setup, test the proxy's forwarded-protocol header (commonly `%{HTTP:X-Forwarded-Proto}`) instead, and only trust that header on connections that come from the proxy.
“non-www” > “www” & HTTP > HTTPS
If you want to make sure that “non-www” becomes “www” and HTTP becomes HTTPS, the .htaccess codes mentioned above won’t be enough.
To give you some perspective, if you want to redirect the following URLs:
– http://www.domain.com
– http://domain.com
Then you’ll need to use the .htaccess codes below:
```apache
RewriteEngine On
## non-www to www: go straight to the HTTPS www URL so the visitor is redirected only once
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule (.*) https://www.domain.com/$1 [R=301,L]
## HTTP to HTTPS for requests that already use www
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R=301,L]
```
Explanation
The first rule handles the hostname: a request whose Host header is the bare domain.com is redirected to the www hostname. The second rule handles the scheme: any request that is still plaintext is redirected to HTTPS on the same host. Note the escaped dot in `^domain\.com$`; an unescaped `.` would also match hosts such as domainXcom.
Redirecting “non-www” > “www” and HTTP > HTTPS (in subfolder)
If you’re like us and hosting your WordPress website in a subfolder (for example, www.domain.com/blog/), the codes we mentioned earlier might not work exactly as intended.
Our objective is to redirect all URLs, whether it’s the homepage or post pages, to a version that includes “www” and uses a secure connection (HTTPS).
Now, let’s go over all the different types of URLs that we need to redirect “from” and where we want to redirect them “to”.
Condition 1
We need to redirect the following URLs:
- http://domain.com
- http://www.domain.com
- http://domain.com/blog/
- http://www.domain.com/blog/
To a single canonical URL:
- https://www.domain.com/blog/
Condition 2
We also need to redirect post URLs such as:
- http://domain.com/blog/example-page/
- http://www.domain.com/blog/example-page/
To their https, www equivalent:
- https://www.domain.com/blog/example-page/
When WordPress is hosted in a subfolder (like /blog/), you typically have two .htaccess files: one in the document root and one inside the subfolder where WordPress is installed. Both need changes, because Apache applies the .htaccess of the deepest directory that has one, and mod_rewrite rules in a parent .htaccess are not inherited by the subfolder unless you set RewriteOptions Inherit. The redirect rules therefore have to appear in both files.
```
.htaccess
blog/
    .htaccess
```
.htaccess outside subfolder
In the .htaccess file outside the subfolder (in the document root), insert the following rules:
```apache
RewriteEngine On
### bare site root -> subfolder, with www and HTTPS, in one hop
RewriteRule ^$ https://www.domain.com/blog/ [R=301,L]
### everything else: non-www to www, http to https
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule (.*) https://www.domain.com/$1 [R=301,L]
```
The `[OR]` goes on the first condition: the rule must fire when the request is plaintext or when the host is the bare domain, and a stray `[OR]` on the last condition does nothing.
Let me explain what this portion of the code does. First, it ensures that the domain is redirected to the subfolder, with “www” and HTTPS. This takes care of satisfying condition #1. However, it doesn’t yet address condition #2.
Now, let’s move on to the .htaccess file inside the subfolder. We need to make some changes here.
For a WordPress install in /blog/, the block WordPress generates looks like this (RewriteBase and the index.php target both point at the subfolder):
```apache
# BEGIN WordPress
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
# END WordPress
```
Add the following rules at the top, before the "# BEGIN WordPress" marker (WordPress rewrites everything between the BEGIN and END markers when it saves permalink settings, so anything placed inside would be lost):
```apache
RewriteEngine On
## non-www to www, HTTP to HTTPS
## In a per-directory .htaccess the pattern is matched against the path relative to
## /blog/, so rebuilding the URL from $1 would drop the /blog/ prefix;
## %{REQUEST_URI} carries the full path and the query string is appended automatically
RewriteCond %{HTTPS} !on [OR]
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule ^ https://www.domain.com%{REQUEST_URI} [R=301,L]
```
These modifications will set up the necessary redirects and ensure that your website functions properly.
With these two .htaccess files in place, every URL you enter ends up on the www, https version. Don't deploy this on your live site right away: try it on a staging or test site first, confirm it gives the results you want, and only then deploy it live.
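Testing by hand in a browser is error-prone, so here is a small redirect-chain checker to run against the staging site. This is an added example, not code from the original tutorial; it assumes the tutorial's hypothetical names (canonical host www.domain.com, bare host domain.com, WordPress in /blog/) and uses hand-constructed sample chains so the checks run offline. The samples cover the chain the rules should produce, a chain with an extra plaintext hop, the broken chain you get when a subfolder rule rebuilds the URL from `$1` and loses `/blog/`, and the loop you get when TLS is terminated at a proxy and `%{HTTPS}` is never "on".

```python
"""Redirect-chain checker for HTTP -> HTTPS / non-www -> www rules.

Added example, not code from the original tutorial. Names below are the
tutorial's hypothetical ones; the sample chains are constructed by hand.
fetch_chain() is what you would run against a staging host.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

CANONICAL_HOST = "www.domain.com"   # assumption: the www hostname
BARE_HOST = "domain.com"            # assumption: the non-www hostname
SUBFOLDER = "/blog/"                # assumption: where WordPress lives
REDIRECTS = (301, 302, 307, 308)


def canonical_url(url):
    """Where a request for `url` should end up: https, the www host, and the
    bare site root sent into the WordPress subfolder. Query strings survive."""
    parts = urlsplit(url)
    host = CANONICAL_HOST if (parts.hostname or "") == BARE_HOST else parts.hostname
    path = parts.path or "/"
    if path == "/":
        path = SUBFOLDER
    query = "?" + parts.query if parts.query else ""
    return "https://%s%s%s" % (host, path, query)


def check_chain(chain, max_hops=1):
    """Validate a redirect chain: a list of (requested_url, status, location)
    entries ending with the final response. Returns a list of findings;
    an empty list means the chain is acceptable."""
    findings = []
    seen = set()
    start = chain[0][0]
    for index, (url, status, location) in enumerate(chain):
        if url in seen:
            findings.append("redirect loop: %s requested twice" % url)
            break
        seen.add(url)
        if index == len(chain) - 1:
            break                           # final response, checked below
        if status not in (301, 308):
            findings.append("%s: expected a permanent redirect, got %d" % (url, status))
        if not location:
            findings.append("%s: %d without a Location header" % (url, status))
        elif location.startswith("http://"):
            findings.append("%s: redirects to plaintext %s" % (url, location))
    final_url, final_status, _ = chain[-1]
    if final_status != 200:
        findings.append("final response was %d, expected 200" % final_status)
    if final_url != canonical_url(start):
        findings.append("ended at %s, expected %s" % (final_url, canonical_url(start)))
    if len(chain) - 1 > max_hops:
        findings.append("%d hops from %s, expected at most %d" % (len(chain) - 1, start, max_hops))
    return findings


def fetch_chain(url, max_hops=10):
    """Follow redirects one hop at a time (urllib's automatic following is
    disabled) so every hop is recorded. Needs network access."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                     # make urllib raise HTTPError on 3xx
    opener = urllib.request.build_opener(NoRedirect)
    chain = []
    for _ in range(max_hops + 1):
        request = urllib.request.Request(url, method="HEAD")
        try:
            with opener.open(request, timeout=10) as response:
                chain.append((url, response.status, None))
                return chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            chain.append((url, err.code, location))
            if err.code not in REDIRECTS or not location:
                return chain
            url = urljoin(url, location)
    return chain


# Constructed sample chains (not captured from a real server).
SAMPLE_CHAINS = {
    # one hop straight to the canonical URL: what the rules should produce
    "good": [("http://domain.com/", 301, "https://www.domain.com/blog/"),
             ("https://www.domain.com/blog/", 200, None)],
    # non-www -> www over plaintext first: works, but one extra hop an
    # on-path attacker can tamper with
    "double_hop": [("http://domain.com/", 301, "http://www.domain.com/"),
                   ("http://www.domain.com/", 301, "https://www.domain.com/blog/"),
                   ("https://www.domain.com/blog/", 200, None)],
    # subfolder .htaccess rebuilt the URL from $1 and dropped /blog/
    "lost_subfolder": [("http://www.domain.com/blog/example-page/", 301,
                        "https://www.domain.com/example-page/"),
                       ("https://www.domain.com/example-page/", 404, None)],
    # TLS terminated at a proxy: %{HTTPS} is never "on", so it loops
    "proxy_loop": [("http://www.domain.com/", 301, "https://www.domain.com/"),
                   ("https://www.domain.com/", 301, "https://www.domain.com/"),
                   ("https://www.domain.com/", 301, "https://www.domain.com/")],
}


def run_samples():
    """Check every sample chain; returns {name: findings}."""
    return {name: check_chain(chain) for name, chain in SAMPLE_CHAINS.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "OK" if not findings else findings)
```

Against a real host, call `check_chain(fetch_chain("http://domain.com/"))` for each of the URLs listed under Condition 1 and Condition 2; `max_hops` is 1 because each extra hop is another round trip, and any hop that lands on an http:// URL is a window for tampering. The checker uses HEAD requests, which Apache redirects exactly like GET.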
One more important point: To make sure your redirects are working correctly, be sure to clear your browser’s cookies and cache before starting each test.