Erwin Bierens

Knowledge is Power

Force HTTPS On Your WordPress Site

2016-05-12 2 min read Security Erwin Bierens

I’ve been running my WordPress site for quite some time now. My site is HTTPS enabled and signed with a certificate. In the past, the site could also be reached over HTTP. In this guide I’m going to force HTTPS on all of the pages (including the administrative ones).

To simplify this, the guide is split into the following 3 parts:

  1. Force SSL for administrator pages (including the login page)
  2. Secure all normal pages with HTTPS
  3. Change .htaccess to redirect all HTTP to HTTPS

When all of this is completed you should have a WordPress site completely running secure with HTTPS.

Force SSL for administrator pages (including the login page)

Go to your FTP and edit the following file in the root directory: wp-config.php

Add to the top of the file:

define('FORCE_SSL_ADMIN',true);

Many tutorials tell you to include define('FORCE_SSL_LOGIN', true); this is deprecated in version 4.0. FORCE_SSL_ADMIN is the new, working one.

From this point on, every time you visit http://erwinbierens.com/wp-admin you should be redirected to the HTTPS version.

Secure all normal pages with HTTPS

Google rewards site owners that put their entire site behind HTTPS. In your WordPress administrator dashboard, go to Settings -> General and change both URLs to start with https://.

After changing the WordPress Address and Site Address, all internal links on your site will start with https.

Change WordPress .htaccess to redirect all HTTP to HTTPS

Now we are going to do a full transition to HTTPS. The only thing we need to change is the .htaccess file. You can find the .htaccess file in the root of your WordPress installation directory.

We need to add 2 lines after the RewriteEngine On line:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

We’re saying that if the current port doesn’t match 443, then rewrite the URL to use HTTPS with a 301 redirect (simple as hell). The rest of the code should already exist.

Save the file and go test your website! Every page you go to will now be redirected to HTTPS. Image source: www.wphulp.nl
