How to Force HTTPS on WordPress Without a Plugin? [Easily]


In this post, I will show you how to force HTTPS on WordPress without a plugin by editing the .htaccess file (and with a plugin as a bonus).

But first, make sure your site is already configured to redirect www to non-www or vice versa depending on your preference.

When your SSL certificate is installed properly, you will be able to visit the secure (HTTPS) version of your website.

However, your site’s visitors are still able to access the non-secure (HTTP) version of your website by either typing the URL directly or by following an old link to your website.

That’s why you need to force HTTPS on your WordPress website to ensure your visitors are always served the secure HTTPS pages.

But why is this important, and why should you care?

By the way, if you prefer watching a video, I have created this step-by-step video that will walk you through the whole process.

Force HTTPS on WordPress: Why Is This Important?

Here is why this is important for both security and SEO concerns.

HTTPS is more important than ever nowadays. So important that Google started using it as a ranking factor years ago.

HTTPS is important for security too. By using HTTPS, you ensure that your visitors’ sensitive data, such as login details and personal information, is encrypted in transit. Without it, your users’ information can be easily compromised.

Chrome users will even see a warning in the address bar if your website pages are not served over HTTPS, which will cause your site to lose traffic as a result.

Are you convinced now? Ok, let’s see how you can fix it on a WordPress website…

Step 1: Change Your Website URLs from HTTP to HTTPS

Start by logging into your WordPress admin dashboard.

From your dashboard, go to Settings > General and update WordPress Address (URL) and Site Address (URL) as follows:

[Screenshot: WordPress Address (URL) and Site Address (URL)]

Simply replace http with https.

Don’t forget to save your changes.

That’s it, now to the next step…

Step 2: Edit Your .htaccess File

Your .htaccess file is located in the root folder of your WordPress installation. Usually, this folder is called public_html.

You need to open this file with the code editor of your choice and add the following code (preferably at the very top):

# Force HTTPS on all pages
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

If your .htaccess file contains this code:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Just add it right before it, so it looks like this:

# Force HTTPS on all pages
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

On most servers, changes to the .htaccess file take effect instantaneously. There is no need to reboot the server or restart the Apache service.
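
One way to confirm the redirect behaves as intended, added here as an example that is not part of the original post: request a page over plain HTTP without following redirects, then check the status code and the Location header. The function names and the sample responses are assumptions made for this illustration.

```python
import http.client
from urllib.parse import urlsplit

def fetch_redirect(url, timeout=10):
    """Request url once over plain HTTP without following redirects."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def _bare_host(host):
    """Treat www and non-www as the same site."""
    return (host or "").lower().removeprefix("www.")

def check_redirect(url, status, location):
    """Return a list of problems with the HTTP-to-HTTPS redirect (empty = OK)."""
    problems = []
    if status != 301:  # the rule above uses R=301 (permanent)
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    src, dst = urlsplit(url), urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"redirect target is not HTTPS: {location}")
    if _bare_host(src.hostname) != _bare_host(dst.hostname):
        problems.append(f"host changed: {src.hostname} -> {dst.hostname}")
    # %{REQUEST_URI} should carry the original path and query string across.
    if (src.path or "/", src.query) != (dst.path or "/", dst.query):
        problems.append("path or query string not preserved")
    return problems

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    ("http://example.com/blog/?p=7", 301, "https://example.com/blog/?p=7"),
    ("http://www.example.com/", 302, "https://example.com/"),
    ("http://example.com/wp-login.php", 301, "https://example.com/"),
    ("http://example.com/", 200, None),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        print(url, "->", check_redirect(url, status, location) or "OK")
```

To test a live site, pass the result of fetch_redirect("http://your-domain/some/page") into check_redirect together with the same URL.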

Edit .htaccess from cPanel

If you are using cPanel, log in to your account and choose the File Manager.

Once you are inside the File Manager, navigate to the public_html folder, choose the .htaccess file then click Edit from the top right corner.

Sometimes, dotfiles (files whose names start with a dot), such as the .htaccess file, are hidden in the File Manager. To make them visible, click the Settings button in the top right corner and check the Show Hidden Files (dotfiles) option from the Preferences tab.

When the Edit screen is open, click Edit without changing anything.

Now add the code above and click Save Changes.

Edit .htaccess Using FTP

If you prefer using FTP instead, you can use a program like Filezilla to download the file to your computer and use a code editor to edit it.


When done, upload the file again to overwrite the existing one.

Edit .htaccess Using a Plugin

I don’t like using a plugin when not necessary, but in this case, you can use a lightweight plugin to edit the .htaccess file and uninstall it when you are done with it.

My plugin of choice to edit the .htaccess file is Htaccess Editor by WebFactory.

Simply download the plugin and install it on your website.

After you activate it, go to Settings >> WP Htaccess Editor and add the code then click Save Changes to apply the changes.


How to Force HTTPS on an Nginx Server?

Most servers are using Apache, but if your site is running on an Nginx server, updating the .htaccess file will change nothing.

Instead, you need to add this code to your Nginx configuration file (don’t forget to replace example.com with your website domain):

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://example.com$request_uri;
}

If you don’t know how to edit your Nginx configuration file, here is a beginner-friendly guide by Linode.

Force HTTPS on Login and Administrator Pages Only

I don’t know why you would want this, but if you want to force HTTPS on login and admin pages only, this is possible by editing the wp-config.php file.

Open your wp-config.php file and add this line:

define('FORCE_SSL_ADMIN', true);

Right before this line:

/* That's all, stop editing! Happy publishing. */

Bonus: Force HTTPS Using a Plugin

Editing any files in WordPress might cause issues or even worse, make your website go offline.

If you are a beginner and don’t want to edit the .htaccess file manually, you can use a simple WordPress plugin which will force HTTPS on your website automatically.

The plugin I recommend for this job is Really Simple SSL.


After you install and activate the plugin, you just need to click Go ahead, activate SSL! and the plugin will force HTTPS on your website. No further steps are needed.

Step 3: Fix “Mixed Content” Errors

When you switch over to HTTPS, you should see the green padlock in your browser’s address bar if you are using Chrome, Firefox, or any modern browser.

However, if this is not the case, then your website has a “mixed content” issue that you need to fix.

What is Mixed Content

Mixed content errors and warnings occur when your browser is loading the page’s content and files over both HTTP and HTTPS.

A typical mixed content example is when a page (https://example.com) loaded over HTTPS contains a link to an HTTP image (http://example.com/image.png).

These errors appear in the Chrome DevTools like this:

[Screenshot: mixed content error example]

In Chrome, you can open the DevTools by right-clicking anywhere on the page and choosing Inspect. Click the Console tab to view mixed content errors and warnings.

How to Fix Mixed Content Errors?

If you have mixed content errors after updating your website URL from the settings by replacing http with https, then you probably have HTTP links hardcoded into your site’s content in the database.

To search for these links and update them, we can use a free plugin called Better Search Replace.

Simply download the plugin from the Plugin directory and activate it.

This plugin can make permanent changes to the database. It’s extremely important to back up your database before proceeding to the next step, just in case.

Once the plugin is activated, go to Tools > Better Search Replace.

Now add your website URL to the Search for option (with http) and to the Replace with option (with https).

After that, you need to select the tables you want to look into. In this case, I recommend selecting all tables.

Press Ctrl+A on Windows or Cmd+A on Mac to select all tables.

Make sure you don’t have a trailing forward slash on either URL, as shown in the screenshot below:

[Screenshot: WordPress Better Search Replace plugin]

It is better to have the Run as dry run option enabled.

Now click the Run Search/Replace button.

The plugin will now search your database for all occurrences of your search phrase. If you checked the dry run option, it gives you a details table without changing anything.

After you review the dry run table, feel free to click the Run Search/Replace button again, but this time without the dry run option enabled.

Once all your HTTP links are updated to use HTTPS, the mixed content errors should disappear and the green padlock should appear in the address bar.

However, it’s possible that you still have mixed content errors. In this case, you might need to check your theme files.

To keep this guide relatively short, I didn’t cover many things but if you need help or have questions, you are welcome to leave a comment below and I will be happy to assist you!

Conclusion

It’s true that enabling HTTPS on your website is a step in the right direction. However, by no means should you consider that, by doing this, your website is now bulletproof against attackers and hackers.

In fact, all that HTTPS and an SSL certificate do for your website is encrypt data between your site and its visitors. That’s all.

To make your WordPress site secure enough, you need to use a theme and plugins from reputable companies and developers, use a strong password, back up your site regularly, and much more.

I will write an easy to follow guide about WordPress security in the future so stay tuned.


About the author

Hey, I’m Khalil Asmi, a full-stack web developer, and a huge WordPress enthusiast! In the past 6 years, I have been creating WordPress websites and building custom solutions for my amazing clients from all around the world.
