How to force HTTPS with .htaccess

So you know all about SSL. You need it for your website, because if you don’t have it, Chrome is going to show an error message. And that’s going to leave a bad taste in your mouth.

But… a fully SSL enabled website that doesn’t let users access the insecure version at all? That tastes much better.

That’s the problem that most users are going to be worried about, despite all the myriad benefits of having SSL enabled. So let’s work to that end.

Just because you have an SSL certificate setup (and make sure to do so before using these tips), doesn’t mean HTTPS is working correctly. A step webmasters often forget to take is to force all traffic over to the SSL-enabled version of their website.

Why would you want to do this? Because ideally, you don’t want Google to be indexing the less secure version of your website, and you don’t want users to be accessing it either. Having two versions of your website running on HTTP and HTTPS can also trip up search engines who see the two sites as having duplicate content.

So if your website runs on the Apache webserver, here’s the way to set that right. Bear in mind, you will want to ensure your website’s asset URLs are all relative and don’t include ‘http://”. For WordPress, this is best achieved with the SSL Insecure Content Fixer plugin, which offers a number of different levels of intensity.

The reason I prefer going this route as opposed to using a plugin which enables and forces SSL all in one, is that if for some reason a plugin like that doesn’t work, or you become otherwise locked out of your admin area, the SSL is controllable via an entirely separate file.

If your website URL begins with http://www. (most common), you’ll want to use this option. Simply place the provided code as near to the top of the ‘.htaccess’ file in your website’s ‘public_html’ folder as possible. You can often access this via FTP, or via cPanel’s file manager if you’re using the software.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
If your website URL begins with http:// (less common, no 'www'), you'll want to use this option.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

If for some reason you wanted to force SSL off, for example for development purposes, you could use this option.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

And there you have it, an easy way to control which version of your SSL-enabled website your users get redirected to if you’re hosted on Apache.

find your reason

to choose courage

Agency Quality, Low Cost

bringing you the best, without all the overheads

12 Years Experience

real agency and industry history behind our staff

No Phone Queues

talk directly to our head expert, no waiting or receptionists

We Help You

we'll think outside the box to reach your hosting dreams

Quick Response Time

we keep a watchful eye on our tickets and get back to you fast

WHM Experts

excellent, industry standard web hosting

cPanel Experts

individual accounts in WHM, done smart

Plesk Experts

a budget-friendlier cPanel alternative

welcome to the jungle

let’s help you climb to the top

    Roar at us

    Make it loud and proud - let us know exactly what we can do to help you!