The war on HTTP has been won. With Google now enforcing HTTPS on all sites, under penalty of a ranking hammer, most serious web admins have migrated their sites to SSL. This has also been helped along by two things.
First, Chrome now treats non-HTTPS sites as dangerous, scaring users into expecting SSL protection at all times. Since Chrome has the dominant market share, this is a pretty effective tactic. More important, I think, is the rush by hosting providers to make HTTPS easy for everyone to implement on their site for free.
NameHero, for example, allows users to install AutoSSL on their sites by default. Not all AutoSSL certificates cover wildcard subdomains, however, so that’s something to look out for. The other major initiative, in addition to AutoSSL, is Let’s Encrypt. This has now become ubiquitous across all hosting providers (except for GoDaddy). Let’s Encrypt now automatically includes wildcards as well.
But Installing HTTPS Isn’t Enough!
Having an SSL enabled site is great! But it’s not enough. There are several things you need to do before your site works properly with HTTPS. Just because SSL is enabled, doesn’t mean that every connection will automatically use it. Your site is still accessible over plain HTTP.
This means that any existing links to your site using HTTP will show the unencrypted version. Your users will still see the scary message. It’s up to you to redirect all requests from HTTP to HTTPS.
Maintaining a Consistent URL with www
This is a matter of choice. Some web owners don’t care whether or not their users access the site with “www”, or without. However, from a technical point of view, these are viewed as different properties (though there are some who are trying to change that).
It’s good to have just one version of your site. Taken together with the HTTPS issue, any given URL on your site can be accessed in four ways like this:
- http://example.com
- http://www.example.com
- https://example.com
- https://www.example.com
What we’re going to do is use .htaccess to redirect all URLs to the last version: the one with https and with www.
The Wrong Way to Do it
If you check on the Internet, many sites will give a two-step approach to the problem. For example, rules like this:
```apache
#Redirect to HTTPS
RewriteCond %{HTTPS} off [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#Add www to all non www http requests
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
```
This will work, but it’s wasteful, and leads to more redirects than are necessary. If a visitor comes to your site with the URL:
http://example.com
The following will happen:
- The user will first be redirected to https://example.com
- The user will again be redirected to https://www.example.com
Two redirects are wasteful. They increase the response time, and no one is happy, including Google.
What we want is just one htaccess redirect to solve both problems. But first, we need to change a setting in WordPress itself.
Step 1: Changing the Site URL in WordPress
In your WordPress dashboard, go to Settings -> General, and ensure that both the “WordPress Address (URL)” and “Site Address (URL)” fields include “https” as well as “www”, for example https://www.example.com.
If you omit this step and, say, leave out the “www”, then the code below will lead to an infinite loop and you’ll get an error saying that the page redirected you too many times. So first make this change.
Step 2: Add the Following Code to .htaccess
Your .htaccess file is found in the root directory of your WordPress installation. It may or may not have code already inside it (most likely it will). Open it up for editing either through FTP, or via your cPanel file manager and add the following code at the beginning:
```apache
RewriteEngine on
# Redirect when the request is plain HTTP or the host lacks the "www." prefix
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Capture the host name without any leading "www." as %1
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# One 301 straight to the https://www. version of the requested URI
RewriteRule ^ https://www.%1%{REQUEST_URI} [NE,L,R=301]
```
This is general purpose code that will work on any site. There’s no need to replace anything. More importantly, it rewrites the URL to include both www and https in a single stroke and uses just one redirect to solve both problems. This avoids extra load and improves response times!
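The difference between the two rule sets, and the redirect loop that Step 1 prevents, can be checked with a small model. This is an added Python example, not code from the original article: it mimics the rewrite conditions rather than running Apache, uses example.com as a constructed host, and `wordpress()` is a simplified assumption about how WordPress redirects to its configured site host.

```python
import re
from urllib.parse import urlsplit

WWW = re.compile(r"^www\.", re.I)

def two_step(scheme, host, uri):
    # Model of the two-rule version: force HTTPS first, add www second.
    if scheme != "https":
        return f"https://{host}{uri}"
    if not WWW.match(host):
        return f"https://www.{host}{uri}"
    return None

def one_step(scheme, host, uri):
    # Model of the single rule: strip an optional "www." and rebuild the URL.
    if scheme != "https" or not WWW.match(host):
        bare = re.match(r"^(?:www\.)?(.+)$", host, re.I).group(1)
        return f"https://www.{bare}{uri}"
    return None

def wordpress(site_host):
    # Simplified assumption: WordPress sends any other host to the one set
    # in Settings -> General and keeps the request scheme.
    def rule(scheme, host, uri):
        return None if host == site_host else f"{scheme}://{site_host}{uri}"
    return rule

def hops(url, rules, limit=10):
    # Follow redirects, trying the rules in order (.htaccess runs before
    # WordPress). Returns the redirect targets; raises on a redirect loop.
    chain = []
    while True:
        u = urlsplit(url)
        target = next((t for r in rules
                       if (t := r(u.scheme, u.netloc, u.path or "/"))), None)
        if target is None:
            return chain
        if len(chain) >= limit:
            raise RuntimeError("too many redirects")
        chain.append(target)
        url = target

# Constructed sample input: the four variants listed earlier.
VARIANTS = ["http://example.com/", "http://www.example.com/",
            "https://example.com/", "https://www.example.com/"]

def report(htaccess, site_host="www.example.com"):
    # Number of redirects each variant needs to reach its final URL.
    return {v: len(hops(v, [htaccess, wordpress(site_host)])) for v in VARIANTS}
```

`report(two_step)` gives two redirects for `http://example.com/`, while `report(one_step)` never exceeds one; calling `hops("http://example.com/", [one_step, wordpress("example.com")])` raises, which is the "redirected you too many times" case from Step 1.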
So if you’ve just enabled SSL on your site, make sure you follow the above steps to ensure that your WordPress installation is properly secured, even when someone deliberately tries to access your site using an incorrect URL.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
Rene says
Thanks this did fix a cookie set problem on my website!
Josiah says
This was helpful in 2020 🙂 Thanks so much
J Matlock says
Great Article, straight to the point, Thank you!
Vishal Mehta says
My newly created WP install did not re-route http to https. I applied above code and works. Is this code still valid in 2023 or do we need to make any updates? Thanks!