Loading all requests on your WordPress website over HTTPS is a must-have these days, for security as well as SEO reasons. According to Google’s Transparency Report, about 90% of web traffic through Google Chrome, one of the most popular web browsers, is secured via HTTPS.
To force your WordPress website to always use https:// (and not http://) you can modify your site's configuration file at ./wp-config.php.
Here’s a simple step-by-step guide:
Step 1: Get an SSL Certificate
Before doing any of this, you need to make sure you have a valid SSL certificate installed on your server. If you do, you should be able to load your website with the https:// protocol at the beginning without any warnings reported. If you can't, and you follow these instructions, then your site may become inaccessible.
This initial step is critical. For more information about installing a certificate, log in to your web host and look for settings/options related to SSL or Let's Encrypt. If you're using CloudFlare you can configure a universal SSL certificate separate from your web host.
Both Let's Encrypt and CloudFlare certificates automatically renew each year, which makes managing your SSL certificates a breeze.
Step 2: Connect with SFTP
Access the file system of your website using an FTP/SFTP connection. This is typically configured through your hosting control panel, such as my.wpengine.com or my.kinsta.com, or cPanel if you host a VPC yourself. Prefer SFTP where it is offered, since plain FTP sends your credentials unencrypted.
Step 3: Find the wp-config.php file
The next step is to find the wp-config.php file, which is usually located in the root directory of your WordPress installation. This is your WordPress site's configuration file, and it controls many of the global configuration values for your WordPress installation.
Step 4: Backup the wp-config.php File
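Before making any changes to our site configuration file (wp-config.php) it's best to make a backup copy. If anything goes wrong, this makes it quick and easy to revert to what we started with.
To do this, you can duplicate the wp-config.php file as .wp-config.php.backup. The leading dot keeps it from being publicly available on servers that deny requests for dotfiles, and the name clearly identifies it as a backup. Because the copy no longer ends in .php, a server that does serve it will return your database credentials as plain text, so confirm the backup URL is blocked or keep the copy outside the web root.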
Step 5: Editing the wp-config.php File
Next, open wp-config.php in a text editor and search for any existing mention of FORCE_SSL_ADMIN or HTTP_X_FORWARDED_PROTO. If you find anything, then you'll need to make sure you edit or update the existing values rather than adding new duplicate rules. If you add duplicate rules, it will cause issues with the site.
Once you’ve confirmed where and what to update, you’ll add (or update) the following lines to your file.
The standard advice is to add them right before this line:
/* That's all, stop editing! Happy publishing. */
But they can really be added anywhere. I like to add them towards the bottom of the define( 'WP_*', '...' ); rules.
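```php
// Force https:// for all requests
define('FORCE_SSL_ADMIN', true);
// Behind a reverse proxy or load balancer that terminates TLS, WordPress sees
// plain HTTP; the proxy reports the original scheme in X-Forwarded-Proto.
// isset() avoids an undefined-index warning when the header is absent.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```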
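The snippet above accepts X-Forwarded-Proto from any client, so it is only safe when every request reaches WordPress through your own proxy. A stricter variant, added here as an example and not taken from the original article, honours the header only when the connecting address is a trusted proxy; the example_ names and the proxy addresses are hypothetical placeholders, and 64-bit PHP is assumed.

```php
// Added example for wp-config.php, not from the original article. It replaces
// the snippet above; do not keep both, or FORCE_SSL_ADMIN is defined twice.

// ASSUMPTION: hypothetical list of proxies allowed to set X-Forwarded-Proto.
// Constructed placeholder values (documentation ranges); replace them with
// the addresses of your own load balancer or CDN.
$example_trusted_proxies = array( '192.0.2.10', '198.51.100.0/24' );

// Hypothetical helper: true when IPv4 address $ip falls inside $cidr.
// A bare address is treated as /32. Anything unparsable (including IPv6)
// returns false, so the forwarded header is ignored rather than trusted.
function example_ipv4_in_cidr( $ip, $cidr ) {
	$parts = explode( '/', $cidr, 2 );
	$bits  = isset( $parts[1] ) ? $parts[1] : '32';
	$ip_n  = ip2long( $ip );
	$net_n = ip2long( $parts[0] );
	if ( 1 !== preg_match( '/^\d{1,2}$/', $bits ) || (int) $bits > 32
		|| false === $ip_n || false === $net_n ) {
		return false;
	}
	$bits = (int) $bits;
	$mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
	return ( $ip_n & $mask ) === ( $net_n & $mask );
}

$example_peer  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$example_proto = isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
	? strtolower( trim( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) )
	: '';

$example_from_proxy = false;
foreach ( $example_trusted_proxies as $example_cidr ) {
	if ( example_ipv4_in_cidr( $example_peer, $example_cidr ) ) {
		$example_from_proxy = true;
		break;
	}
}

// Honour the header only when the TCP peer is one of our own proxies. Any
// client that reaches the server directly can set this header itself, so on
// its own it says nothing about whether the connection was encrypted.
if ( $example_from_proxy && 'https' === $example_proto ) {
	$_SERVER['HTTPS'] = 'on';
}

if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
	define( 'FORCE_SSL_ADMIN', true );
}
```

If your proxy connects over IPv6 or is missing from the list, the header is ignored and the admin area can end up in a redirect loop, so test on staging first.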
Step 6: Save & Upload Your Changes
Once you’ve added those configuration rules to your WordPress config you can save the changes you have made, and then upload them to your site.
It’s best to test these changes out first on a staged environment or localhost environment to verify you haven’t made any mistakes.
Step 7: Test Your Site
After uploading the new wp-config.php file, visit your website at http://www.yourwebsite.com and verify that it automatically redirects to https://www.yourwebsite.com. Next, log in to the WordPress admin area and confirm that it's always using an HTTPS connection as well.
Step 8: Update Your Site URL
After you've confirmed the changes are working, you should update the site URL in the WordPress admin under Settings > General, making sure that the following begin with https://:
- WordPress Address (URL)
- Site Address (URL)
I hope this helps! Let me know if you have any other questions.
Additional Resources
- wp-config.php Documentation
- CloudFlare Universal SSL
- Let’s Encrypt SSL
- [WPEngine SSL Certificate How-to](https://wpengine.com/support/add-ssl-site/#Lets_Encrypt_SSL_Certificates)
- Kinsta: Install an SSL Certificate
- wikiHow: How to Install an SSL Certificate