Forcing HTTPS on a WordPress Site

Before we begin, a couple of definitions. An https connection is the protocol that defines how the visitor and the server negotiate a secure connection.

An SSL Certificate is the document that proves the authenticity of the server.

How To Force HTTPS

This is how to force HTTPS if, for example, you have an e-commerce WordPress site and want to put it under https for security or because your payment system requires an SSL certificate.

First make sure your web host can deliver an https site. They might only provide this under certain plans and may need to move your site to another server.

Buy an SSL certificate - your web host can probably sell you one.

Activate this plugin with which you can make the whole site secure or only certain pages (such as checkout pages) secure, if you wish: WordPress HTTPS

Change the URLs to https in Settings / General in the admin panel on your site.

Add instructions to your .htaccess file to tell it to redirect any http enquiries to https. You will find the following code mentioned around the web but you may find it causes the site to hang.

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R,L]

The following code works. Add it before the comment line in the .htaccess file that reads #BEGIN WordPress

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Now test it with this SSLLABS test and give yourself an A.