How to force SSL on a WordPress website

Why should you do it?

Google wants to make the web a safer place and they’ve said that use of SSL is now a ranking signal. (Although no one knows for sure just how much it matters.) Besides this, it lends credibility to your website and your business.

SSL certificates used to cost you lots of money, but today, you can get them for absolutely free. Of course, many hosts will still try to steer you toward their paid certificates (when you host with us, SSL is free and standard operating procedure), but unless you genuinely need an EV or wild-card cert, there’s simply no reason to either pay or go without nowadays.

Here’s how to do it

Once you’ve installed your SSL certificate, you need to make three different changes, outlined below.

Before you begin, decide whether you’ll use www.example.com or example.com. You can use either; the important thing is to be consistent.

First, from within WordPress, you’ll update your site to use https://. Click Settings, then General, then update your WordPress Address (URL) and Site Address (URL) to use https://. (At each step, replace “example.com” with your own domain name.)

Alternatively, you can add these two lines to your wp-config.php file:

define('WP_HOME','https://www.example.com');
define('WP_SITEURL','https://www.example.com');

No matter what, I also recommend adding these lines to wp-config.php, for increased security:

define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_EDIT', true);
define('AUTOMATIC_UPDATER_DISABLED', true);

That last line disables all automatic updates. Why, you ask, especially given that keeping your WordPress site regularly updated is a critical security measure? My reason is simple: automatic updates can fail due to various causes and break your site. For this reason, I do keep my sites updated regularly, but run the processes manually when I’m able to babysit them.

Next, you’ll edit the .htaccess file in your /public_html folder. But first, a word of caution, and then two important notes:


Note: Be sure to leave the punctuation (slashes, exclamation points, etc.) intact so that the directives match correctly.

Note: It’s important to add the lines below above the # BEGIN WordPress block, so that they (a) execute before the standard WordPress redirect does, and (b) aren’t overwritten by any changes which WordPress itself writes to .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

That’s it!
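To check the .htaccess step, the following added example (not code from the original post) verifies that the HTTPS condition sits above the # BEGIN WordPress marker and that a plain-http request gets a 301 to https:// on the same host. The function names are hypothetical, and it assumes a POSIX shell with awk (plus curl for the live check).

```shell
#!/bin/sh
# Added example (not the author's code): checks for the .htaccess step above.

# htaccess_redirect_placement FILE   (FILE may be "-" for stdin)
# Prints: ok | after-wordpress-block | missing
# "ok" means the HTTPS redirect condition sits above "# BEGIN WordPress".
htaccess_redirect_placement() {
    awk '
        { line = tolower($0) }   # Apache directive names are case-insensitive
        line ~ /^[ \t]*rewritecond[ \t]+%[{]https[}][ \t]+off/ && !cond { cond = NR }
        line ~ /^[ \t]*#[ \t]*begin wordpress/ && !wp { wp = NR }
        END {
            if (!cond)                print "missing"
            else if (wp && cond > wp) print "after-wordpress-block"
            else                      print "ok"
        }
    ' "$1"
}

# first_hop_ok HOST   (reads HTTP response headers on stdin)
# Succeeds only for a 301 whose Location starts with https://HOST/,
# which is what the [L,R=301] rule should produce for a plain-http request.
first_hop_ok() {
    awk -v host="$1" '
        { sub(/\r$/, "") }                    # strip CR from CRLF header lines
        NR == 1 { status = $2 }               # e.g. "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { loc = $2 }
        END {
            ok = (status == "301" && index(loc, "https://" host "/") == 1)
            exit(ok ? 0 : 1)
        }
    '
}

# Constructed sample .htaccess with the redirect placed too low:
printf '%s\n' '# BEGIN WordPress' '# END WordPress' 'RewriteCond %{HTTPS} off' |
    htaccess_redirect_placement -          # prints: after-wordpress-block

# Live use (assumes curl is installed and www.example.com is your domain):
#   htaccess_redirect_placement ~/public_html/.htaccess
#   curl -sI http://www.example.com/ | first_hop_ok www.example.com && echo OK
```

Because the rule redirects to %{HTTP_HOST}, the first hop keeps whichever host was requested, so run the header check against both www.example.com and example.com.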


Chris Aram

I'm a developer who specializes in whipping your technology into shape so that it makes your professional and personal life better.
