How to force HTTPS on your website


Having HTTPS enabled (i.e. having an SSL Certificate installed) on your server is important for the security of your website. It means that the traffic between your users and your site is encrypted, so there’s a much smaller chance that any intercepted traffic could actually be deciphered by a nefarious third party (or an Internet Service Provider).

HTTPS is also a huge part of your Technical SEO efforts and is a substantial ranking factor for search engines, including Google.

For most web hosts, installing an SSL Certificate is just a matter of pressing a button.

But what happens when both the HTTP and the HTTPS versions of your webpages are visible?

It means that your user could be using an unencrypted page, and it also means any analytics software you’re using is probably miscalculating your traffic. A hit at http://yoursite.com and a hit at https://yoursite.com will count as two separate webpages with one hit each, as opposed to one page with two hits.

The fix is reasonably straightforward, assuming you’re comfortable with SFTP, or some other way of accessing the root directory of your server. Note that this article also assumes you’re using a web server with Apache installed.

Your server is more than likely running Apache. If you have cPanel, then you’re using Apache. If you’re using WordPress, then you’re also very likely to be using Apache.

If in doubt, check with your web hosting provider.

We’re also assuming that you actually have an SSL Certificate installed on your server so that navigating to https://yoursite.com does not throw some sort of error.

What we’ll be doing here is adding to an existing file that is called .htaccess. If your server doesn’t already have a .htaccess file, then we’ll create one.

What code do I need to add to the .htaccess file?

This is the block of code we’ll be adding:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

If we were to write this in ‘human speak’, it would read something like:

  1. Make sure that the web server (Apache) has its Rewrite Engine turned on so that we can tell some webpages to point to other webpages.
  2. Did this request arrive over HTTPS?
    1. If it did, then do no more and exit this block of code.
    2. If it did not, go to the next instruction.
  3. Redirect the request from the HTTP address to the same host and path at the HTTPS address, using a 301 (permanent) redirect.

If you already have an .htaccess file

If you’re using WordPress or another CMS platform, you’ll already have a .htaccess file in the root directory of your website.

Log in via SFTP and you’ll see it there along with all the files of your site.

Using FileZilla, you can right click and edit the file.

The code inside will look something like:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

There may be more than that in there, but the important thing to note is to keep out of the code between # BEGIN WordPress and # END WordPress.

Directly before whatever is already in that file, copy and paste this code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Save the file back to your server (if you’re using FileZilla it will automatically do this for you).

Now when you go to http://yoursite.com it will automatically redirect to https://yoursite.com.

How to create an .htaccess file

If there is no .htaccess file when you log in to your server, you can easily create one.

Again assuming you’re using SFTP software like FileZilla, you can either right click and ‘create new file’ or do the same from the File menu of whichever piece of software you’re using.

Create the file and call it .htaccess

Yes, the file name starts with a dot.

Within that new file, copy and paste the same code from above:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Save the file and you’ll now have all your HTTP traffic diverted to your HTTPS address.
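To confirm the rule is doing what it should, check the first response to an HTTP deep link rather than just the home page. The script below is an added example, not part of the original article: the function names are hypothetical and the sample responses are constructed. It checks each part of the rule (the 301, the HTTPS scheme, the host from %{HTTP_HOST} and the path from %{REQUEST_URI}).

```python
"""Check that an HTTP URL answers the way the .htaccess rule intends."""
import http.client
from urllib.parse import urlsplit


def fetch_first_hop(url, timeout=10):
    """HEAD the URL without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(http_url, status, location):
    """Return a list of problems; an empty list means the redirect is correct."""
    src, problems = urlsplit(http_url), []
    if status != 301:                      # R=301 in the rule
        problems.append(f"expected 301, got {status}")
    if not location:
        return problems + ["no Location header"]
    dst = urlsplit(location)
    if dst.scheme != "https":
        problems.append(f"Location scheme is {dst.scheme!r}, not 'https'")
    if dst.hostname != src.hostname:       # %{HTTP_HOST} keeps the host
        problems.append(f"host changed to {dst.hostname!r}")
    if dst.port not in (None, 443):        # a port copied from the Host header
        problems.append(f"Location carries port {dst.port}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        problems.append("path or query string changed")   # %{REQUEST_URI}
    return problems


# Constructed sample responses (status, Location) for one deep link.
URL = "http://yoursite.com/blog/?p=1"
SAMPLES = {
    "rule working": (301, "https://yoursite.com/blog/?p=1"),
    "no rule, page served over HTTP": (200, None),
    "temporary redirect": (302, "https://yoursite.com/blog/?p=1"),
    "deep link lost": (301, "https://yoursite.com/"),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(f"{name}: {check_redirect(URL, status, location) or 'OK'}")
    # Live check on your own site: check_redirect(url, *fetch_first_hop(url))
```

A 200 with no Location header means the HTTP version of the page is still being served, which is the situation described at the start of this article.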

Happy days!

Now a digital veteran, Sam Hemphill initially trained as a drummer and high school teacher and spent 10 years as a touring musician and tour manager. During that time, he...
