How to force HTTPS in WordPress

If your WordPress site still loads over HTTP, you’re not just missing out on a small browser icon—you’re putting security, SEO, and trust at risk. Forcing HTTPS ensures every visitor lands on the secure, encrypted version of your site, no matter how they get there.
Let’s look at why it’s important and a few ways to get it done.
What HTTPS is and why it matters
HTTPS (Hypertext Transfer Protocol Secure) encrypts data exchanged between your website and your visitors. It’s essential for protecting passwords, payment info, and other sensitive data. But it’s also important for:
- Improving Google rankings
- Avoiding browser warnings like “Not Secure”
- Gaining user trust and boosting conversions
Modern browsers and users expect secure sites. HTTPS is no longer optional.
Why force HTTPS?
Just installing an SSL certificate isn’t enough—many visitors will still reach the insecure version of your site unless you actively redirect them. This happens because:
- Old bookmarks or backlinks may still use http://
- Search engines may have indexed the HTTP version
- Users might type your domain without specifying HTTPS
Forcing HTTPS ensures that anyone visiting your site, no matter how they got there, is automatically redirected to the secure version.
It also helps consolidate your site’s URL structure, so Google doesn’t see HTTP and HTTPS as separate versions of the same site. Without redirection, you risk content duplication, mixed content warnings, and security holes.
Make sure your SSL certificate is active
You can’t force HTTPS without an SSL certificate. Here’s how to check:
- In your browser: Visit your site and look for a padlock icon in the address bar
- In your hosting control panel: Many control panels, like cPanel or Plesk, show SSL status next to each domain
- Use a tool: Try SSL Shopper or SSL Labs to scan your domain
If you don’t have an SSL certificate, most hosts offer free options via Let’s Encrypt.
Update your WordPress settings
WordPress stores your site’s URL, and you need to update it to HTTPS:
- Log in to your WordPress dashboard
- Go to Settings → General
- Change both WordPress Address (URL) and Site Address (URL) to start with https://
- Click Save Changes
- You may be asked to log in again—this is normal
Force HTTPS using a plugin (easy method)
The simplest way to enforce HTTPS across your entire site is with a plugin. The most popular choice is Really Simple Security (formerly Really Simple SSL):
- Go to Plugins → Add New and search for “Really Simple Security.”
- Install and activate the plugin.
- Let it automatically detect your SSL certificate.
- Enable the recommended settings.
- Clear your site and browser caches.
This handles redirects, mixed content, and most edge cases without code.
Force HTTPS with .htaccess (manual method for Apache)
If you prefer a manual solution or want tighter control, you can edit your .htaccess file. This only applies to Apache servers:
- Back up your site and .htaccess file first
- Open .htaccess in your site’s root directory
- Add the following code at the top:
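<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match only requests that arrived over plain HTTP
    RewriteCond %{HTTPS} off
    # Send them to the same host and path over HTTPS with a permanent redirect
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
- Save and re-upload the file if needed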
- Visit your site to confirm the redirect works
Force HTTPS with NGINX (alternative to Apache)
If your site runs on NGINX, you’ll need to update the server block:
- Locate your NGINX config file, often at /etc/nginx/sites-available/
- Open the server block for port 80 (non-SSL)
- Add this redirect:
# Plain-HTTP listener: answer every request with a permanent redirect to HTTPS
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
- Reload NGINX: sudo systemctl reload nginx
Make sure you have a valid SSL block for port 443 before enabling the redirect.
Fix mixed content warnings
Even if HTTPS is enabled, your site might still load some resources (like images, scripts, or stylesheets) over HTTP. This triggers mixed content warnings.
Fix them by:
- Using Better Search Replace to replace http://yourdomain.com with https://yourdomain.com in the database
- Manually updating theme files or hardcoded URLs
- Using browser dev tools to identify insecure assets
- Ensuring your CDN supports HTTPS if you’re using one
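To find insecure assets in a saved page without clicking through dev tools, the following added example (not part of the original guide) scans HTML for subresources still loaded over http://. The tag tables, the `scan` helper and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch a subresource.
# "active" content can change the page and is blocked by browsers;
# "passive" content (images, media) triggers a warning or an automatic upgrade.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag not in table:
                continue
            url = (attrs.get(table[tag]) or "").strip()
            # <link> fetches a blockable subresource only for rel="stylesheet";
            # rel="canonical" and similar are plain references.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            if url.lower().startswith("http://"):
                self.findings.append((kind, tag, url))

def scan(html):
    """Return every http:// subresource found in an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample markup (not taken from a real site).
SAMPLE = """
<link rel="stylesheet" href="http://example.test/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://example.test/">
<script src="https://example.test/wp-includes/js/jquery.js"></script>
<script src="http://cdn.example.test/slider.js"></script>
<a href="http://example.test/about">About</a>
<img src="http://example.test/wp-content/uploads/logo.png" />
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Ordinary `<a href>` links are not reported: following a link to an http:// page is navigation, not mixed content.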
Test your site over HTTPS
Once everything’s in place, test your site:
- Visit several pages and make sure they load with the padlock icon
- Use Why No Padlock to scan for issues
- Test your SSL setup with SSL Labs
Final tips and troubleshooting
After forcing HTTPS, there are a few final steps to fully transition your WordPress site and avoid any lingering issues. These tips help reinforce the redirect and keep your analytics and SEO data accurate.
- Update your site’s URL in Google Search Console to the HTTPS version.
- Do the same in Google Analytics.
- Enable HSTS headers for stronger browser-side HTTPS enforcement (for advanced users).
- Clear all site, server, and browser caches to make sure changes take effect.
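To check both the redirect and the HSTS tip above in one pass, this added example (not part of the original guide) audits a recorded redirect chain: the first hop must be a permanent redirect to HTTPS on the same host, no later hop may fall back to HTTP, and the final response must carry a usable Strict-Transport-Security header. The function names, the one-year `MIN_MAX_AGE` threshold and the sample chains are assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # assumption: one year is the floor this check accepts

def parse_max_age(hsts_value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in hsts_value.split(";"):
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive.strip(), re.I)
        if m:
            return int(m.group(1))
    return None

def audit_chain(hops):
    """hops: [(url, status, headers), ...] in the order a client saw them.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    url, status, headers = hops[0]
    target = urlsplit({k.lower(): v for k, v in headers.items()}.get("location", ""))
    if status != 301:
        findings.append(f"first hop answers {status}, not a permanent 301")
    if target.scheme != "https":
        findings.append("first redirect does not point at https://")
    elif target.hostname != urlsplit(url).hostname:
        findings.append("first redirect changes host, so the original host never sets HSTS")
    for later_url, _, _ in hops[1:]:
        if urlsplit(later_url).scheme != "https":
            findings.append(f"chain drops back to plain HTTP at {later_url}")
    hsts = {k.lower(): v for k, v in hops[-1][2].items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("final response carries no Strict-Transport-Security header")
    elif (parse_max_age(hsts) or 0) < MIN_MAX_AGE:
        findings.append(f"HSTS max-age is below {MIN_MAX_AGE} seconds")
    return findings

# Constructed sample chains (not captured from a real site).
GOOD = [
    ("http://example.test/shop", 301, {"Location": "https://example.test/shop"}),
    ("https://example.test/shop", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
BAD = [
    ("http://example.test/shop", 302, {"Location": "https://www.example.test/shop"}),
    ("https://www.example.test/shop", 301, {"Location": "http://www.example.test/shop/"}),
    ("http://www.example.test/shop/", 200, {}),
]

if __name__ == "__main__":
    print({"GOOD": audit_chain(GOOD), "BAD": audit_chain(BAD)})
```

Browsers only honor HSTS when it arrives over HTTPS, so the header belongs on the port 443 response, not on the port 80 redirect.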
Next steps to force HTTPS on WordPress
Forcing HTTPS in WordPress is critical for site security, SEO, and professionalism. Whether you go the plugin route or configure it manually, the goal is the same: make sure every visit to your site is encrypted and secure.
The next step is to choose your preferred method—plugin or manual—and implement the HTTPS redirect on your site. Start by backing up your site and confirming your SSL certificate is active before making any changes.