How to Force Redirect HTTP to HTTPS in WordPress?

Posted by Hack Recovery Team 19 Min Read
Website

It can feel like a never-ending task to instal an SSL licence.

Right when you think you’re almost to the finish line, some gap is always left to cover.

You have an SSL certificate installed, and now it’s time to make sure it has actually been installed on every single page on your web.

This is where HTTPS compliance comes in.

When configuring SSL, many websites encounter problems. For certain sites, the certificate is not correctly activated. Therefore, you ought to compel these sites to have a certificate (or HTTPS) on them.

You’ll learn how to do exactly that in this tutorial.

Forcing HTTPS is known to cause problems. Yeah, don’t worry. We have your back. We’ll teach you how to resolve those problems. In no time, the whole site will be running on SSL.

TL;DR

Installing and enabling the Very Basic SSL plugin is the easiest way to push your website to use HTTPS. You don’t have to raise a single finger, it operates automatically. Come back to this article and check out our troubleshooting section if forcing HTTPS leads to a query.

Have You Installed An SSL Certificate?

You need to get the SSL certificate enabled before you continue to push HTTPS into WordPress. Without downloading the certificate first, do not add any extension that will help you implement it.

We also experienced circumstances where site operators, without downloading an SSL licence, have enabled the Very Basic SSL plugin. As a result, their websites broke down and their admin dashboard access was lost.

Therefore, prior to moving to the next segment, please ensure that you have an SSL certificate enabled on your site.

How To Force HTTPS in WordPress 

There are two ways to force WordPress to use HTTPS:

  1. Forcing HTTPS using a plugin (easy way)
  2. Forcing HTTPS manually (hard way)

Let dive into both methods –

Forcing HTTPS Using A Plugin (Easy Way)

Step 1: Build a location for staging. This is an exact copy of a live website. You can verify on the staging site whether the plugin can implement HTTPS correctly.

Your live website stays unharmed if it does not. In addition, on the staging platform, you can troubleshoot what went wrong and resolve the error. Later, without replicating the moves, you will combine the staging site with the live one to integrate the improvements.

→ So, instal and activate BlogVault Staging on your live WordPress website.

→ From your website dashboard, select BlogVault.

→ Next, insert your email ID, then click on Get Started.

blogvault-get-started

→ BlogVault will ask you to create an account. All you need to do is enter a password.

→ Add your site to the BlogVault dashboard just by clicking on Add. 

blogvault-add-new-site

→ The plugin will start taking a backup of your complete website. When the process is complete, on your BlogVault dashboard, click on Sites and then select your website.

blogvault-dashboard-1

→ Scroll down to the Staging section and select Add Staging > Submit. BlogVault will start creating a staging site for you.

blogvault-add-staging-1

→ When the staging site is ready, you will be given a username and password. Note them down, you’ll need them.

blogvault-staging-username-and-password

→ Then open the staging site by clicking on the Visit Staging Site button

visit-staging-site-blogvault-1

→ The staging site will open in a new tab and you will be asked to enter the credentials that you noted down.

staging-site-username-and-password-1

→ Now you can access your staging site. Just add /wp-admin/ at the end of your URL to open the login page.

→ And login via the same credentials you use to log into your live site.

staging-site-wp-admin-1

Step 2: Now mount and trigger your staging site with the Very Quick SSL plugin.

Step 3: This particular WordPress Force HTTPS plugin will instruct you to make a backup after activation, which you have already done. Then, you’re going to be asked to go ahead and click on “Go ahead, activate SSL.” Do that and you’re going to push HTTPS site-wide.

really-simple-ssl-activate-button-1

Step 4: Clear the caches on your web and browser. How to Clear WordPress Cache? Here’s a tutorial that will get you through that.

Step 5: Review all of your staging site’s pages. Login and admin pages, email pages, cart pages, service or merchandise pages, archive pages, all important landing pages, and blogs are the most important ones.

If your website has way too many pages to search manually? To do so automatically, use one of the instruments below. You will get a warning if the SSL certificate is not available on any tab.

  • https://www.jitbit.com/sslcheck/
  • https://www.sslchecker.com/insecuresources
  • https://www.ssllabs.com/ssltest
  • https://www.whynopadlock.com/

If the credential is not correctly forced, problems such as mixed content, redirection loops, or no HTTPS on the login and admin page can arise.

Fortunately, our test site didn’t have a problem with mixed material.

no-mixed-content-1

If you find a problem, don’t worry, the answer is there. To repair the website, jump to the troubleshooting portion.

Merge the staging site with your live site after you’ve patched the site.

Step 6: Open the dashboard on BlogVault and go to the Staging area. Select Combine, then click Proceed, and the merging process will begin.

staging-merge-blogvault-1

That’ll all, folks. SSL certificate has been forced on your website.

Forcing HTTPS Manually (Hard Way)

The proposed approach is to use the plugin so it’s automatic. Apart from triggering the plugin, you do not have to do anything.

You ought to be somewhat more skilled and familiar with managing WordPress backend files with the manual process. You may make mistakes if you are not skilled at working on the backend of the website.

Unfortunately, the slightest error, like your website crashing and losing access to your admin dashboard, will lead to disastrous consequences.

In the event that we were not clear, the manual approach is not advised. If you sound ambitious today, though, then go ahead and attempt the manual process.

Here are the two moves you need to take without the plugin to push WordPress HTTPS:

Step 1: Backup Your Site

Before introducing any of the following measures, take a thorough backup of your website. You will easily return the site to normal if anything goes wrong. This is a security measure that is taken by all the most experienced developers.

Here are the best backup services you can offer for WordPress, if you are not subscribed to a backup plan.

Step 2: Change the Setting of WordPress & Web Addresses

→ Login to your WordPress dashboard and go to Settings > General.

→ Go to WordPress & Site Addresses.

→ Change the URLs from http:// to https://

→ Save and close the window.

change-wordpress-address

Step 3: Insert A Code Snippet Into Your Server 

There are two types of servers –

  • Apache
  • Nginx

The code snippet that you need to insert onto an  Apache server is different from the one you need to insert onto an Nginx server.

Hence, you need to first figure out which server is your site hosted on. Here’s how to do that –

> What Server Is Your Site Hosted On?

You could just talk to your hosting provider. But there’s a quicker way that we’ll show you below:

→ Open your website, right-click anywhere in the window and select Inspect. A window pops up from underneath.

→ From that window, select Network, then the name of your website, and then click on Header.

finding-what-server-your-site-is-on-1

→ In the header section, scroll down to find the server of your site.

server-nignx-1

> Inserting Code Snippet Onto An Apache Server

→ Download and instal Filezilla onto your computer.

→ Open the software and enter your FTP details at the top of the window. With the aid of this guide and this tutorial, you will find your FTP credentials. Or just talk to your company about hosting.

filezilla-credentials-1

→ The Remote site panel will populate with the files and folder of your website. You should find a public_html folder in that panel. Expand that folder.

filezilla-public_html

→ Inside the public_html folder, you will find the .htaccess file. Right-click on it and select View/Edit.

edit-htaccess-file-1

→ Inside the .htaccess folder, insert the following code snippet:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Please ensure that you are inserting it between “# BEGIN WordPress” and “# END WordPress.”

htaccess-edit-1

→ Remember to save the file and exit.

It’s that. It will enforce the website’s HTTPS.

> Insert Snippet Code on a Nginx server

→ Download and instal Filezilla into your computer.

→ Open it and enter your FTP credentials. Your FTP info can be found by your hosting company. This tutorial and this video will provide you with step-by-step guidance if you don’t know how to locate your credentials.

filezilla-credentials-1

→ The Remote site panel will populate with WordPress files and folders. You should find a public_html folder in here. Click to expand that folder.

filezilla-public_html-1

→ Inside the public_html folder, you will find the wp-config.php file. Right-click on it and select View/Edit.

wp-config-edit-1

→ Inside the .htaccess folder, insert the following code snippet:

server {
listen 80;
return 301 https://domain.com$request_uri;
}

Please remember to replace domain.com in the snippet with your own website URL.

Also, make sure to insert the code above the sentence /* That’s all, stop editing! Happy blogging. */

htaccess-edit-1

→ Remember to save the file and exit.

→ Next, clear your website cache, as well as the browser cache. How to clear the WordPress cache? This tutorial will help you do exactly that.

→ Check your website thoroughly. The username and admin pages, email pages, cart pages, programme, or merchandise pages, archive pages, all-important landing pages, and articles are important pages on your website.

If your website has so many sites to manually check, use software to verify that HTTPS has been correctly implemented.

  • https://www.jitbit.com/sslcheck/
  • https://www.sslchecker.com/insecuresources
  • https://www.ssllabs.com/ssltest
  • https://www.whynopadlock.com/

The tools will alert you if any of your pages do not reflect the SSL licence.

Don’t worry if there is a warning. A solution is there. To patch the web, jump to the troubleshooting link.

But if all is going well, then continue to the next segment.

Updating The Web Services Site

You’re already using a lot of online sites, if you’re anything like us. X, Y, and Z are representations of widely available programmes. For them to continue operating, upgrading the URL on all your accounts is important.

Check The Sitemap: Preferably, the sitemap can be automatically modified by SEO plugins like Yoast. If not, you need to log in to your WordPress administrator and navigate to SEO > Features > XML Sitemaps > Sitemap Disable. Then re-enable it. The sitemap with the modified URLs would be regenerated by this.

xml-sitemaps-yoast-1

→ Update URL on Google Services: Google Analytics considers HTTP and HTTPS to be different websites, hence you need to update the link to your website on Analytics. Sign in to your Analytics account, then go to Admin > Property Configuration > Default URL. Right before your URL, select HTTPS from the drop-down menu.

google-analytics-change-url-1You need to add it as a new property to Google’s Search Console. Upload the modified sitemap to the Search Console, then.

google-search-console-ad-property-1→ Update Your CDN: Most CDNs are equipped with a built-in feature that allows you to change the URL. If your CDN doesn’t, so the safest thing is to communicate for their support.

→ Update Your Social Media Account: It’s good practise to keep the site URL updated on your social profiles.

Troubleshooting Problems triggered by HTTPS Pushing

You are likely to come across one of these three problems when pushing HTTPS on your WordPress website:

  • No SSL on login & admin page
  • Broken padlock or padlock showing warning signs (mixed content issue)
  • Redirection loops

This is how to repair them—

No SSL on the login & administration tab

Is the “Not Secure” alert shown on your login page and admin area?

This arises when the SSL credential is not correctly installed.

not-secure-ssl-1

If you begin signing in without an SSL certificate, login credentials can be easily abused if intercepted by hackers. You need to force HTTPS on the login and admin pages before such a tragedy occurs.

Broken Padlock or Padlock Indicating Alarm Signals (Mixed Content Issue)

Is your SSL certificate showing warning signs?

This is attributed to a concern with mixed content. It means you have WordPress plugin connections, photos, scripts and/or stylesheets and themes that don’t use HTTPS.

All you need to do is run your site on SSL checkers like Whynopadlock & Jitbit to decide whether your site has mixed content. Alternatively, by following the steps below, you may do a manual check:

  • Open your website. Right-click and then pick Inspect.

browser-inspect

From below, a little window opens open. Go to the Console and the mixed content message will be shown to you, along with information of where the mixed content problems originate.

The problem, for example, may be triggered by a plugin or theme for WordPress.

theme-mixed-content-1
It could be triggered on your site by a picture.

mixed-content-image-1Redirection Loops

Is your website routed constantly?

Redirection loops exist for a multitude of causes. Those are as follows:

  • You have incorrect WordPress & Web Addresses
  • Wrong instructions for redirection in the .htaccess format
  • Forcing HTTPS without the SSL certificate being installed
  • Configuration problems with a plugin for redirection

If you have closely followed our guide, so the first three problems are not possible. We recommend, though, that you study the actions you took once more. A minor error may have contributed to the redirection loop because it’s a crucial move.

All good? All good? Then, it is very possible that the true culprit is a redirection plugin on your website. Try getting it disabled.

You would be stopped from reaching the admin dashboard by the redirection loop. So, via FTP, you need to uninstall the plugin.

  • Open Filezilla and go to plugins for public html > wp-content >.

filezilla-plugins-1

→ Select the redirection plugin installed on your site. Right-click and select Rename it. Just add .deactivate and the plugin will be deactivated.

disabling-plugin-filezilla

→ Next, clear your cache and check if the site is still redirecting. Hopefully, it’s fixed. If not, then consider posting about it on the WordPress support forum and on Facebook groups like WordPress Experts, WPCrafter, WordPress, WPSecure, among others.

When all fails, you can hire developers to investigate the matter. Please ensure that you hire developers from trusted sources like –

  • WordPress Jobs
  • Smashing Jobs
  • Codeable.io
  • WPMU Dev Pros
  • StackOverflow Careers

That’s all folks. And that’s how you force HTTP to HTTPS in WordPress. We hope you found the guide valuable and easy to follow.

Next What?

We are sure that you will push HTTPS through your WordPress website if you followed our instructions carefully.

But it won’t protect it from hackers and bots by switching the site to HTTPs alone.

There are other constructive security steps you need to take.

The most critical safety step that you will take is to add a trustworthy and stable security plugin for your WordPress website.

By taking the steps below, a powerful security plugin will secure your website:

  • Stop bad traffic with a firewall and login security tools from reaching your site.
  • Conduct regular, automated scans of the website.
  • Thoroughly scrub the website and within a couple of hours.
  • Support introduce steps for website hardening.
Tags: