Force HTTPS On All Pages of Your WordPress Site

Securing your WordPress site with SSL is well worth the effort. All information posted and processed by a website should be encrypted, and there's no reason not to have SSL enabled on your website, especially since you can get a free SSL certificate from Let's Encrypt. Google also favors websites that use HTTPS, especially when HTTPS is forced on every page of your WordPress site.

Force SSL for Administrative Page and Sign In Page

Modify the wp-config.php file and add the following:

define('FORCE_SSL_ADMIN', true);

At this point every time you visit http://blog.website.com/wp-admin, you will be redirected to an https version automatically.

Secure Entire Website with HTTPS

Ideally, you should force all pages on your WordPress site to always use SSL. This not only boosts your search engine ranking but also makes your website more secure.

The following two steps are critical for locking down your entire WordPress site.

Navigate to Settings –> General and change both the WordPress Address (URL) and the Site Address (URL) to use https:// instead of http://.

Write .htaccess to process everything under HTTPS

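# BEGIN WordPress
# Note: WordPress regenerates everything between the BEGIN/END WordPress
# markers when it rewrites its permalink rules, so re-check the HTTPS
# redirect after changing permalink settings.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive on port 443 gets a permanent (301)
    # redirect to the same host and URI over HTTPS.
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Standard WordPress rules: send requests that do not match an existing
    # file or directory to index.php.
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress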

The above code takes a request that isn't using port 443 and rewrites the URL to use HTTPS with a 301 redirect. Most of the code above should already exist in the .htaccess file, specifically the rules towards the bottom of the block.
