Setting up HTTPS in your WordPress site

In order to force your site to use HTTPS, you'll need to perform a couple of additional steps (see below). Making these changes does require modifying your site's files directly and may be outside the comfort zone of some users. If you're uncomfortable performing these steps, you can submit a support ticket and have us make these changes for you.

Note: You should perform these steps once you verify that your domain has an SSL certificate.

  1. Update your WordPress installation's URL
  2. Modify your .htaccess file to force SSL traffic

Update your WordPress installation's URL

To update the URL of your WordPress installation, log in to your WordPress Dashboard to navigation to Settings-->General Settings

On this screen, you'll see a series of options. Look for two fields named: WordPress Address (URL) and Site Address (URL). In almost all circumstances, these fields will have the same URL in them, but they may be different depending on your configuration.

If your site isn't running on SSL currently, both of these URLs will begin with "http://". Simply change the beginning to "https://" and then save.

Example: becomes 

Note: After making this change you will need to log back into your dashboard since the URL has changed.

Modify your .htaccess file to force SSL Traffic

Now that your WordPress site URL has been updated, you need to tell the web server to redirect any non-secure (http) traffic to secure (https) URLs. The simplest way to modify your .htaccess file is by using FTP.  Note: Your default FTP account username/password is your cPanel username/password. See Default FTP Account for details.

Start by accessing your site's FTP directory and then go to edit the .htaccess file in the root of your WordPress installation. Out of the box, this file will contain some entries from WordPress itself. If you're using a caching plugin such as WP-Rocket, W3 Total Cache, or similar, that plugin may also have added some entries to this file. 

Look for the default WordPress entry, which should look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Once you've located the default WordPress entry, add the sample code below above the default WordPress entry:

# Enable SSL
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END Enable SSL

Once your changes to .htaccess have been saved, your site should now redirect all non-secure traffic to the secure version of your domain.

What if I made a mistake?

Even if you completely mess up the .htaccess file for your site, WordPress can help out. Simply create an empty file called .htaccess in the root folder of your site. Then, log in to your site, navigate to Settings-->Permalinks, and click the save button. WordPress will automatically generate the appropriate content for the empty file you just created.

Have additional questions or feedback on this article?  Contact Support.