WordPress Guides

How to Force HTTPS in WordPress

Make WordPress load only with HTTPS by fixing site URLs and redirect rules properly.

Before you start

Make sure the SSL certificate is already installed and the HTTPS version of the domain actually opens.

If you force HTTPS before SSL works, the site may become unreachable with browser security warnings.

Back up the current .htaccess file before editing it.

Step-by-step instructions

1. Check that HTTPS already works on the domain

Before changing WordPress, open the HTTPS version of the domain directly in the browser and confirm it loads with a valid certificate.

What you are checking

The browser should open the site securely without certificate warnings. If HTTPS itself is not working yet, fix SSL first and only then continue with WordPress redirect setup.

2. Change WordPress site URLs to HTTPS

In WordPress admin, go to Settings → General and change both the WordPress Address (URL) and Site Address (URL) from HTTP to HTTPS.

Example

Change http://example.com to https://example.com in both fields.

Why this matters

If these values remain on HTTP, WordPress may continue generating insecure internal links even after SSL is installed.

3. Force redirect from HTTP to HTTPS in .htaccess

Changing the WordPress URLs is not always enough. Add a redirect rule so every HTTP request is sent to HTTPS automatically.

.htaccess

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Where to add it

Add this near the top of your existing .htaccess file, usually before the standard WordPress rewrite block.

4. Keep the normal WordPress rewrite block below it

Do not remove the normal WordPress rewrite section unless you have a specific reason. The HTTPS redirect rule should work alongside the standard WordPress block.

.htaccess example

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Practical point

This is the common structure when WordPress is running on Apache with .htaccess-based rewrites.

5. Clear cache and test different URLs again

After changing the settings and redirect rule, clear any cache that may still serve the old HTTP version.

Check these cases

Test the homepage, an inner page, a post URL, and both the HTTP and HTTPS versions directly in the browser.

Expected result

Any HTTP request should redirect to the HTTPS version automatically and consistently.

6. Check mixed content if HTTPS still looks broken

If the page opens with HTTPS but still shows warnings, some resources may still be loading through HTTP.

Typical examples

Old image URLs, hard-coded script links, CSS background images, or plugin settings that still contain HTTP addresses.

Common situations this fixes

The HTTPS version works, but the site still opens as HTTP

This usually means WordPress URLs or redirect rules are still incomplete.

Visitors can open both HTTP and HTTPS versions

Without a forced redirect, search engines and users may reach two versions of the same site.

The admin area keeps switching between HTTP and HTTPS

This often happens when the WordPress URL settings are inconsistent with the actual SSL setup.

The SSL certificate is installed, but the browser still shows warnings

The redirect may be fixed, but mixed content may still exist inside the page output.

Common mistakes

Forcing HTTPS before SSL is actually working

If the certificate is missing or broken, the redirect only sends users into an error state faster.

Changing only one WordPress URL field

In normal WordPress setups, both the WordPress Address and Site Address should be updated together.

Editing .htaccess without keeping a backup

A broken .htaccess file can make the site behave strangely or stop loading correctly.

Assuming redirect is enough to fix mixed content

Redirects solve HTTP access, but hard-coded HTTP resources inside content or settings may still need separate cleanup.

About this guide

This guide shows how to force HTTPS in WordPress when the site still opens with HTTP, redirects inconsistently, or shows mixed content after SSL installation. It focuses on the practical steps that actually fix the problem: checking WordPress URL settings, forcing redirects in .htaccess, and verifying that the site is loading securely.

How to follow this guide

Confirm that SSL is already installed and working on the domain.
Change the WordPress Address and Site Address to HTTPS.
Add a redirect rule in .htaccess so HTTP always goes to HTTPS.
Clear cache and test several URLs again.
If some pages still load insecure resources, review mixed content separately.

Why use this method?

A site can have SSL installed and still continue loading through HTTP if WordPress settings or redirect rules are incomplete. Forcing HTTPS properly makes the site load consistently, improves security, and prevents confusion caused by mixed HTTP and HTTPS access.

Frequently Asked Questions

Can I force HTTPS before SSL is installed?

No. HTTPS redirect should only be forced after a valid SSL certificate is already working on the domain.

Why does WordPress still open with HTTP after SSL installation?

Usually the WordPress URL settings still use HTTP, or the server redirect rule has not been added yet.

What is mixed content?

It means the main page loads with HTTPS but some images, scripts, or other resources still load through HTTP.

Should I change both WordPress Address and Site Address?

Yes. In normal cases both should use the same HTTPS version of the site URL.

Guides

Step-by-step practical fixes for everyday technical problems.