Subscribe

Search The WP Edit...

ByThe WP Edit
May 2, 2026

Lock It Down! How to Force HTTPS Using .htaccess

Just installed an SSL? Make sure your visitors stay protected by forcing HTTPS on your WordPress site. Learn how to edit your .htaccess file to automatically redirect all traffic to a secure connection in just a few simple steps!

So, you’ve grabbed an SSL certificate, installed WordPress, and you’re feeling like a total tech wizard. Your site is officially “Secure.” But here’s the catch: sometimes, visitors (or old links) might still try to sneak in through the “HTTP” side door.

We don’t want that! We want every single person who visits your site to enjoy that sweet, encrypted HTTPS connection automatically.

The secret weapon? A tiny, powerful file called .htaccess. Here is how to use it to force your site to load securely every single time.

Step 1: Find Your Way In

First things first, you need to get to your website’s “brain.” Head over to your site’s primary file directory. You can do this through your hosting control panel’s File Manager or by using your favorite FTP client.

Step 2: Locate and Edit .htaccess

Once you’re in the root folder, look for a file named .htaccess.

Pro Tip: If you don’t see it, make sure your file manager is set to “Show Hidden Files.” It likes to play hide-and-seek!

Step 3: The Magic Code

Open that file up. You’re going to see some existing code in there, but don’t let it intimidate you. The simplest way to get this working is to clear out the current text and replace it with this fresh block of code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
Header always set Content-Security-Policy "upgrade-insecure-requests;"

# BEGIN WordPress
# The directives (lines) between `BEGIN WordPress` and `END WordPress` are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Step 4: Save and Celebrate!

Hit save, close the file, and head over to your website. Try typing your URL with http:// at the start. Notice how it automatically bounces you to the secure https:// version?

That’s it! You’ve just leveled up your site security in under five minutes. Grab a coffee – you’ve earned it.

ByThe WP Edit
Published

Leave a Reply

The WP Edit is a dedicated resource for WordPress builders, creators, and enthusiasts. We provide timely updates on core releases, essential plugin insights, and expert tutorials designed to help you build, optimise, and grow your digital presence. Independent, focused, and always community-driven.
Facebook Twitter Instagram Pinterest
©️ 2026 — The WP Edit. All Rights Reserved.