1

I can't get my .htaccess file to work to force HTTPS traffic

Site structure that I see if I ftp to my hosting provider:

/
  domains
    mydomainname.com
      public_html
        blog
  • The files for my site start in public_html (index.html etc)
  • I have a WordPress installation in blog
  • Wordpress settings have been set to https: (General settings mention https://www.mydomainname.com/blog as the Wordpress URL).
  • SSL certificate is working fine if I go to the domain
  • Initially there was only a .htaccess in blog, containing:

# BEGIN WordPress

RewriteEngine On
RewriteBase /blog/
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]

# END WordPress

All kinds of tutorials I see mention that I should add this to the start of .htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mydomainname.com/$1 [R,L]

.. and that I should place this file 'in the root of my site'.

If I have no (other) .htaccess file:

  • I can browse go to https://www.mydomainname.com, follow links into the WP blog and browse around there, all https:
  • If I go to http://www.mydomainname.com, follow links into the WP blog, these will turn into https:

If I place a modified htaccess in several locations I get issues like (depending on what .htaccess contents/locations I'm trying):

  • If I go to www.mydomainname.com it redirects to https://www.mydomainname.com and I get "Server not found"; or:
  • No forcing from http: to https:

Questions:

  • Should the .htaccess be placed in mydomainname.com or public_html (i.e. which folder is that famous 'root of my site')? I have tried both.
  • Must it also be placed in blog? If so, do they need to be identical?
  • What are the proper contents of the .htaccess file(s)?

I have tried all kinds of variations, but can't get it to work - obviously not the right variation yet.

FWIW: I assume my hosting provider uses Apache. I have no control over its configuration.

Improve this question
6
  • Do you keep in mind that some browsers cache the webpage, and as such the .htaccess may not redirect properly? Chrome is particularly crazy about this. Shift-F5 should do a force reload, but sometimes even that doesn't work and you really have to clear the cache through the chrome menu. I've been stumbed getting the exact same to work and when I tried it in a different browser and it all worked, it finally hit me that it was the cache that played tricks on me.
    – LPChip
    Commented Aug 1, 2017 at 19:59
  • Another unfortunate possibility is that your provider might not allow .htaccess, or might not allow all possible features. This is especially true with shared hosting, where multiple customer's websites are hosted on the same server.
    – jpaugh
    Commented Aug 1, 2017 at 20:17
  • @LPChip I restart the browser (and I wait)
    – Jan Doggen
    Commented Aug 1, 2017 at 21:35
  • @jpaugh My provider allows htaccess. One of their support pages mentions those three lines and the phrase 'in the main folder of your website'
    – Jan Doggen
    Commented Aug 1, 2017 at 21:36
  • @JanDoggen Restarting the browser is not enough to clear the cache. Shift+F5 should do so; you might also try using another browser, which you usually don't use; or, you could try clearing the cache. Here's an app that does so conveniently. Disclaimer: never used it.
    – jpaugh
    Commented Aug 1, 2017 at 22:47

2 Answers 2

Reset to default
2
+50

I would argue you should put your new .htaccess file in public_html folder.

Try the following with mod_rewrite in your .htaccess file

RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf or .htaccess context

These three lines also have to be added to the .htaccess file in the blog folder, modifying the RewriteRule to reflect that subfolder:

RewriteRule ^/?(.*) https://%{SERVER_NAME}/blog/$1 [R,L]

It might be also useful to apply mod_ssl to force SSL with the SSLRequireSSL Directive:

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL. Keep in mind that this will not do a redirect to https by itself.

Improve this answer
2
  • This is basically it. I have added what also needs to be done to the .htaccess file in the blog subfolder
    – Jan Doggen
    Commented Aug 7, 2017 at 18:41
  • Can you past your htaccess file from your blog directory please?
    – iamsmug
    Commented Jun 20, 2019 at 15:26
0

This is a summary of the article Force HTTPS On All Pages Of Your WordPress Site describing how to make an entire WordPress blog secure via HTTPS.

  1. Force SSL for administrator and sign in pages
    Add the following line to the wp-config.php file at the root of your WordPress directory:
    define('FORCE_SSL_ADMIN', true);

  2. Set https in Settings
    In your WordPress administrator dashboard, go to Settings -> General and change both URLs to have https:// rather than http://:
    enter image description here

  3. Update .htaccess
    Add rewrite rules in the .htaccess file found at the root of the WordPress application:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

Two lines were added saying that if the current port isn’t 443, then rewrite the URL to use HTTPS with a 301 redirect:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  1. Empty all caches for your application
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .