How To Redirect HTTP To HTTPS With htaccess

On a site I run, we were occasionally having issues with the way plugins were redirecting HTTP requests to HTTPS.

We were trying to get the most speed out of the site and they were causing load on the database checking whether they should redirect.

We only had cPanel access, so I did it through .htaccess.

Pretty much every website now has an SSL certificate. There's no reason to do https to http redirects, so I've just covered the main scenarios you'll come across below.

If these don't work and you're using an Apache setup (if you're not sure, you're probably using Apache), you may not have the Apache mod_rewrite module installed and active.

How to redirect http to https in .htaccess

Edit the .htaccess file in cPanel or through FTP, edit the .htaccess file in the public_html folder. Add this code to the top:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

You can paste that directly, without changing anything.

If you don't see a file called .htaccess, you may need to turn "Show hidden files" on.

That will cause http://yourdomain.com to redirect to https://yourdomain.com and http://www.yourdomaincom to redirect to https://www.yourdomain.com. Any other subdomains will redirect similarly.

How this works

RewriteEngine On tells the server to process rewrite rules. You only need to specify it once in your .htaccess, before you use any rewrite rules.

Given you're putting this at the top of the document, you should leave it in here. Specifying it multiple times in .htaccess won't hurt your site.

RewriteCond %{HTTPS} off checks whether the request contains a https check. If it's off, it will trigger the rewrite rule below it. Think of RewriteCond as "if".

In some old code, you may have seen this line as RewriteCond %{SERVER_PORT} 80. That will often still work, but what if the server is configured differently to the usual? You want to know if the request contains https, so you should just check for that.

RewriteRule tells the browser to process the rest of the line if the condition above is satisfied.

^(.*)$ is a regular expression (also called regex) that means:

  • (.*) select everything
  • ^ from the start
  • $ to the finish

The period means any character. The asterisk means all of them. Technically no characters too, if there aren't any, but that's not important for here. If you see code on a forum that uses a + here, that does the same thing in this context.

The next part constructs the full URL from its parts. {HTTP_HOST} is the domain, with any subdomains. {REQUEST_URI} is any page and folder that the person is trying to navigate to.

The parts in the square brackets tell the browser what to do with the rule.

L means this is the last rule. So if the condition is fulfilled, go straight to the https page and don't process the rest of the .htaccess file.

R=301 means the server returns a "301 redirect", which is a permanent redirect.

Redirect http to https and non-www to www at the same time

If you don't have any subdomains and you want all visitors to be redirected to https://www.yourdomain.com, use this code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [L,R=301]

This will redirect everything to https://www.yourdomain.com.

Obviously change yourdomain.com to whatever your domain is.

This code is identical to what we did above, other than where it goes.

Instead of redirecting to https://%{HTTP_HOST}%{REQUEST_URI} it goes to https://www.yourdomain.com/$1 where you replace yourdomain.com with your domain.

The $1 is a reference to the "everything" that the regular expression grabbed.

For example, if someone goes to

http://bluebaskets.com/contact-us/

The "everything" is actually contact-us/

So it will redirect to https://www.bluebaskets.com/contact-us/

Redirect http to https and www to non-www at the same time

To use a https, non-www domain and redirect the www version to it as well as any visits to the http version put this code at the top of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} www\.yourdomain\.com
RewriteRule ^(.*)$ https://yourdomain.com/$1 [L,R=301]

In this code, we're testing for non-http as well as for www.

With [OR] at the end of the first RewriteCond, we're saying to redirect if either the URL entered is http:// or if includes www.yourdomain.com.

It will also run if both are present, but in reality, it will just see that it's http:// and jump to the RewriteRule line.

The reason we put \. instead of . in the RewriteCond line is because we want the period to be treated literally.

As we discussed above about the regular expression, the period means any character. By putting a backslash before the period each time we use it, we're telling the code we don't mean it in a regex way, we mean it in a literal period way.

Make sure to change yourdomain.com to whatever your domain is.

The benefit of doing it this way is that it will only send www.yourdomain.com visitors to yourdomain.com.

It's good for when you have other subdomains that you want to keep active.

Make sure you test whether http://subdomain.yourdomain.com redirects to https://subdomain.yourdomain.com. If it doesn't, you may need put a .htaccess file with the first redirect in this tutorial in the root folder for that subdomain.

Mike Haydon

Thanks for checking out my WordPress and coding tutorials. If you've found these tutorials useful, why not consider supporting my work?

Buy me a coffee

Leave a Comment