How do I Force my Website to use SSL?
From time to time we are asked how you can force your website visitors to view your website over https. For example, if a visitor access http://domain.com, you can force them to https://domain.com so that they are always using the SSL certificate.
NOTE:For SSL certificates on WordPress you should consider a SSL plugin to force content to HTTPS such as Really Simple SSL instead.
The following instructions gives you code to add to an .htaccess file. If your .htaccess file has existing code, then you shoud place the following code examples above the existing code of your .htaccess file so that the newly added code is executed first.
How to force your visitors to use your Dedicated SSL certificate
If you try to setup a Dedicated SSL redirect using the same steps above, cPanel will fail with an error message, similar to:
Redirecting to https://www.example.com/ will cause a redirection loop because 'http://example.com/'
which is located at /home/whhsup5/public_html/
is above 'https://www.example.com/'
which is located at /home/whhsup5/public_html/
The following changes to the .htaccess file will require that you make use of the edit options available within the cPanel. You will need to edit the .htaccess file to force the re-direct. Depending on your situation, you may need to re-direct all website traffic, only a specific domain, or a folder to use HTTPS.
Redirect All Web Traffic
To force all web traffic to use HTTPS, insert the following lines of code in the .htaccess file in your website's root folder.
NOTE: If you have existing code in your .htaccess, add this above where there are already rules with a similar starting prefix.
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Redirect Only Specified Domain
To force a specific domain to use HTTPS, use the following lines of code in the .htaccess file in your website's root folder:
NOTE: If you have existing code in your .htaccess, add this above where there are already rules with a similar starting prefix.
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
Make sure to replace example\.com with the domain name you're trying force to https. Additionally, you need to replace www.example.com with your actual domain name.
Redirect Specified Folder
If you want to force SSL on a specific folder, insert the code below into a .htaccess file placed in that specific folder:
NOTE: If you have existing code in your .htaccess, add this above where there are already rules with a similar starting prefix.
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} folder
RewriteRule ^(.*)$ https://www.example.com/folder/$1 [R=301,L]
Make sure you change the folder reference to the actual folder name. Then be sure to replace www.example.com/folder with your actual domain name and folder you want to force the SSL on.
How to force your visitors to use your Shared SSL Certificate
To force your visitors to use your Shared SSL certificate:
- log into your cPanel and access the redirects section
- Set Type to Permanent (301)
- Next to http://(www.)? choose the domain name you are working with
- Next to redirects to, enter your website's url using the Shared SSL Certificate
- We recommend having Redirect with or without www. selected, so that the user will be forced to use SSL whether they use domain.com or www.domain.com
- Ensure Wild Card Redirect is selected
- Click Add
When testing, we were redirecting example.com to https://secure21.webhostinghub.com/~whhsup5/
You can see below how the rewrite was setup before we clicked "Add"
When you save this redirect, cPanel actually sets up the redirect by editing your .htaccess file. You don't need to do anything further from here (other than test). If you were actually looking for the .htaccess code to perform this type of redirect, cPanel added the following code to the .htaccess file:
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com$ [OR]
RewriteCond %{HTTP_HOST} ^www.example.com$
RewriteRule ^(.*)$ "https\:\/\/secure21\.webhostinghub\.com\/\~whhsup5\/$1" [R=301,L]
If you need further assistance please feel free to ask a question on our support center website.
Did you find this article helpful?
Tweet
Comments
n/a Points
|
2018-01-23 8:32 am
The article says “use the following lines of code in the .htaccess file in your website's root folder”. I wish I knew which folder is the root folder. And I assume the .htaccess will need to be created since I didn't find it anywhere. I was at my /home/sitename folder and tried to create it there but I could not see it.
|
Staff 1,348 Points
|
2018-01-23 5:34 pm
By default, the website document root is the public_html directory, but for subdomains and addon domain it will be the subdirectory for that domain. This can be changed in the domain settings in cPanel.
|
n/a Points
|
2018-02-22 7:22 pm
The .htaccess file is in your cpanel ,public_html root directory.t the file |
n/a Points
|
2018-03-07 5:12 am
Hi, I am confused - any help would be appreciated. My http website sits on a shared server with shared SSL Certificate and uses Cpanel. I keep reading that there all sorts of steps involved in migrating a site from http to https including rebuilding all the pages and all its resources as a totally new site with https instead of http and 301 redirecting all the old pages to the new ones etc. Does this article mean none of that is necessary now? I simply perform the 7 steps in the article and my existing http site will appear as an https site to any visitors? |
Staff 17,314 Points
|
2018-03-07 7:40 pm
Hello Tim,
We recommend that you use either a free or dedicated SSL certificate for your website. The article above references using a shared SSL but it is not preferred as it does not use your actual domain name. The Free SSL option is new. For more information on a Free SSL, please see this article. There are links in the article that will help you get a free SSL if that is recommended over using a Dedicated SSL. The Shared SSL is still available on the shared server, but it is not recommended over the Free SSL. The main reason is that since the shared SSL does not use your domain name, then it will not be recognized for search purposes. Search engines such as Google are beginning to recommend using SSL if your site is accepting or transmitting user data. They currently flag sites that do not, so it is in your best interest to make sure that you're using https for your site URLs where needed. |
n/a Points
|
2018-08-22 7:48 pm
Hi. I'm having some issues. Maybe you can help. I added the code under 'Forcing a specific domain to use HTTPS' and the site doesn't load at all. It errors saying the page was reloaded too many times. I assume it's causing a loop? The code I currently have in the .htaccess folder is: RewriteOptions inherit <IfModule mod_suphp.c> #suPHP_ConfigPath /home/alexaoe8/public_html </IfModule>
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule>
# END WordPress All I am trying to do is force 'http://alexanders.com' to 'https://alexanders.com'. Thank you! |
|
Staff 17,314 Points
|
2018-08-22 10:44 pm
My recommendation is that you remove the added code first and then see if it makes a difference. If the error is happening when you add the code (that is a default WordPress entry above), then you will need to look to see if ANOTHER .htaccess file is causing the problem. If your website folder is underneath under, then it is possible that you have an .htaccess file above yours that is causing conflicts. Also, remember that .htaccess entries are processed from the top down. Therefore if you have anything in front of the entry, then the conflict may be occurring in that .htaccess file. You will need to simplify and then add items one-by-one to narrow down the cause of the issue.
|
n/a Points
|
2018-09-06 2:23 am
This thread was really helpful. Thanks to all. |
n/a Points
|
2018-10-06 2:10 am
Actually htaccess is only for Apache, not Nginx. And if you migrate your website can lost the htaccess rules. You can use the plugin like Force HTTPS (SSL Redirect & Fix Insecure Content). |
n/a Points
|
2019-04-28 11:09 pm
The article came handy when i was almost giving up. Thanks guys
|
n/a Points
|
2019-05-08 9:43 am
Thanks this helped me all lot. |
n/a Points
|
2019-07-23 6:06 am
I followed the instructions to force use of a shared SSL certificate and it worked perfectly for me. Thanks! |
Help Center Login
Related Questions
Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
We value your feedback!
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
new! - Enter your name and email address above and we will post your feedback in the comments on this page!