REDIRECT HTTP TO HTTPS WITH HTACCESS FILE | FORCE SSL

FORCE HTTPS/SSL

Today all websites must be configured to run traffic through SSL/HTTPS. If not configured correctly web browsers may show a warning in the address bar, warn visitors that a site is not secure or worse block visitors from visiting the website. There are many different reasons for a website to be considered not secure. The purpose of this tutorial is to fix one of the most common issues where visitors can visit both secure (https) and insecure (http) versions of a site. To resolve this we need to do what is referred as “Force HTTPS” by editing a server file named .htaccess

Recently I was asked to take a look at a friends website because he was getting a message in his browser that his blog was not secure. I have a fair bit of experience resolving these types of issues so I agreed to take a look.

There are various tools available to analyze website and browser security messages that pertain to SSL/HTTPS. The two I use most often are Why No Padlock and the developer tools built into Google’s Chrome browser. In this case  Why No Padlock was all I needed.


TESTING A WEBSITE FOR HTTPS and SSL SECURITY PROBLEMS

I entered my friends website home page into the Why No Padlock URL window and the website ran a string of tests. The results of the test pointed to three problems, two of which I could address and the 3rd would easily be handled by the webhost (Liquid Web) support team.

PROTOCOLS

You currently have TLSv1 enabled. This version of TLS is being phased out. This warning won’t break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.

This was resolved by Liquid Web through their help desk.

MIXED CONTENT

The mixed content was easy to fix. The mixed content was being generated from content being linked from other websites. That mixed content was in the form of banner advertisements. These banner ads had images that were not running over SSL. There was two easy fixes. The first was for ads that had a full path like http://bannerad.com/ad.jpg. I simply added an “s” to the http making the url https://bannerad.com/ad.jpg.

Mixed Content Error Examples

Mixed Content Error Examples

The other fix was was equally as easy just a little more time consuming. I saved the banner ad images and loaded them into the WordPress media library. I then updated the ads to the locally hosted images rather than those of the provider. This also helps with page speed and SEO. In general on all my websites that run banner advertisements if the source image is static (never changes) I always host the images myself.

FORCE HTTPS

The “Force HTTPS” message stated “Your webserver is not forcing the use of SSL. You may want to add a redirect to ensure a secure connection is used“. This basically means that if someone types http://andrewschur.com or http://www.andrewschur.com they will go to that non SSL/HTTPS version of my website. This means the resulting connection would be insecure. This is bad. The goal is to have ALL WEBSITE TRAFFIC routed over SSL/HTTPS https://andrewschur.com and https://www.andrewschur.com.

FORCE HTTPS MESSAGE

FORCE HTTPS MESSAGE

Fortunately forcing https will be very easy once I show you how to do it in the steps below.


HOW TO REDIRECT HTTP TO HTTPS WITH A .HTACCESS FILE

Forcing or redirecting http to https is simple and straight forward with the proper knowledge and tools. The goal is to modify a file in the root directory of your website. This file is named .htaccess. and we need to edit this file and add a few lines of code to it. Don’t worry you are just going to copy and paste the code I provided below or copy and paste from this text file.

FORCE HTTPS

Copy and paste the code below at the very end of your .htaccess file
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

 


HOW DO I EDIT A HTACCESS FILE?

There are multiple ways edit a .htaccess file. I recommend any one of the following methods.

  1. Edit the .htaccess file directly in an FTP client. I suggest Filezilla
  2. Download the .htaccess file to your computer with an FTP client and edit with notepad, then upload
  3. Edit the .htaccess file in Adobe Dreamweaver. This is my prefered method because it is the fastest and easiest method.
  4. Use the cPanel File Manager at your webhost

Important: Always create a backup copy of your .htaccess file in case something goes wrong. 


EDIT THE .htaccess FILE DIRECTLY IN A FTP CLIENT – Filezilla

Edit htaccess File In Filezilla Ftp

Edit htaccess File In Filezilla Ftp

picture of the htaccess file being edited in Notepad

Edit the htaccess file in Notepad

  1. Open Filezilla and select File > Site Manager > Connect to connect to your website.
  2. In the right pane Remote Site click the directory (public_html or www) to expand the files in the pane below.
  3. Right click the .htaccess file and select View/Edit to edit the file in Notepad.
  4. Paste the redirect code above the existing content and save the file.
  5. When closing the file you will be prompted to upload the modified or changed file. You need to do this for the changes to work

DOWNLOAD THE .htaccess FILE WITH AN FTP CLIENT AND EDIT ON YOUR COMPUTER

  1. Open Filezilla and select File > Site Manager > Connect to connect to your website.
  2. In the right pane Remote Site click the directory (public_html or www) to expand the files in the pane below.
  3. Right click the .htaccess file and select Download to save and edit the file on your computer.
  4. Browse to the location where the .htaccess file was saved.
  5. Double click the file to open it. When prompted for a program to open the file with choose Notepad.
  6. Paste the redirect code above the existing content and save the file.
  7. In Filezilla, bottom left Local Files pane, right click the edited file and upload the modified file. If prompted to overwrite the existing file choose yes.

EDIT THE .htaccess FILE IN ADOBE DREAMWEAVER

Example of Forced HTTPS In WordPress htaccess File

Example of Forced HTTPS In WordPress htaccess File

  1. Open Adobe Dreamweaver.
  2. In the Files pane select the website that needs the .htaccess file modified.
  3. Switch to the Remote Server.
  4. Right click the .htaccess file and select GET to download the file to your computer.
  5. Switch from Remote Server to Local View.
  6. Right click the .htaccess file and select Edit > Duplicate to create a backup copy of the file.
  7. Right click the .htaccess file and select Edit or Double Click to edit the file.
  8. Paste the redirect code above the existing content.
  9. File > Save to save the file.
  10. Right click Put or Site > Put to upload the modified .htaccess file. If prompted to include related files select no.

EDIT THE .htaccess FILE WITH THE cPanel FILE MANAGER AT YOUR WEBHOST

  1. Log in to cPanel.
  2. In the Files section, click on the File Manager icon.
  3. Select the Web Root directory (public_html or www) for the most direct route to your files.
  4. Be sure the Show hidden files(dotfiles) box is checked.
  5. Click the GO button to continue.
  6. Click and highlight the .htaccess file.
  7. Choose the code editor from the top toolbar: Code Edit allows the user to edit a document as code and will give line numbers down the side of the editor.
  8. Click Edit from the pop-up window to open the editor in a new window.
  9. Paste the force https redirect code at the top of your .htaccess file. Important make sure the code is outside of other code like WordPress.
  10. Click Save Changes once you are done editing your document.

ADDITIONAL RESOURCES

Different server environments and different redirect needs means there are additional types of redirects. My article above is based on a Liquid Web hosted server. If the article above doesn’t exactly fit your needs visit the links below.

Cpanel Information:

5/5 (1 Review)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.