If your site still serves some pages over HTTP, browsers will flag it as “Not Secure.” Search engines prefer the HTTPS version. And any form data sent over HTTP — passwords, emails, payment info — travels unencrypted.
Most hosting providers now include free SSL certificates. But having a certificate installed doesn’t mean your site uses HTTPS everywhere. You need to force HTTPS on your WordPress site to make the switch complete.
What Does Forcing HTTPS Actually Involve?
It’s more than just changing your site URL in Settings → General. Properly forcing HTTPS requires four things:
1. Redirect All HTTP Traffic to HTTPS
Every HTTP request should return a 301 permanent redirect to the HTTPS version of the same URL. This tells browsers and search engines that the move is permanent.
2. Secure the Admin and Login Pages
wp-admin and wp-login.php handle passwords and session cookies. These must be served over HTTPS to prevent credential interception.
3. Fix Mixed Content
Mixed content happens when an HTTPS page loads resources (images, scripts, stylesheets) via HTTP. Browsers show warnings or block the resources entirely. Every internal URL needs to use HTTPS.
4. Send HSTS Headers
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain. Once a browser has seen the HSTS header, it won’t even attempt an HTTP connection on later visits: it upgrades the request to HTTPS automatically before it is sent.
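One way to verify the redirect, HSTS and mixed-content requirements above is to audit recorded responses, shown here as an added Python example that is not code from the original page or from Blaminhor Essentials. The function names, the one-year minimum max-age and the sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Tags whose src/href is fetched as a page resource; plain <a href> links are not mixed content.
HTTP_RESOURCE = re.compile(
    r'<(?:img|script|iframe|source|audio|video)\b[^>]*\bsrc=["\'](http://[^"\']+)'
    r'|<link\b[^>]*\bhref=["\'](http://[^"\']+)', re.I)

def check_redirect(request_url, status, headers):
    """An HTTP request must get a 301 to the same host, path and query over HTTPS."""
    src, dst = urlsplit(request_url), urlsplit(headers.get("location", ""))
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    elif (dst.hostname, dst.path, dst.query) != (src.hostname, src.path, src.query):
        problems.append("redirect does not keep the same URL")
    return problems

def check_hsts(headers, min_age=31536000):
    """Headers of an HTTPS response; min_age defaults to 1 year in seconds (assumed threshold)."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    if not match:
        return ["HSTS header has no max-age"]
    if int(match.group(1)) < min_age:
        return [f"HSTS max-age {match.group(1)} is below {min_age}"]
    return []

def find_mixed_content(html):
    """Return every resource URL the page would load over plain HTTP."""
    return [src or href for src, href in HTTP_RESOURCE.findall(html)]

def audit(redirect, page_headers, html):
    url, status, headers = redirect
    return (check_redirect(url, status, headers) + check_hsts(page_headers)
            + [f"mixed content: {u}" for u in find_mixed_content(html)])

# Constructed sample data (not captured from a real site); header names are lower-cased.
SAMPLE_REDIRECT = ("http://example.com/wp-login.php?x=1", 302, {"location": "https://example.com/"})
SAMPLE_HEADERS = {"strict-transport-security": "max-age=300"}
SAMPLE_HTML = ('<a href="http://other.example/">link</a><img src="http://example.com/logo.png">'
               '<link rel="stylesheet" href="https://example.com/style.css">')

if __name__ == "__main__":
    for problem in audit(SAMPLE_REDIRECT, SAMPLE_HEADERS, SAMPLE_HTML):
        print(problem)
```

The sample data fails every check on purpose: a 302 that drops the path, a five-minute max-age, and one image loaded over HTTP, while the ordinary outbound link is correctly ignored.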
How to Force HTTPS in WordPress
Activate the HTTPS Redirect module in Blaminhor Essentials. The module is disabled by default with a clear warning — because forcing HTTPS on a site without a valid SSL certificate will lock you out.
Once activated, configure:
- Automatic redirect — All HTTP traffic is 301-redirected to HTTPS.
- Admin and login — Force HTTPS on wp-admin and wp-login.php.
- Mixed content fix — Optionally rewrite HTTP URLs in the page output to HTTPS.
- HSTS — Enable the Strict-Transport-Security header with a configurable max-age (e.g., 1 year).
Important: Check Your SSL Certificate First
Before enabling this module, make absolutely sure your SSL certificate is properly installed and working. Visit your site with https:// manually. If you see any certificate errors, do not activate the module — it will make your site unreachable.
Most hosting providers (SiteGround, Cloudways, DigitalOcean, etc.) offer free Let’s Encrypt certificates that auto-renew. If yours is set up correctly, forcing HTTPS is safe and straightforward.
The Result
Every page, every resource, every request — all served over an encrypted connection. Browsers show the padlock icon. Search engines reward you. And your visitors’ data is protected.
Included in Blaminhor Essentials, available free on WordPress.org.