How do I force all connections to my website to use SSL?

If you have an SSL certificate for, and you have a website that requires a username and password to access any pages on the site, you may wish to make sure that all connections to your site always use SSL.

How do I force SSL connections for all pages?

Be sure your site has fully working SSL before doing this.

Before you try anything below, verify that your entire site works when you view it in a browser using https:// at the beginning of the URL, like If it doesn’t fully work like that, including showing a padlock icon in the address bar as well as showing all the images and content you expect, it won’t work if you force it using these instructions, either — in fact, following these instructions may make parts of your site not load at all.

See our page explaining how to fix SSL problems if you need it.

If you’re using WordPress, you should first log in to the WordPress dashboard, click Settings > General, and change both the “WordPress Address (URL)” and “Site Address (URL)” so that they begin with https:// (that is, add an s after “http” and before the colon). That will make WordPress “prefer” SSL. You can then use either the Really Simple SSL or WP Force SSL plugin to ensure that every visitor sees only SSL pages.

If you’re not using WordPress, or you want to do this without any plugins, you can add a redirect:

  1. Log in to the “My Account” control panel
  2. Click Redirections
  3. Click Add New Redirect
  4. Choose the option to Redirect non-SSL requests to SSL

Doing this also adds a Content-Security-Policy: upgrade-insecure-requests HTTP response header that tells browsers to try to convert non-SSL requests to SSL for all content they load from the current page. That helps modern web browsers use SSL for all your page resources, avoiding “partially secure” or “mixed content” warnings.

Can I also use “HSTS”?

An Internet standard called “HSTS” (HTTP Strict Transport Security) offers a way to force browsers to use SSL for future requests to the same site after they’ve been redirected once. Most sites don’t need it, but it can avoid some redirects and increase security by making sure browsers never try to request non-SSL pages on a site. The drawback is that if you move your site somewhere that doesn’t support SSL, browsers won’t be able to access it until the HSTS time expires.

The syntax to do this in a .htaccess file is:

<If "%{HTTPS} == 'on'">
 Header set Strict-Transport-Security "max-age=300"
</If>

You should start with a small number of seconds (as in the example above), then slowly increase it. The “Deployment Recommendations” section of Google’s HSTS preload page has more tips.

If you’re not comfortable editing .htaccess files, we’ll be glad to add this for you if you contact us.

Should I do anything more if I have a password protected directory?

If you’re trying to force SSL for a password protected directory, you might need to take an extra step. The reason is that if you use a normal redirect, it redirects visitors to the SSL version of the page only after the browser has already asked for the password insecurely.

The recommended way to make this secure is to use these two lines in a .htaccess file inside the password protected directory instead:

SSLRequireSSL
ErrorDocument 403 https://www.example.com/directory/

(Be sure to replace “directory” with the actual URL of the protected directory.)

This tip works because the “SSLRequireSSL” command forces the Apache Web server to generate a 403 error instead of requesting a password if the page is accessed without SSL. The second “ErrorDocument 403” line forces the error to be handled as a redirect to the secure “https” URL you specify.

You could limit this to an individual file using FilesMatch, like this:

<FilesMatch wp-login.php>
  SSLRequireSSL
  ErrorDocument 403 https://www.example.com/wp-login.php
</FilesMatch>
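
To check that the redirect, HSTS and password-protection settings described on this page behave as intended, the following added example (not part of the original page) audits a pair of responses for the same path, one fetched over http:// and one over https://. The function names, the sample responses, example.com and /private/ are constructed for illustration.

```python
from urllib.parse import urlsplit

def hsts_max_age(value):
    """Seconds from a Strict-Transport-Security value, or None if absent/invalid."""
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None

def audit(plain, secure):
    """plain/secure: (status, headers) for one path fetched over http:// and https://."""
    p_status, p = plain[0], {k.lower(): v for k, v in plain[1].items()}
    s = {k.lower(): v for k, v in secure[1].items()}
    csp = [d.strip().lower() for d in s.get("content-security-policy", "").split(";")]
    return {
        # A 401 over http means the password prompt came before any redirect.
        "password_prompt_over_http": p_status == 401 or "www-authenticate" in p,
        "redirects_to_https": 300 <= p_status < 400
            and urlsplit(p.get("location", "")).scheme == "https",
        # Browsers ignore HSTS received over plain HTTP, hence the <If> wrapper.
        "hsts_sent_over_http": "strict-transport-security" in p,
        "hsts_max_age": hsts_max_age(s.get("strict-transport-security")),
        "upgrade_insecure_requests": "upgrade-insecure-requests" in csp,
    }

# Constructed sample responses (example.com and /private/ are placeholders).
# BEFORE: protected directory without SSLRequireSSL; AFTER: with the two lines added.
BEFORE = ((401, {"WWW-Authenticate": 'Basic realm="Private"'}),
          (200, {}))
AFTER = ((302, {"Location": "https://example.com/private/"}),
         (200, {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "upgrade-insecure-requests"}))

if __name__ == "__main__":
    for label, pair in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(*pair))
```

To use it on a real site, capture the status and headers with any HTTP client that does not follow redirects and pass them to audit().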