Force HTTPS for your site


Following on the heals of our announcement that SSL certificates are now provisioned by default across all domains hosted with us, I’m sure the next logical question that comes to mind would be “How do I make sure people who access my site over http get sent to the https version?” The easiest way to accomplish this is going to be with the use of an .htaccess file. .htaccess files handle URL rewriting within your account. You may not even realize they’re there, but as an example when you install WordPress it setups an .htaccess file so that you get nice URLs instead of ones ending in .php. Here’s how to use this file to your advantage to make sure all visitors get the HTTPS version of your website.

First, just to doublecheck, make sure your website loads over The last thing you want is to add in rules and get stuck in redirect loops or have things error out so best to check now. If you get errors when trying to load the site over SSL feel free to open a support ticket so we can have a look.

Next login to cPanel and open the File Manager

We want to make sure you can view “hidden” files (see that period in .htaccess? That means it’s a file not normally seen in file browsers). To show hidden files click Settings in the top right and check the box here:

Next we want to navigate to the folder our site is located at. For most folks adjusting their main domain this is going to be public_html but if it’s a subdomain or addon domain it may be in a folder underneath public_html or in the root directory of your account. Select the folder for the install in the sidebar on the left and you’ll see the files for your site. If it’s WordPress or other software there’s a good chance that you already have an .htaccess file here you can edit. If not (for example if you built your site with Dreamweaver) you can create a new .htaccess file here. Either way we want to select the file and click the Code Editor button.

You’ll get a popup asking about encoding, just click Edit to proceed. Here we can start adding the code we need to force our visitors to get the HTTPS version of our website.

Add a new line to the top of the file and add the following code at the very top:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

The click Save Changes in the top right. Once saved this should be effective immediately so try visiting and ideally if everything went right your site should show up as

If you’re running WordPress I’ll also put in a plug for the plugin SSL Insecure Content Fixer which when used in combination with the above .htaccess rules will make sure not only the site loads over https but all images, CSS, and scripts (so you get that nice green icon). If you run into any issues with any of this feel free to leave a comment here or put in a support ticket with us!

Installing Free SSL Certificates
Security help - certificates

Could you explain how to “get that nice green icon” if I am not using Wordpress? I’m using Jekyll.

Ed H


Solved it. I had posts with links to other posts on my site. Those links had to be changed from http to https.

The hint was in the FAQ in the readme.txt file for the plugin you mentioned, which said

Q. "[what if] I get “insecure content” warnings from some of my content?

A. You are probably loading content (such as images) with a URL that starts with "http:


Glad to hear you found a fix! Although the example .htaccess code here includes some WordPress code for most apps it should still be reproduceable. In some cases you might have to add an .htaccess file if one doesn’t exist and then add the three lines to it to force https URLs. But every app is a bit different so glad to hear you were able to get it working.


This is nice, just did it for a DoOO institution setup and it works well. I am also using the plugin SSL Insecure Content Fixer to clean image URLs, etc. Is that the one you recommend?


Yep, that’s a great plugin for a quick fix. Long term if someone is really a masochist at heart they could do a search and replace in the database for and replace it with the https version which should work (I use this tool and like it).


This plugin is lightweight and works a treat Really Simple SSL — WordPress Plugins


So…after doing that edit, or when I go https://(my domain), it takes me to a completely different site. My site’s address ( shows up in the address bar, but it’s not my site at all. What’s going on there?


It looks like the cert hasn’t been installed for your site (it may be that the server hasn’t picked up on the domain yet, the cert installs happen on a daily cron but sometimes rate limits prevent it from grabbing every domain). Can you try installing the certificate by following the guide at Installing Free SSL Certificates and see if that works?


Thanks for trying to help. I tried getting the cert earlier, but tried again just now, and I get an error message saying too many cert are being assign to Reclaim Hosting right now. Do I just need to wait?


I was able to get it working. When the Let’s Encrypt plugin asks whether to include other domains you have to uncheck the URLs (those are development URLs and probably have hit rate limits with Let’s Encrypt’s service). Should be working now at


Ah! Thank you ever so much.


Tim, I must say… you are a master at tutorials!! I followed all the steps exactly as you described, and it was like magic!!! Thanks again! :slight_smile:


In my wordpress blog, I was able to force ssl by simply replacing by in the general settings in the wordpress panel itself. It worked.


Thanks for this tutorial! Worked like a charm.


@timmmmyboy There seems to be a strange conflict between this approach to forcing HTTPS and the installation of Python. After installing Python via the Setup Python App on cPanel, I found that many of my pages no longer work; instead, my browser just displays a cryptic message:

It works!

Python 3.5.3 

Sure looks like a success message coming from a some Python based web server. The problem specifically affects directory links with no index.html file - like a WordPress blog. It also appears when trying to open a non-existent page, rather than a 404 Not Found message.

Looking in my .htaccess file, I found the following bit of code that was evidently placed there by the Python installer:

PassengerAppRoot "/home/marksmat/python"
PassengerBaseURI "/"
PassengerPython "/home/marksmat/virtualenv/python/3.5/bin/python3.5"

Removing the code that was surrounded by the all caps DO NOT REMOVE warnings seems to have fixed the problem. :slight_smile: My webpages, command line Python, and CGI scripts written in Python all seem to work fine but, naturally, I do wonder if there will be a problem later.


If you’re running a WordPress blog at the root of your domain then you’d choose a different location for the Python App. The Passenger stuff gets added wherever the Base URL is specified in the app setup so if you choose the top level of the domain it will effect whatever is running there.


When installing both the blog and the Python App, I was asked where to place them. The python app is in ~/python - completely outside of my public_html directory so I don’t know why the .htaccess file in my ~/public_html file would have been changed. The wordpress blog is in ~/public_html/clopen and there is a separate .htaccess file in there. I did not setup a subdomain for it.



I recommend the Really Simple SSL plugin as well.