Skip to content
Security Terminal Required 9 min read

How to Redirect HTTP to HTTPS

Force HTTPS with Apache .htaccess, NGINX server blocks, cPanel redirects, or Cloudflare SSL settings—and verify with curl.

Serving your site over HTTPS protects credentials, improves SEO signals, and is required for modern browser features. After a valid SSL certificate is installed, redirect all HTTP requests to HTTPS so visitors and search engines always use the secure URL.

Prerequisites

  • A trusted certificate installed for the domain (Let’s Encrypt, commercial CA, or control panel AutoSSL).
  • HTTPS loads without certificate warnings in a browser.
  • WordPress siteurl and home options use https:// (or you are ready to update them after redirect works).

Certificate help: Let's Encrypt getting started.

Apache: .htaccess

On Apache with mod_rewrite enabled, add to the site’s .htaccess in the document root (above WordPress rules if present):

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Official reference: Apache mod_rewrite.

Tip: Use R=301 for permanent redirects so search engines transfer ranking signals to HTTPS URLs.

Apache: VirtualHost

At the vhost level (preferred on dedicated servers):

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

NGINX Redirect

In the port 80 server block:

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

See NGINX rewrite module.

Cloudflare and Proxies

If traffic passes through Cloudflare, enable Always Use HTTPS and consider Automatic HTTPS Rewrites. Avoid double redirects (edge + origin) by testing with curl:

curl -I http://example.com
Warning: Redirect loops occur when HTTP vhosts redirect to HTTPS but HTTPS vhosts redirect again, or when WordPress URL settings conflict with server rules. Fix one layer at a time.

WordPress URLs

Update addresses in Settings → General or via wp-cli:

wp option update home 'https://example.com' --path=/var/www/vhosts/example.com/httpdocs
wp option update siteurl 'https://example.com' --path=/var/www/vhosts/example.com/httpdocs

Database search-replace may be needed for hardcoded http:// links in content—use reputable tools and back up first. See WordPress migration guide.

HSTS (Optional)

After HTTPS is stable for all subdomains you control, consider HTTP Strict Transport Security:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

Only enable HSTS when you are certain HTTPS works everywhere; mistakes are painful to roll back.

Summary

Install SSL first, then enforce HTTPS with Apache RewriteRule or NGINX return 301, align WordPress URLs, and test with curl to avoid loops. SerVee IT servers with AutoSSL or managed certificates can combine panel SSL with origin redirects—support can verify vhost configuration if redirects fail.