How To Force Apache to Use HTTPS (Includes WordPress)

Why Force Apache To Use HTTPS

Just setting up SSL certificates for HTTPS is not enough. All requests must use the https protocol. This includes all web traffic like

  • WordPress and WordPress Admin
  • MediaWiki
  • Bugtrackers like Bugzilla
  • Project Tools like @task and dot project
  • Version Tools like Subversion
  • Database Explorers like PhpMyAdmin
  • Tomcat through Port 8080

To configure Apache to ALWAYS use https – avoid changing the .htaccess file.

Do Not Use .htaccess

This method is outdated because you have to create one in every directory top for all the tools above. It slows down every request because Apache must check for all the .htaccess in every directory. Services now tend not to use directory based files. For example Subversion does not have a “directory” – it serves content dynamically.

So .htaccess will not work for Subversion and many other modern tools.

How to Force Apache To Use HTTPS

Paste the below code into the /etc/apache2/apache2.conf file. Restart Apache with sudo service apache2 restart and job done.


# | ## ################################################# ## |
# | -- ------------------------------------------------- -- |
# | -- Force All HTTP Requests to permanently use HTTPS  -- |
# | -- ------------------------------------------------- -- |
# | ## ################################################# ## |

<VirtualHost *:80>
     ServerName build-business-websites.co.uk
     Redirect permanent / https://www.build-business-websites.co.uk/
</VirtualHost>


HTTPS is Faster than HTTP

Many think that pages are served slower through HTTPS. This is usually not true. HTTP has no compression capability. HTTPS does so wordy pages and stylesheets get compressed with positive effects on network transfer time.

If your content is rich in multi-media then the benefit is less because the media is already compressed.

More SSL and HTTPS Information

Certificate Is Invalid Error

If you don’t have (or haven’t correctly installed) a signed SSL certificate then your users will receive a nasty message telling them not to visit the site. Not good. This is how to go about generating an SSL certificate, understanding the business of certificate authorities and installing an SSL certificate.

WordPress Admin Security Holes

But note that if you are using WordPress admin over http you are asking for trouble. WordPress is severely attacked and all HTTP sessions are pumped for data – your admin password will soon fall into the hands of hackers.

With WordPress Admin used only by you and your inner circle – bite the bullet of the discouraging browsers and use HTTPS anyway until your new signed certificate arrives.

Leave a Reply

Your email address will not be published. Required fields are marked *