WordPress SSL htaccess code – Rewrite SSL, RewriteCond Server Port


Viewing 15 posts - 1 through 15 (of 124 total)
  • #1712
    AITpro Admin
    Keymaster

    UPDATE: HTTPS/SSL htaccess Rewrite code with step by step Custom Code instructions:  http://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

    Email Question:
    I have used it before it’s ok I know what I have to do, but I am not sure if it’s ok for BPS… But the question now is, where can I place this code in the root htaccess file without interrupting the BPS protection functions… ?? At the bottom of the htaccess file. At the top of the htaccess file. Middle of the htaccess file between some lines in htaccess file. Where? BPS is installed and running just fine, the htaccess is locked as well etc… But I need the code above in the root access in order to redirect entire domain to an httpS …

    Here is the code that has to be placed in the .htaccess file in the site root:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://mysite.com/wp-login$1 [R,L]
    #1713
    AITpro Admin
    Keymaster

    UPDATE: HTTPS/SSL htaccess Rewrite code with step by step Custom Code instructions:  http://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

    Logically I believe you are going to do either one of these root .htaccess file modifications. Let me know which one works.

    Find this code in your root .htaccess file…

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]

    …and change it to this…

    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://mysite.com/wp-login$1 [R,L]
    RewriteRule ^index\.php$ - [L]

    …or next try this…

    Find this code in your root .htaccess file…

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    …and change it to this…

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://mysite.com/wp-login$1 [R,L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    Reference:  http://codex.wordpress.org/Administration_Over_SSL

    #1737
    Amel
    Participant

    Hi again, I have now tested the first option and it works like a charm! Find this code in your root .htaccess file…

    RewriteEngine On 
    RewriteBase / 
    RewriteRule ^index\.php$ - [L]
    

    …and change it to this…

    RewriteEngine On 
    RewriteBase / 
    RewriteCond %{SERVER_PORT} 80 
    RewriteRule ^(.*)$ https://mysite.com/wp-login$1 [R,L] 
    RewriteRule ^index\.php$ - [L]
    

    For those who will force/use httpS for entire WordPress web site, do the following:
    1. log on to WP Dashboard and go to “Settings” – “General”
    2. locate the “WordPress Address (URL)” and “Site Address (URL)”
    3. and in both of these fields type https://yourwebsite.com
    4. then locate the htaccess file in the web site root and make the changes mentioned above
    For those who will use httpS for certain pages in WordPress, do the following:
    1. leave the default WordPress installation as it is, also verify that You have only http://yourwebsite.com in WP “Settings” – “General”
    2. then download, install and activate this plugin: http://wordpress.org/extend/plugins/wordpress-https/screenshots/
    3. You’re done, read the plugin instructions for use.
    Best regards Amel

    #4582
    AITpro Admin
    Keymaster

    Email Question:

    Hi,
    on [websiteA domain name removed for privacy] my problem was selfmade, I installed the certificate for [websiteB domain name removed for privacy] by mistake. 🙂

    Now on [websiteB domain name removed for privacy] everything runs fine.
    It is a wordpress multisite installed in htdocs/
    see screener.

    I now have a small other problem, because I have had the folder htdocs/dex/SEVERALSUBFOLDERS
    where SEVERALSUBFOLDERS means, they only contain site designs, meaning an index.html with css inside and an image which shows our PSD design for a client.
    So that they can give me feedback.

    The ssl installation made the sites unavailable under [websiteB domain name removed for privacy]/dex/cemay (for example, while the wordpress in [websiteB domain name removed for privacy] reacts on it and shows a 404) but available they are with [websiteB domain name removed for privacy]/dex/cemay
    Because many people have the links to only http, I would like to add a redirect in a htaccess in the folder(s)…

    Do I have to add anything like this :

    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
    RewriteEngine On
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

    into a htaccess?
    Or which would be the best solution? I got it from here: http://serverfault.com/questions/116206/how-do-i-use-htaccess-to-always-redirect-from-http-to-https

    and would I need to only add one htaccess to htdocs/dex “root” folder or to each and any of the folders containing the site designs?
    like to htdocs/dex/cemay
    htdocs/dex/walther
    etc.

    Can I add a htaccess only to htdocs/dex ??
    Appreciate any hint you got.
    Got this htaccess right now before installing BPS pro:

    # BEGIN WordPress
    
    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://[websiteB domain name removed for privacy]/wp-login$1 [R,L]
    RewriteRule ^index\.php$ - [L]
    
    # add a trailing slash to /wp-admin
    RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
    RewriteRule ^(.*\.php)$ $1 [L]
    RewriteRule . index.php [L]
    
    # END WordPress

    As far as I can see, this redirects already correctly but NOT leaving out the htdocs/dex…
    of course.
    But how could I leave the /dex out?

    #4584
    AITpro Admin
    Keymaster

    Yes, you can add an .htaccess file in the dex folder or any other folder and the .htaccess rules in that .htaccess file will be followed in that folder and not the parent .htaccess file rules from the parent folder.  .htaccess files are hierarchical/recursive.

    #4695
    Andre
    Participant

    So, recursive in this case means: The sub folders will follow their parent folders’  htaccess AS LONG as the subfolder contains NO own htaccess ? Did I get You right? Andre

    #4698
    AITpro Admin
    Keymaster

    Yes, you are correct.

    Example:  You have 3 websites under a Hosting Account.  1 is installed in the website root folder and has an .htaccess file.  1 is installed in a folder called WebsiteA.  1 is installed in a folder called WebsiteB.

    The folder structure (and URL structure) is this.

    /
    /WebsiteA
    /WebsiteB

    WebsiteB has a problem with a security rule in the .htaccess file in the root folder and something is not working correctly on that site.  WebsiteA works fine with all the security rules in the website root folder (parent folder).

    To solve this problem you add an .htaccess file in the /WebsiteB folder that has security rules modified so that everything works correctly on that site.  The root website and WebsiteA are following the security rules in the root website folder and WebsiteB is following its own .htaccess file security rules in its own folder.

    Now with that said, the best practice is for each website to have its own .htaccess file.  So WebsiteA should also have its own .htaccess file even if it is a duplicate of the website root folder .htaccess file.

    #6689
    AITpro Admin
    Keymaster

    Email Question:

    I would like to secure the uploads folder and recursively all folders beneath over SSL.

    I just need a place to save images under SSL for creating a paypal site for the client.
    They recommend to host the logo for the paypal page on SSL, that's my intention. Not really making anything more secure.

    the StartSSL free cert is already installed and with the plugin WordPress https running for admin panel and ONE page only.
    We only need it to run on the page where a form is, where people also can upload anything.

    Don't want to cover the whole website, that's why I wondered if I can only SSL inside folder uploads and recursive

    #6690
    AITpro Admin
    Keymaster

    UPDATE: HTTPS/SSL htaccess Rewrite code with step by step Custom Code instructions:  http://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

    From the .htaccess master himself jdMorgan…
    Source:  http://www.webmasterworld.com/apache/3516509.htm

    This is the original AskApache code below (that was being discussed on the webmasterworld.com site) from the AskApache website without any modifications…
    Source:  http://www.askapache.com/htaccess/http-https-rewriterule-redirect.html

    RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
    RewriteRule ^(.*)$ - [env=askapache:%2]
    
    # redirect urls with index.html to folder
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+/)*index.html HTTP/
    RewriteRule ^(([^/]+/)*)index.html$ http%{ENV:askapache}://%{HTTP_HOST}/$1 [R=301,L]
    
    # change // to /
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)//(.*) HTTP/ [NC]
    RewriteRule ^.*$ http%{ENV:askapache}://%{HTTP_HOST}/%1/%2 [R=301,L]

    So using the code to build from I would need to know what folders, files and URL’s would be involved in order to give you the exact code that you are looking for.

    #6935
    Andre
    Participant

    Hi,
    sorry for late reply. For my instance I would need the standard uploads folder.

    Cheers. And thanks in advance.
    andre

    #6941
    AITpro Admin
    Keymaster

    I think the better approach structure-wise and design-wise is to contain all files that are going to need SSL in the same directory/folder.  I can see many different problems will occur if you do not take that approach.  From a website design/development standpoint it is the correct/appropriate and smart way to do this.

    So if it were me I would create a WordPress custom template and then add image files directly to that custom template.  Inside your theme folder you would create a new image folder.  Example:  /images-ssl.

    And what I believe will happen is that you will not need to do anything to the images-ssl folder, but I could be wrong.  Logically if you embed URLS using img tags in your custom template with an HTTPS prefix pointing to the image files then maybe you would not have to do anything else to that folder.

    #6951
    Andre
    Participant

    Interesting.

    Could become very complicated cause we use vastly comprehensive theme framework.
    I found on a short research this link: http://www.sslpic.com/
    Came to my mind, that there might be free hosting for such a purpose of having a paypal custom image secure.

    EDIT: Or even better cause it most probably won't be taken down is dropbox. It is explained here: http://clicknathan.com/2012/04/11/how-to-host-secure-https-images-for-your-paypal-custom-page-styles/

    Sorry, that a research like this hadn't come to my mind earlier.

    #6953
    Andre
    Participant

    BTW, a simple question:

    When I have my site running with www. subdomain, then I should use this code

    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://mysite.com/wp-login$1 [R,L]
    RewriteRule ^index\.php$ - [L]

    accordingly like this:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://www.mysite.com/wp-login$1 [R,L]
    RewriteRule ^index\.php$ - [L]

    correct?

    #6968
    AITpro Admin
    Keymaster

    Yes, you would add the URL that you want to rewrite to.  If you want to rewrite to non-www then add a non-www URL.  If you want to rewrite to www then add a www URL.

    #7233
    AITpro Admin
    Keymaster

    If you have a valid SSL Certificate and you want to make your entire website SSL/HTTPS and have all (old or new) http URL’s redirect to https.  SSL adds additional protection for your website and SSL will significantly improve website performance.

    WordPress General Settings:
    WordPress Address (URL)    https://www.your-domain-name.com
    Site Address (URL)                https://www.your-domain-name.com

    Important Note:  If you have BPS Pro installed then you will need to request a new BPS Pro Activation Key for your website after you have changed your WordPress General Settings.  The BPS Pro Activation page is located under the BPS Pro > Setup Menu > Activation Submenu.

    1. Copy whichever .htaccess SSL/HTTPS code below (there are 3 different variations depending on what you would like to do)  that you want to use to this BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START.
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

    Note:  If your WordPress installation is in a subfolder then add the correct RewriteBase for your particular website/WordPress installation folder name. If your WordPress installation is in a folder named “my-site”:  example.com/my-site/  Your RewriteBase would be:  RewriteBase /my-site/
    If you are not sure what your RewriteBase code is then look at your existing BPS Root htaccess file code on the htaccess File Editor page > Your Current Root htaccess File tab.

    Note:  This new htaccess code was created/added in WordPress 5.6: RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]. This new htaccess code is supposed to prevent problems with Basic Auth when using the WP REST API.

    Important Note for Network|Multisite site types only: If you have a Network|Multisite site type then you should copy all of the additional lines of htaccess code under the # WP REWRITE LOOP START section of code in your Root htaccess file and then edit that code and add the HTTPS/SSL lines of htaccess code shown in the examples below. There are several different variations of the default Network|Multisite htaccess code. You can find general examples here, but do not use the htaccess code on the wordpress.org site and use your actual htaccess code in your Root htaccess file: https://codex.wordpress.org/Multisite_Network_Administration#.htaccess_and_Mod_Rewrite

    Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL)

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL) & www to non-www
    Important Note: Use the Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL) code above first before trying to use this code. Logically if you have changed your WordPress General settings then the Rewrite from www to non-www should happen automatically. Only use this code if the code above is not working.

    # WP REWRITE LOOP START
    # Rewrite|Redirect http to https|SSL & www to non-www
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteCond %{HTTP_HOST} ^www\.domainname\.com$ [NC]
    # Redirect to the bare domain explicitly; %{HTTP_HOST} would keep the www. matched above
    RewriteRule (.*) https://domainname.com%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    or

    # WP REWRITE LOOP START
    # Rewrite|Redirect http to https|SSL & www to non-www
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://example.com%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL) & non-www to www
    Important Note: Use the Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL) code above first before trying to use this code. Logically if you have changed your WordPress General settings then the Rewrite from non-www to www should happen automatically. Only use this code if the code above is not working.

    # WP REWRITE LOOP START
    # Rewrite|Redirect http to https|SSL & non-www to www
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteCond %{HTTP_HOST} ^domainname\.com$ [NC]
    RewriteRule (.*) https://www.domainname.com%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    or

    # WP REWRITE LOOP START
    # Rewrite|Redirect http to https|SSL & non-www to www
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://www.domainname.com%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    Subdomain site on Go Daddy older Web Classic hosting (not the new cPanel hosting)(and maybe other web hosts too) Rewrite/Redirect HTTP (non-SSL) to HTTPS (SSL)
    We recently made this forum site HTTPS/SSL and ran into a problem with how this particular Request URI code: %{REQUEST_URI} was being interpreted by Go Daddy during the Rewrite process from http to https. For a full detailed explanation of this code see this forum topic: https://forum.ait-pro.com/forums/topic/htaccess-redirect-code-where-do-i-add-redirect-htaccess-code/#back-reference-plus-sign

    Subdomain site (this forum site): https://forum.ait-pro.com/
    Folder where this forum site is installed in our hosting root account folder: /forum/
    Base URL for BuddyPress/bbPress: /forums
    Important Note:  You would change this code: /forum/forums+ to whatever your actual subdomain folder name and Base URL are.

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteCond %{REQUEST_URI} ^(/forum/forums+)/.*$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    RewriteCond %{HTTPS} !=on
    RewriteCond %{SERVER_PORT} ^80
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteRule ^index\.php$ - [L]

    IMPORTANT NOTES:
    All of your website URL’s/URI’s/links in your Source Code MUST be https and NOT http or else the http to https redirect will NOT work correctly and you will see infinite redirect loop errors. If you are seeing errors or problems then right mouse click on your website page(s), click the View Source menu command (or similar name in other Browsers) to view the Source Code of your website page(s). Look for any URL/URI’s/link Schemes (http|https) that are still http and NOT https.  You will need to correct/fix any URL’s/URI’s/links that are still http and NOT https. Example:  If you have an https page and the image file links are http then you will see infinite redirect errors (and probably other errors – 404 etc) and pages will NOT redirect correctly.  When you change your WordPress General Settings to https, all images that have been added to Posts or Pages using the Add Media button will automatically have https links, unless the image links are hard coded.  If you have hard coded an http link in a Post or Page then those are the links you will need to manually change to https.

    If you are using a caching plugin clear/flush/delete all of your cache.

    Google Webmaster Tools and Sitemaps
    If you have a Google Webmaster Tools account and you change your site from http to https you will need to add a new property for the https site in Google Webmaster Tools.  You will have 2 properties:  1 for the http Scheme and 1 for the https Scheme.
    If you are redirecting your entire site to https then your sitemap URI|URL will be an https URI|URL.  The sitemap URL for your http site will still be an http URL, but it will redirect to your new https sitemap URL.  For your new https property for your https site you will submit the https URL to your sitemap file.  Example:  https://www.example.com/sitemap.xml.  So both your http and https property sitemap URL’s will go to the same https URL for your sitemap.

    You may see these error messages below in Google Webmaster Tools when submitting your new https sitemap and also checking your old http sitemap URL.  These error messages could be caused by DNS Propagation not being fully propagated yet (very unlikely).  Most likely the cause of these errors is due to a redirect problem for your sitemap.xml file.  See the solution below.

    Network unreachable: robots.txt unreachable. We were unable to crawl your Sitemap because we found a robots.txt file at the root of your site but were unable to download it. Please ensure that it is accessible or remove it completely.

    You have a robots.txt file that we are currently unable to fetch. In such cases we stop crawling your site until we get hold of a robots.txt, or fall back to the last known good robots.txt file.

    Solution:
    Add an htaccess redirect rule for your sitemap file in BPS Custom Code.

    # root domain redirect
    RedirectMatch 301 ^/sitemap.xml$ https://example.com/sitemap.xml
    # subdomain redirect
    RedirectMatch 301 ^/subdomain/sitemap.xml$ https://subdomain.example.com/sitemap.xml
    # subdomain redirect for Go Daddy or other hosts that require the subdomain in the RedirectMatch matching rule
    RedirectMatch 301 ^/subdomain/uri/sitemap.xml$ https://subdomain.example.com/sitemap.xml

    Recommendation:
    If you have BPS Pro installed: Go to P-Security > ini_set Options > Turn On|Off Session Cookie Secure: Choose Session Cookie Secure On setting.
    Description CAUTION: This should ONLY be turned to On if your website is 100% HTTPS/SSL. Turning this to On may interfere with other things on your website that are using SESSION. session.cookie_secure specifies whether cookies should only be sent over secure connections. Protects against Session Hijacking AKA Cookie Hijacking.

    If you have BPS Pro installed: Go to P-Security > ini_set Options > Turn On|Off HttpOnly: Choose HttpOnly On setting.
    Description: session.cookie_httponly marks the cookie as accessible only through the HTTP protocol. This means that the cookie won’t be accessible by scripting languages, such as JavaScript. This setting can effectively help to reduce identity theft through XSS attacks (As of 2011, 99% of browsers and most web application frameworks do support HttpOnly).

    Additional Stuff Checklist:

    Your Sitemap may need to be updated: You can use your Sitemap to find http URLs that need to be changed to https. If you have hard links in your pages or posts still pointing to http URLs you can use your sitemap file to find and go to those pages and then edit them and change any hard links to https.  You can also edit http links by using phpMyAdmin to access your WP Database and edit links directly in the wp_links and wp_posts DB tables.

    Image File Links:  Some Image file links may need to be updated from http to https links.

    WP Sidebar:  Sidebar links may need to be updated from http to https links.

    WP Theme:  Custom Theme Templates may have http links and need to be updated from http to https links.

    htaccess Redirect code/rules: Change any htaccess code Redirect rules from http to https links.
    RedirectMatch 301 ^/somewhere/$ https://www.example.com/
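Added example (not part of the forum thread or of BPS): a small redirect-chain audit for the HTTP to HTTPS rule posted above, flagging redirect loops, temporary ([R] = 302) redirects and chains that do not end on https. The `example.com` hosts, the function names and the application model in `make_site` (an application that redirects to its configured Site Address) are assumptions made for illustration; in real use `fetch` would issue HEAD requests against your own site.

```python
import re
from urllib.parse import urlsplit

def _rebuild(scheme, netloc, u):
    """Same path and query string on another scheme/host, as an external redirect keeps them."""
    return f"{scheme}://{netloc}{u.path or '/'}" + (f"?{u.query}" if u.query else "")

def htaccess_rule(url, status=301):
    """Model of: RewriteCond %{HTTPS} !=on / RewriteCond %{SERVER_PORT} ^80 /
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]"""
    u = urlsplit(url)
    port = str(u.port or (443 if u.scheme == "https" else 80))
    if u.scheme != "https" and re.match(r"80", port):
        return status, _rebuild("https", u.netloc, u)
    return None

def make_site(site_address, rule_status=301):
    """Constructed responder: the htaccess rule runs first, then an application
    that redirects to its configured Site Address (assumed behaviour)."""
    site = urlsplit(site_address)
    def fetch(url):
        hit = htaccess_rule(url, rule_status)
        if hit:
            return hit
        u = urlsplit(url)
        if (u.scheme, u.netloc) != (site.scheme, site.netloc):
            return 301, _rebuild(site.scheme, site.netloc, u)
        return 200, None
    return fetch

def audit(start_url, fetch, max_hops=10):
    """Follow redirects from start_url; return (chain, problems)."""
    chain, problems, url = [start_url], [], start_url
    while len(chain) <= max_hops:
        status, location = fetch(url)
        if location is None:          # final response, no further redirect
            break
        if status != 301:
            problems.append(f"temporary redirect {status} at {url}")
        if location in chain:         # already visited: the browser would loop
            chain.append(location)
            problems.append(f"redirect loop back to {location}")
            return chain, problems
        chain.append(location)
        url = location
    else:
        problems.append(f"more than {max_hops} hops")
    if not url.startswith("https://"):
        problems.append(f"final URL is not https: {url}")
    return chain, problems

if __name__ == "__main__":
    cases = {
        "Site Address is https": (make_site("https://www.example.com"), "http://example.com/"),
        "Site Address left on http": (make_site("http://www.example.com"), "http://www.example.com/"),
        "rule uses [R,L] (302)": (make_site("https://www.example.com", 302), "http://www.example.com/"),
    }
    for name, (fetch, start) in cases.items():
        chain, problems = audit(start, fetch)
        print(name, "->", " -> ".join(chain), "|", problems or "ok")
```
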
