WordPress SSL htaccess code – Rewrite SSL, RewriteCond Server Port

[AITpro Admin]

The HTTPS/SSL htaccess code definitely works and is used on 1,000’s of websites.  So if it is not working on your site then you need to look at things like DNS settings in your web host control panel to see if you have incorrect forwarding or redirecting settings somewhere.

http://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233

Also you need to make sure that this problem below is not occurring on your website or the redirects will not work until you fix that problem on your website.

IMPORTANT NOTES:
All of your website URL’s/URI’s/links MUST be https and NOT http or else the http to https redirect will NOT work correctly and you will see infinite redirect loop errors. If you are seeing errors or problems then right mouse click on your website page(s), click the View Source menu command (or similar name in other Browsers) to view the Source Code of your website page(s). Look for any URL/URI’s/link Schemes (http|https) that are still http and NOT https.  You will need to correct/fix any URL’s/URI’s/links that are still http and NOT https. Example:  If you have an https page and the image file links are http then you will see infinite redirect errors (and probably other errors) and pages will NOT redirect correctly.  When you change your WordPress General Settings to https, all images that have been added to Posts or Pages using the Add Media button will automatically have https links.  If you have hard coded an http link in a Post or Page then those are the links you will need to manually change to https.

[dtyler1]

For some reason the custom code to redirect everything to https: is not working. I’ve deleted and reinstalled the code and the result is the same. What do you recommend?

[AITpro Admin]

See my previous reply.  The cause of the problem is probably 1 of the 2 problems that I listed in my previous reply.

[dtyler1]

I uninstalled BPS Pro and added redirect to the .htaccess and then reinstalled BPS Pro. That was the only thing that worked.

[AITpro Admin]

hmm you should never have to uninstall BPS Pro for any reason to fix a problem.  BPS Pro is designed to allow you to turn each feature on or off and to correct any issues/problems in each feature.  You are using BPS Custom Code to add/create your own custom htaccess code and not adding it directly into the root htaccess file correct? Most WordPress plugins are designed very simply and only allow you to deactivate or delete a plugin for troubleshooting.  BPS Pro on the other hand is very advanced and has built-in troubleshooting capability:  http://forum.ait-pro.com/forums/topic/read-me-first-pro/#bps-pro-general-troubleshooting

[Max]

thought I’d share (works well for me w/ 100% HTTPS Networks =) – ymmv…

### BEGIN Port 80 Control
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
### END Port 80 Control

### Begin X-Forwarded Control
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
### END X-Forwarded Control

### BEGIN HTTPS Catch-All
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
### END HTTPS Catch-All

(drawn from codex: http://codex.wordpress.org/Administration_Over_SSL, askapache, rcbowen – and good ‘ol trial & error )

[Max]

Alternatively, instead of

RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

try

### BEGIN HTTPS Catch-All
# first line optional, from https://codex.wordpress.org/Administration_Over_SSL
# An important idea in this block is using THE_REQUEST, which ensures only actual http 
# requests are rewritten and not local direct file requests, like an include or fopen
#RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
# note use of NC and QSA - QSA can be esp important, generally better than using QUERY_STRING
# also, unless specified otherwise an R is treated as R=302
# finally, note in RewriteRule that we are only matching against the void preceding new line which avoids
# expensive pattern matching and value capture (specifically, '^' instead of '^/?(.*)' or similar)
### END HTTPS Catch-All

Also, only once you really know for sure that everything is working as expected you might look at using HSTS, like

# BEGIN HSTS Control
# good for initial testing, raise max-age value when confident...
#Header set Strict-Transport-Security "max-age=300; includeSubDomains" env=HTTPS
# END HSTS Control

# BEGIN HSTS Control, with preload
# Uncomment line below only when well researched
#Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload" env=HTTPS
# END HSTS Control

Once you’re sure its all working (and you’ve done some googling to learn more about this) then you might try using the preload option which may address issue with delay in redirect from http to https even for new visitors as their browsers will, in theory, already know better…

Love the improved Query String Removal code from AITpro admin – thanks for that =)

Cheers, Max

[AITpro Admin]

@ Max – see the Important Note before using the Query String removal code:  http://forum.ait-pro.com/forums/topic/remove-query-strings-from-static-resources/#post-29602.  Personally I would only use that code on a website that is not critical.  ie a site that is a set and forget site and not a site that is being logged into regularly by users.

[Jose]

Hi,

Just for clarify if this code should be correct for keeping https (SSL) all wp-admin area (wp-login), and remaining http the rest of the site.

RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mysite.com/wp-login$1 [R,L]
RewriteRule ^index\.php$ - [L]

Thanks.

[AITpro Admin]

@ Jose – Nope, that htaccess code would not work.  Assuming that you already have a valid SSL Certificate see this WordPress Codex page on adding SSL for the Login page/wp-admin area:  https://codex.wordpress.org/Administration_Over_SSL Assuming that you already have a valid SSL Certificate, why do you only want the wp-admin area to use SSL and not the entire site?

[Jose]

Because I don’t use services as paypal or similar transactions. Do you think is better using it for all entire site? Would this fact affect the speed performance? I read that improves the SEO position, but I’m not sure. I have many doubts about it.

[AITpro Admin]

@ Jose – I have heard that SSL causes a slight performance decrease for websites, but the last time I looked at that was a long time ago so I don’t know if that is true anymore.  I have also heard that SSL is better for SEO, but I do not know if that is true or not or just SEO marketers pitching that.  So the reason to use SSL sitewide would be to avoid complications/problems and keep things very simple, but if you want to only use SSL in the wp-admin area then see the WordPress Codex link I posted above for how to do that.  Off the top of my head this code below should work in theory, but it is not tested so you can try it and see what happens.  Be prepared to FTP to your website and delete your root htaccess file if you run into problems. This code may cause problems for any wp-admin URI’s in the wp-admin area with Query Strings: wp-admin/?example=query-string. If that happens then the QSA flag and different htaccess code would be needed to handle Query Strings.

1. Copy the .htaccess SSL/HTTPS code below to this BPS Root Custom Code text box: CUSTOM CODE WP REWRITE LOOP START
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} =on
RewriteCond %{REQUEST_URI} ^.*(/wp-admin/|wp-login\.php).*$ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteRule ^index\.php$ - [L]

[Jose]

Ok.

With Firefox addon Noscript (advanced settings) is possible redirecting Https any website with SSL certificate, writing down in the advanced settings box (HTTPS section): *.mywebsite.com

This is the less bad solution for me to access the admin area.

Nevertheless, I’ve deleted today HTTPS, a wordpress plugin which I consider obsolete (4.6 version is coming soon and is_ssl() will be now located in wp-includes/load.php instead of funtions.php). The most recent changelog of the plugin (partial) is from six months ago, and hasn’t been published on https://wordpress.org/plugins/wordpress-https/, but on https://github.com/Mvied/wordpress-https.

This plugin allowed me to redirect all external trafic to http (search engines included) and thanks to Noscript, force the Https with the Firefox browser for admin tasks: (checking the boxes ‘Force SSL Administration’ and ‘Force SSL Exclusively’). If I had needed any other page or post to be shown in https (selling form, etc…), there was an specific box for that in every single editor page.

The question now is that it seems very difficult to keep what this plugin did, because now you can see all my website both in http and https in any browser. I will check the wordpress codex.

[Jose]

I see I can access SSL to the admin area with and without

define('FORCE_SSL_ADMIN', true);

wordpress codex solution. The question to resolve in my case is if it would be possible forcing via .htaccess all my website to http except admin area (SSL). I will be mulling over it for a while.

[Jose]

I’ve found a very small plugin that seems to make what I need, but looking at its code I see it makes calls to ‘is_ssl()’.
https://wordpress.org/plugins/verve-ssl/

[Author]

Posts