Home › Forums › BulletProof Security Pro › WordPress SSL htaccess code – Rewrite SSL, RewriteCond Server Port
Tagged: htaccess SSL, HTTPS, Rewrite SSL, RewriteCond, SSL, SSL Vhost, WordPress SSL, WordPress SSL htaccess code
- This topic has 123 replies, 22 voices, and was last updated 1 year, 3 months ago by nehakakar kakar.
-
AuthorPosts
-
AITpro AdminKeymaster
@ carsafety – Maybe there is a problem with using the www to non-www rewrite code since it looks like you were not using the www subdomain previously. Try this code instead. Also the code your host and simple ssl is using is pretty much the exact same code.
# WP REWRITE LOOP START RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{SERVER_PORT} ^80 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] RewriteRule ^index\.php$ - [L]
carsafetyParticipantThanks! I’ve learned not to mess with even the tiniest differences in rewrite scripts. I’m not a coder and I’ve gotten myself stuck into loops before lol.
The redirects are working correctly now, but that still didn’t solve the issue with certain pages not redirecting their internal URL and image URL links to https. The vast majority worked as expected. For some reason, the Really Simple SSL plugin resolved this issue. I’m stumped as to why, as the links look exactly like they do on any other working page. For now I’ll suffer with the overhead the extra plugin causes, and perhaps look into it further in the future. I know this isn’t likely an issue with BPS Pro but if you’ve got mixed content images or scripts the Really Simple plugin goes a step beyond just changing your URL settings and adding the necessary rewrite code.
AITpro AdminKeymaster@ carsafety – Yep, we had to do a lot of additional things on this forum site when we switched from http to https. That is a standard thing when switching a site that was previously http to https. See the IMPORTANT NOTES, Recommendation and Additional Stuff Checklist help sections in this link for other things that may need to be changed: https://forum.ait-pro.com/forums/topic/wordpress-ssl-htaccess-code-rewrite-ssl-rewritecond-server_port/#post-7233 If you prefer to have the Really Simple SSL plugin handle any issues/problems dynamically instead of permanently fixing/correcting those issues/problems then that is fine too. 😉
protectionParticipantThis is excellent documentation. The only other thing I’d add is to be mindful of any files/scripts that are external to WordPress. For example, I have a folder on my root called ‘external’ which had some hardcoded URLs containing http. I renamed them to https and all was well.
AWParticipantHi Bps,
I migrated from http to https.
By the way,
The website is :
https://pinnaclefc.comI did as follow:
STEP ONECopy below to CUSTOM CODE WP REWRITE LOOP START
# WP REWRITE LOOP START RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{SERVER_PORT} ^80 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] RewriteRule ^index\.php$ - [L]
I am running WP Fastest Cache, the previous CODE as below
# BEGIN WpFastestCache <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{HTTP_HOST} ^www.pinnaclefc.com [NC] RewriteRule ^(.*)$ http\:\/\/pinnaclefc\.com\/$1 [R=301,L] # Start WPFC Exclude # End WPFC Exclude RewriteCond %{HTTP_HOST} ^pinnaclefc.com RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot) RewriteCond %{REQUEST_METHOD} !POST RewriteCond %{HTTPS} !=on RewriteCond %{REQUEST_URI} !(\/){2}$ RewriteCond %{REQUEST_URI} \/$ RewriteCond %{QUERY_STRING} !.+ RewriteCond %{HTTP:Cookie} !comment_author_ RewriteCond %{HTTP:Cookie} !wp_woocommerce_session RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC] RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or] RewriteCond /home/sabaubew/pinnaclefc.com/wp-content/cache/all/$1/index.html -f RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L] </IfModule> <FilesMatch "index\.(html|htm)$"> AddDefaultCharset UTF-8 <ifModule mod_headers.c> FileETag None Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT" </ifModule> </FilesMatch> # END WpFastestCache # BEGIN GzipWpFastestCache <IfModule mod_deflate.c> AddType x-font/woff .woff AddOutputFilterByType DEFLATE image/svg+xml AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf </IfModule> # END GzipWpFastestCache # BEGIN LBCWpFastestCache <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$"> <IfModule mod_expires.c> AddType application/font-woff2 .woff2 ExpiresActive On ExpiresDefault A0 ExpiresByType image/webp A2592000 ExpiresByType image/gif A2592000 ExpiresByType image/png A2592000 ExpiresByType image/jpg A2592000 ExpiresByType image/jpeg A2592000 ExpiresByType image/ico A2592000 ExpiresByType image/svg+xml A2592000 ExpiresByType text/css A2592000 ExpiresByType text/javascript A2592000 ExpiresByType application/javascript A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType application/font-woff2 A2592000 </IfModule> <IfModule mod_headers.c> Header set Expires "max-age=2592000, public" Header unset ETag Header set Connection keep-alive FileETag None </IfModule> </FilesMatch> # END LBCWpFastestCache
I just updated the WP Fastest Cache settings and it is as below :
# BEGIN WpFastestCache <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{HTTPS} =on RewriteCond %{HTTP_HOST} ^pinnaclefc.com # Start WPFC Exclude # End WPFC Exclude RewriteCond %{HTTP_HOST} ^pinnaclefc.com RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot) RewriteCond %{REQUEST_METHOD} !POST RewriteCond %{REQUEST_URI} !(\/){2}$ RewriteCond %{REQUEST_URI} \/$ RewriteCond %{QUERY_STRING} !.+ RewriteCond %{HTTP:Cookie} !comment_author_ RewriteCond %{HTTP:Cookie} !wp_woocommerce_session RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC] RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or] RewriteCond /home/sabaubew/pinnaclefc.com/wp-content/cache/all/$1/index.html -f RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L] </IfModule> <FilesMatch "index\.(html|htm)$"> AddDefaultCharset UTF-8 <ifModule mod_headers.c> FileETag None Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT" </ifModule> </FilesMatch> # END WpFastestCache # BEGIN GzipWpFastestCache <IfModule mod_deflate.c> AddType x-font/woff .woff AddOutputFilterByType DEFLATE image/svg+xml AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf </IfModule> # END GzipWpFastestCache
# BULLETPROOF PRO 12.7 SECURE .HTACCESS # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE # BEGIN LBCWpFastestCache <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$"> <IfModule mod_expires.c> AddType application/font-woff2 .woff2 ExpiresActive On ExpiresDefault A0 ExpiresByType image/webp A2592000 ExpiresByType image/gif A2592000 ExpiresByType image/png A2592000 ExpiresByType image/jpg A2592000 ExpiresByType image/jpeg A2592000 ExpiresByType image/ico A2592000 ExpiresByType image/svg+xml A2592000 ExpiresByType text/css A2592000 ExpiresByType text/javascript A2592000 ExpiresByType application/javascript A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType application/font-woff2 A2592000 </IfModule> <IfModule mod_headers.c> Header set Expires "max-age=2592000, public" Header unset ETag Header set Connection keep-alive FileETag None </IfModule> </FilesMatch> # END LBCWpFastestCache
ISSUE, I try to update the Updated Wp Fastes Cache on the Custom Code > Custom Code Top PHP with below updated cache:
# BEGIN WpFastestCache <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{HTTPS} =on RewriteCond %{HTTP_HOST} ^pinnaclefc.com # Start WPFC Exclude # End WPFC Exclude RewriteCond %{HTTP_HOST} ^pinnaclefc.com RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot) RewriteCond %{REQUEST_METHOD} !POST RewriteCond %{REQUEST_URI} !(\/){2}$ RewriteCond %{REQUEST_URI} \/$ RewriteCond %{QUERY_STRING} !.+ RewriteCond %{HTTP:Cookie} !comment_author_ RewriteCond %{HTTP:Cookie} !wp_woocommerce_session RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC] RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or] RewriteCond /home/sabaubew/pinnaclefc.com/wp-content/cache/all/$1/index.html -f RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L] </IfModule> <FilesMatch "index\.(html|htm)$"> AddDefaultCharset UTF-8 <ifModule mod_headers.c> FileETag None Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT" </ifModule> </FilesMatch> # END WpFastestCache # BEGIN GzipWpFastestCache <IfModule mod_deflate.c> AddType x-font/woff .woff AddOutputFilterByType DEFLATE image/svg+xml AddOutputFilterByType DEFLATE text/plain AddOutputFilterByType DEFLATE text/html AddOutputFilterByType DEFLATE text/xml AddOutputFilterByType DEFLATE text/css AddOutputFilterByType DEFLATE text/javascript AddOutputFilterByType DEFLATE application/xml AddOutputFilterByType DEFLATE application/xhtml+xml AddOutputFilterByType DEFLATE application/rss+xml AddOutputFilterByType DEFLATE application/javascript AddOutputFilterByType DEFLATE application/x-javascript AddOutputFilterByType DEFLATE application/x-font-ttf AddOutputFilterByType DEFLATE application/vnd.ms-fontobject AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf </IfModule> # END GzipWpFastestCache
# BULLETPROOF PRO 12.7 SECURE .HTACCESS # CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE # BEGIN LBCWpFastestCache <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$"> <IfModule mod_expires.c> AddType application/font-woff2 .woff2 ExpiresActive On ExpiresDefault A0 ExpiresByType image/webp A2592000 ExpiresByType image/gif A2592000 ExpiresByType image/png A2592000 ExpiresByType image/jpg A2592000 ExpiresByType image/jpeg A2592000 ExpiresByType image/ico A2592000 ExpiresByType image/svg+xml A2592000 ExpiresByType text/css A2592000 ExpiresByType text/javascript A2592000 ExpiresByType application/javascript A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType application/font-woff2 A2592000 </IfModule> <IfModule mod_headers.c> Header set Expires "max-age=2592000, public" Header unset ETag Header set Connection keep-alive FileETag None </IfModule> </FilesMatch> # END LBCWpFastestCache
However, when i click save, it shows not allow and error 403.
Please advise.
Regards,
AlexAITpro AdminKeymasterAW – The mistake you are making is trying to combine redundant code together which will most likely cause unecessary problems or worse. Either cancel out what you orginally intended to do and instead only combine relevant code together. You can of course combine your additional code into the existing BPS Speed Boost cache code or you can pick the base code that you want to use and then use parts of any other code that you want to use. Note: The 403 error on Custom Code save was caused by invalid custom htaccess code.
Example:
# BEGIN WEBSITE SPEED BOOST # Time cheat sheet in seconds # A86400 = 1 day # A172800 = 2 days # A2419200 = 1 month # A4838400 = 2 months # A29030400 = 1 year # Test which ETag setting works best on your Host/Server/Website # with Firefox Firebug, Firephp and Yslow benchmark tests. # Create the ETag (entity tag) response header field # This is probably not the optimum choice to use. #FileETag MTime Size # Remove the ETag (entity tag) response header field # This is most likely the optimum choice to use. Header unset ETag FileETag none <IfModule mod_expires.c> ExpiresActive on # ExpiresByType overrides the ExpiresDefault... # cache expiration time of 2 days|A172800. ExpiresDefault A172800 ExpiresByType image/jpg A4838400 ExpiresByType image/jpeg A4838400 ExpiresByType image/gif A4838400 ExpiresByType image/png A4838400 ExpiresByType image/bmp A4838400 ExpiresByType image/x-icon A4838400 ExpiresByType image/svg+xml A4838400 ExpiresByType text/javascript A4838400 ExpiresByType text/x-javascript A4838400 ExpiresByType text/css A4838400 ExpiresByType text/html A4838400 ExpiresByType application/x-font-ttf A4838400 ExpiresByType application/x-font-woff A4838400 ExpiresByType font/opentype A4838400 ExpiresByType application/x-shockwave-flash A4838400 ExpiresByType application/x-javascript A4838400 ExpiresByType application/javascript A4838400 ExpiresByType video/mp4 A4838400 ExpiresByType video/ogg A4838400 ExpiresByType video/webm A4838400 </IfModule> <IfModule mod_headers.c> <FilesMatch "\.(js|css|flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|gif|jpg|jpeg|png|swf|webm)$"> Header append Cache-Control "public" </FilesMatch> <FilesMatch "\.(txt|html)$"> Header append Cache-Control "proxy-revalidate" </FilesMatch> <FilesMatch "\.(php|cgi|pl|htm|xml)$"> Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform" Header set Pragma "no-cache"
AITpro AdminKeymasterEmail Question:
Hello,
I recently added a UCC SSL certificate to enable HTTPS on 5 GoDaddy Managed WordPress websites. Each site has several 301 redirects added to the very bottom of the .htaccess file (bottom CUSTOM CODE box). When I’m logged into the WP backend and try to visit one of the redirects, the 443 port gets inserted into the redirected URL. As an example, here is one of my redirects: Redirect 301 /test1 /links
So, when I go
http://example.com/test1 or https://example.com/test1
, I get redirected tohttp://example.com:443/links
and see the following error message(s):With Cloudflare enabled: 400 Bad Request — The plain HTTP request was sent to HTTPS port
With Cloudflare disabled: This page isn’t working — a-course-in-miracles.org didn’t send any data. — ERR_EMPTY_RESPONSE
In the “CUSTOM CODE WP REWRITE LOOP START” .htaccess box, I have the standard code to redirect HTTP to HTTPS:RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{SERVER_PORT} ^80 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] RewriteRule ^index\.php$ - [L]
I’m not sure why the issue only occurs when logged in. I’ve found a couple posts about this, but no solutions:
https://stackoverflow.com/a/35900318 (the suggested solution did not work for me)
https://stackoverflow.com/q/42403534Do you have idea how to handle this?
Answered and resolved by Go Daddy Managed WordPress hosting technical support:
Hello,A quick follow-up. The following .htaccess code from GoDaddy has seemed to resolve (or bypass) the issue. I’ve replaced the standard HTTP > HTTPS redirect code (in the “CUSTOM CODE WP REWRITE LOOP START” box) with this new code.
RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_USER_AGENT} ^(.+)$ RewriteCond %{SERVER_NAME} ^a\-course\-in\-miracles\.org$ RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] Header add Strict-Transport-Security "max-age=300"
ThomasParticipantBefore coming across this help file I edited the .htaccess file through a file manager to add a rewrite, but BPS quarantined the file. So I found this thread and I pasted the following code under “Custom Code > Root Access Custom Code > CUSTOM CODE WP REWRITE LOOP START:”
At first I copied the entire text from # WP REWRITE LOOP START to # WP REWRITE LOOP END and edited it as that’s what it says to do in the box next to it.
I got the following error:403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: xxxxxxxxxx
So I just placed this:
# WP REWRITE LOOP START # Rewrite|Redirect http to https|SSL & non-www to www RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{SERVER_PORT} ^80 RewriteCond %{HTTP_HOST} ^domain\.com\.au$ [NC] RewriteRule (.*) https://www.domain.com.au%{REQUEST_URI} [R=301,L] RewriteRule ^index\.php$ - [L]
(with my domain in place of “domain”)
and get the same error:
403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: xxxxxxxxxx
My hosting provider help files says to use:
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
I tried this too, but I still get the same error.
I am not sure that this has something to do with the quarantine that I caused at the start or what it is.
My WordPress Settings > General Settings > WordPress Address (URL) & Site Address (URL) are both set to https://domain.com.au as I already had the SSL installed before installing WordPress.
I clicked on “unlock htaccess file”, refreshed the page, and tried pasting in the code again but still no joy.
I tried it without
RewriteCond %{SERVER_PORT} ^80
like this:
# WP REWRITE LOOP START # Rewrite|Redirect http to https|SSL & non-www to www RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^domain\.com\.au$ [NC] RewriteRule (.*) https://www.domain.com.au%{REQUEST_URI} [R=301,L] RewriteRule ^index\.php$ - [L]
But I still get the same error.
403 Forbidden Error Page
If you arrived here due to a search or clicking on a link click your Browser’s back button to return to the previous page. Thank you.
IP Address: xxxxxxxxxx
Any ideas what I am doing wrong?
AITpro AdminKeymaster@ Thomas – The 403 Forbidden errors are being caused by Mod Security in your web host control panel. See this forum topic for how to proceed > https://forum.ait-pro.com/forums/topic/mod-security-common-known-problems/
ThomasParticipantThank you @keymaster.
My hosting provider was able to find the modsec rule and temporarily unset it for me to update the .htaccess file via BPS Pro.
ThomasParticipantMy site is still not automatically loading https:// at the root directory unless I have already visited the site. A browser’s first visit still shows the warning that the site has no security.
The B-Core ~ Htaccess Core Security tab shows me that the secure.htaccess file starts with
RewriteEngine On RewriteBase / RewriteCond %{HTTPS} !=on RewriteCond %{HTTP_HOST} ^domain\.com\.au$ [NC] RewriteRule (.*) https://www.domain.com.au%{REQUEST_URI} [R=301,L] RewriteRule ^index\.php$ - [L]
Shouldn’t the tab with “Your Current Root htaccess File” have this code?
AITpro AdminKeymaster@ Thomas – That sounds like a caching problem. Are you using a caching plugin and/or CDN and/or Cloudflare or server-side caching?
ThomasParticipantI am using Jetpack by WordPress’ CDN to serve images.
AITpro AdminKeymasterEDIT|UPDATE: The problem was caused by missing a step in BPS Custom Code steps and Thomas has confirmed that the problem is now resolved.
@ Thomas – I just noticed this statement you made in your previous forum Reply > “The B-Core ~ Htaccess Core Security tab shows me that the secure.htaccess file starts with”. It sounds like the problem may be that you have added/saved the HTTPS/SSL htaccess code in the wrong place in BPS Custom Code or the BPS Pro htaccess File Editor. The HTTPS/SSL rewrite code needs to be saved in this BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START. If you hvae 2 htaccess Rewrite sections of code in your Root htaccess file then that would explain why your website is rewriting URL’s twice.
1. Copy whichever .htaccess SSL/HTTPS code below (there are 3 different variations depending on what you would like to do) that you want to use to this BPS Root Custom Code text box: 8. CUSTOM CODE WP REWRITE LOOP START
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.PaulParticipantATI, Currently i have my
http://www.
site redirected in htaccess to myhttps://www.
site
Is there a way to do this plus redirecthttp://
andhttps://
(the non www. versions all to myhttps://www.
site? -
AuthorPosts
- You must be logged in to reply to this topic.