Secure Your Website: How to Force HTTPS using .htaccess in cPanel (WordPress & All Sites)

In today’s digital landscape, website security is paramount. Visitors expect a secure browsing experience, and search engines prioritize websites that use HTTPS. If your website is still loading with an insecure “http” URL, it’s crucial to make the switch to “https.” This guide provides a simple, step-by-step process to force HTTPS using your .htaccess file in cPanel, ensuring a secure connection for all visitors, regardless of your website platform (WordPress, Joomla, Drupal, etc.).

Why Force HTTPS?

HTTPS (Hypertext Transfer Protocol Secure) encrypts communication between your website and your visitors’ browsers. This encryption protects sensitive data, like login credentials and payment information, from being intercepted by malicious actors.

Benefits of HTTPS:

• Improved Security: Protects user data and builds trust.
• SEO Benefits: Search engines favor HTTPS websites, giving them a ranking advantage.
• Enhanced Credibility: Displays a security padlock in the browser address bar, reassuring visitors that your site is safe.
• Compliance: Essential for meeting PCI DSS compliance if you process online payments.

Accessing Your .htaccess File via cPanel

Before you can force HTTPS, you need to access your .htaccess file. This file allows you to control how your web server handles various aspects of your website. Here’s how to find it in cPanel:

1. Log in to cPanel: Access your web hosting control panel.
2. Open File Manager: Navigate to the “Files” category and click on “File Manager.”
3. Configure File Manager Settings: Click the “Settings” tab in the top right corner.
4. Show Hidden Files: Select the document root for your domain and make sure the “Show Hidden Files” checkbox is checked. Click “Save.”
5. Locate .htaccess: Find the .htaccess file in the file list (it might be hidden, so make sure you’ve enabled “Show Hidden Files”).
6. Edit .htaccess: Right-click on the .htaccess file and choose the “Edit” option. This will open the file in a text editor within your browser.

Forcing HTTPS with .htaccess Code

Now, paste the following code into your .htaccess file to redirect all HTTP requests to HTTPS:

RewriteEngine On 
RewriteCond %{HTTPS} off 
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]  

Explanation of the Code:

• RewriteEngine On: This line activates the rewrite engine in your web server (Apache), which allows the .htaccess file to redirect traffic.
• RewriteCond %{HTTPS} off: This condition checks if the incoming request is using HTTP (not HTTPS).
• RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]: This rule redirects any HTTP requests to the HTTPS version of the same URL. The [L,R=301] flags indicate that this is the last rule to be processed (L) and that it’s a permanent redirect (R=301), which is important for SEO.

Important Considerations

• SSL Certificate: Make sure you have an SSL certificate installed on your website. Most hosting providers offer free SSL certificates through Let’s Encrypt.
• RewriteEngine: Ensure that your hosting plan supports the RewriteEngine. Most do, but it’s worth confirming with your hosting provider.
• Managed WordPress Hosting: If you’re looking for a hassle-free experience, consider managed WordPress hosting. Providers like MyGlobalHost offer managed plans with all the necessary features, including SSL certificates and support for .htaccess modifications.

Saving and Testing

Once you’ve added the code to your .htaccess file, save the changes. Now, visit your website using the HTTP version of your URL (e.g., http://www.example.com). You should be automatically redirected to the HTTPS version (e.g., https://www.example.com). By following these steps, you can easily force HTTPS for your website, improving security, SEO, and user trust.