Word – Forcing HTTPS with .htaccess on site with WordPress in subfolder

.htaccessapache-http-serverhttpsWordpress

I can't get my .htaccess file to work to force HTTPS traffic

Site structure that I see if I ftp to my hosting provider:

/
  domains
    mydomainname.com
      public_html
        blog
  • The files for my site start in public_html (index.html etc)
  • I have a WordPress installation in blog
  • WordPress settings have been set to https: (General settings mention https://www.mydomainname.com/blog as the WordPress URL).
  • SSL certificate is working fine if I go to the domain
  • Initially there was only a .htaccess in blog, containing:

# BEGIN WordPress

RewriteEngine On
RewriteBase /blog/
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]

# END WordPress

All kinds of tutorials I see mention that I should add this to the start of .htaccess:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mydomainname.com/$1 [R,L]

.. and that I should place this file 'in the root of my site'.

If I have no (other) .htaccess file:

  • I can browse go to https://www.mydomainname.com, follow links into the WP blog and browse around there, all https:
  • If I go to http://www.mydomainname.com, follow links into the WP blog, these will turn into https:

If I place a modified htaccess in several locations I get issues like (depending on what .htaccess contents/locations I'm trying):

  • If I go to www.mydomainname.com it redirects to https://www.mydomainname.com and I get "Server not found"; or:
  • No forcing from http: to https:

Questions:

  • Should the .htaccess be placed in mydomainname.com or public_html (i.e. which folder is that famous 'root of my site')? I have tried both.
  • Must it also be placed in blog? If so, do they need to be identical?
  • What are the proper contents of the .htaccess file(s)?

I have tried all kinds of variations, but can't get it to work – obviously not the right variation yet.

FWIW: I assume my hosting provider uses Apache. I have no control over its configuration.

Best Answer

I would argue you should put your new .htaccess file in public_html folder.

Try the following with mod_rewrite in your .htaccess file

RewriteEngine On
# This will enable the Rewrite capabilities
RewriteCond %{HTTPS} !=on
# This checks to make sure the connection is not already HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf or .htaccess context

These three lines also have to be added to the .htaccess file in the blog folder, modifying the RewriteRule to reflect that subfolder:

RewriteRule ^/?(.*) https://%{SERVER_NAME}/blog/$1 [R,L]

It might be also useful to apply mod_ssl to force SSL with the SSLRequireSSL Directive:

This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL. Keep in mind that this will not do a redirect to https by itself.

Related Question