Enabling HTTPS on your website using .htaccess

More and more websites are installing an SSL certificate and converting to HTTPS (secure http). Traditionally e-commerce websites enforce HTTPS on their logged in and checkout pages, however there is a movement supported by big firms like Google, Microsoft, Mozilla to encourage webmasters to convert their websites to HTTPS only. With this in mind, Spiral Hosting are making it easier than ever to secure your website with HTTPS. We have introduced a new AutoSSL feature on all our shared hosting, enterprise hosting and reseller hosting plans. The AutoSSL feature is enabled by default so our hosting clients can enforce HTTPS on their websites.

Whether you use the 90-day AutoSSL provided with your web hosting or you use one of the big brand certificates we sell from Comodo, GeoTrust or GlobalSign, you can use the following code to enforce HTTPS mode across your website.

Step 1 - Is the website running WordPress software?

Almost 30% of the Internet runs on WordPress software!
If you have a WordPress site, please instead follow this guide: https://secure.spiralhosting.com/knowledgebase.php?action=displayarticle&id=165 

Otherwise proceed to step 2!

Step 2 - Check that an SSL certificate is installed on your website

Please type your website address into https://sslanalyzer.comodoca.com/

In most cases you'll see a 1 year certificate from one of our SSL partners, the issuer will say "Comodo", "GeoTrust" or "GlobalSign", or the 90-day AutoSSL certificate issued by "cPanel Inc".

If the SSL certificate has been issued by "Cloudflare Inc" you'll need to activate SSL via your Cloudflare dashboard. Login via your cPanel control panel or cloudflare.com, then find the SSL option, and change it from Off/Flexible to "Full SSL".

Step 3 - Use an .htaccess file to force redirect all HTTP requests to HTTPS. 

Forcing visitors to use SSL can be accomplished through your .htaccess file using mod_rewrite. Simply add the following 3 lines to your .htaccess file:

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.exampledomain.com/$1 [R,L]

If you do not have an .htaccess file, simply create one in the main directory of your website (public_html).

Don't forget to replace exampledomain.com with your actual domain name!

Step 4 - Check your website for any non HTTPS content

Your website should now be running on 100% HTTPS, but if any part of your website theme or plugins use non-HTTPS images, stylesheets or other content, it will cause a warning on most web browsers. We recommend typing your website address into the site scanner at https://www.whynopadlock.com/

If the site scanner finds any "mixed content" on your website, you may need to manually go through the images/content and update the relevant code to use HTTPS instead of HTTP. 

If the site scanner continues to give warnings, we recommend discussing the issue with your website developer.