Forcing HTTPS site-wide after AutoSSL

Once AutoSSL has issued a certificate for your domain, the site works on both HTTP and HTTPS. To get the SEO and security benefits of HTTPS, you need to force every visitor to the HTTPS version. This article covers the three ways to do that.

Why force HTTPS

  • SEO. Google has used HTTPS as a ranking signal since 2014. Mixed HTTP/HTTPS hurts ranking; consistent HTTPS helps.
  • Browser warnings. Chrome flags HTTP sites as "Not Secure" in the address bar.
  • Modern browser features. Service workers, geolocation, payment APIs, push notifications — all require HTTPS.
  • Security. HTTP traffic is readable by anyone on the network path.

Method 1: cPanel's built-in HTTPS Redirect

The simplest option:

  1. cPanel → Domains.
  2. Find your domain in the list.
  3. Toggle the Force HTTPS Redirect switch to ON.

cPanel adds the redirect rule to your .htaccess automatically. Done.

Method 2: .htaccess directly

If you want explicit control, edit your .htaccess file in public_html and add at the top:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

This redirects every HTTP request to its HTTPS equivalent with a 301 (permanent) status.

Excluding the AutoSSL validation path

If you've previously had AutoSSL fail because your .htaccess redirect was blocking the validation token, exclude that path:

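RewriteEngine On
# Leave the AutoSSL validation path reachable over plain HTTP
RewriteCond %{REQUEST_URI} !^/\.well-known/
# Redirect everything else that arrived over HTTP
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]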

Forcing HTTPS for one specific subdomain

RewriteEngine On
RewriteCond %{HTTPS} off
# Match only this hostname (dots escaped so they match literally)
RewriteCond %{HTTP_HOST} ^secure\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ https://secure.yourdomain.com/$1 [R=301,L]

Method 3: WordPress (update the site URL too)

If you're running WordPress, also update WordPress's site URL to HTTPS. Otherwise WordPress keeps generating HTTP links inside pages; the redirects catch them, but that is a sloppy workaround.

  1. Log in to wp-admin.
  2. Settings → General.
  3. Change WordPress Address and Site Address from http://yourdomain.com to https://yourdomain.com.
  4. Save.

Fix mixed-content warnings

After switching to HTTPS, you may see "mixed content" warnings — HTTPS pages loading HTTP assets. Run a database search-and-replace to update old image URLs and links:

  1. Install the free plugin Better Search Replace.
  2. Run a dry-run searching for http://yourdomain.com and replacing with https://yourdomain.com.
  3. Review the count, then run for real.

Most mixed-content issues come from hard-coded image URLs in old posts.

HSTS: tell browsers to remember

Once you're confident HTTPS works on every URL, add an HTTP Strict Transport Security (HSTS) header. This tells browsers "always use HTTPS for this domain, even if the user types http:// or clicks an old http link." Add to .htaccess:

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>

The max-age=31536000 is one year. Browsers that have visited your site once will refuse to connect over HTTP for the next year, even if your redirect is removed.

Caution: HSTS is sticky. If you ever need to revert to HTTP (don't), the browser-cached HSTS policy means visitors can't connect until their cache expires. Be sure HTTPS works completely before turning HSTS on.

Testing

From a terminal:

$ curl -I http://yourdomain.com
HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com

$ curl -I https://yourdomain.com
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains

From a browser, also check ssllabs.com/ssltest for a complete grade. Aim for A or A+.
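
The same checks can be scripted so they are repeatable after every .htaccess change. This is an added example, not part of the original article or of cPanel: the function names are this example's own, and the sample responses are constructed. Each function reads `curl -sI` output on stdin and fails on anything other than a 301 to the same host over HTTPS, an HSTS max-age at least as long as required, or a validation path that is not redirected.

```bash
#!/bin/sh
# Added example: audit `curl -sI` output for the behaviour this article sets up.
# Live use: curl -sI http://yourdomain.com/ | check_redirect yourdomain.com

# Print the value of header $1 (name matched case-insensitively).
header_value() {
    tr -d '\r' | awk -v h="$1" -F': *' \
        'tolower($1) == tolower(h) { sub(/^[^:]*: */, ""); print; exit }'
}

# $1 = expected host. Pass only on a 301 whose Location is https on that host.
check_redirect() {
    resp=$(tr -d '\r')
    code=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
    loc=$(printf '%s\n' "$resp" | header_value Location)
    [ "$code" = 301 ] || { echo "FAIL: status '$code', expected 301"; return 1; }
    case $loc in
        "https://$1" | "https://$1/"*) echo "OK: 301 -> $loc" ;;
        *) echo "FAIL: Location '$loc' is not on https://$1"; return 1 ;;
    esac
}

# $1 = minimum acceptable max-age in seconds; stdin = the HTTPS response.
check_hsts() {
    sts=$(header_value Strict-Transport-Security)
    age=$(printf '%s\n' "$sts" | tr 'A-Z' 'a-z' |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || { echo "FAIL: no usable Strict-Transport-Security header"; return 1; }
    [ "$age" -ge "$1" ] || { echo "FAIL: max-age=$age is below $1"; return 1; }
    echo "OK: HSTS max-age=$age"
}

# For the /.well-known/ exclusion: the plain-HTTP response must not be a 3xx.
check_validation_path() {
    code=$(tr -d '\r' | awk 'NR == 1 { print $2 }')
    case $code in
        "" | 3??) echo "FAIL: validation path answered '$code'"; return 1 ;;
        *) echo "OK: validation path not redirected ($code)" ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains'
```

The host comparison in check_redirect requires the hostname to end exactly where expected, so a Location on a lookalike such as yourdomain.com.example.net is reported as a failure rather than accepted by prefix match.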

Common pitfalls

  • Redirect loop. Cloudflare's SSL mode is set to Flexible while your origin redirects HTTP to HTTPS. Set Cloudflare to Full or Full (strict).
  • "Mixed content" warnings persist after the WordPress search-replace. Some plugins store URLs in serialized PHP data, which simple search-replace breaks. Use Better Search Replace with the "Run as dry run" option turned off — it handles serialized data correctly.
  • Email clients fail to connect. Make sure your mail clients use the SSL ports (993 IMAP, 465 SMTP) not the legacy plaintext ports.
  • External services break. If anything posts data to your site (webhooks, payment IPNs), update those services' configs to use the HTTPS URL. They may not auto-follow redirects.