Force HTTPS (SSL Redirect & Fix Insecure Content)


Redirects all HTTP requests to the HTTPS version and fixes all insecure static resources without altering the database (also works with CloudFlare).

Our related OSS projects:

The Long Version

The only Force SSL (HTTPS) plugin that correctly follows Google Chrome team’s advice to avoid protocol-relative hyperlinks and resources. Here are more of the current features:

  • redirects all HTTP requests to HTTPS (domain/protocol 301 redirects)
  • filters all internal resources to become secure (e.g. src=”https://…”)
  • filters all internal hyperlinks to be become secure (e.g. href=”https://…”)
  • filters all external resources to become secure (src, srcset, embeds, and objects)
  • skips any external hyperlinks
  • works with image srcsets too (Version 1.0.2+)
  • no need for additional plugins to fix insecure resources
  • avoids “protocol relative” URLs as recommended by top security experts
  • zero database queries or settings pages
  • huge SEO and security benefits

WARNING: You must have an SSL certificate installed on your server before activating this plugin. If you website becomes inaccessible after activation, login via SFTP and delete this plugin from /wp-content/plugins/ and clear your browser cache.


This plugin has been designed for use on LEMP (Nginx) web servers with PHP 7.0 and MySQL 5.7 to achieve best performance. All of our plugins are meant for single site WordPress installations only; for both performance and security reasons, we highly recommend against using WordPress Multisite for the vast majority of projects.

Plugin Features

  • Settings Page: No
  • Premium Version Available: Yes (SEO Genius)
  • Includes Media (Images, Icons, Etc): No
  • Includes CSS: No
  • Database Storage: Yes
    • Transients: No
    • Options: Yes
    • Creates New Tables: No
  • Database Queries: Backend Only (Options API)
  • Must-Use Support: Yes (Use With Autoloader)
  • Multisite Support: No
  • Uninstalls Data: Yes

Nag Notices

This plugin generates multiple Admin Notices in the WP Admin dashboard. The first is a notice that fires during plugin activation which recommends several related free plugins that we believe will enhance this plugin’s features; this notice will re-appear approximately once every 6 months as our code and recommendations evolve. The second is a notice that fires a few days after plugin activation which asks for a 5-star rating of this plugin on its profile page. This notice will re-appear approximately once every 9 months. These notices can be dismissed by clicking the (x) symbol in the upper right of the notice box. These notices may annoy or confuse certain users, but are appreciated by the majority of our userbase, who understand that these notices support our free contributions to the WordPress community while providing valuable (free) recommendations for optimizing their website.

If you feel that these notices are too annoying, than we encourage you to consider one or more of our upcoming premium plugins that combine several free plugin features into a single control panel, or even consider developing your own plugins for WordPress, if supporting free plugin authors is too frustrating for you. A final alternative would be to place the defined constant mentioned below inside of your wp-config.php file to manually hide this plugin’s nag notices:

define('DISABLE_NAG_NOTICES', true);

Note: This defined constant will only affect the notices mentioned above, and will not affect any other notices generated by this plugin or other plugins, such as one-time notices that communicate with admin-level users.


Free Plugins

Premium Plugins

Special Thanks


We released this plugin in response to our managed hosting clients asking for better access to their server, and our primary goal will remain supporting that purpose. Although we are 100% open to fielding requests from the WordPress community, we kindly ask that you keep the above-mentioned goals in mind… thanks!


  • Terms: ssl, https, hsts, enable, generate, force, setup, configure, enforce, 301, redirect, headers, secure, insecure, incoming, requests, browser, htaccess, apache, nginx, server, replace, filter, scan, auto, automatic, dynamic, dynamically, images, files, resources, css, js, files, static, always, encrypt, free, seo, remove, relative, internal, external, sources, sitewide, site-wide

  • Phrases: 301 redirect, strict transport security, force https, force ssl, enable ssl, enable tls, http to https, fix ssl, fix https, ssl certificate, ssl redirect, http redirect, https redirect, redirect http, redirect https, automatic redirect, auto redirect, fix mixed content, fix insecure content, secure resources, mixed content errors, mixed content warnings, insecure content warnings, mixed content fixer, ssl on all pages, https on all pages, ssl htaccess, https htaccess, media library https, redirect loop, infinite loop, infinite redirect loops, static files, static resources, flexible ssl, one click, single click, http headers, browser warnings, browser errors, htaccess rules, htaccess redirect, site url, home url, lets encrypt, free ssl, duplicate content, relative urls, relative protocol, protocol relative, remove protocol, sitewide ssl, site-wide ssl

  • Plugins: really simple ssl, easy https redirection, ssl insecure content fixer, one click ssl, cloudflare ssl, cloudflare flexible ssl, wp force ssl, wordpress force https, wp force https, wp ssl redirect, wp encrypt, wp ssl https enforcer, force ssl, https domain alias, remove http, http https remover, force ssl everywhere


  1. Upload to /wp-content/plugins/force-https-littlebizzy
  2. Activate via WP Admin > Plugins
  3. Test plugin is working by loading a non-HTTPS version of any page


Installation Instructions
  1. Upload to /wp-content/plugins/force-https-littlebizzy
  2. Activate via WP Admin > Plugins
  3. Test plugin is working by loading a non-HTTPS version of any page
Does this plugin install SSL for my site?

No. You will first need to order/setup SSL on your server (web host) before activating this plugin.

After installing this plugin, my site is inaccessible?

You probably do not have SSL installed yet on your server (web host) which is a prerequisite.

Are there any potential drawbacks/errors with this plugin?

The only potential error is a 404 error for external resources that do not already support HTTPS.

Does this plugin affect my website’s speed or performance?

No, it should not. It’s very lightweight and should be cached in PHP Opcache and DNS/browser (301s).

My developer installed this for me, is he taking shortcuts?

Mostly likely your developer wants you to be extra protected from insecure resources. This plugin can be (should be) installed as an additional layer of protection/stability even if you already redirect to HTTPS elsewhere (server, CloudFlare, etc). It does not hurt anything to force SSL in multiple places, and in fact provides better redundancy for your security. That said, installing this plugin is not a cure-all and your server (etc) should still be re-configured for SSL too when possible.

What HTTP header codes does this plugin send to browsers?

It generates 301 codes for any http version of any page and redirects to https version of that page.

Does this plugin work with CloudFlare SSL?

Yes, it can be used with CloudFlare’s “flexible” or “full” SSL to avoid “too many redirects” spinning errors.

How can I change this plugin’s settings?

Currenly no settings page exists, but we may add one in future versions.

I have a question or comment, how can I let you know?

Please avoid leaving negative reviews in order to get a feature implemented. Stalking or harassing our team members is also not okay; we will expose those who attempt to extort or threaten us. Instead, you may post on the public forums if you like and other members may be able to help you. Since this is a free plugin, we do not offer support for it; we are also no longer involved at the forums. We recommend joining our Facebook group instead:


guys Install this with closed eyes

First of all i want to say thank you to all the developers behind making this savior plugin. This is the only plugin that works perfectly after enabling SSL(doesn’t matter where you got the certificate from or if it is free hosting). I was having many problem including mixed content and it was annoying to find out and replace http to https. This plugin takes care of everything to enable SSL flawlessly

Fantastic Plugin

I love this plugin and really wish this functionality was enabled within WP natively. Thanks for working on something to help improve security across the web.

Read all 144 reviews

Contributors & Developers

“Force HTTPS (SSL Redirect & Fix Insecure Content)” is open source software. The following people have contributed to this plugin.




  • updated recommended plugins


  • updated plugin meta


  • updated plugin meta
  • updated recommended plugins


  • versioning correction (major changes in 1.0.6)
  • (no code changes)


  • changed filters to force HTTPS for external resources (but not external hyperlinks) including src, srcset, embed, and object
  • (if an external resource does not exist in HTTPS version, it may generate a 404 error)
  • (philosophy = “green padlock” more important than a resource 404 error)
  • added warning for Multisite installations
  • updated recommended plugins
  • updated plugin meta


  • better support for DISABLE_NAG_NOTICES


  • partial support for DISABLE_NAG_NOTICES
  • updated plugin meta


  • tested with WP 4.9
  • updated recommended plugins
  • updated plugin meta


  • filter to “skip” external hyperlinks
  • better HTTPS filters for internal links, internal sources, and image srcsets
  • optimized plugin code
  • added rating request notice
  • updated recommended plugins


  • added recommended plugins notice


  • initial release
  • tested with PHP 7.0