Force HTTPS (SSL Redirect & Fix Insecure Content)

Description

Redirects all HTTP requests to the HTTPS version and fixes insecure links and resources without altering the database (also works with CloudFlare).

Current Features

WARNING: You must have an SSL certificate installed on your server before activating this plugin. If you website becomes inaccessible after activation, simply login via SFTP and delete this plugin from /wp-content/plugins/ and clear your browser cache, then refresh the page.

  • the only Force SSL (HTTPS) plugin that correctly avoids protocol-relative hyperlinks and resources as recommended by the Google Chrome team and top internet security experts!
  • 301 redirects all HTTP requests to the HTTPS version
  • filters all internal resources to become secure (e.g. src=”https://…”)
  • filters all internal hyperlinks to be become secure (e.g. href=”https://…”)
  • filters all external resources to become secure (src, srcset, embeds, and objects)
  • skips any external hyperlinks
  • works with image srcsets too (Version 1.0.2+)
  • no need for additional plugins to fix insecure resources
  • avoids “protocol relative” URLs as recommended by top security experts 1, 2
  • zero database queries or settings pages
  • huge SEO and security benefits

Compatibility

This plugin has been designed for use on SlickStack web servers with PHP 7.2 and MySQL 5.7 to achieve best performance. All of our plugins are meant for single site WordPress installations only; for both performance and usability reasons, we highly recommend avoiding WordPress Multisite for the vast majority of projects.

Any of our WordPress plugins may also be loaded as “Must-Use” plugins by using our free Autoloader script in the mu-plugins directory.

Defined Constants

/* Plugin Meta */
define('DISABLE_NAG_NOTICES', true);

Technical Details

  • Prefix: FHTTPS
  • Parent Plugin: N/A
  • Disable Nag Notices: Yes
  • Settings Page: No
  • PHP Namespaces: No
  • Object-Oriented Code: No
  • Includes Media (images, icons, etc): No
  • Includes CSS: No
  • Database Storage: Yes
    • Transients: No
    • WP Options Table: Yes
    • Other Tables: No
    • Creates New Tables: No
    • Creates New WP Cron Jobs: No
  • Database Queries: Backend Only (Options API)
  • Must-Use Support: Yes
  • Multisite Support: No
  • Uninstalls Data: Yes

Special Thanks

Alex Georgiou, Automattic, Brad Touesnard, Daniel Auener, Delicious Brains, Greg Rickaby, Matt Mullenweg, Mika Epstein, Mike Garrett, Samuel Wood, Scott Reilly, Jan Dembowski, Jeff Starr, Jeff Chandler, Jeff Matson, Jeremy Wagner, John James Jacoby, Leland Fiegel, Luke Cavanagh, Mike Jolley, Pau Iglesias, Paul Irish, Rahul Bansal, Roots, rtCamp, Ryan Hellyer, WP Chat, WP Tavern

Disclaimer

We released this plugin in response to our managed hosting clients asking for better access to their server, and our primary goal will remain supporting that purpose. Although we are 100% open to fielding requests from the WordPress community, we kindly ask that you keep these conditions in mind, and refrain from slandering, threatening, or harassing our team members in order to get a feature added, or to otherwise get “free” support. The only place you should be contacting us is in our free Facebook group which has been setup for this purpose, or via GitHub if you are an experienced developer. Thank you!

Our Philosophy

“Decisions, not options.” — WordPress.org

“Everything should be made as simple as possible, but not simpler.” — Albert Einstein, et al

“Write programs that do one thing and do it well… write programs to work together.” — Doug McIlroy

“The innovation that this industry talks about so much is bullshit. Anybody can innovate… 99% of it is ‘Get the work done.’ The real work is in the details.” — Linus Torvalds

Installation

  1. Upload to /wp-content/plugins/force-https-littlebizzy
  2. Activate via WP Admin > Plugins
  3. Test plugin is working:

Load a non-HTTPS version of any page, and it should be automatically redirected to the HTTPS version. In addition, most if not all insecure links and resources should now be loaded over HTTPS, regardless of original code.

FAQ

Does this plugin install SSL for my site?

No. You will first need to order/setup SSL on your server (web host) before activating this plugin.

After installing this plugin, my site is inaccessible?

You probably do not have SSL installed yet on your server (web host) which is a prerequisite.

Are there any potential drawbacks/errors with this plugin?

The only potential error is a 404 error for external resources that do not already support HTTPS.

Does this plugin affect my website’s speed or performance?

No, it should not. It’s very lightweight and should be cached in PHP Opcache and DNS/browser (301s).

My developer installed this for me, is he taking shortcuts?

Mostly likely your developer wants you to be extra protected from insecure resources. This plugin can be (should be) installed as an additional layer of protection/stability even if you already redirect to HTTPS elsewhere (server, CloudFlare, etc). It does not hurt anything to force SSL in multiple places, and in fact provides better redundancy for your security. That said, installing this plugin is not a cure-all and your server (etc) should still be re-configured for SSL too when possible.

What HTTP header codes does this plugin send to browsers?

It generates 301 codes for any http version of any page and redirects to https version of that page.

Does this plugin work with CloudFlare SSL?

Yes, it can be used with CloudFlare’s “flexible” or “full” SSL to avoid “too many redirects” spinning errors.

How can I change this plugin’s settings?

Currenly no settings page exists, but we may add one in future versions.

I have a question or comment, how can I let you know?

Please avoid leaving negative reviews in order to get a feature implemented. Stalking or harassing our team members is also not okay; we will expose those who attempt to extort or threaten us. Instead, you may post on the public WordPress.org forums if you like and other members may be able to help you. Since this is a free plugin, we do not offer support for it; we are also no longer involved at the WordPress.org forums. We recommend joining our Facebook group instead:

https://www.facebook.com/groups/littlebizzy/

Reviews

Works Like a Charm

Instant Results! As soon as I installed and activated this plugin, Chrome stopped reporting my site as “insecure.”

Excellent/easy/robust.

Installed this and it just worked. Note that it took a day or so to fully make everything HTTPS and for the lock to appear. Don’t know why, but suggest waiting 24 hours to see if the lock appears. Propagation delays?

I used the CPanel/Let’s Encrypt to make the cert and it was easily installed.
Recommended.

Read all 168 reviews

Contributors & Developers

“Force HTTPS (SSL Redirect & Fix Insecure Content)” is open source software. The following people have contributed to this plugin.

Contributors

Changelog

1.2.0

  • tested with WP 5.0

1.1.4

  • updated plugin meta

1.1.3

  • updated recommended plugins

1.1.2

  • updated plugin meta

1.1.1

  • updated plugin meta
  • updated recommended plugins

1.1.0

  • versioning correction (major changes in 1.0.6)
  • (no code changes)

1.0.6

  • changed filters to force HTTPS for external resources (but not external hyperlinks) including src, srcset, embed, and object
  • (if an external resource does not exist in HTTPS version, it may generate a 404 error)
  • (philosophy = “green padlock” more important than a resource 404 error)
  • added warning for Multisite installations
  • updated recommended plugins
  • updated plugin meta

1.0.5

  • better support for DISABLE_NAG_NOTICES

1.0.4

  • partial support for DISABLE_NAG_NOTICES
  • updated plugin meta

1.0.3

  • tested with WP 4.9
  • updated recommended plugins
  • updated plugin meta

1.0.2

  • filter to “skip” external hyperlinks
  • better HTTPS filters for internal links, internal sources, and image srcsets
  • optimized plugin code
  • added rating request notice
  • updated recommended plugins

1.0.1

  • added recommended plugins notice

1.0.0

  • initial release