HTTPS enforcement for WordPress
Force HTTPS enforces secure HTTPS URLs throughout WordPress after HTTPS has been configured on the server.
The plugin redirects normal non-SSL web requests to the HTTPS version of the requested WordPress URL and enables SSL handling for the WordPress admin area. Redirects are skipped for WP-CLI, WP-Cron, AJAX requests, already-sent headers, and requests where REQUEST_URI is unavailable.
Force HTTPS also upgrades WordPress-generated URLs and rendered output across core URL helpers, permalinks, feeds, admin, login and logout URLs, media, uploads, image srcsets, resource hints, enqueued scripts and styles, theme URLs, content, widgets, comments, navigation, oEmbed and custom logo HTML, REST response data, and supported WooCommerce URL and content filters. This helps prevent old HTTP URLs and mixed-content warnings after moving a site to HTTPS.
For core home and siteurl values, the plugin supports both SlickStack and non-SlickStack servers. When WP_HOME or WP_SITEURL are defined in wp-config.php, early pre_option_home and pre_option_siteurl filtering is used only when those values already resolve to HTTPS or can be safely upgraded from HTTP. Otherwise, WordPress retrieves the normal database-backed values before option_home and option_siteurl filters upgrade them at runtime. No database records are changed. Core URL option filtering and HTTP redirects bypass WP-CLI and WP-Cron to avoid interfering with command-line tasks or internal scheduled jobs.
The plugin does not install an SSL certificate, modify web server configuration, or detect HTTPS by trusting proxy, CDN, or load balancer request headers such as X-Forwarded-Proto, X-Forwarded-SSL, or Cloudflare-specific headers. Those headers are only safe when a trusted server or proxy strips incoming values and overwrites them, which a WordPress plugin cannot verify. Sites behind Cloudflare, another CDN, a load balancer, or a reverse proxy should configure HTTPS detection at the server, hosting, CDN, or wp-config.php level.
Force HTTPS does not add HSTS headers. HSTS is best managed at the server or CDN level because it can affect the entire domain and its subdomains beyond WordPress.
- expanded rendered content HTTPS handling for
srcset,poster,data-src, anddata-srcsetattributes - improved rendered content attribute handling so multiple
http://URLs inside supported attribute values are upgraded
- added HTTPS filtering for direct
home_urlandsite_urloutput - added late HTTPS filtering for WordPress redirect destinations via
wp_redirect
- enabled WordPress admin SSL enforcement at runtime with
force_ssl_admin( true )without defining or redefining constants
- improved core
homeandsiteurlHTTPS handling for both SlickStack and non-SlickStack servers - added safe
WP_HOMEandWP_SITEURLsupport in earlypre_option_homeandpre_option_siteurlfilters without assuming those constants exist - tightened early core URL option validation so constants and existing pre-option values only short-circuit when they resolve to
https://URLs - added
option_homeandoption_siteurlfallback filters for database-backed installs without hardcoded constants - kept WP-CLI and WP-Cron bypasses for core URL option filtering
- added REST response object HTTPS filtering via
rest_post_dispatchwhile keeping final REST output filtering as a safety net
- hardened resource hint, image srcset, and upload directory HTTPS filtering with stricter URL checks
- added HTTPS filtering for author, archive, attachment, custom post type, feed, search, shortlink, and logout URLs
- fixed stale WordPress and WooCommerce filter registrations by using current hook names
- added HTTPS filtering for enqueued script and stylesheet asset URLs
- added HTTPS filtering for theme root, theme directory, and theme file URLs
- removed redundant WooCommerce REST prepare filters now covered by global REST response HTTPS filtering
- fixed oEmbed and custom logo HTTPS filtering by using the HTML output callback for HTML-returning hooks
- improved REST response HTTPS filtering for nested string values inside arrays
- registered WooCommerce filters on
plugins_loadedso HTTPS support is not missed due to plugin load order
- fixed nav menu link HTTPS filtering by using a dedicated callback for the attributes array passed by
nav_menu_link_attributes
- hardened HTTPS redirects by replacing
wp_redirectwithwp_safe_redirect - sanitized the request URI before building the HTTPS redirect URL
- updated
Tested up toheader for WordPress 7.0
- improved WP-CLI and WP-Cron compatibility by bypassing home/siteurl HTTPS filtering during command-line and scheduled tasks
- added
Tested up to,Update URI, andText Domainplugin headers - improved HTTPS redirects to skip WP-CLI, WP-Cron, and AJAX requests
- added early home/siteurl HTTPS filtering with
pre_option_homeandpre_option_siteurl - expanded HTTPS enforcement across WordPress URL, content, media, resource hint, and upload directory filters
- improved content parsing for HTML elements, including
<script>and<style>blocks - added WooCommerce URL/content filter support when WooCommerce is active
- cleaned up plugin structure, syntax, and compatibility
- added
Requires PHPplugin header
- improved
gu_override_dot_orgsnippet
- fixed
gu_override_dot_orgsnippet
- completely refactored code to WordPress standards
- no more defined constants or options (hardcoded to enforce HTTPS on all internal/external links and resources)
- much more extensive
add_filterrules and HTML enforcement of HTTPS - supports PHP 7.0 to 8.3
- supports Multisite
- fixed undefined variable error (new default $modified = false)
- improved composer.json
- updated metadata
- tested with WP 5.1
- updated metadata
- tweaked
composer.json
- PBP v1.2.0
- removed
FORCE_SSLconstant references - added support to force HTTPS on
sourceelements (previously unsupported) ... this fixes GitHub Issue #7 - late support for new FORCE_HTTPS defined constant
- define('FORCE_HTTPS', true);
- define('FORCE_HTTPS_EXTERNAL_LINKS', false);
- define('FORCE_HTTPS_EXTERNAL_RESOURCES', true);
- define('FORCE_HTTPS_INTERNAL_LINKS', true);
- define('FORCE_HTTPS_INTERNAL_RESOURCES', true);
- PBP v1.1.0
- tested with PHP 7.0, 7.1, 7.2
- tested with PHP 5.6 (no fatal errors only, tweaked code style and several corrections)
- better support for WP-CLI (fixes GitHub Issue #6/#2)
- simplified plugin class organization
- late support for FORCE_SSL constant aborting the plugin functionality in the last minute if false
- tested with WP 5.0
- updated metadata
- updated recommended plugins
- updated metadata
- updated metadata
- updated recommended plugins
- versioning correction (major changes in 1.0.6)
- (no code changes)
- changed filters to force HTTPS for external resources (but not hyperlinks) including
src,srcset,embed, andobject - (if an external resource does not exist in HTTPS version, it may generate a 404 error)
- (philosophy = "green padlock" more important than a resource 404 error)
- added warning for Multisite installations
- updated recommended plugins
- better support for
DISABLE_NAG_NOTICES
- partial support for
DISABLE_NAG_NOTICES - updated metadata
- tested with WP 4.9
- updated recommended plugins
- updated metadata
- filter to "skip" external hyperlinks
- better HTTPS filters for internal links, internal sources, and image
srcset - optimized plugin code
- added rating request notice
- updated recommended plugins
- added recommended plugins notice
- initial release