Sometimes after having enabled Cloudflare SSL encryption for your website, it can be that despite having enabled Automatic HTTPS Rewrites in your Cloudflare crypto settings, your http:// continues to be accessible and show up in your webstats or Google Webmaster Search Console.

This can easily be solved by forcing SSL with an .htaccess 301 mod_rewrite rule. After implementing this your website will only be served from https:// anymore and search engines will also gradually update the URLs shown in their search index.

How to Force HTTPS with mod_rewrite .htaccess Rule

Important: We recommend everybody to first backup their database – and also WordPress files – before proceeding.

With your FTP client, or in cPanel’s file manager, navigate to your domain’s home folder1 and find your .htaccess file and open it in a code editor. Depending on the FTP client used, and operating system, you may have to set your OS to display hidden files.

Be sure to make a backup of the original .htaccess file before proceeding. Some server configurations may cause issues and throw an Internal Server Error2 after this.

Paste the following code at the top of your .htaccess file file, above the WordPress rewrite rules, and save the file.

RewriteEngine On 
RewriteCond %{HTTP_HOST} ^your domain\.com [NC]
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R,L]

Make sure to replace yourdomain.com with your actual domain. Also make sure to have the same URL as configured for your site in WordPress under Settings -> General3.

Reload your site and check if everything works well. When visiting your site from a URL with http:// you should now be redirected to the encrypted https:// URL.


  1. This is usually the public_html folder. 
  2. Internal Server Error HTTP 500 error
  3. With or without www