How to force HTTPS in WordPress in Apache

This is a short tutorial on how to force users to HTTPS instead of HTTP when visiting a WordPress site. This tutorial assumes that you have some sort of SSL certificate installed on your site. I personally use Let’s Encrypt, but there are other ways of getting a verified certificate for encryption.

Step 1: Set the website’s URLs in the settings panel.

Update WordPress URLs

This step ensures that the URL pointers used by WordPress always use a secure URL.

Step 2: Add the following lines to the end of your existing .htaccess file. The RewriteRule and its flags must stay together on a single line.

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

These lines force Apache to redirect any regular connection to SSL. Once you do this, anyone coming to your site over an insecure connection is redirected to an SSL connection with a permanent (301) redirect.

Step 3: Secure your admin area

Simply add the following to the wp-config.php file in order to force users of your admin pages into SSL.

define('FORCE_SSL_ADMIN', true);

Congratulations!!

You have successfully forced all users of your website into SSL when they visit. If you are using this method to secure your website on an existing site, you may still encounter mixed-content errors in your browser. These come from the fact that URL pointers in your posts and pages start with http:// instead of https://.

You will have to use a plugin or scrub your database for these links and update them. There are some tutorials out there that explain how to do this. But this tutorial was aimed primarily at a new WordPress installation.
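
To see which links actually cause the mixed-content errors described above, you can scan post HTML before choosing a plugin or editing the database. The following Python script is an added example, not part of the original tutorial; the function names, the tag list and the sample HTML (with example.com as a placeholder host) are assumptions made for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs a browser fetches on its own while rendering a page.
# <a href> is absent on purpose: following a link is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("source", "src"), ("source", "srcset"),
    ("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data"),
    ("video", "src"), ("video", "poster"), ("audio", "src"),
}
# <link> loads a resource only for rel values like these; rel="canonical" does not.
LOADING_RELS = {"stylesheet", "icon", "preload"}

# Constructed sample post content; example.com is a placeholder host.
SAMPLE_POST = """
<p>See <a href="http://example.com/old-post/">an earlier post</a>.</p>
<img src="http://example.com/wp-content/uploads/a.jpg"
     srcset="http://example.com/a-300.jpg 300w, https://example.com/a-600.jpg 600w">
<link rel="canonical" href="http://example.com/post/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) tuples

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            if set(attrs.get("rel", "").lower().split()) & LOADING_RELS:
                self._check(tag, "href", attrs.get("href", "").strip())
            return
        for name, value in attrs.items():
            if (tag, name) in SUBRESOURCE_ATTRS:
                # srcset holds comma-separated "url descriptor" candidates
                for item in (value.split(",") if name == "srcset" else [value]):
                    self._check(tag, name, (item.split() or [""])[0])

    def _check(self, tag, attr, url):
        if url.lower().startswith("http://"):
            self.findings.append((tag, attr, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling find_mixed_content(SAMPLE_POST) reports the image src, the first srcset candidate and the stylesheet, while the plain link and the canonical link are left alone because browsers do not load them as part of the page.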