Make a WordPress site work on both HTTP & HTTPS

Since Google started including sites which server under HTTPS in their ranking, and CloudFlare came out with their Universal SSL service, I was thinking to add a native SSL support to my WP blog.

But it seems like WP dose not support working in HTTP&HTTPS at the same time. At first I created a new VirtualHost(Apache)/server(Nginx) config for my blog too work with SSL, but when I tried to access it with https the browser block the loading of the site and complain about mix content.

And so after some googling, I came out with this hack I wrote to have my WordPress blog to be accessible via HTTP & HTTPS.

Add HTTPS & HTTP links to the wp-config.php file

Add the following line to the `wp-config.php` file, it basically hard-coding the site name based on the connection type.

function isSecure() {
    (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || $_SERVER['SERVER_PORT'] == 443;

$web_site     = '';
$schema       = isSecure() ? 'https://' : 'http://';
$web_site_url = $schema . $web_site;

define('WP_HOME',    $web_site_url);
define('WP_SITEURL', $web_site_url);

 Force SSL (optional)

If you like you can force SSL for the Admin pages and for login.

define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );


While enabling SSL on my blog, I start having problems with WP plugin called W3 Total Cache, so for now i had to disable it until I have the time to check out what exactly is the problem.




You may also like...

24 Responses

  1. Leo says:

    it seems to work fine for me on wp 4.1.1.

    I noticed simply changing

    $web_site_url = '' 


    $web_site_url = $_SERVER['HTTP_HOST'];

    seems to make your snipped work without hard coding the site name. is there anything wrong with this approach?

    thank you.

    • Rabin says:

      Thank you, I’m aware of this option, and yes it dose make the code more generic. But the $_SERVER[‘HTTP_HOST’] variable is based on the request from the client, and so can be unexpected, this is why i hard coded the site name.

  2. Till says:

    Any news on the Cache plugin?

  3. Tamil says:

    it’s good thanks. and, to fixing the image src I will use plugin, allright?

    thanks for feedback.

  4. Stephen Oluwatomisin Gbolagade says:

    I am having trouble on my Blog here.
    Whenever users want to visit the blog with “http”, it won’t load (Error 403 message) but, when they use “https”, it will load without any problem.
    What should I do?

  5. rich andrews says:

    I made my move to https in 3 easy steps.

    1 – since i have a squid reverse proxy, I got cert for it and configure it to take https requests, translate to http and pass them to the webserver

    2 – I add a module to apache to add a header.
    Header add Content-Security-Policy “upgrade-insecure-requests;”
    by simply adding that header statement, all of my mixed content statements went away.

    The third step was to get a cert from for all of the sites I wanted to convert to https. That way one cert covers everything.

    • Rabin says:

      yes, using a reverse proxy will work as well. I have simile setup for another site, but using nginx as my ssl terminator and varnish as my reverse proxy.

      +-------------+         +----------------+
      |             |         |    server2     |
      |   server1   +---------+                |
      |   site:80   |         |    varnish:80  +-->
      |             |         |         ^      |
      +-------------+         |         |      |
                              |         +      |
                              |    nginx:443   +-->
  6. baptx says:

    I think we can directly use WordPress is_ssl() function instead of the custom isSecure() function.

  7. baptx says:

    I just noticed that WordPress support using HTTP and HTTPS at the same time without this trick. We just have to set the WordPress site URL with HTTP instead of HTTPS.
    Then we can add `define(‘FORCE_SSL_ADMIN’, true);` in wp-config.php if we want to force logging in using HTTPS (should be placed before `require_once(ABSPATH . ‘wp-settings.php’);`).

    • Rabin says:

      I’m not sure, truth to be told, I haven’t check if WP solved this problem in the past 3 years. the main problem is that WP will use ABSOLUTE paths for the site and its internal url’s and media files. So at that time I had to use this trick, now days, I mostly force/redirect http->https, and not bother with this hack.

  8. I solved the problem with W3 total cache and cloud flare with this extended condition.

    define('FORCE_SSL_ADMIN', true);
    if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false)
  9. volkan says:

    well, my all http traffic was redirected to https. actually i would like to use just https but after a while i recognized that some phones browsers having trouble to reach my site. (certificate error.) , so i had to use both http and https , i erased the redirect on virtual host and added this to wordpress config, working well , thank you.

    • Rabin says:

      you may want to try and use older crypto (e.g SSLv3/TLS1) to allow older browsers/devices/os to access your site over secure connection.

  10. Satish says:

    Hi Robin,
    Is there any way to force single page to http instead https. For header enrichment I need to force user Sign in page to http ever user is using https website.

  11. Hey Rabin,

    I was directing my traffic to https using a plugin. However, I decided to enable both http and https versions a few days ago. Therefore, I removed the redirects I had in place. All is working fine except sometimes, I see that pages look broken in pagespeed or on mobile. I was looking for a solution that helps me keep both versions working perfectly. Will this code work? I was ready to copy it when I thought, I must ask you.

    • Rabin says:

      I worked with this quick hack for some time, and didn’t have any problems.
      but you should reconsider, (as am I) and use only https and redirect all http traffic to https, as you can use free cert now from let’s encrept

  12. Abhijeet Pratap says:

    It’s actually a different factor that made me reconsider. I have got a valid ssl cert from comodo. take a look at this site – It is a reputed one but uses both versions. My reasons are similar.

  13. Abhijeet Pratap says:

    However, I found out. A plugin was causing the issue. Changing the settings fixed it.

  14. Hana says:

    hi Rabin, my website want use http and https and www. Can you help me.

    • Rabin says:

      Hi @Hana,

      HTTTP/HTTPS is communication protocol the `www` part is a sub domain.
      Personally I don’t recommend investing in this, as browsers now days will force you to use HTTPS if available.
      Just use HTTPS and you can issue Free Certificates using Let’s Encrypt to automate the process and never think about this ever again.

Leave a Reply

Your email address will not be published. Required fields are marked *