Make WordPress use HTTPS & WWW & block XMLRPC (.htaccess)

A while back I posted some “.htaccess” code to force HTTPS (SSL) and to add “www” in front of the domain name.

Working with this stuff is a mess, and people on forums tend to disagree about the best way to do it, so I can only assume it’s a common problem. The different kinds of servers and server configs out there complicate things further.

This is the “.htaccess” code that I currently use on WordPress sites:

# Force www (redirect example.com to www.example.com, keeping the scheme)
# Note: RewriteEngine On only appears in the WordPress block further down,
# but it applies to the whole .htaccess file, so these rules are active.
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Appending "s" to %{HTTPS} yields "ons" or "offs". The pattern captures the
# "s" only for "ons", so %1 is "s" on HTTPS and empty on plain HTTP.
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Force SSL (permanent redirect of any plain-HTTP request to HTTPS)
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# BEGIN WordPress
# WordPress regenerates this block when permalinks are saved; keep custom rules outside the markers.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Disallow all WordPress xmlrpc.php requests to this domain (returns 403 before PHP runs)
<Files xmlrpc.php>
# Apache 2.4 syntax
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2 syntax (also works on 2.4 if mod_access_compat is loaded)
<IfModule !mod_authz_core.c>
order deny,allow
deny from all
</IfModule>
</Files>

As you can see, the first block checks whether the host name starts with “www.” and, if not, redirects to the “www” version while keeping the current scheme. The second block does the same for HTTPS: any plain-HTTP request is redirected to the HTTPS version of the same URL. Note that a request to http://example.com/page therefore takes two hops (first to http://www.example.com/page, then to https://www.example.com/page).

Add HTTPS and WWW to WordPress

Last time I posted, I had a “302” redirect on the SSL stuff, which was a mistake, because “302” is the code for a temporary redirect.

A few years back Google decided to pretty much push everyone over to HTTPS (it’s a ranking factor). That really is a good idea, but it was a pain in the *ss at the time to make the switch if you had plenty of sites.

Anyway, hopefully you’ve got SSL certificates for your domains by now, and therefore we’re telling mighty Google that we’ve permanently moved over to HTTPS. So we should change that temporary “302” redirect to a permanent “301”. Keep in mind that browsers cache a 301, so test the rules carefully before deploying them: a wrong permanent redirect is hard to undo for visitors who have already seen it.
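As an added example (not the code from the original post), here is a variant of the redirect rules that sends a plain-HTTP, non-www request to https://www.example.com in a single 301 instead of two, puts RewriteEngine On before the first rule, and copes with a setup where TLS is terminated at a proxy or CDN (where Apache itself sees %{HTTPS} as “off” and the rules above would loop). The X-Forwarded-Proto handling assumes a trusted proxy that overwrites any client-supplied value of that header; the HSTS line is optional and commented out.

```apache
# Added example, not the original post's .htaccess: one-hop redirect to https://www.
<IfModule mod_rewrite.c>
RewriteEngine On

# Rule 1: request is plain HTTP, as seen by Apache (HTTPS off) AND not marked
# as HTTPS by an upstream proxy/CDN. Assumption: the proxy is trusted and
# replaces any X-Forwarded-Proto header a client sends; otherwise a client
# could claim "https" and skip the redirect.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
# Capture the host without a leading "www." so it is added exactly once.
# %2 refers to the second group of this (last matched) condition.
RewriteCond %{HTTP_HOST} ^(www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%2%{REQUEST_URI} [R=301,L]

# Rule 2: already HTTPS but missing "www": one 301 to the www host.
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# Optional, only after the redirect has been verified: tell browsers to stay on
# HTTPS for a year (needs mod_headers). Uncomment to enable.
#<IfModule mod_headers.c>
#Header always set Strict-Transport-Security "max-age=31536000"
#</IfModule>
```

To check the result without a browser (which would cache the 301), run something like `curl -sIL http://example.com/some/page` against your own domain and confirm that exactly one response carries a Location header, pointing at https://www.example.com/some/page, followed by a 200 from the final URL. Repeat for https://example.com/ and for http://www.example.com/ to make sure each takes a single hop.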

After that comes the regular WordPress “.htaccess” content, the block between “# BEGIN WordPress” and “# END WordPress”. WordPress rewrites that block itself whenever you save the permalink settings, so keep your own rules outside the markers.

And last but not least, I decided to block all traffic to xmlrpc.php, because it’s used by spammers and attackers to brute-force passwords. The XML-RPC interface accepts username/password logins, and its system.multicall method lets a single request try many credentials at once, which makes it a favourite brute-force target. Blocking it in “.htaccess” returns a 403 before PHP even runs, which is cheaper than handling the same traffic in a plugin.

However, if you use a standalone application to post to your WordPress blogs (Windows Live Writer, for example), or a plugin or app that talks to the site through XML-RPC, you will need to remove that last part of the “.htaccess” code, or better, allow only your own IP address.
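The “let your IP in only” variant, as an added example rather than the original post’s code. It allows xmlrpc.php from listed addresses and denies everyone else, with the Apache 2.4 “Require” syntax and a 2.2 fallback. The address 203.0.113.10 is a placeholder from the RFC 5737 documentation range; replace it with the IP or CIDR range you post from.

```apache
# Added example, not the original post's .htaccess: xmlrpc.php allow-list.
<Files xmlrpc.php>
  # Apache 2.4: mod_authz_core. Several addresses or ranges may be listed,
  # e.g. "Require ip 203.0.113.10 198.51.100.0/24". 203.0.113.10 is a placeholder.
  <IfModule mod_authz_core.c>
    Require ip 203.0.113.10
  </IfModule>
  # Apache 2.2 (or 2.4 with mod_access_compat loaded): same policy in the old syntax.
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
  </IfModule>
</Files>
```

Two things to check before relying on this. First, if the site sits behind a CDN or reverse proxy, Apache sees the proxy’s address as the client IP, so the allow-list will match the wrong address unless mod_remoteip (or the equivalent) is configured to restore the real client IP. Second, verify it from both sides: `curl -s -o /dev/null -w '%{http_code}\n' https://www.example.com/xmlrpc.php` should return 403 from an address that is not listed, and anything other than 403 (WordPress answers a plain GET with 405, “XML-RPC server accepts POST requests only”) from your own.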

There are also plugins that can help keep the bad guys out (rate-limiting logins, blocking XML-RPC) if you prefer that approach.

That’s it for now. I’m not 100% sure this is the best way to do it. Please leave a comment if you can improve anything in the “.htaccess” code.