Redirect rules SSL certificate

Avoid landing page redirects, redirecting www to non www or vice versa

Google encourages to “avoid landing page redirects”. But in case of SSL, this recommendation may conflict with SSL best practices. At the same time, 1 or 2 redirects, as long as they are 301 permanent, are not harmfull at all. Let me explain.

Why is there a double redirect in my site?

WordPress internally redirects your site to the primary domain, which is entered in settings/general. For example, when your site url is http://www.domain.com, and you type in http://domain.com, WordPress redirects to the www domain.

Really Simple SSL adds another redirect: from http to https. To follow best practices, the redirect is by default to the https variant of the request url. So if you type in http://domain.com, Really Simple SSL will redirect to https://domain.com. WordPress will then redirect to the www domain. Google will give a notice about this to “avoid landing page redirects”. Consequently, some think that this is bad for SEO and site speed, I don’t agree: two redirects on your site will not cause any SEO issues, and as for sitespeed: such redirects are only active when users request an “old” url, and furthermore, are very fast when implemented in the .htaccess.

Don’t avoid landing page redirects when using HSTS

HSTS is an important reason not to bypass redirects: the HSTS preload list requires your site to redirect to https first, then to www or non www. If you want to preload your site on the preload list, don’t try to avoid this one extra landing page redirect.

Why is this important? HSTS headers should only be sent when the connection is https. As a result, if you would redirect http://domain.com directly to https://www.domain.com in one redirect, the non-www domain does not set the HSTS header. This would enable a man in the middle to show a malicious non https site to an unsuspecting visitor. HSTS is not set on the non-www domain, so the browser can show the fake website where the hacker can request personal data from the user, who is thinking he is on your website.

Please note that these redirects are only activated when the url is requested over the non-primary domain. As all redirects are done with 301 redirects, search results will only show the primary domain, and your users will never experience a redirect. Only old links on the web can cause a redirect.

Another issue with redirects: no SSL on www, or on non-www

You might also have SSL only for the www domain, or only for the non-www domain. If that is the case, you’ll find that your non SSL domain won’t function anymore if you move to ssl. To counter this, you could redirect all  requests coming in on the non www domain to the www domain.

How to bypass these redirects

You can also edit the .htaccess manually, by adding these lines:

#redirect non-www to www
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

These rules in human language:

When rewrite condition “all domains that not start with www” is met
Redirect to the www domain.

If you want www redirecting to non www, add this to your .htaccess:

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]

RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

The end result in your .htaccess should look something like this, where the new redirect is added separately above the redirect inserted by Really Simple SSL:

#redirect all www requests to non-www.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
</IfModule>

#redirect all non https requests to SSL
# BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
<IfModule mod_rewrite.c> RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL

Related Articles

  • My website does a double redirect to https, or not 301 redirect

    Some users ask for a fix for a double redirect. But Really Simple SSL does not do a double redirect! The plugin uses two ways to redirect: in the .htaccess...
  • Redirect rules in Nginx

    Use the following to redirect to https on nginx. server { listen 80; server_name my-domain.com; return 301 https://$server_name$request_uri; }
  • err_SSL_VERSION_OR_CIPHER_MISMATCH

    err_SSL_VERSION_OR_CIPHER_MISMATCH This error means that the server and client (browser) are unable to establish a secure connection between them. To establish a secure connection between the server and client they...
  • Redirect to https not working

    After you enable Really Simple SSL, by default a PHP redirect is activated, which is called wp 301 redirect in the plugin. If you notice your site can still be...

20 Comments

  • Jorge Martinez

    Hi Rogier,

    Is there a specific place in the .htaccess where we should put this code to make it work correctly? I want to make sure that is anyone types http://www.certificacione.com or http://www.certificacione.com it gets redirected automatically to https://certificacione.com as my SSL doesn’t work with the www (gives a security warning in the browser). I try inserting your code as follows but I dont see the redirection from www to non www happening. Let me know if I place it in the wrong place or with the wrong format.

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.3.14]

    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

  • Rogier Lankhorst

    Could you try the following:
    Add it to the top, and add “rewrite engine on” before, see example below. Let me know if that helps!

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.3.14]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # END rlrssslReallySimpleSSL
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

  • Anton

    Hello!
    Sorry to disturbe you, but I have problems with redirect from www to non www.

    http://mysite.com > https://… works great
    But http://www.mysite.com and https://www.mysite.com do not works to redirect to https://mysite.com

    Sorry for my bad english. Code from my htaccess is here:

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.4.3]

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

  • Rogier Lankhorst

    You can add the code from this article to the top of your .htaccess to redirect from www to non-www.

  • Anton

    I’ve some as you showed in article but that doesn’t work

  • Rogier Lankhorst

    An alternative you could try is this:

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
    RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

  • giorgos stavropoulos

    hallo i have a problem!
    i have managed to put
    #redirect all www requests to non-www.

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    and everything is ok with https look but when i add the rest code i camnnot enter the site! can you help?

    #redirect all non https requests to SSL
    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    i place it right after the first code

    thanks for your time

    • Mark Wolters

      Hi Giorgos,

      it would be easier to enable the ‘htaccess redirect’ option in the Really Simple SSL options because that will choose the best solution for you automatically and you don’t have to worry about editing the file yourself :). If that didn’t work and you need to edit the .htaccess and now your site is not working anymore, could you explain what error message you are getting exactly?

      Mark

  • Rogier Lankhorst

    You can follow the steps in this article, or you can use Really Simple SSL pro, which handles this as well if you enable .htaccess redirect.

  • Dan

    Hello,
    I’m using your example on my blog. It FIXED the landing page error, but it screwes some photos that are not displayed.

    Please let me know where is the error if you can spot it.

    # DO NOT REMOVE THE FOLLOWING LINE
    AddType application/x-httpd-php55 php

    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://www.%{SERVER_NAME}/$1 [L,R=301]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ – [F,NC]

    RewriteRule ^index\.php$ – [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    ExpiresActive On
    ExpiresByType text/html “access plus 1 month 1 days”
    ExpiresByType image/gif “access plus 1 month 1 days”
    ExpiresByType image/jpeg “access plus 1 month 1 days”
    ExpiresByType image/png “access plus 1 month 1 days”
    ExpiresByType text/css “access plus 1 month 1 days”
    ExpiresByType text/javascript “access plus 1 month 1 week”
    ExpiresByType application/x-javascript “access plus 1 month 1 days”
    ExpiresByType text/xml “access plus 1 seconds”
    ExpiresDefault “access plus 2 days”

    # END WordPress

    • Mark Wolters

      Hi Dan,

      on what domain do you experience these issues? I’ve taken a look at computerblog.ro but don’t see anything wrong at first sight. If you can give me an example of a page or other domain where you experience these issues we can take a look.

      Mark

      • Dan

        I took out the line with /jpg/ and its all fine. Don’t know if its good or bad.

        Thanks

  • rats on

    Hello,
    I am using this
    #redirect all www requests to non-www.

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    #redirect all non https requests to SSL
    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL

    But the following code doesn’t work for my domain https://banglatribunes.com

    • Mark Wolters

      Hi,

      can you try to place the following code, including at the top of your .htaccess file?

      RewriteEngine On
      RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
      RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

      #redirect all non https requests to SSL
      # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
      RewriteEngine on
      RewriteCond %{HTTPS} !=on [NC]
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

      # END rlrssslReallySimpleSSL

Leave a Comment