Redirect rules SSL certificate

Avoid landing page redirects, redirecting www to non www or vice versa

Google encourages you to “avoid landing page redirects”. With SSL, however, this recommendation can conflict with SSL best practices. At the same time, 1 or 2 redirects, as long as they are 301 permanent, are not harmful at all. Let me explain.

Why is there a double redirect in my site?

WordPress internally redirects your site to the primary domain, which is entered in settings/general. For example, when your site url is http://www.domain.com, and you type in http://domain.com, WordPress redirects to the www domain.

Really Simple SSL adds another redirect: from http to https. To follow best practices, the redirect by default goes to the https variant of the requested url. So if you type in http://domain.com, Really Simple SSL will redirect to https://domain.com. WordPress will then redirect to the www domain. Google will flag this with a notice to “avoid landing page redirects”. Consequently, some think that this is bad for SEO and site speed. I don’t agree: two redirects on your site will not cause any SEO issues. As for site speed: such redirects are only triggered when users request an “old” url, and they are very fast when implemented in the .htaccess.

Don’t avoid landing page redirects when using HSTS

HSTS is an important reason not to bypass redirects: the HSTS preload list requires your site to redirect to https first, then to www or non www. If you want to preload your site on the preload list, don’t try to avoid this one extra landing page redirect.

Why is this important? HSTS headers should only be sent when the connection is https. As a result, if you redirect http://domain.com directly to https://www.domain.com in one redirect, the non-www domain never sets the HSTS header. This would enable a man in the middle to show a malicious non-https site to an unsuspecting visitor: because HSTS is not set on the non-www domain, the browser can show the fake website, where the attacker can request personal data from the user, who thinks they are on your website.

Please note that these redirects are only activated when the url is requested over the non-primary domain. As all redirects are done with 301 redirects, search results will only show the primary domain, and your users will never experience a redirect. Only old links on the web can cause a redirect.
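The ordering argument above can be checked against a recorded redirect chain. The Python below is an added example, not code from Really Simple SSL: it reports any host the browser visits without ever receiving an HSTS policy over https. The chains are constructed samples using this article's domain.com, the function names are hypothetical, and it goes one step beyond the text by honouring includeSubDomains.

```python
from urllib.parse import urlsplit

# Constructed sample chains of (url, status, response headers); not captured traffic.
HSTS = "max-age=31536000"
TWO_STEP = [
    ("http://domain.com/", 301, {"Location": "https://domain.com/"}),
    ("https://domain.com/", 301, {"Location": "https://www.domain.com/",
                                  "Strict-Transport-Security": HSTS}),
    ("https://www.domain.com/", 200, {"Strict-Transport-Security": HSTS}),
]
ONE_STEP = [  # the "bypass": http://domain.com straight to https://www.domain.com
    ("http://domain.com/", 301, {"Location": "https://www.domain.com/"}),
    ("https://www.domain.com/", 200,
     {"Strict-Transport-Security": HSTS + "; includeSubDomains"}),
]


def parse_hsts(value):
    """Return (max_age, include_subdomains) for a Strict-Transport-Security value."""
    max_age, include_sub = 0, False
    for part in value.split(";"):
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_chain(hops):
    """Return findings for a redirect chain; an empty list means every host
    the browser touched ended up covered by an HSTS policy."""
    findings = []
    policies = {}  # host -> includeSubDomains flag, recorded from https responses only
    for url, _status, headers in hops:
        target = urlsplit(url)
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        # Browsers ignore HSTS received over plain http, so only https counts.
        if target.scheme == "https" and value:
            max_age, include_sub = parse_hsts(value)
            if max_age > 0:
                policies[target.hostname] = include_sub

    first = urlsplit(hops[0][0])
    if first.scheme == "http" and len(hops) > 1:
        nxt = urlsplit(hops[1][0])
        if nxt.scheme != "https" or nxt.hostname != first.hostname:
            findings.append(f"{first.hostname}: http is not upgraded to https on the same host first")

    # A parent's policy covers a subdomain only if it carries includeSubDomains.
    for host in dict.fromkeys(urlsplit(url).hostname for url, _, _ in hops):
        covered = host in policies or any(
            sub and host.endswith("." + parent) for parent, sub in policies.items())
        if not covered:
            findings.append(f"{host}: no HSTS policy set over https")
    return findings


if __name__ == "__main__":
    for name, chain in (("two-step", TWO_STEP), ("one-step", ONE_STEP)):
        print(name, audit_chain(chain) or "ok")
```

Note that includeSubDomains on www.domain.com does not reach up to domain.com, which is why the one-step chain still leaves the non-www host uncovered.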

Another issue with redirects: no SSL on www, or on non-www

You might also have SSL only for the www domain, or only for the non-www domain. If that is the case, you’ll find that your non-SSL domain won’t function anymore once you move to SSL. To counter this, you could redirect all requests coming in on the non-www domain to the www domain.

How to bypass these redirects

You can also edit the .htaccess manually (edit the .htaccess file that’s in your web root, where the wp-config.php is) by adding these lines. Please note: add these lines outside the WordPress and Really Simple SSL comments.

#redirect non-www to www
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

These rules in human language:

When the rewrite condition “the host does not start with www” is met,
redirect to the www domain.

If you want www redirecting to non www, add this to your .htaccess:

RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

The end result in your .htaccess should look something like this, where the new redirect is added separately above the redirect inserted by Really Simple SSL:

#redirect all www requests to non-www.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
</IfModule>

#redirect all non https requests to SSL
# BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL

47 Comments

  • Jorge Martinez

    Hi Rogier,

    Is there a specific place in the .htaccess where we should put this code to make it work correctly? I want to make sure that if anyone types http://www.certificacione.com or http://www.certificacione.com it gets redirected automatically to https://certificacione.com as my SSL doesn’t work with the www (gives a security warning in the browser). I tried inserting your code as follows but I don’t see the redirection from www to non www happening. Let me know if I placed it in the wrong place or with the wrong format.

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.3.14]

    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

  • Rogier Lankhorst

    Could you try the following:
    Add it to the top, and add “rewrite engine on” before, see example below. Let me know if that helps!

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.3.14]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # END rlrssslReallySimpleSSL
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

    • JackW

      Hi Rogier,

      Thank you for this info. I too, have an issue with this code. HTTP has moved to HTTPS on a site I manage. 301 to 200. I’m receiving “remove redirect chain” in pingdom. The code
      #redirect non-www to www
      RewriteCond %{HTTP_HOST} !^www\.
      RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

      is the only one that seems to work without crashing the site, but it doesn’t solve the redirect. Sort of confused how to solve the rest of it. Help would be much appreciated!

      • Mark Wolters

        Hi,

        on what domain are you experiencing issues? Having a redirect chain from example http:// -> https:// -> https://www isn’t an issue. Can you check if the site address in WordPress also includes www?

        Mark

          • Mark Wolters

            Does visiting the site on the front-end also result in a redirect loop?

            The redirect you have provided seems to be fine, it only does one redirect from http:// to https://www. Having at least one redirect is normal when your site is on https://. When a user types in http://yourdomain.com they will be redirected to https://www.yourdomain.com in your case. The only way to visit the site without redirects is visiting the https://www.yourdomain.com domain directly.

  • Anton

    Hello!
    Sorry to disturb you, but I have problems with the redirect from www to non www.

    http://mysite.com > https://… works great
    But http://www.mysite.com and https://www.mysite.com do not redirect to https://mysite.com

    Sorry for my bad english. Code from my htaccess is here:

    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.4.3]

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

  • Rogier Lankhorst

    You can add the code from this article to the top of your .htaccess to redirect from www to non-www.

  • Anton

    I’ve some as you showed in article but that doesn’t work

  • Rogier Lankhorst

    An alternative you could try is this:

    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
    RewriteRule ^(.*)$ https://example.com/$1 [L,R=301]

  • giorgos stavropoulos

    hallo i have a problem!
    i have managed to put
    #redirect all www requests to non-www.

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    and everything is ok with the https look, but when I add the rest of the code I cannot enter the site! Can you help?

    #redirect all non https requests to SSL
    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    i place it right after the first code

    thanks for your time

    • Mark Wolters

      Hi Giorgos,

      it would be easier to enable the ‘htaccess redirect’ option in the Really Simple SSL options because that will choose the best solution for you automatically and you don’t have to worry about editing the file yourself :). If that didn’t work and you need to edit the .htaccess and now your site is not working anymore, could you explain what error message you are getting exactly?

      Mark

  • Rogier Lankhorst

    You can follow the steps in this article, or you can use Really Simple SSL pro, which handles this as well if you enable .htaccess redirect.

  • Dan

    Hello,
    I’m using your example on my blog. It FIXED the landing page error, but it screws up some photos, which are not displayed.

    Please let me know where is the error if you can spot it.

    # DO NOT REMOVE THE FOLLOWING LINE
    AddType application/x-httpd-php55 php

    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://www.%{SERVER_NAME}/$1 [L,R=301]
    RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    ExpiresActive On
    ExpiresByType text/html "access plus 1 month 1 days"
    ExpiresByType image/gif "access plus 1 month 1 days"
    ExpiresByType image/jpeg "access plus 1 month 1 days"
    ExpiresByType image/png "access plus 1 month 1 days"
    ExpiresByType text/css "access plus 1 month 1 days"
    ExpiresByType text/javascript "access plus 1 month 1 week"
    ExpiresByType application/x-javascript "access plus 1 month 1 days"
    ExpiresByType text/xml "access plus 1 seconds"
    ExpiresDefault "access plus 2 days"

    # END WordPress

    • Mark Wolters

      Hi Dan,

      on what domain do you experience these issues? I’ve taken a look at computerblog.ro but don’t see anything wrong at first sight. If you can give me an example of a page or other domain where you experience these issues we can take a look.

      Mark

      • Dan

        I took out the line with /jpg/ and it’s all fine. Don’t know if it’s good or bad.

        Thanks

  • rats on

    Hello,
    I am using this
    #redirect all www requests to non-www.

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    #redirect all non https requests to SSL
    # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # END rlrssslReallySimpleSSL

    But the following code doesn’t work for my domain https://banglatribunes.com

    • Mark Wolters

      Hi,

      can you try to place the following code, including at the top of your .htaccess file?

      RewriteEngine On
      RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
      RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

      #redirect all non https requests to SSL
      # BEGIN rlrssslReallySimpleSSL rsssl_version[2.5.11]
      RewriteEngine on
      RewriteCond %{HTTPS} !=on [NC]
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

      # END rlrssslReallySimpleSSL

      • The Noob Who Trys

        Thanks so much,

        So if someone wants to redirect from non-www to www, would the following code be correct?

        #redirect all non-www requests to www.

        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^non-www\.(.*)$ [NC]
        RewriteRule ^(.*)$ https://www%1/$1 [R=301,L]

        • Mark Wolters

          There is one line not entirely correct (the ^non-www/ one). The correct code to redirect from non-www to www is:

          RewriteEngine On
          RewriteCond %{HTTP_HOST} !^www\.
          RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

  • notacoder

    Hi
    Thanks for this article. I must be missing something as I cannot get pingdom to stop telling me:
    Remove the following redirect chain if possible:

    http://mydomain.com/
    https://mydomaincom/
    https://www.mydomain.com/

    No matter what code I use from this page – and I’ve literally spent over an hour reposting my htaccess file with variations from this site – nothing stops the pingdom advice? I did the same yesterday from stackexchange. Surely it shouldn’t be this difficult, so why is there so much conflicting advice?

    I have a simple WordPress site with ssl. Why is this so difficult as nothing appears to make the slightest difference?

    Thanks for any insights,

    Beyond frustrated…

    • Rogier Lankhorst

      The point of this article is that Pingdom is wrong about these redirects where it concerns SSL: you should leave these redirects as they are. Pingdom treats SSL redirects just as any other redirect, which is not the correct approach. Nevertheless, the .htaccess snippets posted here are tested and working examples of how you could do this if you don’t want to use best practices on your site.

      • notacoder

        Thank you Rogier,

        Is it not the case that if someone types in mydomain.com that it is having to be redirected to https://mydomain and then again onto https://www.mydomain, isn’t that causing a second or two delay in showing my page?

        What resource would you recommend to see why a site is slow? The webhost says “the network connection time measure was within the reasonable 300 ms. The time to first byte depends on the CMS.”

        I can visit my website here in Herts. UK and my webhost is 20 miles up the road in Berks. and it can still take 5+ seconds for the site to fully load and that’s with cloudflare, the webhost optimising the WPSupercache plugin settings and any plugins not used deactivated, plus the database has been optimised.

        Periodically my site can take 10 seconds to update a save when I am editing a page or post. It’s been going on a long time but no-one (cloudflare, my host or web developers) can explain why – it’s not a big site either with heavy graphics, just a blog.

        Any ideas gratefully appreciated as it’s getting to the point now where I am thinking of pulling the site? (I have most of my first page organic google rankings – due to going onto the “wonderful cloud” and having a clash with my host’s rotating cloud IPs and Cloudflare blacklisting some of the IPs and this causing a site defacement of my css, hence google demoting me).

        Cheers
        Ian

        • Rogier Lankhorst

          Hi Ian,

          Two redirects might cause a slight delay, but this certainly is not the cause of your response issue: a redirection only applies to users who request your site over http://. As Really Simple SSL adds a 301 redirect and Google will list sites only with https after the switch, this only applies to direct visits to the http:// URL on the first visit.

          As you yourself have this issue, this cannot be caused by the redirect. Usually, if a site is slow, this is caused by third party scripts delaying the loading of the site. I would recommend to use WP Rocket or Fastest Cache for caching, which in my opinion are the best caching plugins. If this doesn’t help, I would try deactivating plugins and switching to a default WP theme to test if this helps.

          As testing tool I would recommend tools.pingdom.com

  • rgreve

    I’ve done it the way described here (and in the comments):

    At the top of the htaccess I put:
    #redirect non-www to www
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
    #end redirect non-www to www

    but still when I go to http://ptera.nl it gives a false.

    What is my solution?

    • Rogier Lankhorst

      I have just tested your redirect, it is redirecting in one step from http:// to https://www, which, although not recommended, seems to be what you intend.

  • Harvis Miguel González Bona

    Hi, I have a simple question, and excuse me if I’m a big noob: my hosting company added the script by itself to htaccess and it’s working perfectly for http://www.alahas.com.do. Do I have to leave unchecked the options WordPress redirect 301, htaccess and javascript in the Really Simple plugin settings?
    This is the script that my hosting company inserted:

    # BEGIN WordPress

    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    I mean, it’s not necessary to have these options checked? Obviously the plugin will tell me that I have a warning: “Enable a .htaccess redirect or WordPress redirect in the settings to create a 301 redirect”. But without it, it is working excellently. Can I dismiss that warning?

    • Rogier Lankhorst

      I would recommend to move the redirect script outside the WordPress comments, otherwise you risk it being overwritten when WordPress rewrites the redirect.

      It is not necessary to enable the .htaccess redirect now. This will insert the same redirect. You can leave the wp redirect enabled.

      • Harvis Miguel González Bona

        Rogier thank you so much i have 2 more questions.
        1-U told me just enable the wp redirect? But it wont have 2 same actions for the same thing? The script is not already doing the redirect, then why enable the wp redirect also?

        2- Before installing wp rocket I was having the redirect chain perfectly. But today I saw a comment that it is not good to have, for example,
        Alahas.com.do redirects directly to
        https://www.alahas.com.do

        Its ok in the way it is?

          • Rogier Lankhorst

            I would recommend to leave the redirect chain as it is, in two steps. There are no SEO benefits from removing this one redirect.

      • Harvis Miguel González Bona

        Rogier whats the correct way to split this
        # BEGIN WordPress

        RewriteEngine On
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]

        # END WordPress

          • Mark Wolters

            Hi,

            yes, you will be okay by leaving the redirect chain as it is.

            Mark

          • Harvis Miguel González Bona

            Thank you so much Rogier and Mark. God bless you for all the help given to me.

            Rogier told me to split the script in my htaccess, the one for WordPress and for my redirect. Do you know how to split it?

  • Laura

    Hi guys, I would really appreciate some advice from you. I was diving in the internet searching about why it’s so slow when redirecting from non www to www, and I found someone who edited his Really Simple redirect htaccess and voilà, then when typing the url without anything, just example.com, it was loading as fast as https://www.example.com.
    Please, are there any future problems, or is it not recommended to use the script which the guy edited? Because it loads really fast and I would like to use it, but I need your advice: will it mess something up, or even SEO?

    Here is the really simple redirect as default
    # BEGIN rlrssslReallySimpleSSL rsssl_version[3.0.5]

    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    # END rlrssslReallySimpleSSL

    and here is how the guy edited the script
    # BEGIN rlrssslReallySimpleSSL rsssl_version[3.0.5]

    RewriteEngine on
    RewriteCond %{HTTPS} !=on [NC]
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    RewriteRule ^(.*)$ https://www.alahas.com/$1 [R=301,L]

    # END rlrssslReallySimpleSSL

    • Rogier Lankhorst

      Hi Laura,
      It is not recommended to use a bypass for this redirect. This has to do with security considerations: if you bypass the non www domain, security headers won’t get set on the non www domain.

      If you use a 301 redirect, the redirect will only execute once for each user, and only for users which type in your domain directly in the browser. So only a small percentage of your requests will use this redirect.

      • Laura

        Thank you so much, I agree with you, the only persons that will use it are the ones that write it manually as example.com. And there’s nothing to do to make the redirect load a bit faster? In case no, I really thank you for your advice!!!
        Thank you so much for fast response algo <3