How to force HTTPS using Plesk


1. Install and activate an SSL certificate

We enable HTTPS by default, and you may have even already had a Let’s Encrypt certificate installed for you. It’s best to check this before proceeding. The simplest and cheapest (free!) option for this is using Let’s Encrypt. You may alternatively purchase and install a commercial certificate.

2. Update your web app

If you’re using a web application like WordPress or Magento, make sure you change any option within its settings to enable HTTPS first. Here’s how to do that:

  1. Within Plesk, click 1-click web apps (or Installatron)
  2. Click the wrench icon beside the web app installed to the domain you changed. You might then see a warning about exactly this issue — that Installatron can’t find your web app
  3. Choose the Files & Tables tab
  4. Look for the editable field that has your domain name in it and change it to the new domain.
  5. Press the button at the bottom of the page to save your changes.

If you don’t see your app in 1-click web apps (Installatron), here’s how to import it. When imported successfully, proceed through the steps above.

Pick an option below: option 1 is preferred.

3. How to force HTTPS

Be sure to only pick ONE of the options below, otherwise you will end up with a redirect loop that results in Internal Server Errors. Option 1 is strongly recommended.

Option 1: Use Plesk Onyx to force HTTPS

Plesk Onyx now comes with an option to force enable HTTPS simply by checking a box. All of our shared servers are now using Onyx, so you can make use of this functionality! Simply:

  • Log in to Plesk
  • Select “Hosting Settings” under the domain for which you wish to enable HTTPS
  • Look under the “Security” header and check the box that says: Permanent SEO-safe 301 redirect from HTTP to HTTPS.

Option 2: Use PHP to force HTTPS

At the start of your PHP file (more than likely in index.php) enter this:

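// Redirect plain-HTTP requests to HTTPS. $_SERVER["HTTPS"] is unset or "off" on HTTP requests.
if (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] === "off") {
    // Send a permanent 301; header("Location: ...") on its own sends a temporary 302.
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"], true, 301);
    exit();
}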

Option 3: Use Apache to force HTTPS

If you’re not using nginx/php-fpm performance mode, then you can simply use an .htaccess file to force https. Create a file called .htaccess (if it doesn’t already exist) within your web root, then enter the following within it:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Option 4: Use Nginx to force HTTPS (VPS only)

If you have admin access to your web server (i.e. if you have a dedicated server or virtual server) you can make this change using a custom nginx configuration. Here’s how:

  1. Log in to Plesk using your root or admin account
  2. Navigate to the domain’s settings and choose the “Apache & nginx Settings” button
  3. Under the “Additional nginx directives” box (only visible when logged in with admin privileges) enter this:

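# Redirect plain-HTTP requests to the same host, path and query string over HTTPS.
# $request_uri is the path and query exactly as the client sent them; $uri is the
# decoded path and should not be placed in a redirect target.
if ($scheme != "https") {
    return 301 https://$host$request_uri;
}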

Save your settings and you should find all requests now redirect to https.
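To confirm that the option you picked produces a single permanent redirect, and to catch the redirect loop that the warning at the top of step 3 describes, you can follow the redirect chain hop by hop. This is an added example, not part of the original guide; `example.test` and the `GOOD`/`LOOP` response tables are constructed so it runs offline, and `check_redirect("http://yourdomain/")` with the default `fetch_head` queries a live site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_head(url):
    """One HEAD request, redirects not followed. Returns (status, Location or None)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(start_url, fetch=fetch_head, max_hops=10):
    """Follow the chain from start_url; return (verdict, [(status, url), ...])."""
    chain, seen, url = [], set(), start_url
    for _ in range(max_hops):
        if url in seen:                      # same URL requested twice: a redirect loop
            return "redirect loop", chain
        seen.add(url)
        status, location = fetch(url)
        chain.append((status, url))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)         # Location may be relative
    else:
        return "too many redirects", chain
    if not url.startswith("https://"):
        return "not redirected to HTTPS", chain
    if start_url.startswith("http://") and chain[0][0] != 301:
        return "redirects to HTTPS, but not with a permanent 301", chain
    return "ok", chain

# Constructed responses standing in for a server, so the example runs offline.
GOOD = {"http://example.test/shop?id=7": (301, "https://example.test/shop?id=7"),
        "https://example.test/shop?id=7": (200, None)}
LOOP = {"http://example.test/": (301, "https://example.test/"),
        "https://example.test/": (301, "https://example.test/")}

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("loop", LOOP)):
        start = next(iter(table))
        print(name, check_redirect(start, fetch=table.get))
```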


Troubleshooting

Caches

If, after completing the above steps, you still don’t see the green lock/bar in your browser when visiting the site, the best next thing to do is clear your website cache (e.g. WP Super Cache, WP Rocket, W3 Total Cache, etc.), then clear your browser cache.

WordPress Content

If you’re using WordPress, read here to learn how to manually adjust your content to use https URLs or install a plugin to help replace those URLs automatically.

Web Inspector

If after clearing all caches you still don’t get a green lock/bar, the best way to find out what files seem to be causing problems is to use your browser’s web inspector tool. In some cases this tool will be available immediately, in others (like Safari) you need to enable Developer mode.

You can access the web inspector by right clicking on the web page, then choosing “Inspect” or “Inspect Element”. Once you have access to the web inspector, check its console (typically a tab of the web inspector) and look for errors and/or warnings like this:

[Warning] The page at https://your_url/ was allowed to display insecure content from http://your_url/wp-content/uploads/2015/12/web-design.jpg. (your_url, line 857)

These indicate which files are not being loaded via HTTPS. You can use this info to find where they’re being loaded in the back-end and change them to relative or protocol-agnostic URLs (as indicated in the examples found in the second paragraph above).

Fix up each resource which shows as a warning in the console and you’ll be all set! This is done by finding where each of those resources is linked in the code and swapping its http reference for https (ex: on a page? In the theme settings? In the plugin settings?).


Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.