Having an SSL certificate is only half the job — you also need to make sure every visitor lands on the secure https:// version, not the old insecure http:// one. Forcing HTTPS site-wide closes that gap and is good for both security and SEO. Here’s how to do it in cPanel.
Why forcing HTTPS matters
Even with a valid certificate installed, someone typing your address without https can still reach the insecure version of your site, where traffic isn’t encrypted and the padlock is missing. Forcing HTTPS means any request to the http version is automatically redirected to the secure one. Google also treats HTTPS as a ranking signal, so consistent HTTPS helps your SEO.
First, confirm your SSL is active
Before forcing HTTPS, make sure the certificate is actually issued — otherwise you’ll redirect visitors to a broken secure page. In cPanel, open SSL/TLS Status and confirm your domain shows a green padlock. If it doesn’t, run AutoSSL first and wait for the certificate to issue.
The built-in toggle (easiest)
Many cPanel versions include a simple Force HTTPS Redirect toggle right in the Domains section. Find your domain in the list and switch the Force HTTPS Redirect option on. That’s it — cPanel handles the redirect for you, no code required. Check here first, as it’s the cleanest method.
The .htaccess method
If your panel doesn’t have the toggle, add a redirect rule to your .htaccess file. Open it in File Manager (with hidden files shown) and add this at the very top:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This sends every insecure request to its secure equivalent with a permanent 301 redirect, which also preserves SEO value.
Avoid redirect loops
A common pitfall: if you add this rule and a plugin or the built-in toggle is also forcing HTTPS, the two can conflict and create a redirect loop. Pick one method. If you turn on the cPanel toggle, don’t also add the .htaccess rule, and vice versa.
Update WordPress if you use it
For a WordPress site, also make sure both URLs under Settings → General use https://, and clear up any mixed-content warnings so the whole page loads securely. Our SSL guide covers the mixed-content fix.
Test all the variations
After setting it up, type each version of your address into the browser — with and without www, with http and https — and confirm they all land on the secure version. If every combination ends up at https://, your redirect is airtight.
It’s a quick change that makes your whole site consistently secure. If .htaccess edits make you nervous or you hit a redirect loop, send us a ticket and we’ll set it up cleanly.