WP Force SSL Documentation

Main Settings

WP Force SSL comes with numerous settings you can use to tailor the plugin to your needs. Here’s the entire list of settings you can turn on/off, depending on what you want to do:

Fix mixed content in the frontend

If a page is loaded over HTTPS but some of the resources it embeds (images, videos, scripts, stylesheets) are still requested over plain HTTP (without the final "S"), Google Chrome and other browsers flag the page as not secure: passive content such as images triggers a warning, and active content such as scripts and stylesheets is blocked outright or silently upgraded. Although the page itself is encrypted, those plain-HTTP resources can be read or tampered with in transit, and a tampered script runs with full access to the page.

When this option is on, WP Force SSL scans the pages it serves on the frontend and replaces http:// with https:// in resource URLs automatically. Files and the database are not changed; the fix is applied to the generated page. Note that the rewrite only helps when the resource's host actually serves HTTPS: a third-party host with no TLS will fail to load after the rewrite, so check those hosts before enabling the option.

Fix mixed content in the backend

Similar to the aforementioned option, this one scans and fixes mixed content in the backend (the admin pages your visitors never see). Although not reachable by your visitors and clients, these pages carry your login session and still need to be secure. Note that files and databases are not changed or affected by this.
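
As an added illustration of what the two mixed-content options do (this is example code, not the plugin's own), the following Python rewrites http:// resource references in a rendered page and leaves files and the database alone. The sample HTML, the example.com and example.net host names and the skip_hosts allowlist are constructed for the example; the allowlist is the caveat a practitioner wants, because a blind rewrite breaks resources on a host that does not serve HTTPS.

```python
import re
from urllib.parse import urlsplit

# Attributes whose values the browser fetches as subresources or navigates to.
URL_ATTRS = ("src", "href", "srcset", "data-src", "poster", "action")

_ATTR_RE = re.compile(
    r'\b(?P<attr>' + "|".join(URL_ATTRS) + r')\s*=\s*(?P<q>["\'])(?P<val>.*?)(?P=q)',
    re.IGNORECASE | re.DOTALL,
)
# CSS url(...) references inside <style> blocks or style="" attributes.
_CSS_URL_RE = re.compile(
    r'url\(\s*(?P<q>["\']?)(?P<val>http://[^"\'\)\s]+)(?P=q)\s*\)',
    re.IGNORECASE,
)


def upgrade_url(url, skip_hosts=()):
    """Return url with http:// upgraded to https://, unless its host is in skip_hosts.

    skip_hosts is the (hypothetical) allowlist of hosts known not to serve HTTPS;
    upgrading those would break the resource instead of fixing it.
    """
    if not url.lower().startswith("http://"):
        return url                      # already https://, relative, data:, or //host
    host = (urlsplit(url).hostname or "").lower()
    if host in skip_hosts:
        return url
    return "https://" + url[len("http://"):]


def fix_mixed_content(html, skip_hosts=()):
    """Rewrite http:// references in rendered HTML to https://.

    Returns (new_html, list_of_original_urls_that_were_rewritten).
    Operates on the output only; nothing on disk or in the database is touched.
    """
    rewritten = []

    def attr_repl(m):
        attr, q, val = m.group("attr"), m.group("q"), m.group("val")
        if attr.lower() == "srcset":
            # srcset is a comma-separated list of "url descriptor" candidates.
            candidates = []
            for cand in val.split(","):
                url, sep, descriptor = cand.strip().partition(" ")
                new_url = upgrade_url(url, skip_hosts)
                if new_url != url:
                    rewritten.append(url)
                candidates.append(new_url + sep + descriptor)
            new_val = ", ".join(candidates)
        else:
            new_val = upgrade_url(val, skip_hosts)
            if new_val != val:
                rewritten.append(val)
        return f"{attr}={q}{new_val}{q}"

    def css_repl(m):
        q, val = m.group("q"), m.group("val")
        new_val = upgrade_url(val, skip_hosts)
        if new_val != val:
            rewritten.append(val)
        return f"url({q}{new_val}{q})"

    html = _ATTR_RE.sub(attr_repl, html)
    html = _CSS_URL_RE.sub(css_repl, html)
    return html, rewritten


# Constructed sample page: one stylesheet, two scripts (one on a host with no
# TLS), a CSS background, a responsive image and an internal link, all on http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="http://cdn.example.net/lib.js"></script>
<script src="http://legacy.example.org/old.js"></script>
<style>.hero { background: url('http://example.com/bg.jpg'); }</style>
</head><body>
<img src="https://example.com/ok.png" srcset="http://example.com/a-1x.png 1x, http://example.com/a-2x.png 2x">
<a href="http://example.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    fixed, changed = fix_mixed_content(SAMPLE_HTML, skip_hosts={"legacy.example.org"})
    print(fixed)
    print(f"{len(changed)} URL(s) upgraded; legacy.example.org left on http:// by the allowlist")
```

The rewrite leaves https://, protocol-relative and data: URLs untouched and only upgrades hosts not on the allowlist; before turning the option on, run the site's third-party hosts through a quick HTTPS check and put any that fail on such a list (or replace them), since the browser will otherwise refuse or fail to load them after the rewrite.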

Enable HSTS

A site that still accepts plain HTTP and merely redirects to HTTPS leaves a gap: the very first request from a user who typed the address without https:// travels unencrypted. An attacker positioned between the user and the server (a so-called "man-in-the-middle", on public Wi-Fi for instance) can intercept that first request and answer it themselves, keeping the user on a plain-HTTP copy of the site or sending them to a third-party (malicious) location instead of passing on the redirect.

By enabling HSTS (HTTP Strict Transport Security), the site sends a Strict-Transport-Security header that instructs the browser, for the duration of the header's max-age, never to request the site over HTTP at all: any http:// link or typed address is rewritten to https:// inside the browser before a request is made. Two caveats: the browser only learns the policy from a successful HTTPS visit, so the first ever visit is still unprotected unless the domain is on the browsers' preload list; and because browsers cache the policy, enable it only once every page (and, if the header includes includeSubDomains, every subdomain) works over HTTPS, since switching the option off again removes the header but does not clear the policy browsers have already cached.

You can learn more about HSTS here.

Force Secure Cookies

Cookies can carry sensitive data, such as the WordPress login session. Forcing secure cookies means marking them with the Secure attribute, so the browser only sends them over HTTPS and never attaches them to a plain-HTTP request where they could be read in transit.

301 Redirect HTTP to HTTPS requests via htaccess

If your server is Apache (or another server that honours the .htaccess file), turn on this option to make the redirect faster.

When turned on, WP Force SSL adds the redirect to .htaccess, so the web server itself answers every http:// request with a 301 redirect to https:// as soon as the request is received, before WordPress or PHP is loaded. This is slightly faster than the PHP redirect, which can only run once WordPress has started. If your server doesn't honour .htaccess (nginx, for example), use the PHP redirect option instead.

301 Redirect HTTP to HTTPS requests via PHP

If your server does not process .htaccess and you still want every http:// request redirected to https://, turn on this option; the redirect is then issued from PHP once WordPress loads. If the site sits behind a proxy or load balancer that terminates TLS and forwards plain HTTP to PHP, make sure the proxy sends the X-Forwarded-Proto header and that WordPress is configured to trust it; otherwise PHP never sees an HTTPS request and the redirect loops.

Cross-site scripting (X-XSS) protection

Sends the X-XSS-Protection header, which asked older browsers to detect reflected cross-site scripting attacks and block the page when one was found. Treat it as a legacy setting: Chrome and Edge removed their XSS filters years ago and Firefox never implemented one, so the header gives no protection in current browsers. A Content-Security-Policy is the modern defence against cross-site scripting.

X Content-Type Options

Sends the X-Content-Type-Options: nosniff header, which stops the browser from guessing ("sniffing") a response's content type and makes it trust the declared Content-Type instead. Without it, a file uploaded as, say, an image but actually containing HTML or script can be reinterpreted and executed by the browser.

Referrer-Policy

Sends a Referrer-Policy header to limit what the browser puts in the Referer header when a visitor follows a link or a resource is loaded from another site. The behaviour described here (send referrer information when staying on the same protocol, HTTPS->HTTPS, and none when downgrading, HTTPS->HTTP) corresponds to the no-referrer-when-downgrade policy; note that it still sends the full page URL to any third-party HTTPS site, so a stricter value such as strict-origin-when-cross-origin (the current browser default) leaks less if you are able to choose it.

Expect CT

Sends the Expect-CT header, which asked the browser to check that any certificate for the site appears in public Certificate Transparency (CT) logs. This header is now obsolete: Chrome has required CT for all publicly trusted certificates issued since 2018 regardless of the header, and current browsers ignore Expect-CT, so enabling it adds nothing on a modern setup.

X Frame Options

Sends the X-Frame-Options header, which stops other domains from loading your pages inside an iframe. Embedding a site in an invisible frame is the basis of clickjacking attacks, where a visitor is tricked into clicking your site's buttons while believing they are interacting with the attacker's page. The newer Content-Security-Policy frame-ancestors directive does the same job with finer control and takes precedence where both headers are present.

Permissions Policy

The Permissions-Policy header lets you state which browser features (microphone, webcam, geolocation, and so on) your pages, and any third-party frames they embed, are allowed to use; a feature that is not granted is refused even if a script asks for it.
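
To verify the options above once they are enabled (HSTS, secure cookies, the two 301 redirect options, and the security headers from X-XSS-Protection through Permissions-Policy), here is an added Python audit script; it is example code and not part of WP Force SSL. It works on header lists and redirect hops you capture yourself, for instance with `curl -sI https://example.com/` and `curl -sI http://example.com/`; the sample headers, hop list, cookie name and host names below are constructed for the example.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and val.strip().strip('"').isdigit():
            max_age = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    return max_age, subs, preload


def audit_response(headers):
    """Audit the response headers of an HTTPS page.

    headers: list of (name, value) pairs as received (Set-Cookie may repeat).
    Returns a list of (level, message) with level "warn" or "info".
    """
    findings, single, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value

    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append(("warn", "Strict-Transport-Security missing: browsers keep trying http:// first"))
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if max_age is None:
            findings.append(("warn", "HSTS max-age missing or not numeric, the policy is ignored"))
        elif max_age < ONE_YEAR:
            findings.append(("warn", f"HSTS max-age {max_age} is shorter than one year ({ONE_YEAR})"))
        if preload and not (subs and max_age is not None and max_age >= ONE_YEAR):
            findings.append(("info", "preload needs includeSubDomains and a max-age of at least one year"))

    if single.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("warn", "X-Content-Type-Options is not 'nosniff'"))
    if single.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("warn", "X-Frame-Options missing or not DENY/SAMEORIGIN"))
    policy = single.get("referrer-policy", "").strip().lower()
    if not policy:
        findings.append(("info", "Referrer-Policy missing, the browser default applies"))
    elif policy in ("no-referrer-when-downgrade", "unsafe-url"):
        findings.append(("info", f"Referrer-Policy '{policy}' still sends the full URL to third-party HTTPS sites"))
    if "permissions-policy" not in single:
        findings.append(("info", "Permissions-Policy missing"))
    if "x-xss-protection" in single:
        findings.append(("info", "X-XSS-Protection is ignored by current browsers; use Content-Security-Policy"))
    if "expect-ct" in single:
        findings.append(("info", "Expect-CT is obsolete and ignored by current browsers"))
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=")[0] for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(("warn", f"cookie {name} lacks the Secure attribute"))
        if "httponly" not in attrs:
            findings.append(("info", f"cookie {name} lacks the HttpOnly attribute"))
    return findings


def audit_redirect(start_url, hops, max_hops=5):
    """Check the hops seen when requesting an http:// URL: each hop is (status, Location).

    The correct result is a single 301 to the same URL with https:// substituted.
    """
    findings = []
    if not hops:
        return [("warn", "the http:// URL served content instead of redirecting")]
    status, location = hops[0]
    if status != 301:
        findings.append(("warn", f"first redirect is {status}, not 301 (browsers cache a 301)"))
    expected = "https://" + start_url[len("http://"):]
    if location != expected:
        findings.append(("info", f"redirect goes to {location}, expected {expected} (host, path or query changed)"))
    if len(hops) > 1:
        findings.append(("info", f"{len(hops)} redirect hops; one is enough"))
    if len(hops) >= max_hops:
        findings.append(("warn", "too many hops: likely a redirect loop (check X-Forwarded-Proto behind a proxy)"))
    return findings


# Constructed sample, as if captured with `curl -sI https://example.com/`.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "no-referrer-when-downgrade"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "wordpress_logged_in_abc=token; Path=/; HttpOnly"),
]
# Constructed sample hop list for `curl -sI http://example.com/blog/?p=1`.
SAMPLE_HOPS = [(302, "https://example.com/blog/?p=1")]

if __name__ == "__main__":
    for level, msg in audit_response(SAMPLE_HEADERS) + audit_redirect("http://example.com/blog/?p=1", SAMPLE_HOPS):
        print(f"[{level}] {msg}")
```

On the constructed sample the script reports the short HSTS max-age, the session cookie without Secure (the Force Secure Cookies option is off), the weak Referrer-Policy, the legacy X-XSS-Protection header and the 302 where a 301 is expected. Feed it a real site by pasting the header lines from curl into the same list shape; a "warn" finding is something to fix before relying on the setting.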

Show WP Force SSL menu to administrators in the admin bar

Self-explanatory: turn it on to reach the plugin's settings from the admin bar while working on your WordPress site, or turn it off to reach them only through the main menu (Settings -> WP Force SSL).