cPanel: Securing your site with HTTPS

cPanel: Securing your CrossWinds hosted site with HTTPS

via force https redirection | .htaccess | wordpress plugin | mixed content

Your CrossWinds-hosted site automatically comes with a security certificate, but that alone does not make the site secure: until you enable HTTPS redirection, visitors can still load it over plain HTTP.

In 2014, the search engine giant, Google, “working to make the Internet safer”, decreed that having HTTPS would help websites to get higher ranks in their search results. They called for “HTTPS everywhere” on the web.

To prevent your website visitors from seeing dreaded messages such as “Warning: Potential Security Risk Ahead” or “Your Connection to this site is not secure” instead of your innocuous content, make the switch to Secure Sockets Layer (SSL).

It’s relatively easy to do, particularly with the help of cPanel. However, with older sites, there may be a few extras involved. But let’s start with the easy fix:

cPanel | Force https redirection

One of the most common support requests for both hosting providers and end-users is: once an SSL certificate is installed for your website, how do you redirect traffic to the “secure,” or HTTPS version of the URL?
(excerpt from

Use the search box to quickly find things in cPanel.

  1. After logging into cPanel, type “Domains” in the field at the top to easily find the application. Select the link to Domains.
  2. On the page that appears, there will be a list of your domain(s) and subdomain(s). To enforce HTTPS, toggle the switch from “off” to “on”. It’s that simple.
    A message will pop up to confirm the change you have made.


WordPress makes things very easy for you. Even if there is mixed content on your WP site (more about that further down), there are WordPress plugins to force HTTPS redirect, including “Really Simple SSL”, “One Click SSL”, and “Easy HTTPS Redirection (SSL)”, that will deal with those problems. In your WordPress admin area, go to Plugins and search for “SSL”. For whichever plugin you choose, make sure that it has been tested with your version of WP (which, of course, should always be kept updated to the latest stable release).

Go from insecure to secure lock


To prevent the little padlock from appearing to be open or to eliminate the dreaded gold warning triangle, check that each .htaccess file references HTTPS rather than HTTP. This is particularly true if, in the past, you have added code to prevent hotlinking.

Go to the file manager in cPanel to view the .htaccess files that are in your folders. (You may have to check the “show hidden files” box before accessing file manager.)

The following is an example of how to write the hotlinking section of your .htaccess file:

In an .htaccess file, any line beginning with a hash-tag (#) is a comment that is ignored by Apache when it is reading the file. The hash-tag must be at the beginning of the line. Putting a hash-tag in the middle of a line can cause errors.

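# ensure that site is calling HTTPS
# example.com and example.net are placeholders; substitute your own domain(s)
RewriteEngine on
# allow requests that send no referer
RewriteCond %{HTTP_REFERER} !^$
# allow referers from your own domain(s) and their subdomains, over HTTPS
RewriteCond %{HTTP_REFERER} !^https://([-a-zA-Z0-9_]+\.)?example\.com(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^https://([-a-zA-Z0-9_]+\.)?example\.net(/.*)?$ [NC]
# any other referer gets the substitute image
RewriteRule \.(jpe?g|gif|bmp|png|ico)$ images/no_hotlinking.gif [L,NC]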
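
Why the scheme in those conditions matters, as an added example that is not part of the original page: the Python below parses the HTTP_REFERER conditions out of an .htaccess text and evaluates them against a referer, using Python's `re` as a stand-in for Apache's regex matching. The domain example.com, the rule text and the function names are all assumptions made for illustration.

```python
import re

# Constructed .htaccess text: hotlink rules written before the move to HTTPS.
# example.com is a placeholder domain.
OLD_RULES = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([-a-zA-Z0-9_]+\.)?example\.com(/.*)?$ [NC]
RewriteRule \.(jpe?g|gif|bmp|png|ico)$ images/no_hotlinking.gif [L,NC]
"""
# The same rules after changing the referer pattern to HTTPS.
NEW_RULES = OLD_RULES.replace("!^http://", "!^https://")

COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(!?)(\S+)(?:\s+\[([^\]]*)\])?", re.M)

def referer_conditions(htaccess):
    """Parse each HTTP_REFERER RewriteCond into (negated, regex, flags)."""
    conds = []
    for neg, pattern, flags in COND.findall(htaccess):
        nocase = "NC" in [f.strip().upper() for f in flags.split(",")]
        conds.append((neg == "!", re.compile(pattern, re.I if nocase else 0), flags))
    return conds

def image_is_replaced(htaccess, referer):
    """True when every condition holds, so an image request would be rewritten."""
    # RewriteCond lines are ANDed by default (no [OR] flag is used here).
    for negated, regex, _flags in referer_conditions(htaccess):
        matched = regex.search(referer) is not None
        if matched == negated:
            return False
    return True

def http_pinned(htaccess):
    """List referer patterns still tied to http://, which need updating."""
    return [rx.pattern for _n, rx, _f in referer_conditions(htaccess)
            if rx.pattern.startswith("^http://")]
```

With the old rules, a page on your own site served over HTTPS sends an `https://` referer that no longer matches, so your own images are swapped for the substitute image.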

Mixed Content

Your website consists of HTML, images, JavaScript and CSS files. When your site is loaded in the browser, the HTML that is loaded will contain links to the images, JavaScripts and CSS files: the resources of your website. If your HTML is loaded over https, and your resources load (partly) over http, the content is “mixed”: you have mixed content. There can also be other causes: for example, an image that loads over https, but gets redirected to http. Finding these insecure resources in the browser is usually not so difficult. Finding which plugin or which file in your theme uses the image is often the hard part.
– Really Simple SSL | How to track down mixed content or insecure content

Use cPanel’s file manager to:

  • Look for HTTP links in .css, .js, .html, .shtml, and .php files
    • Some of these files contain HTTP links. Unless they are changed to HTTPS, they will cause mixed content warnings.
  • If an image from another domain is embedded in your file(s), and that domain does not have an SSL certificate, the image will be blocked by the browser.
  • Any HTTP links within your site to images, JavaScript files or stylesheets in your domain or from other domains must be changed to HTTPS.
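
One way to automate the search described in this list, as an added example that is not part of the original page: a Python scan of a downloaded copy of the site that reports every `http://` subresource and whether it points at your own domain or an external one. The domain example.com, the sample files and the function names are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types the page lists as places to look for HTTP links.
EXTENSIONS = (".css", ".js", ".html", ".shtml", ".php")
# Subresources only (src=, <link href=>, CSS url()); <a href> links are not mixed content.
PATTERNS = [re.compile(p, re.I) for p in (
    r"""\bsrc\s*=\s*["']?(http://[^"'\s>]+)""",
    r"""<link\b[^>]*?\bhref\s*=\s*["']?(http://[^"'\s>]+)""",
    r"""url\(\s*["']?(http://[^"')\s]+)""",
)]

def scan_file(path, own_domain):
    """Return (line_no, url, 'own' | 'external') per http:// subresource."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for pattern in PATTERNS:
                for url in pattern.findall(line):
                    host = (urlparse(url).hostname or "").lower()
                    own = host == own_domain or host.endswith("." + own_domain)
                    findings.append((line_no, url, "own" if own else "external"))
    return findings

def scan_tree(root, own_domain):
    """Map relative path -> findings for every matching file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_file(path, own_domain)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a small constructed site tree (sample content, not real data)."""
    samples = {
        "index.html": '<img src="http://example.com/a.png">\n'
                      '<a href="http://example.org/">link</a>\n'
                      '<script src="https://example.com/ok.js"></script>\n',
        "style.css": 'body { background: url("http://cdn.example.net/bg.jpg"); }\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            (Path(root) / name).write_text(text, encoding="utf-8")
        return scan_tree(root, "example.com")
```

Findings marked `own` can simply be switched to `https://`; for `external` ones, first confirm that the other domain serves the resource over HTTPS.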

If you are uncertain why you still see that the padlock is open on your https site, try going to Why No Padlock, a free service provided by LexiConn Internet Services, Inc.

The lock icon appearing here and at the top of the page has been provided by, with the stipulation that it is free for personal and commercial use, but is “NOT for sale or redistribution”.