Correctly force SSL on wordpress via wp-config.php

Question

If I edit the wp-config.php I am supposed to add:

define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); 

However, my website has .htaccess rules to force https and www across the entire website:

Options +FollowSymlinks RewriteEngine On RewriteCond %{SERVER_PORT} 80 [OR] RewriteCond %{HTTP_HOST} ^website.com RewriteRule ^(.*)$ https://www.website.com/$1 [L,R=301] 

I know there are other rewriterules available, but again not sure which one is correct.

Which of the following 3 should I be using in wp-config.php

1 - Without isset(), with curly brackets, with server_port

if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {     $_SERVER['HTTPS'] = 'on';     $_SERVER['SERVER_PORT'] = 443; } 

2 - Without curly brackets & without server_port?

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')     $_SERVER['HTTPS'] = 'on'; 

3 - Are curly brackets needed/better or "more correct" & is server_port required?

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {     $_SERVER['HTTPS'] = 'on';     $_SERVER['SERVER_PORT'] = 443; } 

I've found a few other slightly different variations of this all over the internet regarding wordpress SSL but I can't figure out what one is the correct/main one...

Answer 1

PHP code doesn't have to deal with SSL at all in such case. Here applies classical SoC principle: if you code doesn't explicitly work with connection (in WP it does not), you should leave protocol checking to web server.

You should also avoid defining port in your rewrite rules. In case you're not using multisite WP setup, you could try:

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]