Overview
Elliot SSL Enforcer is a free WordPress plugin by Elliot Software designed to help site owners properly enforce HTTPS and eliminate insecure internal links after an SSL certificate has already been installed.
Many websites technically have SSL but still:
- Load over http://
- Contain old internal links that trigger mixed-content warnings
- Rely on fragile or misconfigured redirect rules
- Experience redirect loops due to proxies or server setups (common with CDNs)
This plugin solves those problems safely, with clear controls, dry-run previews, and reversible redirect enforcement.
What This Plugin Does (and Does Not Do)
What Elliot SSL Enforcer does
- Forces visitors from http:// to https://
- Optionally enforces a canonical www hostname
- Detects and fixes internal http:// links stored in the database
- Supports subdomains (example: docs.yoursite.com)
- Prevents common redirect loops (including Cloudflare / proxy setups)
- Provides previews before making changes
- Keeps all changes user-initiated and transparent
What Elliot SSL Enforcer does not do
- It does not issue or install SSL certificates
- It does not modify server configuration without your permission
- It does not force HTTPS if your server/host does not support it
- It does not alter third-party or external links
- It does not run silently in the background
Important: You must already have a valid SSL certificate installed on your server, host, or CDN before using this plugin.
Before You Start
Requirements
- WordPress 5.5 or newer
- PHP 7.4 or newer
- A valid SSL certificate already installed
- Administrator access to WordPress
Strongly recommended
- A recent backup of your site (database + files)
Getting Started
Step 1: Install the plugin
- Upload and activate Elliot SSL Enforcer.
- After activation, you’ll be redirected to the plugin’s admin page.
Plugin Sections Explained
Overview tab
The Overview tab is written for non-technical users and explains:
- Why “having SSL” is not the same as “forcing HTTPS”
- What the plugin can do automatically vs. what requires your confirmation
- Common mistakes that lead to mixed content or redirect loops
Diagnostics tab
The Diagnostics tab helps confirm your site is truly secure by checking:
- Whether WordPress is configured for HTTPS
- Whether your redirects are behaving correctly
- Whether a proxy/CDN (like Cloudflare) is detected
- Common causes of “Too many redirects” and related issues
Link Fixer tab
The Link Fixer tab helps you identify and repair internal links in your database that still use http:// (including subdomains), which can cause mixed-content warnings.
HTTPS Redirect Enforcement
What it does
This feature ensures that anyone visiting your site using http:// is redirected to https://.
How it works
- Uses safe WordPress / Apache-compatible rewrite rules when enabled
- Detects proxy headers to avoid Cloudflare/CDN redirect loops
- Does not overwrite the WordPress core section of .htaccess
Important note for Cloudflare / proxies
If your site uses Cloudflare or another reverse proxy, your server may not see HTTPS the way you expect. This plugin accounts for that by respecting proxy HTTPS headers to prevent loops.
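One way to make the HTTPS check proxy-aware, as an added example that is not the plugin's own code. The function names, the trusted-proxy addresses and the sample requests are assumptions; X-Forwarded-Proto and Cloudflare's CF-Visitor are the headers such proxies commonly send, and they are honoured only when the connection comes from a listed proxy, because any client can set them.

```php
<?php
// Added example: not Elliot SSL Enforcer's code. Names are hypothetical.

// Constructed placeholder addresses; list the proxies that actually front your site.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

// Decide whether the visitor's connection used HTTPS.
function request_is_https(array $server, array $trusted = TRUSTED_PROXIES): bool
{
    // TLS terminated on this server.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Forwarded headers can be set by any client, so honour them only when
    // the TCP peer is a known proxy.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trusted, true)) {
        return false;
    }
    $proto = strtolower(trim(explode(',', $server['HTTP_X_FORWARDED_PROTO'] ?? '')[0]));
    if ($proto === 'https') {
        return true;
    }
    // Cloudflare also sends CF-Visitor: {"scheme":"https"}
    $visitor = json_decode($server['HTTP_CF_VISITOR'] ?? '', true);
    return is_array($visitor) && ($visitor['scheme'] ?? '') === 'https';
}

// Return the redirect URL, or null when no redirect is needed.
function https_redirect_target(array $server, string $canonicalHost): ?string
{
    if (request_is_https($server)) {
        return null; // already HTTPS at the edge: redirecting again would loop
    }
    // Use the configured host, not the client-supplied Host header.
    return 'https://' . $canonicalHost . ($server['REQUEST_URI'] ?? '/');
}

// Constructed $_SERVER samples: one via a trusted proxy, one with a spoofed header.
$viaProxy = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/shop'];
$spoofed  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/shop'];
var_dump(https_redirect_target($viaProxy, 'www.yoursite.com'));
var_dump(https_redirect_target($spoofed, 'www.yoursite.com'));
```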
Keeping your site safe from redirect loops
- Use only one redirect source (plugin OR host panel OR Cloudflare rule OR manual .htaccess)
- If using Cloudflare, use Full (Strict) SSL mode whenever possible
- Choose one canonical hostname (www or non-www) and stick with it everywhere
Internal Link Fixer
The problem
Even after enabling HTTPS, your site may still contain stored links like:
http://yoursite.com/page
These can live inside:
- Post and page content
- Widgets
- Theme/builder settings
- Options and plugin data
- Serialized or JSON-encoded settings
They can cause:
- Mixed-content warnings
- Insecure lock icon or browser warnings
- Broken resources (images/scripts/css)
Dry Run (Preview Mode)
What it is
A safe preview that scans your database and shows:
- How many internal http:// links were found
- Samples of what would be updated
- A summary you can review before changing anything
What it does not do
- Does not modify anything
- Does not write to the database
- Does not affect your site
Fix Everything (Batch Runner)
What happens when you run it
- Internal http:// links are upgraded to https://
- Links that belong to your site (including subdomains) are eligible
- External domains are ignored
- Serialized/encoded data is handled safely (best-effort)
- The process runs in batches to reduce timeouts on large sites
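Why serialized data needs special handling, shown as an added example that is not the plugin's own code (function names and sample data are assumptions). PHP's serialized format stores a byte length with every string, so a plain search-and-replace that adds the "s" corrupts the value; this sketch unserializes without instantiating classes, rewrites only links on the site's own domain and subdomains, and re-serializes.

```php
<?php
// Added example: not Elliot SSL Enforcer's code. Function names are hypothetical.

// Upgrade http:// to https:// only for $domain and its subdomains.
function upgrade_internal_links(string $text, string $domain): string
{
    $host = '(?:[a-z0-9-]+\.)*' . preg_quote($domain, '~');
    // The lookahead rejects look-alike hosts such as yoursite.com.example.net.
    $pattern = '~http://(' . $host . ')(?![a-z0-9-]|\.[a-z0-9-])~i';
    return preg_replace($pattern, 'https://$1', $text);
}

// Walk arrays and strings; other types are returned unchanged.
function upgrade_value($value, string $domain)
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = upgrade_value($item, $domain);
        }
        return $value;
    }
    return is_string($value) ? fix_stored_value($value, $domain) : $value;
}

// Entry point for one stored field (post content, option value, meta value).
function fix_stored_value(string $raw, string $domain): string
{
    // allowed_classes=false: never instantiate classes named by stored data.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return upgrade_internal_links($raw, $domain); // plain text, not serialized
    }
    // Serialized objects or bare scalars: leave the field untouched (best-effort).
    if (preg_match('~(?:^|[;{])[OC]:\d+:"~', $raw) || !(is_array($data) || is_string($data))) {
        return $raw;
    }
    // serialize() recomputes every s:N: length prefix.
    return serialize(upgrade_value($data, $domain));
}

// Constructed sample: an option value with one internal and one external link.
$stored = serialize(['logo' => 'http://docs.yoursite.com/logo.png', 'cdn' => 'http://cdn.example.net/a.js']);
$naive  = str_replace('http://', 'https://', $stored); // length prefixes no longer match
var_dump(@unserialize($naive, ['allowed_classes' => false]));
print_r(unserialize(fix_stored_value($stored, 'yoursite.com'), ['allowed_classes' => false]));
```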
Confirmation and safety
Before any database changes occur, you must confirm that you understand the plugin will modify stored content and that you have (or can create) a backup.
Sensitive exclusions
To remain safe and WordPress.org-friendly, the plugin avoids modifying sensitive runtime options such as cron and rewrite rules.
Deactivation & Removal
Do I need to keep the plugin activated?
- Redirect enforcement: yes (if you rely on plugin-based enforcement)
- Link fixes: no (once your links are corrected, those changes remain)
What changes remain after uninstall?
- Content changes (upgraded internal links) remain because they are permanent improvements to your stored content.
- Redirect rules added by the plugin should be removed if cleanup is enabled (always review .htaccess if you used server rules).
Privacy & Transparency
- No tracking
- No telemetry
- No “phone home” requests
- No data is transmitted to Elliot Software or third parties
- No ads, upsells, or licensing system
Support & Resources
- Elliot Software: https://elliotsoftware.com
- Support: https://elliotsoftware.com/support
- Documentation: https://docs.elliotsoftware.com
- Plugin documentation: https://docs.elliotsoftware.com/wp/plugins/elliot-ssl-enforcer
Changelog
Version 1.0
- HTTPS redirect enforcement
- www canonical support
- Cloudflare / proxy detection safeguards
- Internal HTTP link scanner
- Dry run preview mode
- Batch link fixer
- Subdomain support
- Serialized data handling (best-effort)
- Diagnostics panel
- WordPress.org-compliant architecture and safety controls