So I am working on making a custom theme and set of plugins for a WordPress blog. I had the need to make sure that users that were logged in were using HTTPS and not just HTTP. I came up with a quick little function that will do just that. I added this block of code to the top of the theme's header.php file within PHP tags and it gave me the desired effect:
// This forces logged in users to use HTTPS
if (is_user_logged_in() && ($_SERVER['SERVER_PORT'] !== '443')) {
    wp_redirect("https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
    exit; // wp_redirect() does not stop the script, so end the request here
}
You may need to adjust the code a little depending on what web server you are running and what headers get set, but this is working great for me running on an nginx web server with PHP 5.3. Basically it just checks to see if the user is logged in and they are on a port other than 443 (443 is the port number used by HTTPS). If both of those are true then it redirects them to the HTTPS version of the page.
Granted you will need to have HTTPS working properly before you can use this, so you need certificates and a proper web server configuration.
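The note above about adjusting for your web server and headers, as an added example that is not code from the original post: the same redirect written for a theme's functions.php so that it also works when a reverse proxy terminates TLS and PHP never sees port 443. The `mytheme_` function names and the `MYTHEME_TRUST_PROXY_PROTO` constant are hypothetical; the example assumes that constant is enabled only when every request passes through a proxy you control that overwrites `X-Forwarded-Proto`.

```php
<?php
// Added example, not the post's own code. Place in the theme's functions.php.
// Assumption: the hypothetical constant MYTHEME_TRUST_PROXY_PROTO is set to true
// only when every request reaches PHP through a reverse proxy you control that
// overwrites X-Forwarded-Proto; otherwise a client could forge the header.
if ( ! defined( 'MYTHEME_TRUST_PROXY_PROTO' ) ) {
    define( 'MYTHEME_TRUST_PROXY_PROTO', false );
}

// Hypothetical helper: true when the current request arrived over HTTPS.
function mytheme_request_is_https() {
    // is_ssl() checks $_SERVER['HTTPS'] and falls back to SERVER_PORT == 443.
    if ( is_ssl() ) {
        return true;
    }
    // Behind a TLS-terminating proxy PHP sees plain HTTP on another port, so the
    // port test alone would redirect forever; use the proxy's header instead.
    if ( MYTHEME_TRUST_PROXY_PROTO && isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
        return 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] );
    }
    return false;
}

// Hypothetical hook callback: send logged-in users to the HTTPS URL.
function mytheme_force_https_for_logged_in() {
    if ( ! is_user_logged_in() || mytheme_request_is_https() ) {
        return;
    }
    // Take the host from the site's configured home URL rather than from
    // request data, so the redirect target cannot be steered by the client.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];

    // wp_safe_redirect() only redirects to allowed hosts; it does not stop the
    // script, so exit explicitly or the page keeps rendering over HTTP.
    wp_safe_redirect( $target, 302 );
    exit;
}
// template_redirect fires before any theme output, so headers can still be sent.
add_action( 'template_redirect', 'mytheme_force_https_for_logged_in' );
```

Because the hook runs before the theme prints anything, the redirect does not depend on where header.php is included or on output buffering being enabled.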
Let me know if you have a better way of doing this. And no… the WordPress HTTPS plugin does not count. It is far too heavy for this requirement of just ensuring that all logged in users are on HTTPS at all times. If I needed more fine-tuned control then sure I would go for it 😉