Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Secure and Unsecure Base URLs

Each website in a Magento installation has a base URL that is assigned to the storefront and to the Admin. If you have a security certificate for your domain, you can configure either, or both base URLs to operate over a securely encrypted SSL channel. Unsecure base URLs begin with “http,” and secure base URLs begin with “https.”

  • Unsecure Base URL

    Secure Base URL

    URL with IP address

If Magento was installed before you registered a domain, the base URL might include the IP address of the server. If you don’t yet have security certificate, the store will not be able to switch to secure URLs (https) for transactions that normally take place over the secure socket layer (SSL). These configuration settings can be updated later to reflect the values you need before the store “goes live.”

Important! Do not change the Admin URL from the default in the Base URL configuration. To change the Admin URL or path, see: Using a Custom Admin URL.


If after following the configuration instructions, some pages continue to be served with the unsecure URL (http://), do the following:

  • Change the (unsecure) base URL to the secure (https://) URL.
  • On the server, edit the .htaccess file (or load balancer) so the unsecure URL is redirected to the secure URL.