Check HTTP to HTTPS Redirect in WordPress Before Launch

Check whether your WordPress site redirects HTTP visitors to the HTTPS version automatically. A missing or incomplete redirect can leave insecure URLs accessible, create duplicate versions of the same site, and weaken the final delivery setup.

This page explains how to test HTTP to HTTPS redirect behavior, what a correct setup looks like, and how PreFlight checks it as part of a wider WordPress pre-launch checklist. Before reviewing redirects, you should also confirm that HTTPS is active on the site.

Why this matters

Having HTTPS enabled is not always enough. A WordPress site can load securely on HTTPS and still leave the HTTP version publicly accessible. Before launch, the expected setup is that HTTP requests are redirected automatically to the secure HTTPS version.

If the redirect is missing or inconsistent, the site can expose duplicate HTTP and HTTPS URLs, create weak indexing signals, and make the final setup look unfinished. This becomes especially risky when canonicals, sitemap URLs, internal links or meta robots settings do not consistently point to the secure version.

What to review

Before handing over a WordPress site, review these HTTP to HTTPS redirect points:

Test the HTTP homepage

Open the HTTP version of the homepage, for example http://example.com, and confirm that it redirects automatically to the HTTPS version.

Confirm the redirect is permanent

The redirect should behave as a permanent move to HTTPS, not as a temporary workaround or partial environment fix.

Avoid redirect chains

The HTTP URL should reach the final HTTPS destination as cleanly as possible, without unnecessary intermediate hops.

Check www and non-www versions

Check both www and non-www variants so the site does not leave one HTTP version accessible while another redirects correctly.

Keep secure signals consistent

Canonical tags, sitemap URLs and internal links should consistently use HTTPS once the secure version is the public destination.

How to check HTTP to HTTPS redirect in WordPress

The quickest manual check is to type the HTTP version of the site into the browser, for example http://example.com, and confirm that it redirects automatically to the HTTPS version. The final URL should start with https:// and should not leave the insecure HTTP version available.

You should also test common variants such as http://www.example.com and http://example.com, because one version can redirect correctly while another remains misconfigured. PreFlight automates this check from the outside and helps confirm whether the public site is consolidated around HTTPS before client delivery.

How PreFlight runs this check

PreFlight requests the HTTP version of the site and verifies whether the final resolved URL uses HTTPS. It checks the redirect outcome from the outside, the same way a visitor, crawler or client would reach the public site.

This does not replace a full server audit, but it catches a common delivery issue: HTTPS may exist, while the HTTP version is still not properly forced to the secure destination.

PASS / WARN / FAIL

PASS

The HTTP version redirects automatically to the HTTPS version, and the secure URL is the clear public destination.

WARN

A redirect exists, but it may rely on extra hops, inconsistent variants, or a final destination that should be cleaned up before launch.

FAIL

The HTTP version does not redirect to HTTPS correctly, remains accessible, or fails to consolidate the site around the secure version.
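The review points above can also be checked hop by hop from a script. The following is an added example, not PreFlight's code: the verdict thresholds are an assumed reading of the PASS / WARN / FAIL descriptions, and example.test with its responses is constructed sample data.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}                    # permanent redirect status codes
REDIRECTS = PERMANENT | {302, 303, 307}   # every status that carries a Location hop

def fetch(url, timeout=10):
    """Request one URL without following redirects; return (status, Location)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        u.netloc, timeout=timeout)
    try:
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch, max_hops=10):
    """Follow redirects by hand and record (url, status) for every hop."""
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)      # Location may be relative
    return hops

def verdict(hops):
    """Assumed mapping onto the PASS / WARN / FAIL descriptions (not PreFlight's rules)."""
    final_url, final_status = hops[-1]
    redirects = hops[:-1]
    if not redirects or not final_url.startswith("https://") or not 200 <= final_status < 300:
        return "FAIL"   # HTTP answered directly, ended off HTTPS, or never settled
    if len(redirects) > 1 or any(s not in PERMANENT for _, s in redirects):
        return "WARN"   # redirect chain, or a temporary redirect on the way
    return "PASS"

def check_site(host, fetch=fetch, path="/"):
    """Check the bare and www HTTP variants of one path."""
    return {h: verdict(trace(f"http://{h}{path}", fetch)) for h in (host, "www." + host)}

# Constructed responses (not captured from a real site) so the demo runs offline.
SAMPLE = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (200, None),
    "http://www.example.test/": (302, "https://www.example.test/"),
    "https://www.example.test/": (301, "https://example.test/"),
}

if __name__ == "__main__":
    print(check_site("example.test", fetch=SAMPLE.__getitem__))
```

Calling check_site with the default fetch runs the same checks against a live host, and passing an inner path covers the case where only the homepage redirects.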

Common mistakes

Installing an SSL certificate but forgetting to force HTTP traffic to HTTPS.

Redirecting only the homepage while inner URLs still respond on HTTP.

Creating redirect chains such as HTTP → HTTPS → www → final URL.

Fixing the non-www version but leaving the www version inconsistent, or the other way around.

Updating canonicals and sitemap URLs to HTTPS while the public HTTP version still remains accessible.

FAQ

How do I check if my WordPress site redirects HTTP to HTTPS?

Open the HTTP version of the site in a browser, for example http://example.com, and check whether it redirects automatically to the HTTPS version. You should also test www and non-www variants because one version can work while another remains exposed.

Is HTTPS enough without an HTTP to HTTPS redirect?

No. HTTPS can be active while the HTTP version still remains available. A correct launch setup should force visitors and crawlers from HTTP to the secure HTTPS destination.

Can HTTP and HTTPS both being accessible affect SEO?

Yes. If both versions are accessible, search engines may receive weaker signals about which URL should be indexed and treated as canonical. It can also create duplicate versions of the same page before launch.

Check HTTPS redirects before delivering a WordPress site

Run a free PreFlight analysis and confirm whether HTTP traffic is redirected correctly to HTTPS before launch.
