PreFlight technical check before delivery, WordPress
Pre-launch checklist

HTTPS active

HTTPS active means the secure version of the site is available and working correctly as the public version of the website. This check helps confirm that WordPress is serving the site over HTTPS and that the secure protocol is not only configured in theory, but actually active from the outside.

This page explains what HTTPS active means, why it matters, and how PreFlight evaluates the result before launch.

Run PreFlight Back to checklist

Why it matters

A WordPress site should not only have an SSL certificate installed, it should also expose the HTTPS version correctly as the real public version of the site. If HTTPS is not active in practice, the launch setup is incomplete and the site may still depend on insecure access patterns.

This matters for security, trust, and search consistency. Google treats HTTP to HTTPS as a site move, and the preferred secure version should be reinforced consistently through signals such as canonical URLs, sitemaps, and internal linking.

What to review

Before marking this check as correct, review the following points:

The homepage should load correctly over HTTPS.

The browser should not show obvious security warnings on the public version.

HTTPS should behave as the intended live version of the site.

The secure version should not break key assets or basic page rendering.

Canonical, sitemap, and internal links should support the HTTPS version consistently.

How PreFlight checks this check

PreFlight requests the secure version of the site and verifies whether the homepage is available over HTTPS as expected. The goal is to confirm that the secure protocol is active on the live site and not just partially configured.

This check helps surface incomplete SSL or HTTPS setups before delivery. It does not replace a full browser-level security audit, but it is a strong external signal that the secure version is actually live and usable.

PASS / WARN / FAIL

PASS

The site loads correctly over HTTPS, the secure version is active as the public version, and there are no obvious signs of a broken or incomplete secure setup.

WARN

HTTPS is available, but something may still need review, such as inconsistent signals, weak implementation, or issues that suggest the secure setup is not fully clean yet.

FAIL

The site does not load correctly over HTTPS, the secure version is not properly active, or the public setup still depends on an insecure configuration.

Run PreFlight Open checklist

Common mistakes

Installing an SSL certificate but not activating HTTPS properly on the public site.

Assuming HTTPS is fully working just because the padlock appears on one page.

Leaving canonical, sitemap, or internal links on HTTP.

Activating HTTPS but leaving the redirect from HTTP unresolved.

Ignoring mixed content issues that weaken the secure setup.

FAQ

Is having an SSL certificate enough?

No. A certificate may exist, but the site still needs to load correctly over HTTPS as its real public version.

How is this different from the HTTP to HTTPS redirect check?

This page checks whether HTTPS itself is active and usable. The redirect check focuses on whether HTTP traffic is forced to the secure version consistently.

Can HTTPS be active and still be poorly configured?

Yes. A site may technically load over HTTPS and still have mixed signals or mixed content issues that should be fixed before launch.

Check your WordPress site before delivery

Reduce rework, catch last-minute issues and review critical points before launch.

Run analysis