Redirect to HTTPS not working in WordPress

This is not an obvious problem, because for some pages the redirect to HTTPS works, but for some it does not. I ran into this problem on WordPress quite by accident. Therefore, if you are a webmaster with WordPress sites, then I would recommend that you check your sites too.

Redirecting from HTTP to HTTPS is quite simple, you need to add the following lines to the .htaccess file:

RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}

This is how I redirect to HTTPS on most of my sites.

To test the redirect to HTTPS, it is advisable to look at the HTTP response headers, since web browsers tend to open the site over HTTPS even if you explicitly specified the HTTP protocol in the URL, at least I noticed this with pages already opened over HTTPS.

In Linux, the response HTTP headers can be viewed with a command of the form (it will show both the headers and the response body):

curl -v 'URL'

And this command will show only headers:

curl -I 'URL'

If you run Windows, then you can use an online service to display HTTP headers.

We enter the site address http://site.ru/

Received HTTP redirect code:

HTTP/1.1 302 Found

We were redirected to the HTTPS version:

Location: https://site.ru/

Is everything working as it should?

We continue to check. We enter the site address http://site.ru/page-on-site

And… we get the code 200, that is, the page would be shown to us at the specified address, without redirecting to HTTPS.

This behavior can be observed on sites with beautiful (sometimes referred to as SEO) page URLs. In WordPress, this can be selected in Control Panel → Settings → Permalinks. Examples:

 Day and name	https://suay.site/2021/05/21/sample-post/
 Month and name	https://suay.site/2021/05/sample-post/
 Numeric	https://suay.site/archives/123
 Post name	https://suay.site/sample-post/

The point is that in order for any of these options to work, WordPress adds the following lines to the .htaccess file:

# BEGIN WordPress
# Директивы (строки) между `BEGIN WordPress` и `END WordPress`
# созданы автоматически и подлежат изменению только через фильтры WordPress.
# Сделанные вручную изменения между этими маркерами будут перезаписаны.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

These lines contain conditions and a rule for mod_rewrite with the [L] flag, which means that the check should be aborted according to the mod_rewrite rules. As a result, the HTTP to HTTPS redirect rule does not reach the queue.

That is, the redirect lines must be placed before the fragment that is generated by WordPress. Let's try:

Found
The document has moved here.

Additionally, a 302 Found error was encountered while trying to use an ErrorDocument to handle the request.

The situation has changed but has not improved.

It is necessary to add the [L] flag to the rewrite rule, and place these rules in the .htaccess file before the fragment from WordPress:

RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteCond %{REQUEST_URI} !^/.well-known/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L]

# BEGIN WordPress
# Директивы (строки) между `BEGIN WordPress` и `END WordPress`
# созданы автоматически и подлежат изменению только через фильтры WordPress.
# Сделанные вручную изменения между этими маркерами будут перезаписаны.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

After that, everything will work exactly as you expect. All URLs, both the Front Page and other posts, starting with http:// will be redirected to https://

By default, the code will be “302 Moved Temporarily”. If you wish, you can select the code “301 Moved Permanently”:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]