Security fix guide (severity: HIGH)

HTTP to HTTPS Redirect Missing

Visitors who type your address without 'https://' load the site over plain HTTP. Learn how to force every visitor onto the encrypted version.

What is this?

Your site is reachable on both http://yourdomain.com and https://yourdomain.com. Visitors who type the address into their browser without 'https://' — which is most visitors — land on the plain HTTP version. Unless your server actively redirects them to HTTPS, they stay there for the whole session. Their login form, their admin cookies, and any data they submit travel unencrypted across every network between them and your server.

Why does it matter?

Anyone on the same Wi-Fi, anyone at the same ISP, and anyone running a router between your visitor and your server can read or modify plain-HTTP traffic. That includes session cookies, which are as good as a password: an attacker who captures a logged-in admin's session cookie can log straight into wp-admin without ever knowing the password. A 301 redirect combined with the HSTS header fixes this permanently: the redirect moves first-time visitors onto HTTPS, and once the browser has seen the HSTS header on an HTTPS response it remembers that your site is HTTPS-only and refuses to connect over plain HTTP even if the visitor types http:// explicitly.

How to fix it

These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.

1. Confirm you have a valid SSL certificate installed (cPanel → SSL/TLS → Manage SSL Sites). Most shared hosts install a free Let's Encrypt certificate automatically; if yours is missing, install one before continuing.

2. Open your site's .htaccess file in File Manager.

3. Add this block at the very top of the file, before any WordPress rules:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

4. Save the file and open http://yourdomain.com in a browser (not https://). It should redirect to the https:// version automatically.

Note: Also update the Site URL and Home URL in WordPress (Settings → General) to use https:// so internal links don't cause mixed-content warnings.

For developers / SSH access

1. Nginx: add a dedicated server block that listens on port 80 and redirects everything (this example also folds the www host into the canonical https://yourdomain.com):

server {
  listen 80;
  server_name yourdomain.com www.yourdomain.com;
  return 301 https://yourdomain.com$request_uri;
}

2. Test the configuration and reload nginx:

sudo nginx -t && sudo systemctl reload nginx

3. Apache (server-wide): add a redirect in your HTTP VirtualHost config (Redirect appends the requested path, so deep links are preserved):

<VirtualHost *:80>
  ServerName yourdomain.com
  Redirect permanent / https://yourdomain.com/
</VirtualHost>

Note: Once the redirect is in place, add the Strict-Transport-Security header (see the security-headers guide) so browsers remember to use HTTPS on future visits.

How to verify the fix

Open an incognito window and type http://yourdomain.com (no 's'). The browser should immediately show https:// in the address bar. You can also run 'curl -I http://yourdomain.com' from a terminal: the response should be 301 with a Location header pointing to the https:// version. Try a deeper URL as well (for example http://yourdomain.com/wp-admin/) to confirm the redirect keeps the requested path instead of sending everyone to the home page.
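As an added example (not part of this guide), a small Python script that applies the same checks offline to a saved 'curl -I' response: status 301 (or 308), an https:// Location on the same host that keeps the requested path and query, and, for the HTTPS response, the Strict-Transport-Security max-age that the note above recommends. The sample responses are constructed; the hostname yourdomain.com is the guide's placeholder.

```python
from urllib.parse import urlsplit

def parse_head(raw):
    """Split a raw HTTP response head (as printed by curl -I) into (status, header map)."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw, requested_url):
    """Problems with a plain-HTTP response; an empty list means the redirect is correct."""
    problems = []
    status, headers = parse_head(raw)
    if status not in (301, 308):  # only permanent redirects are remembered by browsers
        problems.append(f"expected 301 (or 308), got {status}")
    location = headers.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    req, loc = urlsplit(requested_url), urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location is not https: {location}")
    host = req.hostname or ""
    if loc.hostname not in (host, host.removeprefix("www."), "www." + host):  # www swap is fine
        problems.append(f"Location points at a different host: {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        problems.append("Location drops the requested path or query string")
    return problems

def hsts_max_age(raw):
    """max-age from the HTTPS response's Strict-Transport-Security header, or None if absent."""
    value = parse_head(raw)[1].get("strict-transport-security")
    for part in (value or "").split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None

# Constructed sample responses standing in for real `curl -I` output.
GOOD = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/wp-admin/?p=1\r\n\r\n"
BAD = "HTTP/1.1 302 Found\r\nLocation: http://www.yourdomain.com/\r\n\r\n"
SECURE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"

if __name__ == "__main__":
    print(check_redirect(GOOD, "http://yourdomain.com/wp-admin/?p=1"), check_redirect(BAD, "http://yourdomain.com/"))
    print(hsts_max_age(SECURE))
```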
