Redirect - anything to be concerned about?

Discussion in 'Wordpress Support' started by Davek0974, Jul 26, 2019.

  1. Davek0974

    In my dashboard I see a warning from the SSL tab:-

    WordPress 301 redirect enabled. We recommend to enable the 301 .htaccess redirect option on your specific setup. Enable or dismiss?


    Should I enable?

    Do I have a 301 redirect? I thought a 301 was a permanent redirect but can't recall ever setting one up??

    Any thoughts?


    Edit.
    It's the SSL plugin that's doing a redirect to https
    I guess just dismiss the warning?
    On a further tab there are warnings about redirection loops and lost access so maybe best to leave alone?
     
    Last edited: Jul 26, 2019
    Posted: Jul 26, 2019 By: Davek0974 Member since: Mar 7, 2008
    #1
  2. Mike Hayes

    You have a 301 redirect from HTTP to HTTPS in place, which is good.

    However, right now WordPress is handling this redirect, meaning each plain HTTP request hits PHP and WordPress before being redirected to HTTPS. The recommendation to move this to your .htaccess file would mean Apache handles the redirection, which is more efficient, reducing resource consumption caused by those unnecessary HTTP PHP requests.

    A more pragmatic view would be that while using .htaccess is considered best practice, the change is irrelevant unless you're sustaining a reasonable amount of traffic. You are therefore fine to just dismiss the warning if you feel safer doing this.

    If you did want to use .htaccess to enforce HTTPS, you can do this yourself by adding the following lines to your .htaccess file:

    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    It's not usually necessary to have an SSL plugin installed.

    You can even avoid the server hit altogether (and improve security) by enabling HSTS, which tells web browsers to *always* use HTTPS when someone accesses your domain, i.e. perform the HTTP to HTTPS redirection on the client side. Again, this can be done through your .htaccess file although it's a slightly more advanced setting.

    Code:
    Header set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
    
    The max-age is how long browsers should remember this setting for (365 days here but defined in seconds). Fine providing you're always going to be serving the website over HTTPS in future (which you should be).
     
    Posted: Jul 26, 2019 By: Mike Hayes Member since: Jan 7, 2016
    #2
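
Added example (not written by anyone in this thread): a Python check for the two settings described in post #2, run over raw response headers such as `curl -sI` prints. The function names, the sample responses and `example.com` are constructed for illustration; the preload conditions checked (includeSubDomains and a max-age of at least one year) are the browser preload list's submission requirements.

```python
# Added example: audit raw response headers (as printed by `curl -sI`).
from urllib.parse import urlsplit

def parse_headers(raw):
    """Return (status, {lower-cased header name: value}) from a raw header block."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def audit_redirect(raw):
    """Findings for the response to a plain-HTTP request."""
    status, headers = parse_headers(raw)
    findings = []
    if status != 301:
        findings.append(f"status {status}, not a permanent 301")
    if urlsplit(headers.get("location", "")).scheme != "https":
        findings.append("Location is not an https:// URL")
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over plain HTTP (browsers ignore it)")
    return findings

def audit_hsts(raw):
    """Findings for the Strict-Transport-Security header of an HTTPS response."""
    value = parse_headers(raw)[1].get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip('"')
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif "preload" in directives and int(max_age) < 31536000:
        findings.append("preload needs max-age of at least 31536000")
    if "preload" in directives and "includesubdomains" not in directives:
        findings.append("preload without includeSubDomains")
    return findings

# Constructed sample responses (example.com is a placeholder host).
HTTP_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n"
HTTPS_RESPONSE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; preload\r\n"

if __name__ == "__main__":
    print(audit_redirect(HTTP_RESPONSE), audit_hsts(HTTPS_RESPONSE))
```

An empty list means nothing was flagged. Run the redirect check on the `http://` response and the HSTS check on the `https://` response.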
  3. Davek0974

    Hmm, seems ok to leave it then as my traffic is minimal :(

    I'll dismiss it I think.

    Don't want to risk a lockout ;)
     
    Posted: Jul 26, 2019 By: Davek0974 Member since: Mar 7, 2008
    #3