Wordpress will sometimes automatically redirect from HTTP to HTTPS, such automatic redirection is generally bad, as it tends to cause confusion — luckily it is usually easy to fix.
The problem often happens after moving a Wordpress website to a domain hosted locally — especially when moving a website manually. The reasons that the problem occurs may include one or more of the below scenarios:
- There is a redirect configured in .htaccess, or more rarely in the Apache VHOST files.
- The siteurl and home options can be configured incorrectly after moving.
- A plugin, such as really simple ssl is causing a redirect from HTTP to HTTPS.
The redirect is usually unwanted on local test-servers, since there is rarely need to use HTTPS locally.
Prevent Wordpress from redirecting to HTTPS
How to remove the redirect will depend on what is causing the problem.
1. Be sure to check your .htaccess file and remove any redirects that are not supposed to be there.
2. Check that the siteurl and home options are configured correctly.
To update the siteurl and home options manually, the following queries can be used:
UPDATE wp_options SET option_value='http://local-test.beta' WHERE option_name = 'siteurl'; UPDATE wp_options SET option_value='http://local-test.beta' WHERE option_name = 'home';
Be sure to check what the name of your wp_options table is, as the database tables can have their own unique prefixes depending on the installation and/or hosting company.
3. If you got a plugin like really simple ssl installed, you can simply delete it from the plugin folder to get rid of it. In Linux, this can be done from a terminal or a file manager:
rm -R /var/www/local-test/wp-content/plugins/really-simple-ssl/
Once everything is done, be sure to close your browser and open an incognito window to prevent it from caching the redirect response.
How to correctly redirect from HTTP to HTTPS
Ideally you should not redirect traffic on HTTP to HTTPS since it creates a security risk.
When first enabling HTTPS on a website that was previously HTTP-only, having a redirect in place (a temporary 301 redirect) might help search engines update their links; but it should generally be disabled again as quickly as possible.
This is because, if users access the HTTP version, either from an outdated link or by typing "http" in the browsers address-bar directly, a man-in-the-middle attack is made possible, and an attacker could potentially steal users credentials or serve as a proxy between the real site and a malicious site controlled by the hacker. This could enable the hacker to view, intercept, and modify everything the user does on the real site.
If you still need to use a redirect, I recommend you do it from the Apache VHOST configuration files; if that is not possible, use .htaccess or a plugin as last-resorts.
It also depends on how your host has installed the SSL certificates. Generally, a plugin should not be required, since SSL is configured on the server-level.