This post might seem a little backwards but there is way less information for this topic than the other way around! I am regularly faced with the need to force http rather than forcing httpS.
Disabling SSL and its inherent encryption is generally not something you want to do in ideal circumstances, but I suspect nobody is here under ideal circumstances.
It can be incredibly annoying when you don’t know why the site is still redirecting to HTTPS, and almost impossible to troubleshoot due to lack of information on the topic.
I’m here to fix that problem!
I’ve seen numerous topics where this question is asked, and snooty book-smart developers all respond in perfect mindless harmony, “you should never choose HTTP over HTTPS! I can’t comprehend a situation in which it may be necessary therefor it doesn’t exist!”
There are plenty of times where this comes up for me personally. Most notably, I am often migrating sites that usually utilize HTTPS encryption and an SSL certificate, but due to constraints of my hosting setup, a new certificate cannot be issued until the site is live on the new server. Additionally, the server does not even support HTTPS protocol at all unless there’s an SSL. In order to test the site in the local environment, I need to disable HTTPS. It’s frustrating, but it’s the only way around it.
So without further ado, here is a full checklist of all the ways I’ve seen websites redirect to HTTP. Checking for (and removing) these should force the site to use just regular HTTP. Make sure to read #6 which goes over browser caching. Even if you fix the problem, you might still be getting redirected!
1. WordPress plugins
This is one of the most common ways for a WordPress site to utilize the SSL certificate. Many users will opt for a plugin like Really Simple SSL to handle all of the hard work for them. And I recommend it for that purpose as it’s very easy, and also easy to disable.
Some may also use a plugin like Redirection to add a custom redirect in. This is much less common but it would, in theory, work.
2. Site URL in the database/WordPress backend
The first thing mostly people do when activating SSL on their WordPress site is to change the site URL in the Settings -> General page of the backend. Generally the “WordPress Address (URL)” and “Site Address (URL)” should be the same, and both should be set to your preference.
- Changing from HTTPS to HTTP or vice-versa will typically log you out
- Don’t change these unless you know what you’re doing
- Generally changing these values along is not enough to change anything – not sure why but it isn’t
If this area is grey-out, scroll down to “Site URL defined in wp-config.php”.
Alternatively, if you don’t have WordPress backend access at the moment, you can also find these values right in the database. Just open up phpMyAdmin and navigate to the wp_options table. Change the values of “siteurl” and “home” as needed. “home” may be on the second page!
Just don’t do this if you don’t know what you’re doing. This is the database itself and it’s easy to mess things up.
3. .htaccess file
On Linux servers (which is most of them), there is usually a file called .htaccess in the site root that can be used to redirect a website to whichever protocol you like. This is a common way hosts redirect HTTP to HTTPS. You’ll need to remove or comment out the lines that are giving you trouble.
You might find lines like this:
1 2 3 |
RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://www.example.com/$1 [R,L] |
Removing that should disable the redirects.
Conversely, if you wanted HTTPS to redirect to HTTP, you could add these lines:
1 2 3 |
# Redirect HTTPS traffic to HTTP - https://pagecrafter.com RewriteCond %{HTTP:X-Forwarded-Proto} =https RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] |
Generally these would need to be found before the WordPress-delineated section of the file for them to have any effect.
4. Theme options or custom theme functions
Sometimes your theme will have built-in functionality to enable SSL on the site. Take a look around the theme options and see if you can find it. If there’s a “security” section, that’s your best bet.
Other times some custom themes or child themes will have custom functions that redirect the site. I would check the theme’s functions.php file for any mention of this. Usually the functions will be labeled and you’ll be able to figure it out.
On a site I worked on recently, lengthy searching discovered this code in functions.php:
1 2 3 4 5 6 7 8 9 10 |
//Force SSL function check_https() { if ($_SERVER['HTTPS'] != 'on') { $redirect = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; wp_redirect($redirect); } } add_action('admin_init', 'check_https'); add_action('template_redirect', 'check_https'); |
That’s where the redirect was coming from! Removing this code finally allowed me to work on the site without HTTPS.
5. Site URL defined in wp-config.php
If the option to change the WordPress address and Site address were greyed-out in #2, most likely the same values are being hard-coded in via the wp-config.php file, found in your site’s root.
Open the file and search for these lines:
1 2 |
define( 'WP_HOME', 'https://example.com' ); define( 'WP_SITEURL', 'https://example.com' ); |
You could alter the values to replace “https” with “http” if you wanted, or you could remove the lines altogether and modify this value directly in the WordPress backend.
6. Browser caching
Browser caching can be extremely frustrating. Any time you get redirected, Chrome or any other browser typically caches this redirect and remembers it. Even if the initial reason for the redirect is removed, you will likely still be redirected!
The easiest solution is to use Chrome’s developer tools and selecting “Disable cache”, which stays active as long as the developer tools are open for that tab.
Clearing all history and browsing data should work, too, but is obviously more work.
I’ve found that using incognito windows doesn’t always work; I’m not sure why. It will still sometimes cache redirects.
Using slightly different URLs will also make sure the browser checks for the real redirect and not the cache. Adding a question mark with random characters at the end of any URL should work! So instead of example.com, use example.com?1234abcd
Conclusion
While some might not understand why this information is needed, you know better! As somebody who arrived here and bothered to read it, you obviously had need of it. I’ve been so frustrated over the years trying to figure some of this out, but my pain is your gain.
Enjoy!