If I have SSL, should someone be able to get to the http version?

Hi, if we go to https://   techgardensdotcom, we see the lock. A test of the SSL cert shows it's installed correctly. But I can still get to http://   techgardensdotcom.

Am I missing something, maybe an entry in the .htaccess file? Thanks.
Melody Scott Asked:

btan (Exec Consultant) Commented:
You need to enforce a redirect.
https://sg.godaddy.com/help/redirect-http-to-https-automatically-8828

Do consider the following code in your .htaccess file.
It automatically redirects visitors to the HTTPS version of your site:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Ronin Commented:
http - port 80 TCP
https - port 443 TCP

In order to prevent your users from connecting over http, which is recommended, btan's recommendation above should be performed.

On different web servers this is performed in a different manner.
In some cases, it can be performed on the perimeter device, depending on how smart it is.
Melody Scott (Author) Commented:
I'm going to upload my current .htaccess file, maybe you can help me get it right? Thanks.
.htaccess.txt
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Refer to btan's comment.

You posted your .htaccess file + normally SSL is forced in the Apache config file. Something similar to what btan provided.

Unless you do a 301 from http -> https, both protocols will work.

This will have a negative effect on SEO, as Google used to treat http + https as the same site. Now they're treated differently.

The effect is a duplicate content penalty for each page on a site, which means 100% of pages with a penalty... which then promotes to a site wide duplicate penalty.

Very bad... if you're SEOing your site.
Melody Scott (Author) Commented:
Sorry, Btan said: Do consider following code in your .htaccess file.

I was asking for help in doing that, which is why I uploaded it.
btan (Exec Consultant) Commented:
If you have an existing .htaccess file:

Do not duplicate RewriteEngine On.
Make sure the lines beginning RewriteCond and RewriteRule immediately follow the already-existing RewriteEngine On.
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
There's no HTTP -> HTTPS redirection in your .htaccess file.

Here's a copy of the general code I use as a template for setting up client sites I host...

<VirtualHost *:80>
   ServerName  www.WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
   RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [NC,L,R=301]
   Include logging.conf
</VirtualHost>

<VirtualHost *:80>
   ServerName  WEBSITE
   ServerAdmin support@WEBSITE
   RewriteEngine on
   RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [NC,L,R=301]
   Include logging.conf
</VirtualHost>

<IfModule mod_ssl.c>

   <VirtualHost *:443>

      ServerName  www.WEBSITE
      ServerAdmin support@WEBSITE

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
      RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [L,R=301]

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

   <VirtualHost *:443>

      ServerName  WEBSITE
      ServerAdmin support@WEBSITE

      DocumentRoot /sites/OWNER/WEBSITE/TYPE

      <Directory /sites/OWNER/WEBSITE/TYPE>
          Options +Indexes +FollowSymLinks
          AllowOverride All 
          Require all granted
      </Directory>

      Include logging.conf

      SSLEngine on
      SSLUseStapling on

      SSLCertificateFile    /etc/letsencrypt/live/WEBSITE/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITE/privkey.pem

      # Enable HTTP Strict Transport Security with a 2 year duration
      Header always set Strict-Transport-Security "max-age=63072000; preload"

   </VirtualHost>

</IfModule>
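
A way to confirm that the redirect and the HSTS header discussed in this thread are actually being served, as an added example that is not part of any post above: it audits raw response heads for the port-80 and port-443 sides. The sample responses, the `example.com` host and the one-year minimum `max-age` are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses (not captured from the site in the question).
NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
TEMP_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: https://example.com/\r\n\r\n"
GOOD_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/page\r\n\r\n"
HTTPS_OK = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=63072000; preload\r\n\r\n")

def parse_response(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_http_redirect(raw, host):
    """Findings for the port-80 response; an empty list means it is correct."""
    status, headers = parse_response(raw)
    findings = []
    if status != 301:
        findings.append(f"status {status}, expected 301")
    target = urlsplit(headers.get("location", ""))
    bare = host[4:] if host.startswith("www.") else host  # www -> bare host is allowed
    if target.scheme != "https":
        findings.append("Location is missing or not https://")
    elif target.hostname not in (host, bare):
        findings.append(f"redirects to unexpected host {target.hostname}")
    return findings

def audit_hsts(raw, min_age=31536000):  # one year: assumed threshold
    """Findings for the Strict-Transport-Security header on the port-443 response."""
    _, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    match = re.search(r"max-age=\"?(\d+)", value, re.I)
    if not match:
        return ["HSTS header has no max-age"]
    age = int(match.group(1))
    return [] if age >= min_age else [f"max-age {age} is below {min_age}"]

if __name__ == "__main__":
    print(audit_http_redirect(NO_REDIRECT, "www.example.com"))
    print(audit_hsts(HTTPS_OK))
```

The functions take the response head as text, such as the output of `curl -sI` against the http:// and https:// URLs of the site being checked.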

Melody Scott (Author) Commented:
Found this, and have rewritten the .htaccess file: https://wpcolt.com/force-ssl-htaccess-stop-wordpress-modifying/

Thanks for your help, but I would say it was a bit more technical than I needed. I needed more basic help actually rewriting the htaccess file, because I don't understand the code. Anyway, done now.