Avoid landing page redirects, redirecting www to non-www and vice versa

Google encourages site owners to “avoid landing page redirects”. In the case of SSL, however, this recommendation conflicts with SSL best practices. At the same time, 1 or 2 redirects, as long as they are 301 permanent redirects, are not harmful at all. Let me explain.

Why is there a double redirect in my site?

WordPress internally redirects your site to the primary domain, which is entered in settings/general. For example, when your site URL is http://www.domain.com and you type in http://domain.com, WordPress redirects to the www domain.

Really Simple SSL adds another redirect: from http to https. To follow best practices, this redirect goes by default to the https variant of the requested URL. So if you type in http://domain.com, Really Simple SSL redirects to https://domain.com, and WordPress then redirects to the www domain. Google will notice this chain and advise you to “avoid landing page redirects”. Consequently, some people think that this is bad for SEO and site speed. This is not correct: two redirects on your site will not cause any SEO issues, and as for site speed, such redirects are only triggered when a user requests an “old” URL, and they are very fast when implemented in the .htaccess.

To summarize: this landing page redirect has no negative impact on SEO and no negative impact on site speed. Removing it does have a negative impact on security. What do you choose?

Don’t avoid landing page redirects when using HSTS!

HSTS is an important reason not to avoid landing page redirects: the HSTS preload list requires your site to redirect to https first, and only then to www or non-www. If you want to submit your site to the preload list, don’t try to avoid this one extra landing page redirect.

Why is this important? HSTS headers should only be sent over an https connection, and browsers ignore an HSTS header received over plain http. As a result, if you redirected http://domain.com directly to https://www.domain.com in a single redirect, the non-www domain would never set the HSTS header. This would enable a man in the middle to present a malicious non-https site to an unsuspecting visitor: because HSTS is not set for the non-www domain, the browser will show the fake website, where the attacker can request personal data from a user who thinks they are on your website.

Please note that these redirects are only triggered when a URL is requested on the non-primary domain. As all redirects are 301 redirects, search results will only show the primary domain, and your users will never experience a redirect. Only old links on the web can cause a redirect.
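To verify that a site really produces the two-step chain described above, here is an added example written for this article; it is not Really Simple SSL code. It follows a redirect chain one hop at a time and flags anything the HSTS preload list would reject: an https hop without a preload-grade Strict-Transport-Security header, a plain-http hop that does not redirect to https on the same host (the single-redirect shortcut that leaves the non-www domain without HSTS), or a redirect that is not permanent. The responses in GOOD_SITE and SHORTCUT_SITE are constructed for the example, and check_chain, parse_hsts, fake_fetch and live_fetch are names chosen here; pass live_fetch instead of fake_fetch(...) to check a real hostname.

```python
# Added example (not Really Simple SSL code): walk a redirect chain and check it
# against the HSTS preload rules. The sample responses below are constructed.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MIN_MAX_AGE = 31536000  # preload list minimum: one year


def parse_hsts(value):
    """Return (max_age, includeSubDomains, preload) from an HSTS header value."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, False, False  # malformed max-age invalidates the header
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def check_chain(start_url, fetch, max_hops=5):
    """Follow redirects via fetch(url) -> (status, headers); return (ok, hops, problems).

    Every https hop must carry a preload-grade HSTS header, every plain-http hop must
    redirect to https on the same host (so the non-www host gets to set HSTS), and
    the redirects must be permanent."""
    problems, hops, url = [], [start_url], start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        sts = headers.get("strict-transport-security")
        if parts.scheme == "https":
            max_age, include_sub, preload = parse_hsts(sts or "")
            if max_age is None or max_age < MIN_MAX_AGE:
                problems.append(f"{url}: missing or short HSTS max-age (need {MIN_MAX_AGE})")
            if not (include_sub and preload):
                problems.append(f"{url}: HSTS needs includeSubDomains and preload")
        elif sts is not None:
            problems.append(f"{url}: HSTS over plain http is ignored by browsers")
        if 200 <= status < 300:
            if parts.scheme != "https":
                problems.append(f"{url}: final page served over plain http")
            break
        if status not in (301, 302, 307, 308) or "location" not in headers:
            problems.append(f"{url}: unexpected status {status}")
            break
        target = urljoin(url, headers["location"])
        if status not in (301, 308):
            problems.append(f"{url}: redirect {status} is not permanent")
        if parts.scheme == "http" and (
            urlsplit(target).scheme != "https" or urlsplit(target).hostname != parts.hostname
        ):
            problems.append(f"{url}: http must redirect to https on the same host, not {target}")
        hops.append(target)
        url = target
    else:
        problems.append(f"more than {max_hops} redirects from {start_url}")
    return not problems, hops, problems


def live_fetch(url, timeout=10):
    """fetch() for a real site: one request, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # do not follow; the 3xx then surfaces as HTTPError
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


PRELOAD_HSTS = "max-age=31536000; includeSubDomains; preload"

# Constructed responses: the two-step chain the article recommends.
GOOD_SITE = {
    "http://domain.com/": (301, {"Location": "https://domain.com/"}),
    "https://domain.com/": (301, {"Location": "https://www.domain.com/",
                                  "Strict-Transport-Security": PRELOAD_HSTS}),
    "https://www.domain.com/": (200, {"Strict-Transport-Security": PRELOAD_HSTS}),
}
# Constructed responses: the single redirect the article warns against.
SHORTCUT_SITE = {
    "http://domain.com/": (301, {"Location": "https://www.domain.com/"}),
    "https://www.domain.com/": (200, {"Strict-Transport-Security": PRELOAD_HSTS}),
}


def fake_fetch(site):
    """fetch() backed by one of the constructed response tables."""
    return lambda url: site[url]


if __name__ == "__main__":
    for name, site in (("two-step chain", GOOD_SITE), ("single redirect", SHORTCUT_SITE)):
        ok, hops, problems = check_chain("http://domain.com/", fake_fetch(site))
        print(f"{name}: {'OK' if ok else 'FAIL'}  {' -> '.join(hops)}", *problems, sep="\n  ")
```

The two-step chain passes; the shortcut is reported because its http hop jumps to a different host, which is exactly the hop on which the non-www domain should have sent its HSTS header.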

Another issue with redirects: no SSL on www, or on non-www

You might also have SSL only for the www domain, or only for the non-www domain. If that is the case, you’ll find that the domain without SSL won’t function anymore once you move to SSL. To counter this, you could redirect all requests coming in on the non-www domain to the www domain (or the reverse, depending on which domain your certificate covers). Note that this only helps for plain http requests: an https request to a host name the certificate does not cover fails with a certificate warning before the server can send any redirect.

How to bypass these redirects

You can also edit the .htaccess file manually (make sure to edit the .htaccess file in your web root, the directory where wp-config.php is also located) by adding these lines to the file. Note: make sure to add them outside of the WordPress and Really Simple SSL comment blocks.

#redirect non-www to www
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

These rules in human language:

When the rewrite condition “all domains that do not start with www” is met, redirect to the www domain.

If you want www. redirecting to non-www, add this to your .htaccess instead:

#redirect www to non-www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

Here %1 refers to the part of the host name captured by the RewriteCond, i.e. the domain without the www. prefix.

The end result in your .htaccess file should look something like this, where the new redirect is added separately above the redirect inserted by Really Simple SSL:

#redirect all www requests to non-www.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
</IfModule>

#redirect all non https requests to SSL
#Begin Really Simple Security
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
#End Really Simple Security