We have written scripts to redirect our website to https, but when we use Security Headers IO, it reports that our site is not redirecting to https.

Let me post our script for reference. We use GoDaddy as our hosting provider. We would like tips on how to write scripts that will redirect the site wherever it is called.

```apache
# BEGIN WpFastestCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_HOST} ^www.somebank.com
# Start WPFC Exclude
# End WPFC Exclude
# Start_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP:Cookie} !wordpress_logged_in_[^\=]+\=some_admin|some_hr|zeus
# End_WPFC_Exclude_Admin_Cookie
RewriteCond %{HTTP_HOST} ^www.somebank.com
RewriteCond %{HTTP_USER_AGENT} !(facebookexternalhit|WhatsApp|Mediatoolkitbot)
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{REQUEST_URI} !(\/){2}$
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{QUERY_STRING} !.+
RewriteCond %{HTTP:Cookie} !wordpress_logged_in
RewriteCond %{HTTP:Cookie} !comment_author_
RewriteCond %{HTTP:Cookie} !wp_woocommerce_session
RewriteCond %{HTTP:Cookie} !safirmobilswitcher=mobil
RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/all/$1/index.html -f [or]
RewriteCond /home/someict/public_html/wp-content/cache/all/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/all/$1/index.html" [L]
</IfModule>
<FilesMatch "index\.(html|htm)$">
AddDefaultCharset UTF-8
<ifModule mod_headers.c>
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Mon, 29 Oct 1923 20:30:00 GMT"
</ifModule>
</FilesMatch>
# END WpFastestCache

# BEGIN GzipWpFastestCache
<IfModule mod_deflate.c>
AddType x-font/woff .woff
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE font/opentype font/ttf font/eot font/otf
</IfModule>
# END GzipWpFastestCache

# BEGIN LBCWpFastestCache
<FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|webp|js|css|swf|x-html|css|xml|js|woff|woff2|ttf|svg|eot)(\.gz)?$">
<IfModule mod_expires.c>
AddType application/font-woff2 .woff2
ExpiresActive On
ExpiresDefault A0
ExpiresByType image/webp A2592000
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/ico A2592000
ExpiresByType image/svg+xml A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/javascript A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/font-woff2 A2592000
</IfModule>
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
<FilesMatch "\.(js|css|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
Header set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "no-referrer"
</IfModule>
<IfModule mod_headers.c>
Header set Expires "max-age=2592000, public"
Header unset ETag
Header set Connection keep-alive
FileETag None
</IfModule>
</FilesMatch>
# END LBCWpFastestCache

# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------
<IfModule mod_deflate.c>
    # Force compression for mangled `Accept-Encoding` request headers
    # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    # Compress all output labeled with one of the following media types.
    #
    # (!) For Apache versions below version 2.3.7 you don't need to
    # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
    # and `</IfModule>` lines as `AddOutputFilterByType` is still in
    # the core directives.
    #
    # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" "application/javascript" "font/eot" "font/opentype" "image/bmp" "image/svg+xml" "image/vnd.microsoft.icon" "image/x-icon" "text/cache-manifest" "text/css" "text/html" "text/javascript" "text/x-cross-domain-policy" "text/xml"
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    # Map the following filename extensions to the specified
    # encoding type in order to make Apache serve the file types
    # with the appropriate `Content-Encoding` response header
    # (do note that this will NOT make Apache compress them!).
    #
    # If these file types were served without an appropriate
    # `Content-Encoding` response header, client applications (e.g.:
    # browsers) wouldn't know that they first need to uncompress
    # the response, and thus, wouldn't be able to understand the
    # content.
    #
    # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
    <IfModule mod_mime.c>
        AddEncoding gzip svgz
    </IfModule>
</IfModule>

# `FileETag None` doesn't work in all cases.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None

<IfModule mod_expires.c>
ExpiresActive on
# Perhaps better to whitelist expires rules? Perhaps.
ExpiresDefault "access 2 days"
# cache.manifest needs re-requests in FF 3.6 (thx Remy ~Introducing HTML5)
ExpiresByType text/cache-manifest "access plus 0 seconds"
# your document html
ExpiresByType text/html "access"
# rss feed
ExpiresByType application/rss+xml "access plus 1 hour"
# favicon (cannot be renamed)
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
# media: images, video, audio
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpg "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType video/ogg "access plus 2592000 seconds"
ExpiresByType audio/ogg "access plus 2592000 seconds"
ExpiresByType video/mp4 "access plus 2592000 seconds"
# css and javascript
ExpiresByType text/css "access plus 2592000 seconds"
ExpiresByType text/javascript "access 7 days"
ExpiresByType text/x-javascript "access 7 days"
ExpiresByType application/javascript "access 7 days"
ExpiresByType application/x-javascript "access 7 days"
</IfModule>

# gzip compression.
<ifModule mod_deflate.c>
<filesMatch "\.(css|js|x?html?|php)$">
SetOutputFilter DEFLATE
</filesMatch>
</ifModule>

# BEGIN Cache-Control Headers
<ifModule mod_headers.c>
<filesMatch "\.(ico|jpe?g|png|gif|swf)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
<filesMatch "\.(css)$">
Header set Cache-Control "max-age=604800, public"
</filesMatch>
<filesMatch "\.(js)$">
Header set Cache-Control "max-age=604800, public"
</filesMatch>
<filesMatch "\.(x?html?|php)$">
#Header set Cache-Control "max-age=600, private, must-revalidate"
</filesMatch>
# Header name takes no trailing colon; the dot in the pattern must be escaped
<FilesMatch "\.(js|css|xml|gz|html)$">
Header append Vary Accept-Encoding
</FilesMatch>
</ifModule>
# END Cache-Control Headers

<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>

<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Hide server-side technology information
<IfModule mod_headers.c>
Header unset X-Powered-By
</IfModule>

# ----------------------------------------------------------------------
# | Reducing MIME type security risks                                  |
# ----------------------------------------------------------------------
# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin
# data leaks, and should be left uncommented, especially if the server
# is serving user-uploaded content or content that could potentially be
# treated as executable by the browser.
#
# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
# https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
# https://mimesniff.spec.whatwg.org/
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>

## protect .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>

# protect wp-config
<files wp-config.php>
order allow,deny
deny from all
</files>

# block directory indexing
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>

## redirect http to https, then non-www to www version
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www.somebank.com$
RewriteRule ^(.*)$ "https\:\/\/www\.somebank\.com\/$1" [R=301,L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

#AuthType Basic
#AuthName "statging"
#AuthUserFile "/home/someict/.htpasswds/public_html/staging/passwd"
#require valid-user

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 192.168.0.0/16
deny from 172.16.0.0/12
deny from 10.0.0.0/8

# Hotlink protection: refuse image requests whose Referer is not this site
RewriteCond %{HTTP_REFERER} !^http://somebank.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://somebank.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.somebank.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.somebank.com$ [NC]
RewriteCond %{HTTP_REFERER} !^https://somebank.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://somebank.com$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.somebank.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.somebank.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
```

1 Answer

Please note the "https":

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]
</IfModule>
```
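Added example, not code from the question or the answer: a small Python checker that records each hop of the redirect chain the way an external scanner does (one request per hop, redirects not followed blindly) and flags the conditions that make a scanner report "not redirecting to https". The host name and the two sample hop lists are constructed; `fetch_chain()` is only needed against a live host and is not exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so that every hop is recorded explicitly.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_chain(url, max_hops=5):
    """Collect [(url, status, headers), ...] by following Location by hand."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        try:
            r = opener.open(urllib.request.Request(url, method="HEAD"), timeout=10)
            status, headers = r.status, r.headers
        except urllib.error.HTTPError as e:  # 3xx and error statuses land here
            status, headers = e.code, e.headers
        headers = {k.lower(): v for k, v in headers.items()}  # normalise names
        hops.append((url, status, headers))
        if status not in REDIRECTS or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops

def analyze_chain(hops):
    """Return findings; an empty list means the HTTP->HTTPS redirect is sound."""
    findings = []
    url, status, headers = hops[0]
    if urlparse(url).scheme == "http":
        if status not in (301, 308):
            findings.append(f"plain-HTTP request answered {status}, not a 301/308")
        loc = headers.get("location", "")
        if status in REDIRECTS and urlparse(loc).scheme != "https":
            findings.append(f"first redirect goes to {loc!r}, not an https:// URL")
    url, status, headers = hops[-1]
    if urlparse(url).scheme != "https":
        findings.append(f"chain ends on {url}, still not HTTPS")
    elif status == 200 and "strict-transport-security" not in headers:
        findings.append("final HTTPS response carries no Strict-Transport-Security")
    return findings

# Constructed sample hops (not captured from a real host): what a scanner
# should see, versus what the question describes (HTTP answered with the page).
GOOD = [("http://www.somebank.com/", 301, {"location": "https://www.somebank.com/"}),
        ("https://www.somebank.com/", 200, {"strict-transport-security": "max-age=31536000"})]
BROKEN = [("http://www.somebank.com/", 200, {"content-type": "text/html"})]
```

Run `analyze_chain(fetch_chain("http://www.yourdomain.com/"))` against the live site before re-running the scanner; a non-empty result shows exactly which hop the scanner objects to, which is more useful than reading the `.htaccess` again.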