I use WP Engine as my development environment for client sites. Pushing code with git and migrating content with Migrate DB Pro makes development much easier, but there’s a small behavior worth noting: WP Engine forces SSL on the backend while allowing either HTTP or HTTPS on the frontend. Even when you set all site URLs to use HTTPS, browsing to the HTTP version of the site does not redirect to HTTPS. On production environments you can adjust SSL settings, but in transferable or staging installs the frontend HTTPS behavior can be inconsistent and the secured page may be effectively inaccessible.
This inconsistency can confuse clients who expect to see the browser’s “Secure” indicator and it can also introduce technical problems. For example, AJAX requests that rely on the same scheme and domain—for instance admin-ajax calls used by plugins—may fail due to mixed-scheme or domain mismatches.
One option is to install a plugin that forces SSL site-wide. However, I prefer not to rely on an extra plugin because it’s easy to forget to disable it when moving a site to an environment where HTTPS is not yet configured. Instead, I add a small snippet of code to my core functionality plugin (or as a lightweight standalone plugin) that forces frontend requests to HTTPS on WP Engine installs while leaving backend behavior intact.
The snippet below is intentionally minimal and focused: it checks whether the site URL indicates a WP Engine environment and whether the current request is not already using SSL. If both conditions are true, it issues a 301 redirect to the HTTPS version of the current request. This avoids installing a separate plugin just to enforce HTTPS for staging and development sites hosted on WP Engine, and it prevents AJAX or other frontend processes from failing because of mixed protocols.
Here is the PHP code I use. Add it to your core functionality plugin or include it in a small mu-plugin so it’s active in development and staging environments but easy to remove or ignore when moving to production environments with proper SSL management:
| /** |
| * Force SSL on WP Engine installs |
| * |
| * Checks for WP Engine in the home URL and redirects to HTTPS if the |
| * current request is not already using SSL. Useful for development and |
| * staging environments to prevent mixed-scheme issues with AJAX and other |
| * frontend requests. |
| */ |
| function be_force_ssl_on_wpengine() { |
| if ( strpos( home_url(), ‘wpengine’ ) !== false && ! is_ssl() ) { |
| wp_redirect( ‘https://’ . esc_attr( $_SERVER[‘HTTP_HOST’] ) . esc_url_raw( $_SERVER[‘REQUEST_URI’] ), 301 ); |
| exit; |
| } |
| } |
| add_action( ‘template_redirect’, ‘be_force_ssl_on_wpengine’ ); |
Notes and best practices:
- Place this code in a core functionality plugin, a small custom plugin, or an mu-plugin so it runs automatically in your development and staging environments.
- Using a 301 redirect tells browsers and search engines that the HTTPS version is preferred. For temporary testing you could change this to a 302, but 301 is suitable when you intend HTTPS as the canonical scheme.
- The code targets WP Engine installs by looking for “wpengine” in the home URL. If you host elsewhere or use a different pattern for identifying environments, adjust the conditional accordingly.
- Escape and sanitize server-supplied variables when constructing the redirect to reduce the risk of header injection or malformed redirects.
Adding this small, targeted redirect prevents mixed-protocol problems on WP Engine development sites without introducing a plugin you might forget to disable later. It keeps frontend requests consistent and avoids confusing clients who expect to see the secure lock icon in their browser while reviewing staging sites.