If I had to tell you what I thought the top priority for web companies in 2018 was, I would have to say security. Browser makers are pushing hard for HTTPS this year and have begun shaming sites that don't have it. If you have a form of any kind, be it a login, even forms for email or newsletter signups, and you don't have HTTPS, you get this version of a dunce hat in the address bar of your website visitors. The follwing image is representative of the dunce hat you'll get in Google Chrome.
With all the hacking and other shenanigans taking place on the web, this is completely understandable. You could wake up one morning, as many have, and find your bank account emptied or your credit cards maxed out with no knowledge of what happened or how to fix it.
However, this is no small task. The internet was initially started with the idea of sharing information, not hiding or concealing it. There were and still are all the politics around what is considered secure, who is responsible, and what technologies should be implemented to make it happen. For example, PayPal once adopted the FIDO U2F technology for password security, but try to find that in your settings now and the option is gone.
What's The Holdup?
The one thing we do know is that HTTPS is here to stay and being enforced with vigor. So why is the most popular CMS on the web having difficulty accommodating this transition? The effort to resolve this began years ago. Check out some of these efforts #15928, #27954, #28521, #29708.
From what I can see, the WordPress core has become a convoluted rat's nest of code resulting from an unflinching effort to provide backward compatibility for themes and plugins, the same line of thinking that held back the progress of web development for years. The implementation of new technologies finally exploded once Browser makers settled on the fact that they were going to have to make changes to their products in a way that made things quite painful for web developers.
A Spark Of Hope
Before learning that Google was throwing their weight behind WordPress in this Search Engine Land article, I was about to launch my newest project from a custom platform I had started building because WordPress falls short on several areas of SEO that this project could not suffer from and still succeed, like caching issues and load time.
The upcoming release of 5.0 is a promising opportunity. This is an opportunity to shake things up enough to get the attention of deadbeat Theme and Plugin developers in a way that gets them to do their homework, reading codex updates, and see what changes they need to make to their software in order to ensure compatibility in the very near future.
I myself have begun the development of a plugin for WordPress and I am working with the knowledge that I will have to make a lot of updates to it in order to keep pace with the upcoming changes, but this comes with the territory.
How To Redirect To HTTPS Until Then
Do the obvious things first, be sure you have your SSL properly installed on your hosting account, and be sure that your WordPress settings are correct by going to Settings > General and making sure the WordPress URL and Site URL is configured properly.
Now, to take advantage of the glitch/bug. Go to Settings > Reading and set your home page to a static page. You can use a plugin or widget, depending on your theme, to display your blog posts if you absolutely need to have your blog posts on your homepage.
How did I know you didn't already have a static homepage? This is the only instance where the HTTPS redirection breaks. Standard installs don't have this done by default, neither do some serious bloggers and for whatever reason, this is the only configuration I can find that the WordPress core solutions for HTTPS fall down.
If you've come across information or you are already familiar with redirecting by making changes to the htaccess file, I advise against it. Using the htaccess could have unforeseen consequences, such as multiple redirects which is bad for SEO. My policy is to allow software to do what it's supposed to and though my advice is to use a workaround in order to force WordPress to do its job, my solution is still handing the job to WordPress.
Using this nifty trick prevents the need for hard-coded customization and the results of this will work in a predictable way as you update to future WordPress versions.