Using example.com, what is the URL structure shown in the Admin > Settings > General panel for "WordPress Address (URL)" - and is it the same as the URL in the same panel for the "Site Address (URL)"? Is the URL shown there as https://www.example.com or http://www.example.com or https://example.com or http://example.com ?

Is there a set of canonicalization rewrite rules for https in the .htaccess file to rewrite requests for all versions to the same version which is shown in that Settings > General panel - before the

# BEGIN WordPress
<IfModule mod_rewrite.c> 

block of rewrites?

The 302 redirect comes up when another page temporarily replaces an existing page so it is supposed to be a 302 (temporary) redirect. The 301 redirects should take place before the plugin gets the request and 302s it to a temporary page. You can't make it a 301 (permanent) redirect to multiple different language pages.

Not that it "can't" be done, but it is a bad idea because it presents the same content in multiple language-versions as the master copy of a single page.

the proper order of redirects here would be a single 301 redirect from non-https and/or non-www requests to the canonical hostname and then a 302 redirect to the language-specific version if necessary or appropriate.

i would also first question which mod_rewrite directives (if any) precede the "BEGIN WordPress" block of directives.

@not2easy
The .htaccess has these:

Header always set Content-Security-Policy: upgrade-insecure-requests
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# START PHP VERSION CHANGE forced by SG Optimizer
AddHandler application/x-httpd-recommended-php .php .php5 .php4 .php3
# END PHP VERSION CHANGE
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

At the WP settings, the wordpress address and the site address have both this format: "https example com"

We have tried to play with the different settings of Polylang to remove the en/home/ from the homepage, as the English language is the default language, but although we managed to make the "www example com" 301 redirect to the "https www example com", we realised that half of the internal links still use the /en/ as a subdirectory, while other don't. So some of them were broken....
But while using the "example com" format we noticed that there were 2 301 redirects in place, first going to the "https www example com" and then to the /en/home/ url

I really don't know what else to try.

[edited by: phranque at 8:44 am (utc) on Nov 3, 2020]
[edit reason] unlinked "url" [/edit]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

i would first try something more like this:

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !(^www\.example\.com$)? [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

[edited for typo]

[edited by: phranque at 8:36 pm (utc) on Nov 3, 2020]

@phranque

So you are suggesting removing this part from my .htaccess:
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And replace it with your script?

Also, I wanted to ask something about the setting up of Siteground.
I have this domain declared as "example com". Is this a mistake? Should I have included it as "www example com"?

[edited by: phranque at 12:38 pm (utc) on Nov 3, 2020]
[edit reason] unlinked "url" [/edit]

So you are suggesting

yes.

I wanted to ask something about the setting up of Siteground.

from the Charter [webmasterworld.com] for this forum:

Discussions On Hosting:
Public discussion and recommendation of hosting companies is not allowed in the Wordpress forum. If you are a subscriber to Webmaster World please see the Webhosting Issues and Options forum. Please be sure to read the forum Charter before posting!

Should I have included it as "www example com"?

probably, but i would try the suggested change first and then see what is required.

If the WP Settings panel shows "https://example.com" then definitely do not add in "www" on any other settings. WP will use the internal URL Settings and adding www in your canonicalization rewrites is going to cause problems. This is why you are seeing extra rewrites.

With the URL Settings as you describe, I would change your .htaccess to use:

#Redirect invalid and www requests
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

and if there is a need to use "No Case", use [NC] rather than {NC}, that looks like a typo in phranque's example.

BTW, your php handlers all use deprecated versions of PHP which, if you are still using any of those old PHP versions, will cause problems with WP functionality and speed. Today's WP runs better if you can upgrade your PHP to current versions. Your handlers show the newest version of 5 which was EOL a few years ago.

Siteground is a hosting company and we don't offer advice about hosting companies, sorry. If you want to talk about migrating a WP site, that's different.

Some clarifications:

Do I need to add this?
#Redirect invalid and www requests

Then, do I use this?
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

Or this?
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

And the current PHP is 7.3.23

The # symbol is for your own information. It is used to "comment out" a line in htaccess so it does not get read by the server. You can keep it or remove it, it does not have any effect on the rule. It is similar to using

<!-- invisible --> 

to add notes in html for yourself. The htaccess lines you posted contain several examples such as # BEGIN WordPress

Those are two different rules. The first rule is to ensure that only one version of your domain is used, it needs to agree with the WP settings. This is the canonicalization rewrite rule.

The second (Port 80) rule is to deal with third-party content that might use http URLs. Less common today, I still add it because it helps keep ftp secure for incoming http: protocols. On WP people can add links, this helps ensure https - you can use it or not.

If you are using newer PHP, you should update your handlers as well. They list multiple versions of php, all of them long out of use. The common format would be:

AddHandler application/x-httpd-php73 .html .php

BUT check with your host because there are proprietary variations to that format.

Ok @phranque and @not2easy thanks a lot for these suggestions.
Will add them later to the htaccess, after I remove the previous code and will report my findings.

Then, do I use this?
RewriteCond %{HTTP_HOST} !^(example\.com)?$
RewriteRule (.*) https://example.com/$1 [R=301,L]

Or this?
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

you should combine those into a single ruleset, similar to my example above.
in my example above i assumed your canonical hostname was www.example.com but from your examples it looks like your preferred hostname is example.com.
the secure test can use either the HTTPS flag or the SERVER_PORT value.

try something like this:

RewriteCond %{HTTP_HOST} !^(example\.com)?$ [NC,OR]
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://example.com/$1 [R=301,L]

RewriteCond %{HTTP_HOST} !^(example\.com)?$ [NC,OR]

one more thing to note.
this example includes provisions to handle two issues that may not occur in your hosting environment:
- the HTTP/1.0 protocol [tools.ietf.org] didn't specify a Host header so most HTTP/1.0 spec user agents won't supply that header.
that's why the value of the Condition Pattern is possibly null in the RewriteCond directive.
user agents compliant with HTTP/1.1 (and subsequent protocols) will always supply the Host header.
most (all?) shared hosting environments will evaluate HTTP_HOST before your virtual host environment sees the request, so that null condition may never occur.
- in some cases hostnames may be requested in mixed or upper case.
the [NC] flag handles this situation.
in most hosting environments the hostname will be folded to lower case before your virtual host environment sees the request.

if you are in a hosting environment that always supplies a valuated Host header with a lower case hostname, you can simplify that directive:

RewriteCond %{HTTP_HOST} !^example\.com$ [OR]

Thanks again @phranque

Unfortunately I decided to deactivate Polylang till I decide what to do with the change of languages in the future.
Also, I thought that by removing this plugin, all /en/ parts will be automatically removed from all links, but this didn't happen. So we had to manually fix all internal links yesterday night.
And I changed at my Wordpress>Settings the website domain as: domain.com, instead of www.domain.com
Finally, I have decided to change the enforce of the SSL protocol. Siteground recommends to do it through its plugin and not from the Security section, as I had it before. So I have changed both settings and after these changes, this is my new htacess.

# HTTPS forced by SG-Optimizer
<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END HTTPS
Header always set Content-Security-Policy: upgrade-insecure-requests
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# START PHP VERSION CHANGE forced by SG Optimizer
AddHandler application/x-httpd-recommended-php .php .php5 .php4 .php3
# END PHP VERSION CHANGE
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Also, the addhandler was added somehow.

For now, all my redirections are working fine. By typing the domain.com it loads directly the site with no redirects and if I type the www.domain.com it does a simple 301 redirect to the domain.com.

A small issue is that by running the site: command, I get 10 links at the google results, which include the /en/ part and which are all broken links.
Shall I do anything about them, as I guess soon the correct ones will be indexed too?

[edited by: phranque at 8:46 am (utc) on Nov 4, 2020]
[edit reason] unlinked urls [/edit]

yeah...
that's probably not going to work for reasons described above.
have you tested it to insure that all requests to noncanonical hostnames are redirected to the canonical hostname in a single 301 redirect?
(btw this is not relevant to the subsequent language redirect by Polylang)

RewriteCond %{HTTP:X-Forwarded-Proto} !https

are you using a reverse proxy?
if not, you shouldn't be seeing this header.

"are you using a reverse proxy?
if not, you shouldn't be seeing this header.""

No idea what this is.

Also, can u give an example of a request to noncanonical hostnames which should be redirected to the canonical hostname in a single 301 redirect?

can u give an example of a request to noncanonical hostnames which should be redirected to the canonical hostname in a single 301 redirect?

http://example.com/
http://www.example.com/
https://www.example.com/
https://example.com:80/

All of them except the last one with the :80 work.
IS the last one important?

i made a typo here.
you should try specifying the default port which for https is:

https://example.com:443/

The 443 port works fine as well.
So, shall I think that everything works as it should be?

Also any suggestion for what other multilingual plugin can I use for this site, which would work with less complications than Polylang?

All of them except the last one with the :80 work.

We're constantly telling people that “doesn’t work” isn’t specific enough; you have to go into detail about exactly what happens. Here it’s the other way around, but still valid: What, exactly, does “work” mean?

What should happen is that all but one item on the list will redirect. (The one that passes through unchanged is the canonical.) If, instead, more than one form serves content without redirecting ... things need to be fixed.

Incidentally... The form
!^(example\.com)?$
will do no harm, but on shared hosting--or any setup involving a VirtualHost--it isn't needed; you can simply say
!^example\.com$
without the parentheses and question mark.

Some people say that
%{HTTPS} !on
is safer than
%{HTTPS} off
though on paper it should make no difference, since it's binary. Happily, it's the identical number of bytes either way.

So guys, I had problems with my Cloudflare (wasnt working) so I had to take one step backwards and push the www domain com as the main entity.

Can someone please suggest what sort of changes I should to at the htaccess now, as when I type the url as "domain com", there is a 301 redirect from "http domain com" to "https domain com" and then another 301 to "https www domain com".

Did you change the URLs in the WP adming Settings > General panel? That needs to be www if you want to skip the extra redirect.

The .htaccess rewrite rule's target needs to match that www. version also.

So guys, I had problems with my Cloudflare (wasnt working) so I had to take one step backwards and push the www domain com as the main entity.

i was going to ask about this and this is partly why the default example directives i gave above included the www in the hostname.
you cannot host your site on example.com if you plan to use a CDN - it must be hosted on a subdomain.

what sort of changes I should to at the htaccess now, as when I type the url as "domain com", there is a 301 redirect from "http domain com" to "https domain com" and then another 301 to "https www domain com".

i'm not going to do that, but i will try to help you get that working in a single 301 redirect.
i would go back and look at the directives i suggested in my second post in this thread and start there:
https://www.webmasterworld.com/wordpress/5015358.htm#msg5015404

Did you change the URLs in the WP adming Settings > General panel? That needs to be www if you want to skip the extra redirect.

this WP admin setting needs to be correct for other reasons, but a correct .htaccess will rely on apache to issue the canonical hostname redirect instead of relying on WP to get it right.

My WP settings got adjusted automatically I guess, as I have checked yesterday this area and both fields include the "www domain com".

So regarding the CDN I have decided to follow an official CLOUDFLARE guide which suggested to deactivate it and reactivate it again. Then it was marked as "ACTIVE", but I feel that it doesn't work as it should be.
First of all, I have run some speed tests and the scores are worse compared to the previous status. Also the site loads slower than before.

@phranque
You are talking about this part:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !(^www\.example\.com$)? [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

In order to avoid making any mistake, can you just include the whole code according to message 5015516?

Also, I have completed a Lighthouse audit through Chrome and I get many red flags about the webfonts.I think this started after I activated the Webfonts optimization from inside the SG Optimizer plugin.
The console is reporting something like:
Access to font at 'https://example.com/wp-content/plugins/elementor/assets/lib/font-awesome/webfonts/fa-brands-400.woff2' from origin 'https://www.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
or
GET https://example.com/wp-content/plugins/elementor/assets/lib/font-awesome/webfonts/fa-brands-400.woff2 net::ERR_FAILED

And one of the red warnings is about: Preload key requests

…webfonts/fa-brands-400.woff2(example.com)
3,750 ms

…fonts/eicons.woff2?5.9.1(example.com)
3,750 ms

…webfonts/fa-brands-400.woff(example.com)
3,750 ms

…fonts/eicons.woff?5.9.1(example.com)
3,750 ms

…webfonts/fa-brands-400.ttf(example.com)
3,750 ms

…fonts/eicons.ttf?5.9.1(example.com)
3,260 ms

[edited by: phranque at 9:12 am (utc) on Nov 5, 2020]
[edit reason] exemplified domains [/edit]

Also this warning of "Add Expires headers". I got it from both Gtmetrix and Pingdom.

For example for element:
https://use.typekit.net/luk7pbx.css

But if check its details, there is this setting:
cache-control private, max-age=600, stale-while-revalidate=604800

Is this not a Expires header?

[edited by: phranque at 10:36 am (utc) on Nov 5, 2020]
[edit reason] unlinked url [/edit]

In order to avoid making any mistake, can you just include the whole code according to message 5015516?

we don't really do that here.
you will have to try things to see what actually works in your environment.
i won't try to sort out the mess generated by the SG-Optimizer plugin.
i would suggest removing that and trying to get this working without the plugin.

all you need is to turn on mod_rewrite:

RewriteEngine On

the hostname canonicalization redirect:

RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !(^www\.example\.com$)? [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

and your wordpress block of directives:

# BEGIN WordPress
...
# END WordPress

i would start with this and get this working first.
if necessary you can later add the Content-Security-Policy header directive and AddHandler directive.

But if check its details, there is this setting:
cache-control private, max-age=600, stale-while-revalidate=604800

Is this not a Expires header?

that is a cache control header.
see: https://tools.ietf.org/html/rfc7234#section-5.2

for the Expires header, see: https://tools.ietf.org/html/rfc7234#section-5.3

use.typekit.net

since you aren't hosting this resource, there isn't much you can do about the HTTP Response headers provided.