Forcing HTTPS + www or non-www

jack
Posts: 9
Joined: Mar 26, 2018

by jack » (edited 2018-07-08 2:27 p.m.)

Currently you have the ability to access the forum from:

http://www.trombonechat.com (www WITHOUT https)

https://www.trombonechat.com (www WITH https)

http://trombonechat.com (naked domain WITHOUT https)

https://trombonechat.com (naked domain WITH https)

It's good practice to force an HTTPS connection for security, and force the URL to use www or its naked domain (typically not both).

Personally I think that:

https://www.trombonechat.com

should be the URL that's redirected to, regardless of how someone types in/accesses the website. It looks like SiteGround is being used as the host (edit: maybe not?); they have documentation on how to do both of these things here (https://www.siteground.com/kb/how-to-force-ssl-with-htaccess/) and here (https://www.siteground.com/kb/how_to_redirect_nonwww_urls_to_www/).

Thoughts?
Matt_K
Posts: 4809
Joined: Mar 21, 2018

by Matt_K »

I originally forced HTTPS but we had some login issues that I believe were related. You aren't wrong that it's best practice to use https (I use an extension called HTTPS Everywhere to force sites to use it even when they don't), but it's also good practice to have separate passwords for every site you have so that when (no, not if!) one gets breached you haven't just revealed your credentials to everything, which would be one of the consequences of using http, though really that attack vector is limited to being in a public place with unencrypted wireless.

It's on our radar though and maybe we'll try to get that running this weekend. I'd prefer to do it at such a time when someone can be available to reverse it if it causes problems.
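
A single-hop redirect of the kind discussed in this thread, as an added example that is not the forum's actual configuration and not part of either post. It assumes Apache with mod_rewrite and .htaccess overrides enabled (the linked SiteGround articles use .htaccess); the X-Forwarded-Proto variant is an assumption for hosts that terminate TLS at a proxy in front of Apache.

```apache
# Added example: send all four URL variants to https://www.trombonechat.com
# in one redirect. Assumes Apache + mod_rewrite; place in the site's root .htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On

# Redirect when the request arrived over plain HTTP
# OR the Host header is anything other than the canonical www host.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\.trombonechat\.com$ [NC]

# The target host is hard-coded rather than copied from %{HTTP_HOST},
# so a forged Host header cannot steer the redirect elsewhere.
# %{REQUEST_URI} keeps the path; the query string is carried over automatically.
# R=302 while testing: browsers cache 301s, which makes a rollback hard.
# Change to R=301 once logins are confirmed to work over HTTPS.
RewriteRule ^ https://www.trombonechat.com%{REQUEST_URI} [R=302,L]

# If TLS is terminated by a proxy or load balancer (assumption), %{HTTPS}
# is always "off" at Apache and the rule above loops forever. In that case
# replace the first RewriteCond with a check on the forwarded scheme:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]
</IfModule>
```

After enabling it, requesting each of the four variants should return exactly one redirect whose Location header is the https://www URL, and the https://www URL itself should return no redirect.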