Small things you can do that make it less likely ordinary users would try (and fail) to connect to HTTP:
- HSTS - set HTTP Strict Transport Security for the site. This stops popular browsers from trying the unencrypted HTTP for your site so long as they remember they know about this, often months.
1a. HSTS-preloading. Several popular browsers agreed to use a list, created by Google, of sites that agreed to say they are HSTS and don't plan otherwise any time soon. For sites on this list, users needn't visit at all for their browser to learn never to use HTTP. However, you must have HSTS itself set up and working correctly first.
1b. Preloaded TLDs. All Google's new TLDs are HSTS preloaded. If you've got a .dev site, it has to have HTTPS because modern browsers will never try the HTTP protocol for the site. This likely will never happen to very famous old TLDs like .com but it may protect new sites you create with newer names
-
If this is a sub-site, make sure all your links leading there from the main site are correctly HTTPS links. If there's no way for a user to accidentally click a link that goes to the HTTP site, very few users will go there.
-
Make sure any SEO efforts you've made are directing people towards HTTPS rather than HTTP. In some media it may seem like you can just write yoursite.example and it works, but that may end up linking http://yoursite.example/ not https://yoursite.example/ so worth a moment to check.