At the moment it sounds like robots and humans can visit either version and having an SSL certificate does not stop that by itself. You could try redirecting everything to the https version with some htaccess as described here:
At a later stage you could also enable HSTS Preload, however that should only be done if you are certain you will always work with https. https://hstspreload.org