In the past, this was an expensive and highly technical process. But today services like Cloudflare can facilitate the process for you, eliminating the expense and IT headaches.
Unfortunately, WordPress sites can be a little wonky during the transition from HTTP to HTTPS—but with a couple of plugins you should be up and running in no time. This post is a quick overview of how to set up Cloudflare’s free Flexible SSL service with WordPress.
What Is Flexible SSL?
Flexible SSL is an encryption service available to all Cloudflare users, absolutely free of charge. You don’t need to purchase your own SSL certificate to use it; instead, you share a certificate with other Cloudflare customers.
You should be aware that Flexible SSL is not the ideal solution if you truly want to lock down your site’s security. This is because Flexible SSL is not an end-to-end encryption solution. With Flexible SSL, your data is encrypted while in transit between the user and Cloudflare, but unencrypted between Cloudflare and your web server. If you want full end-to-end encryption, you’ll need to purchase and install a certificate on your own server:
With that said, is Flexible SSL better than what you’ve got now? Definitely. For sites that don’t collect much sensitive user data, it’s a great option.
Setting Up Cloudflare
The first thing you’ll want to do is sign up for Cloudflare, select the free plan, and follow the onscreen instructions to add your domain name.
After you’ve changed your nameservers and they’ve finished propagating, log into Cloudflare and click Crypto at the top:
Make sure “Flexible” is selected under the SSL section.
Setting Up WordPress For SSL
Don’t change anything in your WordPress settings just yet. To prepare your site for SSL, you’ll need to install and activate two plugins.
The Cloudflare Flexible SSL plugin prevents a nasty redirect loop problem that often arises when enabling Flexible SSL on a WordPress site. No need to edit any settings or anything—just install and activate.
Next you’ll need the WordPress HTTPS plugin. Once you’ve installed and activated it, click the new HTTPS link in the main WordPress menu, and change the “Proxy” setting to “Yes.”
Testing Your Site
Cloudflare can take up to 24 hours to issue your Flexible SSL certificate, and that must be complete before you move forward. To check the status, you can try to visit the HTTPS version of your site—e.g.
https://yourdomain.com. If you receive a security error or a cPanel 404 page, that means your certificate hasn’t been issued yet and you’ll need to try again later.
As soon as your site starts loading over HTTPS, you can move forward.
Enforcing HTTPS Via Cloudflare
Once the HTTPS version of your site is loading properly, go back to Cloudflare and select Page Rules from the top menu, then click “Create Page Rule.”
Enter the URL of your WordPress site in the first box, beginning with
http:// and followed by a slash and an asterisk—e.g.
From the drop-down box, select “Always Use HTTPS.”
Then click “Save and Deploy.”
Changing Your WordPress Site Address
Finally, you’ll want to go to your General Settings page in WordPress and change your Site Address to
Warning: Don’t change this setting unless the Cloudflare Flexible SSL plugin is running, and don’t make any changes to your WordPress Address.
That’s it! Now your site should be up and running on HTTPS.
If you have any questions or problems, feel free to leave them in the comments below!