If you have web hosting set up with any web hosting provider but also use DNS servers and services from Cloudflare, sooner or later you will probably need to address how to set up HTTPS traffic on your website. Cloudflare offers several options that we will look at today. Not all of them can be used in every situation, and not all of them work with WordPress without extra configuration. So we will thoroughly discuss how to set up SSL for WordPress with Cloudflare DNS.
- CDN (Content Delivery Network) - enables the distribution of website content to servers all over the world, speeding up page loading for users in different parts of the world.
- DDoS protection - helps protect websites and applications against DDoS attacks and reduces the load on web servers.
- WAF (Web Application Firewall) - provides protection for web applications against security attacks such as SQL injection, cross-site scripting, and others.
How to set up SSL for WordPress with Cloudflare DNS
What methods of HTTPS can be used with Cloudflare? The basic HTTPS settings for Cloudflare include the following methods:
- Off (not secure)
- Flexible
- Full
- Full (strict)
Here is how the individual SSL settings in Cloudflare work:
Off (not secure) – This setting does not use SSL. All traffic between the client and server is transmitted in plain text without encryption. This setting should not be used if any form of personal or confidential information is being transmitted between the client and server.
Flexible – This setting uses SSL for the connection between the client and Cloudflare, but traffic between Cloudflare and the server is transmitted unencrypted. This setting is suitable only for websites that do not require the transmission of personal or confidential information between the client and server.
Full – This setting uses SSL for the connection between the client and Cloudflare, and the connection between Cloudflare and the server is encrypted as well. If an SSL certificate from a trusted authority is available on your server, you can use this setting.
Full (strict) – This setting uses SSL for the connection between the client and Cloudflare, as well as between Cloudflare and the server, and requires a valid certificate signed by a trusted authority. If you have a valid certificate on your server and want to secure all traffic between the client and server, this is the best setting to use.
In this article, I will focus on the two most commonly used methods: Flexible and Full (strict).
What about the certificate on the target website?
There are only two options on the target website. Either the hosting provider will issue you an SSL certificate or not, and accordingly, the options are chosen on the Cloudflare side. So, you either have the certificate or you don’t.
Setting Flexible
This setting is suitable if you don’t have an SSL certificate on the target server, or if your provider refuses to issue one for some reason. It has certain limitations and potential problems, which I will describe below.
Setting Full (strict)
You can use this setting when you have a valid certificate on the target server. If there is a custom certificate on the server, any other setting usually triggers a redirect loop and creates a problem. Use the Full (strict) setting as the first option if there is a certificate on the target server for encrypting communication. Usually, no additional intervention is required, and the entire communication is encrypted. Specifically, the flow would be server -> Cloudflare -> user’s browser. This is practically the ideal choice and option.
Problems that may arise with the Flexible setting
With WordPress, two things can happen that will need to be addressed. The first is that the entire website may appear to work under the https version, but the administration does not function. The second is that automatic redirection to HTTPS may not work.
When attempting to access the WordPress administration, you may encounter a redirect loop. The administration will be stuck in the loop, and it will be impossible to access it. The same thing will happen to the website itself if you force automatic redirection, for example, using rules in the .htaccess file.
The website may only appear to work on HTTPS in a browser that performs the redirection automatically, even though no such redirect is actually configured on the website. If the user accesses the website from a browser that does not perform this function, they will receive the HTTP version. So, how do you solve the problem?
How to set up SSL for WordPress with Cloudflare DNS in Flexible mode?
It is necessary for the website to automatically function in HTTPS mode and have access to the WordPress administration. To make everything fully functional, two things need to be done:
- modify the wp-config.php configuration file
- modify the behavior on the Cloudflare side.
Editing the wp-config.php file
First, log in to the FTP of your website and locate the wp-config.php file. This is the configuration file for WordPress. Add this code at the beginning of the file, directly after the opening <?php tag:
// Make WordPress treat every request as HTTPS (in Flexible mode TLS ends at Cloudflare)
$_SERVER[ "HTTPS" ] = "on";
Please adjust the behavior of your Cloudflare service to enforce HTTPS-only transmission:
- Log in to your Cloudflare administration panel.
- Select the domain for which you want to configure the settings.
- Click on “SSL/TLS” in the first menu.
- From the submenu, select “Edge Certificates.”
- Enable the “Always Use HTTPS” option.
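The wp-config.php line above marks every request as HTTPS, including any that reach the server without passing through Cloudflare. The following added example (not code from the original article) sets the flag only when the request arrives from a trusted proxy address and carries the X-Forwarded-Proto: https header that Cloudflare adds. It assumes the server is contacted directly by Cloudflare over IPv4; the function and constant names are hypothetical and the address ranges are placeholders.

```php
<?php
// Added example for wp-config.php (omit the opening tag when pasting into the file).
// Function and constant names are hypothetical. The ranges are documentation
// placeholders: replace them with Cloudflare's published IPv4 ranges.
const TRUSTED_PROXY_RANGES = ['203.0.113.0/24', '198.51.100.0/24'];

// True when the IPv4 address $ip lies inside the CIDR block $cidr.
function ip_in_cidr(string $ip, string $cidr): bool
{
    // A bare address without "/bits" is treated as a /32.
    [$subnet, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input never matches
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

// True only when a trusted proxy reports that the visitor used HTTPS.
function request_is_https_via_proxy(array $server, array $trusted): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $proto = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    if ($proto !== 'https') {
        return false; // visitor used plain HTTP, or the header is absent
    }
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($remote, $cidr)) {
            return true; // header comes from a proxy we trust
        }
    }
    return false; // header sent by an untrusted client: ignore it
}

if (request_is_https_via_proxy($_SERVER, TRUSTED_PROXY_RANGES)) {
    $_SERVER['HTTPS'] = 'on';
}
```

With this form, a plain-HTTP request sent straight to the server is no longer reported to WordPress as secure.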
How to set up SSL for WordPress with Cloudflare DNS – Conclusion
Once you have made the necessary changes to the wp-config.php file and configured HTTPS on Cloudflare, your website should be fully accessible with the new Cloudflare SSL certificate. Additionally, the WordPress administration and automatic redirection should function properly. Problem solved. However, in this setup only the communication between Cloudflare and the user is encrypted; communication between the server and Cloudflare is not, so consider the potential security risks of that unencrypted leg.