Cloudflare provides free SSL to all its users. If you are not familiar with SSL (Secure Sockets Layer), it is a protocol that protects the data transferred between your website and a visitor’s computer. If you collect personal data (like credit card information) from your site users, you must have SSL. But even if you do not, you should consider installing SSL on your WordPress website because Google favours sites served over HTTPS and the green lock in the URL box inspires trust in your site users.
You first need to set up Cloudflare on your WordPress website in order to enable SSL. You can follow our tutorial to set up Cloudflare with the best settings for your site. Once you are done with that, log in and go to the ‘Crypto’ tab in the Cloudflare dashboard.
Cloudflare SSL Types
Here, you will see 4 different types of SSL setups – Off, Flexible, Full and Full (Strict).
When SSL is set to Off, there is no secure connection between your server and the user. Your site will be served over plain HTTP.
Flexible SSL means that your site will be served over HTTPS and the user will see the green lock and HTTPS in their browser, but the connection between Cloudflare and your host is not secure. A person visiting your site will see it as SSL secured, but it is not complete SSL in the true sense, and the data transferred between your site and the user is not totally secure.
But this is the setting that we recommend to most bloggers. The reason is that most bloggers don’t take sensitive information like credit card data from users. Even if they sell something, they generally use third-party checkout carts which have their own security mechanisms. So you don’t really need a fully secure SSL. Flexible SSL makes your site look better in the eyes of visitors and also Google. If you need it in future, you can always move to full SSL.
Full SSL means that the connection between site users and Cloudflare and the connection between Cloudflare and your host are both secure, so any data transferred through them is secure. For this you need to install a self-signed certificate on your host server. It’s like giving it in writing that you are the owner of this domain, but this certificate is not verified by Cloudflare. So again it’s not a complete SSL, as complete SSL means that a third party gives you a verified security certificate which you install on your host server. That is the last Cloudflare SSL setting, called Full SSL (Strict).
Full SSL (strict) is the best and completely secure SSL connection setup between your site and the visitors. To achieve this, you will have to install a valid SSL certificate issued by Cloudflare on your host server.
Out of these 4 Cloudflare SSL settings, I recommend either Flexible SSL or Full SSL (strict). Full (strict) SSL needs you to install a certificate on your host server, so first you should check with your host whether they allow you to do this. Shared hosting accounts generally don’t allow installing SSL certificates, but many hosts will do this for you for a minimal charge. If you are on VPS or dedicated hosting, you should be able to do it easily.
Flexible SSL is the easiest to set up and is good enough for most bloggers and site owners. So let’s first see how we can set up Cloudflare Flexible SSL on our WordPress site.
How to Set Up Cloudflare Flexible SSL on a WordPress Site
- I assume you have already added your site to Cloudflare, changed the nameservers and your site is being served through Cloudflare servers. If you haven’t done it yet, first do it following this tutorial – Free Cloudflare CDN – Latest Setup for WordPress (2017).
- First install the Cloudflare Flexible SSL plugin on your WordPress site. Don’t make any changes in the Cloudflare SSL settings before installing and activating this plugin, as doing so causes a redirect loop on the WordPress admin login page and you will have problems accessing the WordPress dashboard.
- Go to the Crypto settings on your Cloudflare dashboard and select Flexible SSL. It can take from 15 minutes to 24 hours for your SSL certificate to be issued and activated. Once it is active you will be able to see it with a green dot.
- Move to the Page Rules tab, enter http://*yourdomain.com/* in the URL box and set it to Always use HTTPS. This will make sure that your site is always loaded over HTTPS, even when a user types HTTP in the address bar.
- If yours is a new blog, you should be done with the above Cloudflare setup. But if you are setting up Flexible SSL on an existing blog, chances are that there are already links and images on your site that use HTTP. This can cause mixed (insecure) content errors in some browsers and will show warnings to users. If that is the case, install these two plugins and the problem should be solved. The first is the SSL Insecure Content Fixer plugin, and the second is the WordPress HTTPS SSL plugin. As this plugin has not been updated for quite some time, it may not show in plugin search in your WordPress dashboard. In that case, download it from the plugin page and upload it.
- Though this step is not necessary, we recommend that you do it: go to the General settings in your WordPress dashboard and change both the WordPress URL and Site URL to HTTPS.
- Now clear your website cache, browser cache and cookies and test if your site is loading properly with HTTPS.
- You can also submit the https:// and https://www versions of your website to Google Search Console.
Other Recommended Settings:
In the Cloudflare Crypto settings, turn on the Automatic HTTPS Rewrites.
Congratulations! You are done with Cloudflare SSL Setup on your WordPress site.
Cloudflare Full SSL (Strict) Setup for WordPress
All the above steps will be followed except selecting Full (strict) instead of Flexible in Cloudflare dashboard.
The extra steps that you have to follow are as follows:
(Important: Change the URL to HTTPS in WordPress Settings only after you follow the steps below and the SSL certificates are installed on your host server.)
In the Crypto settings of Cloudflare, go to Origin Certificates and click the Create Certificate button.
Your domain names should already show there, but if they are not showing, enter *.yourdomain.com and yourdomain.com and click Next.
Now Cloudflare will generate SSL certificates for your website and on the next screen you will find your Origin Certificate and Private Key. Copy and save these in a text file.
Now there is one more thing we need – the Cloudflare Origin CA Bundle. Go to this Cloudflare Support page to get it. It will give 2 certificates; choose the RSA Root one. Copy and save it with the other 2 certificates we saved in the last step.
Now you need to head to your web host and find the option to install SSL. It should be in the cPanel or in the WHM (for VPS hosting). Or you can contact your host support and give them the above 3 certificate keys and they will install the SSL for you.
If you can find the option to install SSL certificate at your host server, click it and it will take you to the following page. Click on ‘Manage SSL Sites’.
On the next page, select the domain on which you want to install SSL and paste (from the text file where you saved the 3 certificate keys) the Origin Certificate in the first box, Private Key in the second and CA Bundle in the third box and click Install Certificate.
Now change the site URLs to HTTPS in the WordPress – Settings – General.
Clear all the cache and cookies and test if your site is loading fine on HTTPS.
Submit the HTTPS versions of site to Google Search Console.
Congrats! You are done with Cloudflare SSL installation on your WordPress website.
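For the "test if your site is loading fine on HTTPS" step in either setup, the sketch below follows redirects by hand so that both a working Always use HTTPS rule and the login-page redirect loop warned about earlier become visible. It is an added example, not part of the original tutorial; `fetch` and `trace_redirects` are illustrative names, and the sample responses are constructed so the script runs without network access.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def fetch(url):
    """Request url once without following redirects: (status, Location)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers={"User-Agent": "https-check"})
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=fetch, limit=10):
    """Follow redirects by hand; return (verdict, list of URLs visited)."""
    chain = [url]
    while len(chain) <= limit:
        status, location = fetch(chain[-1])
        if status in REDIRECTS and location:
            target = urljoin(chain[-1], location)
            if target in chain:  # same URL again: the browser would spin
                return "redirect-loop", chain + [target]
            chain.append(target)
        elif not chain[-1].startswith("https://"):
            return "ended-on-http", chain
        else:
            return ("ok" if 200 <= status < 300 else f"status-{status}"), chain
    return "too-many-redirects", chain


# Constructed responses (no network): URL -> (status, Location header).
SAMPLE_OK = {"http://yourdomain.com/": (301, "https://yourdomain.com/"),
             "https://yourdomain.com/": (200, None)}
SAMPLE_LOOP = {"https://yourdomain.com/wp-login.php":
               (301, "https://yourdomain.com/wp-login.php")}

if __name__ == "__main__":
    print(trace_redirects("http://yourdomain.com/", SAMPLE_OK.get))
    print(trace_redirects("https://yourdomain.com/wp-login.php", SAMPLE_LOOP.get))
```

Calling `trace_redirects("http://yourdomain.com/")` with your own domain and the default `fetch` performs the same check against the live site.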