About a year and a half ago, Google announced that they were going to start ranking sites served over an HTTPS connection slightly higher than sites that were served over a regular HTTP connection. They also indicated that this ranking signal will get more weight over time, so it is important that all sites are served over a secure connection. There really is no good reason not to use HTTPS on your site because there are so many free options available such as CloudFlare Free SSL.
Why Use CloudFlare Free SSL?
Technically you don’t really need it. If you have a website that’s been working fine for you over the years on an insecure connection, you don’t need to change. Also, if you have already paid for a security certificate through your host or another provider, you don’t need to use a CloudFlare Free SSL since you already have a certificate available to you, although you could still use this certificate with CloudFlare.
For starters, CloudFlare is free for everyone with no limits on the number of sites you can have in your account, or how many SSL certificates can be issued to your account. Using CloudFlare on any site will usually help improve the page load speed, and reduce the bandwidth your host has to use to serve content to your site’s visitors. A CloudFlare Free SSL will also enhance the security of your site for your visitors. Really, it’s a no-brainer to use it.
How to Enable CloudFlare Free SSL in WordPress
The good news is that if you have a CloudFlare account, you already have an SSL certificate issued to you (or you will shortly if you added your site within the last 24 hours). Now all that is left is making sure it is enabled, and that your site is able to start using it.
If you are just starting with CloudFlare, you will need to follow their setup guide to make sure your DNS records are configured correctly. It’s a quick process, but your domain may not fully point to CloudFlare immediately once you’re done with the setup.
After getting your domain set up in CloudFlare, login to your CloudFlare account and select the site you want to start using SSL on. On the Overview page, you will see your Settings Summary. Click the word next to SSL (Flexible, Full, or Strict).
Next, make sure it says Active Certificate in the SSL section.
If you do not have a security certificate on your server, you will want to use the Flexible option. This is because the SSL certificate that is used is issued on CloudFlare’s servers. So everything between your visitor’s browser and CloudFlare’s server will be encrypted, but everything between CloudFlare and your host’s server will not be encrypted.
However if you already have a certificate, you can use either the Full or Strict option. The Strict option needs a certificate signed by a Certificate Authority (CA), but the Full option can use a self-signed certificate. You may need to contact your host if you need help setting up a certificate on your site’s server.
- Flexible: Traffic from your host’s server to CloudFlare is unencrypted. Traffic from CloudFlare to the site visitor is encrypted.
- Full: Traffic from your host’s server to CloudFlare is encrypted. Once on CloudFlare’s server it is unencrypted, and then re-encrypted. Traffic from CloudFlare to the site visitor is encrypted.
- Strict: The same as Full, except CloudFlare will also verify the certificate is issued from a trusted Certificate Authority, and is not expired.
If you see something other than Active Certificate it may mean that your certificate hasn’t been issued yet, which is common for sites that were just set up in CloudFlare. You’ll have to wait about 24 hours for the certificate to be issued. If your site has been in CloudFlare for a while and you don’t see Active Certificate listed, you may need to contact CloudFlare to get some help with that.
Next, click on the Page Rules link at the top of your CloudFlare page. On this page, you can toggle the “Always use https” option to On. You will also have to enter a URL pattern, which tells CloudFlare the specific pages on your site that you want to follow this rule. For example, if your site is mycoolwebsite.com, you could enable SSL on all pages by entering the wildcard asterisk after your domain mycoolwebsite.com/*. If you only want a certain page to always use SSL, you could enter mycoolwebsite.com/some-page. Or if you want all pages on a forum on your site to use SSL, you could enter mycoolwebsite.com/forum/*.
Free accounts get three rules to use, which should be plenty for most sites, especially if you are using SSL on all pages of your site with the wildcard. If you have more complex page rules than your account can manage, you can also use the free WordPress HTTPS (SSL) plugin to add similar rules to your site, and can even force SSL on individual pages or posts.
Optionally, on your WordPress site you can install the free CloudFlare plugin. This plugin is recommended by CloudFlare for any WordPress site that is running through CloudFlare. This isn’t necessary for the CloudFlare free SSL certificate to work, but it does have some benefits that go beyond the scope of this article. You can read more about the plugin and other best practices here.
That should be all you need to do to get a CloudFlare Free SSL certificate set up and working on your website. If you need help getting CloudFlare Free SSL set up on your WordPress site, use the contact form below and we’ll be glad to help you out.