You Need to Use https:// and SSL
The time has come to switch all of your sites to using SSL and the https:// protocol. SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser. Beginning in 2017, Google and its popular browser Chrome are pretty much insisting that web sites use the SSL protocol.
Traditionally, getting your site to work with SSL has been any thing but trivial, or even cheap. It has required installing an SSL certificate for each and every one of your domains, coordinating this with your hosting company. This has not been easy.
But it doesn’t have to be so! This article covers about the easiest and cheapest way (FREE) to add SSL to your site. Using the combination of a free CloudFlare.com account for your sites, clicking a few check-boxes, and making a couple of edits to your WordPress site, you can be switched to SSL almost immediately, and with a minimal amount of work.
And note – this method is not confined to Weaver Xtreme. It will work for any WordPress theme.
Step 1 – Setup CloudFlare – YOU MUST DO THIS FIRST!
This free and easy way to switch to HTTPS is based on CloudFlare. We have highly recommended CloudFlare as a great website tool for quite some time, and switching to SSL makes it almost essential. CloudFlare offers some very useful services with its basic free account:
- AntiHacking features – it blocks many hacking attempts on its servers, before they even get to your site. It has a feature that can stop denial of service attacks instantly. These features greatly increase the security of your site above and beyond WordPress security plugins such as our favorite Wordfence.
- It provides caching for much of your static content on its world-wide servers, increasing your site’s performance.
- It provides FREE SSL certificates for all sites you have setup on CloudFlare.
Okay, this will be the hardest part of this whole exercise, but it is not difficult, and absolutely worth the effort. Just like setting up and account on any web service, you have to create and verify your account. Then you add your site or sites to your CloudFlare account.
Warning: Sign up with CloudFlare directly! Do NOT use any auto-setup provided by your hosting company. If you already connected to CloudFlare automatically, it might still be possible to then enable the CloudFlare Flexible SSL, but you will then have to jump through hoops with your hosting company support, and it is then complicated. Search CloudFlare’s site for how to get around the limits of a host-auto-connected account.
CloudFlare has excellent instructions for stepping you through the setup, but here’s a very brief outline to be sure you cover the steps needed to get your SSL connection working. The process is actually easier than these steps might indicate.
- As part of setting up your CloudFlare account, you will have to change your DNS name server settings on your web host. This is usually not difficult, and you will change from the existing server to CloudFlare’s. The CloudFlare setup process will provide the correct server names.
You may have to wait a bit for the DNS server change to propagate, but it usually is not long.
- The CloudFlare can usually auto-detect the actual IP used by your hosting company, but you may need to provide it. After this is all set up, all visits to your site first go through CloudFlare’s servers which do their magic, and then on to your host servers. All of this is totally invisible.
Enable CloudFlare’s Free Flexible SSL
This is the Free and Easy part. CloudFlare provides an SSL service called Flexible SSL. This is what is used to make your site HTTPS compatible. You must enable this from your CloudFlare account. From the CloudFlare front page, select your site, then click the Crypto button on the top menu. Set the top box labelled SSL to “Flexible”. You MUST use Flexible SSL, and NOT Full. There might be some delay before the certificate is active, but once it is your are ready to go.
Install CloudFlare plugins on your WordPress Site
Once you have your CloudFlare account set up, you need to get your WordPress site to communicate properly with CloudFlare. This means getting your CloudFlare Global API key, found on the My Settings dropdown from your Account Name in the upper right of the CloudFlare home page.
There are two plugins to install and activate:
- The CloudFlare Plugin – After installing, open the plugin from the Dashboard menu, and then provide CloudFlare API credentials. There are settings you can change to optimize how the plugin works.
- CloudFlare Flexible SSL – This plugin helps WordPress work properly with CloudFlares Flexible SSL.
If you have additional WordPress sites installed in subdirectories for your main site (e.g., example.com/wp-in-subdirectory), you need to install these plugins on any of those sites as well.
As noted, this is probably the most complicated part of this setup. But compared to finding, buying and paying for a dedicate SSL certificate for each and every one of your sites, installing, and setting it all up, this is really simple. And don’t forget, you are also getting new security and performance enhancements.
Step 2 – Change WordPress Address
Once you have the CloudFlare set up, all the IPs have propagated, and the Flexible SSL certificate is active, you need to make just a few more change to WordPress settings.
Before proceeding with the WordPress settings changes, you can check if all is ready by accessing your site with HTTPS from a browser by entering https://enter-your-site-name.com to test if the HTTPS is working via CloudFlare. If it is, then your site should display. If not, then you should get a warning from your browser. Wait until the warning goes away before going on.
If you are using a Login redirect plugin such as Rename wp-login.php or other plugin that redirects or deactivates the normal login page, you should deactivate the plugin before changing the site url to https://, and then reset the alternative to https:// after.
Now you need to change your WordPress settings to use HTTPS on your site by updating your site URL. Do this for any sites installed in subdirectories as well.
For a standard, non-Multi-Site, you can do this by going to Settings » General and updating your WordPress and site URL address fields.
If you want to add SSL and HTTPS on your WordPress multi-site admin area or login pages, then you need to configure SSL in wp-config.php file.
First, be sure to network activate the two Cloudflare plugins. Then, simply add the following code above the “That’s all, stop editing!” line in your wp-config.php file found in the root directory of your WordPress site:
This wp-config.php SSL trick works for single sites as well as multi-sites. You don’t even need to change the WordPress Address and Site Address values if you use this method.
HTTP vs HTTPS URLs on Your Site
Okay, one more potential problem area. If you’ve only used built-in WordPress links, including Media Library Links, your site might actually work. But it is very common for you to have entered http:// based links. These are not allowed by the HTTPS protocol, and will produce warnings.
There are three approaches to solving this issue:
- Easiest – be sure the CloudFlare plugin’s Settings -> Automatic HTTPS Rewrites option is on. At the expense of a tiny bit of filtering on your site’s output content, this will change all http:// references to simply //, which is a universally safe way to provide URLs for both HTTPS and HTTP.
- Easy – Install aWordPress http:// fixer plugin such as HTTP / HTTPS Remover.
- Permanent – Manually find all of your http:// references and change them to // (// is better than hardwiring https://).
This post revised January 3, 2017.