Cloudflare WordPress HTTPS Tutorial

Suyash Bansal

Nowadays, HTTPS has become a basic requirement for security purposes. Users want their browsing data to be protected and Website Admins want their users to trust them with respect to their data security. The best way to ensure this is to make use of encryption on the website. Whenever there is a request from a user to access the page, the page content is encrypted and then it is sent, so that only the user can see the content and no one else can alter it in between the transmission.

So many people (including us, over at StudyKorner) are using WordPress for their website content management because of its ease of use and awesome online support, hence we thought we should write a detailed article to help people migrate to HTTPS for free without much fuss.

Currently there are 2 basic ways to add HTTPS to a WordPress website

  1. We purchase and install a certificate (free like Let’s Encrypt or paid like Comodo) on our web server. This way the user is accessing the secured content directly from our server.
    Direct connection
  2. We do not install any certificate our self and use Cloudflare flexible SSL. User is served a secure version of the website via Cloudflare.
    cloudflare connection

In this tutorial we will focus on the second method. It is free and requires least changes. So even a non-technical blog administrator can understand the detailed working of Cloudflare Flexible SSL. You can read this guide for more information.

Overview

First of all, let’s see what we will do throughout this tutorial to add HTTPS to your WordPress website.

Firstly, we will change the original nameservers to Cloudflare ones. Then we will enable flexible SSL which usually takes some time to activate. In the meantime, we will install the WordPress plugin and then check if we are able to use the website, both over HTTP and HTTPS. If everything works fine then we will add a redirect rule in the Cloudflare that will redirect all the non-secure requests to the secure version. Sounds easy? Let’s start.

Detailed implementation

I recommend you to follow each step as mentioned below furthermore you can also watch the above video which demonstrates the full HTTPS migration of a demo WordPress website.

  1. Change your domain nameserver to Cloudflare ones
    Open the Cloudflare panel and add your website URL. It will analyse your domain and then provide you with new nameservers.
    cloudflare nameservers
    Configure these new details at your domain registrar’s website.
    change to new nameservers
    The changing of the nameservers can take some time. Click the recheck button to see if the changes have been successful.

    Please check the video for additional (optional but recommended) steps.
  2. Enable Flexible SSL

    Go to the Crypto tab in Cloudflare and click the full option in SSL. Change it to flexible.
  3. Install the WordPress plugin
    In the WordPress admin panel, click on add new plugin. Search for ‘Cloudflare Flexible SSL’. Install the plugin and then activate it.
  4. Check the HTTP and HTTPS version of the website
    Now try to open the website in both ways, with and without https. It should be working fine either ways. If everything works fine, the only step left would be to redirect the users (who try to open the HTTP) to the secure HTTPS. For best results, we will do this on Cloudflare. This will also reduce the load on our server.
  5. Apply a page rule in Cloudflare to redirect all HTTP request to HTTPS.
    In the Cloudflare, open the Page Rules tab and click on ‘Create Page Rule’. In the URL box enter

    http://*<your website url>/*

    and then click on ‘add a setting’. Choose ‘Always use HTTPS’ and then hit the green button saying ‘Save and deploy’.

That’s it! Congratulations!! You are now running an awesome WordPress website — and over HTTPS. I hope this tutorial helped you in migrating to HTTPS successfully.

finally secured website

Things not to do!!

  • After wasting so much time on redirect loops, I would recommend that you should not touch the WordPress address and the Site Address under Settings>General. Do not edit them to HTTPS. It will break your website.

Comments 5

    1. Post
      Author
  1. Brother I accidently Change the website setting>general from http:// to https://. I am stuck in a redirect loop. I cannot access my website even the admin dashboard. I cant revert it back because cant open the admin panel…What should i do now? Please help me

    1. Post
      Author

What do you think about the article?