WordPress CloudFlare Flexible SSL – Making It Work

By 7th October 2014 July 28th, 2017 WordPress News and Updates

Making WordPress and CloudFlare Flexible SSL work together is a fine art. This article will walk you through exactly how to do it.

We’ve been touting CloudFlare since we first stumbled upon it a couple of years ago.  In the last week or so they took a huge step by offering HTTPS / SSL for all clients – free or premium.

If, like us, you see the ability to run free SSL on your website as a good thing, and you want to enable this neat feature on your WordPress sites then you’ve got a few things you need to do.

We’ve done it, we’ve encountered the pitfalls, and this article is designed to help you get past most of them without too much trouble.

CloudFlare Flexible SSL – what is it exactly?

I’ll assume here you know how CloudFlare itself actually works: when a visitor loads your website they’re not connected directly to your web server, they’re connected to CloudFlare.

When you enable SSL on CloudFlare, you say “when a visitor is browsing my site, communicate with them over HTTPS/SSL”. With Flexible SSL enabled, CloudFlare will talk to your visitors over SSL, but will talk with your web server over non-SSL.

This means that the communication channel is not 100% SSL.  As always it’s broken up into 2 stages:

  • Visitor <=> CloudFlare
  • CloudFlare <=> Your Web Server

The difference now is that with Flexible SSL, the first stage is encrypted, while the second stage still travels over plain HTTP.

Is this ideal?  No.  Is it better than what you had a week ago?  Sure!

WordPress and CloudFlare Flexible SSL

As with all things that are simple, when combined with WordPress it’s never, ever as easy as you’d like.

You can’t just pop into CloudFlare and turn on Flexible SSL.

Why?  Because with Flexible SSL, the web requests that hit your actual WordPress site are actually still “non-SSL”.  This means that when WordPress responds with assets/links, it’s still using the non-SSL protocol: “HTTP://” instead of “HTTPS://”.

You need a way to “trick” WordPress into serving the site as-if it’s actually running on HTTPS.

To facilitate this, we’ve created a very simple WordPress plugin to do just that. It examines the request headers coming to your WordPress site and, if it sees that the request came through CloudFlare and the visitor’s connection was HTTPS, it turns on SSL for WordPress, tricking it into believing it’s an HTTPS/SSL connection.
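As an added illustration (not the plugin's source code, which this page does not show), the PHP below makes the same decision from the X-Forwarded-Proto request header, but honours it only when the request really arrived from the proxy, because a client that connects straight to the origin can send that header too. The function names and the proxy ranges (RFC 5737 documentation networks) are assumptions; substitute the address ranges CloudFlare publishes.

```php
<?php
declare(strict_types=1);

// ASSUMPTION: placeholder ranges (RFC 5737 documentation networks).
// In a real deployment, list the edge ranges CloudFlare publishes instead.
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24', '198.51.100.0/24'];

/** True when IPv4 address $ip falls inside $cidr, e.g. "203.0.113.0/24". */
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    $parts   = explode('/', $cidr, 2);
    $bits    = isset($parts[1]) ? (int) $parts[1] : 32;
    $ipLong  = ip2long($ip);
    $netLong = ip2long($parts[0]);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // not IPv4 or malformed: treat as untrusted
    }
    $mask = (-1 << (32 - $bits)) & 0xFFFFFFFF; // assumes 64-bit PHP integers
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Decide whether the visitor-facing connection was HTTPS.
 * X-Forwarded-Proto is honoured only when the TCP peer (REMOTE_ADDR)
 * is a trusted proxy; from any other peer the header proves nothing.
 */
function visitor_used_https(array $server, array $trustedCidrs): bool
{
    // TLS terminated at the origin itself (Full SSL, or no proxy at all).
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }

    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    $fromProxy = false;
    foreach ($trustedCidrs as $cidr) {
        if (ipv4_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    if (!$fromProxy) {
        return false;
    }

    $proto = strtolower(trim((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')));
    return $proto === 'https';
}

/** Record the decision where WordPress's is_ssl() looks for it. */
function mark_request_as_https(array $server, array $trustedCidrs): array
{
    if (visitor_used_https($server, $trustedCidrs)) {
        $server['HTTPS'] = 'on';
    }
    return $server;
}

// Constructed requests, shaped like $_SERVER entries.
$samples = [
    'via trusted proxy, visitor on HTTPS' => [
        'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'https',
    ],
    'via trusted proxy, visitor on HTTP' => [
        'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_PROTO' => 'http',
    ],
    'direct to origin, header supplied by client' => [
        'REMOTE_ADDR' => '192.0.2.77', 'HTTP_X_FORWARDED_PROTO' => 'https',
    ],
];

foreach ($samples as $label => $server) {
    $result = mark_request_as_https($server, TRUSTED_PROXY_CIDRS);
    printf("%-45s HTTPS=%s\n", $label, $result['HTTPS'] ?? '(unset)');
}

// In WordPress this would run early (for example from wp-config.php) as:
//   $_SERVER = mark_request_as_https($_SERVER, TRUSTED_PROXY_CIDRS);
```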

We’ve also found that if you want all your visitors to browse using HTTPS instead of HTTP by default, your best bet is to not change your WordPress URL within the General Settings of your site. Read that sentence again.

Instead, you should use CloudFlare page rules to automatically redirect your visitors to SSL for you.  This means it’s much less likely that you’ll break your website while setting up SSL and while it’s running.

Step-by-Step How To: Enabling CloudFlare (Flexible) SSL On WordPress

If you want this to work, and you don’t want to break your site, read all these steps carefully and understand them fully before you make any changes on your site.

If you skip a part, or you mix it up, you stand to break your site.

  1. At no point do you need to change your website’s URL under Settings -> General -> Website Address (URL)
  2. Install our simple CloudFlare Flexible SSL WordPress plugin from WordPress.org and activate it.
  3. Browse to your website using HTTPS instead of HTTP. Your website should load as normal.  If it doesn’t, you probably have certain assets such as CSS or JPEGs that are hard-coded to use HTTP and not HTTPS.
    You may need to take some time and update your themes etc.  Wherever you see an asset such as JavaScript or CSS coded to use “HTTP://”, you should replace “HTTP://” with simply two forward slashes “//”.  In this way it will automatically adapt to load over HTTP or HTTPS depending on how the current visitor is connected.  Wherever possible you shouldn’t hard-code HTTP or HTTPS anywhere, unless you need to force HTTPS.
  4. Once you have confirmed your website properly loads under HTTPS, you now will want to force all visitors to use it.  This is best done by CloudFlare, and not on your WordPress site.  Within CloudFlare go to the Page Rules section for your domain and enter a rule just as shown in the screenshot below:

The rule should be:  http://*your-full-domain.com/*
Always Use HTTPS – On

[Screenshot: creating a new CloudFlare Page Rule]

And that is it.

Once this is saved, after a few minutes, CloudFlare will start forcing all traffic over SSL.
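To find the hard-coded assets that step 3 talks about, this added PHP example (not part of the original article or the plugin) parses a page's HTML and lists every image, script, stylesheet, frame or form target that still uses http://, together with the protocol-relative form the article recommends. The sample HTML and the function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * List the subresources a page would load, and the form targets it would
 * post to, over plain http://. Browsers flag these on an HTTPS page.
 */
function find_insecure_references(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate real-world HTML
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // element => attribute that triggers a fetch or a form submission
    $targets = [
        'img' => 'src', 'script' => 'src', 'iframe' => 'src',
        'source' => 'src', 'link' => 'href', 'form' => 'action',
    ];
    // <link> only fetches something for these rel values
    $fetchingRels = ['stylesheet', 'icon', 'preload'];

    $findings = [];
    foreach ($targets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = trim($node->getAttribute($attr));
            if (stripos($url, 'http://') !== 0) {
                continue; // https://, "//host/..." and relative paths are fine
            }
            if ($tag === 'link') {
                $rels = preg_split('/\s+/', strtolower($node->getAttribute('rel')), -1, PREG_SPLIT_NO_EMPTY);
                if (!array_intersect($rels, $fetchingRels)) {
                    continue; // e.g. rel="canonical" is never fetched
                }
            }
            $findings[] = ['tag' => $tag, 'attr' => $attr, 'url' => $url];
        }
    }
    return $findings;
}

/** The article's suggested rewrite: drop the scheme, keep "//host/path". */
function to_protocol_relative(string $url): string
{
    return preg_replace('#^https?:#i', '', $url);
}

// Constructed sample page: a mix of hard-coded, protocol-relative and relative URLs.
$html = <<<'HTML'
<!DOCTYPE html>
<html>
<head>
  <link rel="canonical" href="http://www.example.com/post/">
  <link rel="stylesheet" href="http://www.example.com/wp-content/themes/demo/style.css">
  <script src="//www.example.com/wp-includes/js/jquery.js"></script>
</head>
<body>
  <a href="http://www.example.com/about/">About</a>
  <img src="http://www.example.com/wp-content/uploads/logo.png" alt="logo">
  <img src="/wp-content/uploads/photo.jpg" alt="photo">
  <form action="http://www.example.com/" method="post"><input name="s"></form>
</body>
</html>
HTML;

foreach (find_insecure_references($html) as $hit) {
    printf("<%s %s> %s\n    suggested: %s\n",
        $hit['tag'], $hit['attr'], $hit['url'], to_protocol_relative($hit['url']));
}
```

Ordinary links (the a element) are skipped on purpose: following a link to an http:// page is navigation, not mixed content.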

Full SSL vs Flexible SSL

Is flexible SSL better than no SSL whatsoever?

It’s debatable and we can discuss it ’til the cows come home. I prefer it over no SSL whatsoever.

The ideal scenario is Full SSL – where visitor traffic is over SSL at every stage of communication. The only way to get this is to have an SSL certificate installed on your web server.

If you want, you can even use a self-signed certificate! This isn’t a problem because your visitors won’t see any certificate warnings in their browsers, and you’ll have the advantage that ALL your traffic is encrypted over SSL.

Ideally what you would like is to have a valid, certified SSL certificate, but at least with Flexible SSL and Full SSL modes you’re making progress towards that without the added costs.

Once you get Flexible SSL up and running, talk with your web host to see what your options are with self-signed certificates and when you can, move to Full SSL with CloudFlare.

Important Points To Note

  1. When you add a site to your CloudFlare account, the SSL certificate on the CloudFlare side must be updated to cater for your domain name. We’ve seen this delayed in some cases by more than 24 hours. Solution: Add your site to CloudFlare at least a day or so before you intend to enable Flexible SSL (to ensure the SSL is ready for your domain).

Questions or Comments?

Please use the comments section below to report issues or suggestions you may have.

Thanks!

Join the discussion 150 Comments

  • Paul, so you also recommend that we edit our website url in the Settings>General>Website Address(URL) ? Should we remove the http here as well?

    View Comment
    • Paul G. says:

      Nope, you should just leave the HTTP in there. Changing that to HTTPS is actually likely to break your site and you’d need to jump into your database to fix it if it all goes wrong.

      Instead, relying on CloudFlare’s page rules to handle the redirects sorts you out nicely 🙂

      Good luck!
      Paul.

      View Comment
      • Just got into that trouble myself (changing site URL from WP admin panel…). Didn’t need to get into the database, but had to open wp-config.php and paste these two lines:

        define('WP_HOME','http://www.mywebsite.com');
        define('WP_SITEURL','http://www.mywebsite.com');

        Thanks for the great tutorial.

        View Comment
      • Francesco says:

        This is not a solution. Every post image, navigation link etc. point to http items, and the browser throws a warning about unsafe items in the page (even if they seem to get loaded). It also happens in the admin panel so it’s not a theme issue…

        View Comment
        • Paul G. says:

          Hi Francesco,

          You’re right in that the problems you have described are not solved by this plugin – it is not designed to solve this problem.

          You need to fix those problems yourself or through the use of another plugin. But the original problem with supporting CloudFlare Flexible SSL and redirect loops etc. is solved.

          Thanks for your comment.
          Paul.

          View Comment
          • Simon says:

            Francesco is right, it’s not a solution. It’s frustrating when both your plugin page and your article here seem to indicate that everything will just work smoothly, when in fact other plugins are required to rewrite HTTP URLs to HTTPS.

            View Comment
          • Paul G. says:

            Hi Simon,

            The indication is that it will work smoothly because it does. It works very well – for the problem it’s designed to solve.

            Yes, mixed content and HTTP/HTTPS rewrites are related to CloudFlare Flexible SSL redirects, but it’s not the same problem.

            Sorry for your frustrations, but I’ve provided a plugin and an article to solve a very particular and significant problem. If you would like to undertake the challenge of URL rewriting, I’d be happy to incorporate your contributions into the plugin – it’s no trivial task which is why I haven’t yet undertaken it myself.

            Thanks for your feedback.

            View Comment
  • Rishi says:

    I’ve been following the ticket (#29708) on WP’s core Trac – glad to see a workaround for the site environment problems regarding SSL. Thanks Paul!

    View Comment
    • Paul G. says:

      Glad to hear this works for you! The thing with this ticket is I’m not quite sure it would resolve this problem anyway.

      In general WordPress needs to take account of the HTTP_X_FORWARDED_PROTO header and it should solve this problem for most cases.

      Thanks!
      Paul.

      View Comment
  • Ryan says:

    It doesn’t look like forcing https is an option for free plans now but it works fine on all the sites I have a pro plan on. For free plans that don’t allow forcing https via cloudflare you can just set the url to use https:// (i did this via a mass find + replace) and it’ll work. Thank you for the plugin!

    View Comment
    • Paul G. says:

      Hi Ryan,

      I have no problem forcing SSL on all free and paid plans… I’m guessing perhaps there’s a slight flaw in the testing you’re doing.

      And, you need to be careful doing find-replace for HTTP and HTTPS if you’re doing this on the database level… the reason is that if this data is stored in serialized data, it’ll break that data.

      Otherwise, glad you find this plugin helpful! Thanks for commenting! 🙂
      Paul.

      View Comment
      • Gabriele says:

        The best way to do a search and replace without the risk of damaging serialized data is to use an ad-hoc tool to do that, like this one: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/

        For more safety, you can use the lightweight CloudFlare official plugin too, which filters out the ‘http:’ on every link, leaving a protocol-safe ‘//’ without hacking the code.

        That said, I can force redirect to https using a pagerule (in free plan you have 3 for each website).

        But when your website is cached through CloudFlare CDN you simply can’t do that as you need to use the 3 available pagerule slots to keep cache working.

        Following the comment above, I’m wondering if replacing the url to https:// you will get the same effect, but saving the pagerule…

        View Comment
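Why a raw find-and-replace on the database breaks serialized data, as raised in the replies above, shown as an added PHP example that is not from the article, the plugin or the linked tool: every serialized string carries its byte length, so changing http to https makes the stored length wrong unless the value is unserialized, edited and serialized again. The option value and the function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: an option value stored the way WordPress stores arrays.
$stored = serialize([
    'logo'  => 'http://www.example.com/wp-content/uploads/logo.png',
    'links' => ['http://www.example.com/about', 'http://other.example.net/'],
]);

/** Database-level replace: edits the bytes but not the s:<length> prefixes. */
function naive_replace(string $raw, string $from, string $to): string
{
    return str_replace($from, $to, $raw);
}

/** Replace inside every string of an already-unserialized value. */
function replace_in_value($value, string $from, string $to)
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = replace_in_value($item, $from, $to);
        }
    }
    return $value; // numbers, booleans and objects are left untouched
}

/** Serialization-aware replace for one column value. */
function safe_replace(string $raw, string $from, string $to): string
{
    // allowed_classes => false: never instantiate objects from database content.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return str_replace($from, $to, $raw); // plain, non-serialized text
    }
    return serialize(replace_in_value($value, $from, $to));
}

/** True when $raw can still be read back by PHP. */
function is_readable_serialized(string $raw): bool
{
    return $raw === serialize(false)
        || @unserialize($raw, ['allowed_classes' => false]) !== false;
}

$from = 'http://www.example.com';
$to   = 'https://www.example.com';

$naive = naive_replace($stored, $from, $to);
$safe  = safe_replace($stored, $from, $to);

echo "original : ", $stored, "\n\n";
echo "naive    : ", $naive, "\n";
echo "           readable after replace: ", var_export(is_readable_serialized($naive), true), "\n\n";
echo "safe     : ", $safe, "\n";
echo "           readable after replace: ", var_export(is_readable_serialized($safe), true), "\n";
```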
  • Virendra says:

    Thanks for the plugin. It helped me a lot. I have been trying to fix the redirect issue for a few hours now. Once I installed the plugin and followed the steps, my site is not on https.

    View Comment
  • Kat says:

    Thanks a lot pal! You really helped me with these instructions.

    Since Google announced that SSL would matter to their ranking algorithms, I really wanted to implement it on my site.

    I believe that Flexible SSL is seen by Google as a secure site, and that will help a little; that’s my purpose. I’m not so concerned with security, because I’m using a few security plugins, plus the security that Cloudflare provides.

    I tried another tutorial using this plugin https://wordpress.org/plugins/wordpress-https/ and changing the protocol inside WP admin to https – it broke my site.

    With your instructions and your plugin I was able to finally make everything work smoothly! Every single page – even when I type the domain only, without http or https, redirects to https and loads without any problem.

    In fact, it took me some time to change all the links and references that were preventing some pages to be seen as secure.

    I found a plugin that you could recommend to your audience: https://wordpress.org/plugins/ssl-insecure-content-fixer/

    It is hard to edit every plugin we use, and some of them, I don’t know why, just force http, instead of https, preventing some pages to have the secure status.

    View Comment
    • Paul G. says:

      Yea, making all assets such as images and CSS etc. load over HTTPS is tricky. I think WordPress could definitely better handle this since as it is, it falls short when you insert media into your posts for example.

      Thanks for the plugin recommendation – I hope other readers take a look without having to go through the trouble of manually editing their whole site.

      Cheers for taking the time to comment!
      Paul.

      View Comment
  • Hello Paul…
    I almost got everything you’ve written in the above article and I am trying to fix the insecure content in my site. Somehow I got the links fixed which are having http:// (replaced http:// with //). But the thing is how to fix the links in scripts… Like for example how to fix the link when it doesn’t have http:// in it, like in this case: wp_register_style('cookieinfo', plugins_url('css/cookieinfo.css', __FILE__), array(), '1.0'); How to fix ('css/cookieinfo.css')? Should I put the absolute path of the file and remove http: from it, or should I put one forward slash in ('/css/cookieinfo.css')?

    Please help me out.

    View Comment
    • Paul G. says:

      I personally would always, where possible, code in the absolute path to the CSS file. However, I would use WordPress functions and constants to compose the path and that way it always works. Using relative paths is funky and can sometimes cause trouble.

      Your plugins_url() function should work just nicely for this.
      Thanks!
      Paul.

      View Comment
  • Razib Hasan says:

    Flexible SSL breaks my site’s JS and CSS. I guess I need to change hardcoded http to https so that the site loads properly. Unfortunately, some themes are too complicated for most of the people.

    View Comment
    • Paul G. says:

      Yea, this is a problem. If themes and plugins used the correct methods to include their assets this really wouldn’t be a problem. Your best bet might be to contact the authors directly and ask them to update their code. That’s the best solution really.

      Thanks!
      Paul.

      View Comment
  • Bhupen says:

    HI, I installed and activated your plugin (CloudFlare Flexible SSL) and its not working.. am i missing something here. as per the instruction, after activating the plugin i went on typing https://apexworld.com.au but the browser takes me to my hosting servers welcome page. So now i don’t know what to do. So, I was wondering if you could help me on this.

    – I have a permanent redirect in my server setting i.e., any www. redirect to http://apexworld.com.au
    – I have a ithemes security and w3total cache plugin enabled in this site.
    – i have an active flexible cloud flare account with flexible ssl enable in setting. But have not used the page rule since the tutorial says do it at last when everything is running properly.

    I would really appreciate if you could tell me if any of the plugin or setting is affecting this.

    Thankyou

    Bhupen T.

    View Comment
    • Paul G. says:

      Your redirect / rewrite rules might be probably interfering here. It’s also quite possible your security plugins and W3Total Cache are causing issues.

      When experimenting with a major change like this, try to remove all outside influences on your site to get it working. Then, one-by-one, reload your previous settings and see what breaks and when. That’s the only way.

      I hope this helps Bhupen.
      Thanks,
      Paul.

      View Comment
    • Are you absolutely sure you have changed your name servers with cloud flares?
      Once you are on cloudflare, your web host’s site should not load unless you have set up a redirect (which I doubt)

      View Comment
  • Amish says:

    What I want is if user accesses site using http://mywebsite.example.com then all links should also be non-SSL.

    If user accesses using https then all links should also be SSL.

    Is it possible?

    View Comment
    • Paul G. says:

      Making a site work both over HTTP and HTTPS is a separate challenge. If you don’t put in the cloudflare rule to always forward to HTTPS, this should theoretically work if all your plugins and themes enqueue scripts and CSS properly.

      This should be possible, but it might be a bit tricky to ensure everything works all of the time.

      Thanks,
      Paul.

      View Comment
  • salem says:

    CloudFlare Page Rules redirect only homepage To https not inner contents
    I see message from FF ” content that isn’t secure ”
    Because images in the page still use default http format

    Anyway, I already tried this to change WP default address
    within wp-config.php

    define('WP_HOME','https://www.example.com');
    define('WP_SITEURL','https://www.example.com');
    And it works

    But that makes another issue with subdomains: WP forced them to https
    And I see “This Connection is Untrusted” message from FF
    Because Cloudflare does not support wildcard subdomains, the page is served from my host directly.
    I found a temporary solution is adding each subdomain manually to Cloudflare.

    View Comment
    • Paul G. says:

      Ahh, that’s good to know about subdomains… in general, you shouldn’t really be using wildcards unless you’re operating at a large scale.

      The problem with images within posts I’m not sure how to solve. The way I’ve addressed it is that I’m slowly going through all my pages and where it says src=”http://……” I change it to src=”//….”. This means it works for both SSL and non-SSL.

      Hope that helps!
      Paul.

      View Comment
  • saurav k says:

    Hey Paul, that was an awesome article for WordPress website administrators like me. But a slightly different request, how can I do that for Joomla websites also? If possible please help.
    Otherwise thanks for the article again! 🙂

    View Comment
  • Amit says:

    Hi Paul,

    Glad I stumbled on your post here, I’m testing my Flexible SSL on WordPress on a non-production instance prior to taking it live. There’s definitely quirks!

    I had a question on Cloudflare over https. One of the main reasons that Cloudflare is great is that they provide a “free” CDN as well. When you add a page rule, all other control disappears, e.g. cache control, how long resources are cached for, etc.

    So the question is – does Cloudflare actually cache static resources under HTTPS, and if so – what exactly are the cache settings? If I wanted to tweak things like I can with normal page rules e.g. “Simple caching”, “Aggressive caching”, etc. – how does one do that?

    It seems a two-sided coin here, there’s a lack of CDN control, even through you get SSL (which is great).

    thanks
    Amit

    View Comment
    • Paul G. says:

      Hi Amit,

      With the flexible SSL you are a little more limited if you want to redirect all traffic to HTTPS using CloudFlare, and I can only assume that your global CloudFlare page settings (such as simple/aggressive caching) come into effect otherwise.

      You can create another page rule after your SSL forwarding for web requests over HTTPS and use custom rules if you need. Free plans come with 3 page rules to get started.

      I hope that helps!
      Paul.

      View Comment
  • Gangsar Swa Purba says:

    thanks

    it works!

    View Comment
  • Thanks Paul. You helped my clients get back online 🙂

    View Comment
  • Gabriele says:

    Tnx for your post! I’ll absolutely give it the try. But I have several questions before:

    – Using your plugin, can I definitively retire the slow and buggy WordPress-HTTPS plugin, which is simply too much for simple CloudFlare-related facts?
    – Since I’ve already used my free pool of PageRules for CloudFlare cache handling (as described here: https://www.seedprod.com/how-to-make-wordpress-fast/), I’m wondering if a web-server rewriterule would work, too. I’m using IIS and this is the rule I would like to test: http://stackoverflow.com/questions/26876134/redirect-http-to-https-for-multiple-wordpress-blogs-running-under-iis

    any idea?

    tnx in advance!

    View Comment
    • Paul G. says:

      Hi Gabriele,

      Whether you can retire the other plugin depends on how you’re using it. Our plugin does only 1 thing – read the directive coming from CloudFlare on whether this is an SSL based connection and make WordPress believe it. If you’re using other functionality of other plugins, our plugin is not a replacement for that.

      A server-side rewrite rule is different. Though what you could do is what the PHP does and look for a header and then set a server environment. I’m not sure how you would do that under IIS… but theoretically that’s possible. Not quite sure to be honest until I played around with it…

      Thanks for your comment!
      Paul.

      View Comment
      • Gabriele says:

        I got the point: I still need another https-related plugin to (for example) parsing http src tag to https (the unique notable feature of wordpress-https)

        that rule on IIS is just a simple rewrite rule, while as you said I probably need to set a server var…pretty tricky, actually!

        tnx for your reply!
        gabriele

        View Comment
  • Game Boy says:

    Thank you Paul G. Because you made it!
    After trying with lots of .htaccess solution and plugins I wasn’t able to fix infinity loop on my website. Even itheme security ssl option failed. I have godaddy + cloudflare free plan on. I have one SSL running at primary domain of godaddy also which came from godaddy. I installed your plugin and followed your step and my site which were running free ssl from cloudflare got fixed completely. No more annoying infinity loop!.

    keep up the good work!

    View Comment
  • Rishi says:

    Thanks for the wonderful plugin, Paul! You’ve helped a lot of us tremendously!

    View Comment
  • J. C. says:

    I just try to use Free Cloudflare SSL so I no need use their Paid plan and setup the Https access from Wp-config.php.
    One blog with its own SSL Certificate installed on the server => SSL work good.
    Another blog that do not have SSL Certificate installed on the server, only self-signed SSL => SSL not work.
    Could you advise me?
    Thank you.

    View Comment
    • Paul G. says:

      Hi J. C.

      Thanks for the comment… unfortunately I really can’t comment on why your site wouldn’t be working. You just need to ensure that your site can load with your SSL certificate in the first place, before trying to turn on CloudFlare.

      Once you have it working with the self-signed certificate, only then you should try and enable cloudflare.

      Please let me know how you get on with it, and sorry I can’t be of more help from here.
      Thanks,
      Paul.

      View Comment
  • Kaz Nishimura says:

    I’m now building a WordPress-based members’ wiki site.
    After installing your plugin, most pages are okay, except admin pages.
    Because it’s a wiki site, members must have an access to admin pages.
    Right now, http://mysite.com/wp-admin/ works fine but https:// does not.
    Do you have any idea?
    Meanwhile, I will turn off all other plugins and turn them on again one by one to see if there’s a bad guy. Huh…

    View Comment
    • Walid says:

      did you fix it?

      View Comment
      • Kaz Nishimura says:

        I had to work on other projects, and I get myself back to this problem today.
        And I notice that, as is often the case, I AM THE BAD GUY!!!
        It’s not the admin page that doesn’t work, but my custom login page.
        I didn’t know that even when I had logged in via http, I had to log in again via https.
        Do you have a custom login page, too?

        View Comment
  • Walid says:

    I have same problem here, when I go to Wp-admin area it gets me to 404 error

    Please help

    View Comment
  • Kaz Nishimura says:

    I have another problem.
    In admin pages, some links to non-admin pages begin with http: instead of https:
    This includes “View” links in the page/post list and the “View site” link in wpadminbar.

    View Comment
  • Elias says:

    Thank you, this is an extremely helpful piece of information. Plugin is working great!

    View Comment
  • Mark Llego says:

    It works! Thank you Sir Paul.

    And for those running forced SSL on admin and you don’t want links to the front end to remain https here’s the code I’m using.

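        // Send front-end requests that arrived over HTTPS back to HTTP; admin pages stay on HTTPS.
        add_action( 'template_redirect', 'bhww_ssl_template_redirect', 1 );

        function bhww_ssl_template_redirect() {

            if ( is_ssl() && !is_admin() ) {

                if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
                    // REQUEST_URI holds an absolute URL: swap only the scheme.
                    wp_redirect( preg_replace( '|^https://|', 'http://', $_SERVER['REQUEST_URI'] ), 301 );
                    exit();

                } else {
                    // Usual case: REQUEST_URI is a path, so rebuild the URL from the Host header.
                    wp_redirect( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
                    exit();

                }

            }

        }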
    View Comment
  • Tim says:

    Just a quick comment to say brilliant job. I added https in setting and had to edit database (change back to http in wp-options) to be able to log back in and followed your steps to success.

    View Comment
  • Selvam says:

    What is your final conclusion now? When i seen this FAQ page
    https://support.cloudflare.com/hc/en-us/articles/203487280–How-do-I-fix-the-infinite-redirect-loop-error-after-enabling-Flexible-SSL-with-WordPress- in cloudflare website.

    This issue seems absolute. Do you recommend me to use free SSL through cloudflare?

    View Comment
    • Paul G. says:

      Hi Selvam,

      I’m not sure of your question exactly. Whether you use CloudFlare’s free SSL is up to you and your needs for the site, I can’t say or comment on your personal circumstances.

      Thanks,
      Paul.

      View Comment
  • Bobby Chahal says:

    Perfect. I did it without any hassle after reading your guide. Now i am having ssl protection for my blog too.

    View Comment
  • Brett says:

    Nice write up but without being rude I am having a hard time understanding why you wouldn’t go the extra yard to stop the mixed content browser warning, probably just upgrading and is temporary but it does take away from the article slightly for me.

    Anyways cheers for the write up and here is the browser alert

    “The page at ‘https://www.icontrolwp.com/2014/10/enabling-cloudflares-universal-flexible-ssl-wordpress-without-infinite-redirect-loops/’ was loaded over HTTPS, but is submitting data to an insecure location at ‘http://www.icontrolwp.com/’: this content should also be submitted over HTTPS.”

    View Comment
    • Paul G. says:

      Hi,

      For this page’s URL I don’t get any browser warnings… not sure what that would be referring to.

      It’s easy to understand why I wouldn’t go the extra yard and that’s simply because it’s not just a “yard”. What you’re referring to is massively more complex and beyond the scope of the original plugin – whose mandate was to remove the infinite redirect loops.

      To remove browser warnings requires two things:
      – full dynamic content rewriting as the page is loaded, before being sent to the browser
      – plugins and themes written correctly, using native WordPress functions to includes scripts and styles, to ensure that re-writing these is even possible. Once you’ve been developing WP plugins for any length of time, you’ll find this is rare.

      Not a trivial programming exercise, and one that has been attempted by various other plugins already.

      This article + plugin solves two significant challenges:
      – infinite redirects caused by CloudFlare flexible SSL and WordPress
      – no need to actually change your WordPress core site URL, something that often breaks a site and breaks plugins.

      The work to get your site fully HTTPS compliant is a whole other job and not “fixable” by any single plugin.

      Thanks for your feedback Brett.
      Paul.

      View Comment
  • Gopi c says:

    Hi Paul,

    I am using windows iis 8 server + cloudflare. I have been getting redirect loop if i use webconfig file to make a redirect. Do change redirect in cloudflares will fix this problem?

    Thanks
    Gopi C

    View Comment
  • kaskus says:

    This is how i makes https in my site fully green:
    1. Setting cloudflare page rules to Always use https on
    2. Install WordPress HTTPS plugin with default options
    3. Check my site errors in whynopadlock.com or Right click on my site > Inspect element > Console.
    4. Fixed those errors manually by editing specific lines in some files from http://anydomain.com to https://anydomain.com. In my case i only have to fix around 3 lines of errors instead of my whole site 😀

    But even everything is working i can’t login to my admin dashboard. I have to temporarily turn off “Always use https” in cloudflare to be able to login. After login i can re add/turn back on that setting.

    Not meant to promote them, but this article might also help you: https://managewp.com/wordpress-ssl-settings-and-how-to-resolve-mixed-content-warnings

    View Comment
  • Crawl says:

    Just for info guys, you don’t have to add 301 redirection in htaccess for SEO purpose because after i doing some Redirect Check from my http, Cloudflare Page rules for “Always use https” setting was already have “301 Moved Permanently” to https.

    View Comment
  • Ahmed says:

    Hi Paul,

    It’s a great post and I made it work in my site 99%. The remaining 1% was due to another “auto-signon-via-oauth” plugin. When I developed the plugin I didn’t turn on the ssl cookie so it was refusing any communication which involve http (e.g. you try to view admin-dashboard after logging in).

    Later, I modified these wp_signon function by enabling ssl cookie and it worked 100% 🙂

    Thanks again, v.good work.

    View Comment
  • George says:

    Hi Paul, the above flexible SSL trick will give mixed content error and there is insecure content in this page also. I think it’s better to get a Comodo Positive SSL free for first 90 days and then around $10 for 3 years.

    Insecure content in this page
    Insecure URL: http://www.icontrolwp.com/wrdp/wp-content/uploads/2015/01/wordpress-simple-firewall-rename-wordpress-login-option-300×102.png
    Found in: https://www.icontrolwp.com/2015/01/security-rename-wordpress-wp-login-php/

    View Comment
  • Sutopo says:

    thanks nice post ..
    i like your sharing information..

    View Comment
  • Ian Atkins says:

    Hi Paul,

    We’re using WooCommerce and Cart fragments to allow ajax updating of the cart total. WooCommerce always returns an http:// URL to the cart. Any suggestions?

    Ian.

    View Comment
  • Marcus Fant says:

    Through this method, would I need to update any information to the Google webmaster tools for tracking?

    View Comment
    • Paul G. says:

      Hi Marcus,

      Though not quite related, if you’re changing your website to use HTTPS, you’ll need to update your Webmaster properties accordingly.

      Thanks,
      Paul.

      View Comment
      • Marcus Fant says:

        Yes, not directly related, but I wanted to use this option in order to be able to get started using Stripe. I just wanted to ensure that I’d have to help Google look at the correct pages, so with that I believe I’ll go in and have the search engine serve the https pages.

        View Comment
  • RojoTheBear says:

    I’m having trouble with my own website. I have Flexible SSL turned on. I have your plugin installed. I even have Cloudflare’s plugin to rewrite URL’s. When I get to Step 3 of your step-by-step above, and add “https” to my site’s URL, most things look fine except the logo in the header won’t load.
    I contacted my theme’s developer, and they say there are no hardcoded links to http or https for the logo, and if I do inspect element to the broken image link it shows that’s true. If I click on the image link there I get a “Failed to load resource: The certificate for this server is invalid” notice.
    So what am I doing wrong?

  • sham says:

    Thank you. I followed your guide step by step and it’s working on my website.

  • Bob says:

    Cheers Paul G thank you for your commitment and knowledge. I used the Cloudflare WP plugin but was only getting the green lock on my navigation bar pages, but not on the main page or posts.

    Downloaded Really Simple SSL plugin for WP. It scanned and automatically debugged the issue and presto green lock on all pages.

    https://wordpress.org/plugins/really-simple-ssl/

  • Skyler says:

    Worked exactly as it was supposed to. Great plugin, and a great explanation of exactly how to use it. I only wish I would have found it sooner 🙂

  • fadhilah afif says:

    Hi Paul G, thank you for the tutorial.
    I have a little serious problem: I can’t log in to the dashboard, it keeps looping at the login page.
    Do you know how to fix it?

    thank you.

  • Ronnie says:

    Hello

    I am facing a big issue on my blog. I have not been able to access the WordPress dashboard after login, because it is showing HTTPS, but I have not made any changes to my site in the last few days; I just updated some plugins in bulk. I didn’t enable any SSL or anything similar, and I don’t have much knowledge about it.

    I am just able to log in using my username and password and that’s it, I can’t go ahead. Please help me out. It’s urgent.

    I have not been able to access the dashboard for 24 hours now.

    • Paul G. says:

      I’m sorry, I’m not sure I can help you with this. You may need to ask for help from a dedicated WordPress developer. It doesn’t sound like your problem is from using our plugin … though if you think it is, please remove the plugin using FTP.

      Thanks!

  • Hi, thanks for the post.

    I made this and it’s working fine!

    But now I can’t access mysite.com/webmail

    I’ve tried the rule *mysite.com/webmail (bypass caching) but it isn’t working.

    Tks a lot

  • Hi,

    I’ve created a DNS CNAME webmail that points to the original IP

    Now it’s working for me on webmail.mysite.com

    Tks

  • Is it possible to uninstall? When I saw what I needed to do to fix my theme, I removed the plugin from my plugin directory, but now when I try to view pages on my site, the little lock icon with the red slash comes up in my address bar. How can I prevent that? I’ve even tried to enter http: instead of https: in the URL bar and it rewrites every time.

  • Mido says:

    Thanks Paul, Great plugin.

    Though, for those who still get mixed content, you should disable “Rocket Loader”. I tried everything and it was the problem.

  • Russell says:

    Just wanted to know, do I need both this plugin and the official CloudFlare plugin running? Or either of them will do? Many thanks!

  • John Zell says:

    @icontrolwp This is an awesome plugin and solution! We have used it multiple times, are suggesting it to clients, and we actually just published our own writeup on how to get WooCommerce working with Stripe and Cloudflare SSL without redirect loops using your plugin. No coding needed. If it’s a valuable resource for your readers, feel free to share our research or use our method.

    Free SSL And Stripe Payment Gateway For Woocommerce No Coding Necessary

    Thanks again for the great plugin!

  • Göran says:

    Hi,
    your instructions about page rules in Cloudflare are wrong.

    You must add http:// in your page rule at Cloudflare; you cannot set it without it. Otherwise, a good article!

  • Mark says:

    I’m a long time paid Cloudflare user on three sites, all running Flexible SSL, and running the official Cloudflare plugin. Last week I received an email from Cloudflare saying I should create a page rule to 301 rewrite my page from http to https. I’ve done that on one of my sites and all is working well.

    However, I’m left with one question: should I change the http protocol URLs on my pages and posts to https? I know I don’t need to to make my site work — it currently works great. But I’m wondering if somehow in Google’s eyes that there is some problem — specifically, am I losing any link juice between my pages and posts because the actual page source shows http in my links, but they are pointing to https.

    And I see that if I decide to change the URLs, there is a 4.5 star highly downloaded plugin called Velvet Blues Update URLs, so I would not have to manually make the changes. But it does make me very nervous. 🙂

    Thanks. I hope people are still reading this great comment thread.

  • Angraj says:

    There is no such option (Always Use HTTPS – On/Off) on Cloudflare page rules.
    Available options are:
    Then the settings are: Always online, Browser cache TTL, … SSL etc
    Which option should I use here?

  • John says:

    Hey Paul thanks for the plugin:
    Following up on the UI change, I’m also seeing a change in the required input:
    *domain.com*

    results in an error “The URL must begin with “http://” for Always Use HTTPS to work”
    http://*domain.com/*

    worked for me.
    thanks again,
    John

  • Allan D. says:

    @icontrolwp Awesome article and plugin! Keep up the good work!

    I have a question. I was on a shared host, from which I bought a Comodo Positive SSL certificate as an extra add-on a month ago.

    I have moved from them to Digital Ocean hosting. I am using ServerPilot to manage it, and Free CloudFlare with flexible SSL. I have followed your instructions very carefully and https is working on my website. What I don’t like is the “Exclamation Mark” that is next to my url and the “warning” that comes with it. Here is a screen shot: http://prntscr.com/ct8qtm

    I have an “ssl” folder in the root of my backup folder from the other host, on my computer. It contains 2 files. A “Key” file and a “Security Certificate” file. Can I use this SSL certificate with my Cloudflare (and the new web host)? Is it the solution to the exclamation mark problem? How do I proceed to replace the “free CF flexible SSL” with the paid one that is currently just sitting in my computer?

    Thank you very much.

    Best regards. Keep up the great work!
    Allan

  • TBN says:

    My flexible SSL certificate has not been activated on Cloudflare for a week. The flexible SSL certificate is still showing “AUTHORIZING CERTIFICATE”. How could I make this “ACTIVE CERTIFICATE”?

  • Bernardo says:

    Hey hey. I can’t stop getting error 525! I’ve installed this plugin and I continue not to access the website. Could you please help me?

  • Simon T says:

    Paul,

    This is not the first time I’ve been amazed by your plugins, I use and adore the CBC one. Today I added CloudFlare to my hosting and was surprised by the flexible SSL they offered. After it went active I loaded up my page on https:// and it was a mess, unsecure images, CSS and JS. So I did some googling and there you were with another solution!

    So, I installed it, and after fiddling with a couple of plugins using “WP_PLUGIN_URL” instead of “plugins_url()” it worked perfectly.

    So thanks again my friend.

    I haven’t actually made all my traffic switch from http to https just yet, because I fear I’ll lose SEO, always been fearful of 301’s, but having it there ready to go is really pleasing.

    Keep up the amazing work!

    • Paul G. says:

      Hey Simon,

      Great that you made progress with this and our plugin helps.

      Actually, CloudFlare seem to have added a relatively new option whereby they rewrite your assets and other files to use HTTPS automatically for you. Have a look under “Crypto” for “Automatic HTTPS Rewrites”. This might help you out 🙂

      Thanks!

  • Adil Shah says:

    It’s an awesome article. I just followed the steps given by you and added SSL to my site http://www.rapidtricks.com without any problem. Thanks Paul G.

  • Dz Mehedi says:

    Awesome Work, It Works Perfectly Thank You

  • Marcelo says:

    Hello Paul,

    I almost made it work. On my pages an error message appears informing that http://www.sublimacao.net/index.php and http://www.sublimacao.net/wp-comments-post.php have unsecure content.

    Do you have any advice? Thanks

  • HerpDerp says:

    Just passing by to say thanks!

  • Darlene says:

    Thanks, Paul! I spent a couple of hours trying to solve this problem before I discovered your plugin and accompanying article. Worked like a champ. This was exactly what I needed!

  • Therese says:

    I used this method and it works fine, but now when I add a new image to the website it uploads as http and causes an insecure content alert in the browser. While I can always remember to fix this, my client won’t know how to do this. How does this get resolved?

  • Vasilis says:

    Paul thank you for this plugin!

    I just installed it and followed the instructions, being an advanced WordPress user myself.

    So, trying to load https:// brings an “Error Loading Page…The page does not exists…”

    For every page of my website…

    Next step, should I try to force HTTPS via .htaccess or is this a server problem?

    Plugin is active right now and you can see the difference between http:// and https:// version going to

    http://thevasilis.com

    Let me know if there is a suggestion.

    Thank you

  • Rohit Kumar says:

    nice post

  • raj says:

    Thanks a lot for this plugin, it has helped me a lot to set up SSL on my blog. Big cheers for this detailed tutorial

  • Thanks a lot!

    Does there exist a massive method to change the old http for https of images?

  • Pierre says:

    Thank you very much for this lovely plugin!

    I’ve carefully followed your instructions, and everything worked like a charm. For people having the Mixed Content alert, try first to activate the “Automatic HTTPS Rewrites” in the Crypto menu of CloudFlare. If this still doesn’t work, install the “SSL Insecure Content Fixer” WordPress plugin, activate it and configure it as indicated in the instructions. The Mixed Content problem should disappear, and you should get a green padlock everywhere.

  • kamran says:

    Hey Paul,

    I have faced a lot of issues while installing SSL but I couldn’t. My site was down and up tons of times and I have tried deleting and installing SSL again and again from CloudFlare but failed.

    Now the scenario is, I edited the wp-config file for changing the site URL and got access to my site and admin area later. Now when I go to the settings in admin panel > general > both the URL text boxes are auto-filled and not editable. Even if I remove the site URL from wp-config, the site goes down.

    Please help as I can’t install SSL now, I think due to this issue only

  • austin says:

    Hi, thanks for the plugin! The redirect on the wp-login.php was driving me mad 🙂 all good now though.

    Not sure if this is the correct place to ask but Google rewards sites that use https with a better SEO score than sites that use plain old http.
    However with the free Cloudflare Flexible SSL cert (as you mentioned above) the “CloudFlare Your Web Server” traffic is unencrypted – does anyone know if Google can spot this and potentially reduce your page ranking? I’m guessing not, but just thought I’d see what your thoughts are.

    Thanks!

  • Malik says:

    Hello guys, this is working for me in Flexible SSL (Free) in CloudFlare with my WP site: https://wordpress.org/plugins/force-https-littlebizzy/ because it will fix the insecurity and redirect. But I don’t wanna buy the cert cuz it’s expensive… Thanks

  • Josh Salganik says:

    Just as you stated, everyone familiar with the web should know by now that Google has made SSL a ranking factor and therefore it is a no-brainer to deploy a cert to help with SEO efforts, and not to mention, protect your users. But in the absence of SSL, Chrome may display warnings to users stating that the site is not secure – which brings me to my question:

    Why would anyone opt for flexible ssl if full ssl is an option that is on all free + paid plans?

  • Kanuj says:

    Dear Paul, thanks for the amazing plugin. I changed my website candytech.in from http to https 6 months back using the Cloudflare flexible SSL.
    We updated the WordPress URL and site address to https from http, though your post says not to do it; I read your post today.

    We don’t have any mixed content or performance issue. We also use SSL Insecure Content Fixer along with your plugin and all seems to work fine.

    Though my question is: we have half the website prior to migration as http for hard coded links while all current posts have https as hard coded links. Do you think this can cause a crawl or any other issue?

  • Dumitru says:

    With your solution I saved much time. I was trying to find out why my site wasn’t working after implementing the Cloudflare SSL, and the problem was that I had changed the rule in WordPress general settings. I installed the plugin suggested and replaced it back to http and now it is working just perfect. Thank you!

  • Ganesh says:

    This is great content and I liked it!

  • Anonymous says:

    Great post. I’m going through some of these issues as well..

  • Should I use a security plugin like Wordfence even when I am on Cloudflare?
    Wordfence is a resource-intensive plugin. My site is always at the resource limits. Is there a better alternative to Wordfence – lite and simple?

  • bubu says:

    To enforce SSL, there is an option under Crypto tag:
    Always use HTTPS
    Redirect all requests with scheme “http” to “https”. This applies to all http requests to the zone.
    This saves you a page rule quota, but it is domain-wide.

  • Chris says:

    Hi Paul,

    I just migrated my WP site to a new hosting package that offers a complimentary SSL certificate that they will install (hopefully later today). Up to this point, my site was using the Cloudflare “Flexible” setting because I didn’t have a server-side SSL Certificate. Once installed, my understanding is that I would switch the Cloudflare SSL setting to “Full” or “Full strict” (not sure which is better–if you can offer counsel on that, I’d appreciate it). In that case, would it be best for me to deactivate and delete the “Cloudflare Flexible SSL” plugin? Is there risk that it could create conflict with my site if it remains active? If I should remove it, could you give me the proper order of operations for deactivation so I can avoid creating an internal site conflict? Not sure if I would deactivate the plugin first and then switch to the Cloudflare “Full” setting or vice-versa.

    Perhaps there is no risk to simply leaving it active but my preference would be to remove it if it is not necessary to reduce the number of installed plugins on my site.

    Thanks Paul! Very much have appreciated how well the “Cloudflare Flexible SSL” plugin has worked for my site to date.

    Chris

  • Shahbaz Anshari says:

    Thank you for the post. While installing the Cloudflare SSL certificate many issues have occurred.

  • Devendra says:

    I have set up a Cloudflare SSL certificate on my website and
    all the things are working fine. I have created my own email ID in cPanel; it was successfully created and can send mail to anyone, but I can’t receive email. anyone send me mail to that time show aunthanticated.
    Help me.

  • Jean Andre says:

    Wow, functioned as it should have. Phenomenal plugin, and even an outstanding clarification of what it does precisely. so I really also actually hoped I discovered it earlier.

  • Suhail Ahmad Sofi says:

    I understood the 3 types of SSL certificates very well in this article. I just installed Flexible SSL

  • Bob says:

    Perfect article
    thanks for sharing

  • Zia says:

    Hi Paul! I am facing some troubles.
    I just applied this guide on my blog. My blog is loading well under HTTPS.
    But the redirection is still not working.
    Any idea?

  • Paul Carter says:

    Hello Peeps, is this still in effect? I’m about to install the plugin. But it says it’s not tested on my current version, 5.2.1. Excellent blog

  • Nikhil says:

    Installing the plugin solved the redirection loop problem. Instead of page rule, I changed the http to https urls in general settings, which solved the problem of warning about partial content (assets) on http in browsers. Is there any specific reason you recommended adding a page rule instead of changing general settings?

    I also have turned on the ‘Always use HTTPS’ from edge certificate settings under the SSL/TLS tab on Cloudflare.

  • marrakech says:

    great plugin! thanks for sharing.
    overall great article…

  • kabiri says:

    Hi there,
    could you tell me if it affects SEO or not?

    Tnx

    View Comment
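
Several comments above report mixed-content warnings after moving a WordPress site behind Flexible SSL. The following is an added example (not from the article, the plugin, or any commenter) that checks a page's HTML for sub-resources still referenced over `http://`; the function names and the example.com sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource, per tag.
URL_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "audio": ("src",), "video": ("src", "poster"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "link": ("href",),
}
# "Active" (blockable) mixed content; the remaining tags are "passive".
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

# Constructed sample page (example.com is a placeholder, not a real site).
SAMPLE_HTML = """
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/post/">
<script src="//cdn.example.com/lib.js"></script>
<a href="http://www.example.com/other/">plain link, not a sub-resource</a>
<img src="http://www.example.com/wp-content/uploads/2015/01/logo-300x102.png"
     srcset="/wp-content/uploads/logo.png 1x,
             http://www.example.com/wp-content/uploads/logo@2x.png 2x">
"""


class MixedContentFinder(HTMLParser):
    """Collect sub-resources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical etc. are metadata, never fetched
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "url descriptor" candidates.
            parts = value.split(",") if name == "srcset" else [value]
            for part in filter(str.strip, parts):
                absolute = urljoin(self.page_url, part.split()[0])
                if urlsplit(absolute).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    print(*find_mixed_content("https://www.example.com/post/", SAMPLE_HTML), sep="\n")
```

Relative and protocol-relative URLs resolve against the HTTPS page address and are not reported, which is why only hardcoded `http://` references show up.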
