Not long ago, setting up an SSL certificate was a nightmare even for a seasoned technology veteran. Thanks to new services that allow quick, free setup of fully functional SSL on your site, it’s easy and accessible for everyone.
Today, we’ll walk through the simple steps for setting up SSL with Cloudflare.
First, create your free Cloudflare account. You’ll then need to follow their steps for migrating your DNS to the site. Generally speaking, this is a quick process, and you just need to change your nameservers when it’s done (as you would any time you change to a new web host). In addition to providing free SSL, Cloudflare also has tons of excellent free performance, firewall and caching tools, as well as premium options that up the ante even further.
Once you’ve changed your nameservers and are operating your site with Cloudflare as your DNS provider, log into your account and click the “Crypto” button across the top of your dashboard. Then set your SSL to “Full.”
This alone will allow your site to function properly under SSL (that is, https://yourdomain.com). You may need to take a few additional steps, depending on your host and how your site has been built.
If you’re hosting with WP Engine, one of our top recommended WordPress hosts, the next step is as simple as clicking a few boxes and buttons to add a free Let’s Encrypt certificate on your hosting account. You can then use the default WP Engine settings to force all traffic to use SSL, which should cause all your pages to appear secure (and will redirect insecure URLs to their secure counterparts).
For other hosts, you may not need to take any direct action at all, assuming your host will present a “self-signed” certificate for SSL traffic. This is a default certificate that exists on most web servers in some form, and normally it would show a “Can’t verify certificate” error in your browser. The great thing about using Cloudflare is that it presents the verified Cloudflare certificate to the end user, allowing you to use the self-signed certificate on your web server (thus saving you the cost of a formal, verified certificate). This works because in “Full” mode Cloudflare encrypts its connection to your server without validating the certificate your server presents. The key here is that the encryption is the same whether your certificate is self-signed or verified by an external certificate authority. You save the cost and complexity of verifying and installing your own certificate, since most servers have a self-signed one by default (or your host can easily set this up via a support request).
The last important point: you’ll need to make sure you are not running into “mixed content” errors, which occur when you attempt to load an insecure file, such as an image, JavaScript or CSS file, on an otherwise secure page. If your browser bar isn’t showing a “secure” symbol, check your browser error console to see what the culprits are. Usually this is the result of a reference to an off-site file where you have “http://” hard-coded in the URL. This needs to change to “https://” or “//” (the latter will pick up whichever protocol is in use by the current page).
Here are the best ways to fix mixed content issues:
- Change your WordPress URL and Site URL at Settings > General to use https://.
- Try a Force SSL WordPress plugin. There are a few, and some behave differently with different hosts, so you’ll need to experiment.
- If URLs are hard-coded in your theme, you’ll need to edit your theme files directly to change them.
- If you continue to have issues, contact your host. They’ll either be able to change settings for you or help you make a change to your .htaccess file to do a better job of forcing SSL on all requests.
Questions? Shoot us a message or comment below and we’ll be happy to help.