In one of my previous posts, I wrote about getting a free SSL certificate with Cloudflare. Today, I am going to guide you on how to install or setup a Cloudflare Free SSL certificate in WordPress.
Note before starting: Ensure that you have a recent (updated) theme and your WordPress website is last version, as if it is not the case, once you activate the SSL you will see your website like in the old HTML version. This because some old themes may refer to HTTP from a relative URL path. Usually, you can fix it activating the https rewrites (see below), while other time you will need to check where is the issue. It is always a best practice anyway to have the latest version of WordPress installed.
Note 2: Please ensure to do these steps during low peak traffic if you can, for example in the night or early morning. You know when your users are not browsing your website. So, in the event of something goes wrong, you have time to revert to previous settings and have a check, or have time to fix it.
Note 3: Another best practice in WordPress World is making a backup of your database, just in case something (it never occurred to me in ages) goes sour. Still a good habit to pursuit.
Steps on how to Setup the free Cloudflare SSL Certificate
Step 1: Install Really Simple SSL Plugin
This plugin is Free and it is listed in my Essential WordPress Plugin guide.
On your Dashboard, go to Plugins > Add New. Then type the name in the search bar and install. You can activate the plugin. Once the plugin is activated it will tell you if it can see the SSL certificate or not. It is not always simple to get the https ready and straight from the activation. Sometimes it takes more time and you have to figure out on how to fix it and where the issue is located.
Step 2: In Cloudflare, you have to activate the SSL and do some settings
Go to Cloudflare dashboard and click on Crypto tab.
Ensure that these options are enabled:
- SSL – Flexible (double check that the status of your certificate is Active = you have an SSL certificate);
- Always use HTTPS: On;
- Authenticated Origin Pulls: On;
- Require Modern TLS: On;
- Opportunistic Encryption: On;
- TLS 1.3 : Enabled + 0RTT;
- Automatic HTTPS rewrites (very important) must be ON;
In the last option, this ensures that eventual calls from the HTTP in your website will be transformed to https:
If your site contains links or references to HTTP URLs that are also available securely via HTTPS, Automatic HTTPS Rewrites can help. If you connect to your site over HTTPS and the lock icon is not present, or has a yellow warning triangle on it, your site may contain references to HTTP assets (“mixed content”)
Wait 5 minutes and go back to WordPress Dashboard. Reload this page. If the certificate is active you might be logged out. Once you go back to your dashboard you will see the https working. SSL Settings section can be found in Settings > SSL where you can see eventual errors or enable debug mode.
On the overall, I have tried these steps above on several websites so far, and I had just one that was harder to activate the SSL. In some cases, it is just a matter of cache to flush to see your website in HTTPS. Don’t panic, focus on where the issue might be. If you had some issues with this certificate and you fixed, you can share your thoughts in the comment below (Zero tolerance policy to spammers).
Disclaimer: Trademark/Copyright/Logo goes to their respective owners. I am not endorsed by Cloudflare. I don’t participate in any affiliation. I just want to share my knowledge and the use of this free product. I am not responsible if following the above steps may cause any issue to your website. These are the steps I have used to activate SSL on my websites. If you feel not confident to follow the steps above you should hire a professional.