You can get free SSL (Flexible SSL) from CloudFlare. CloudFlare has also added support for the HTTP/2 protocol. CloudFlare is a Content Delivery Network that optimizes the delivery of your web pages so that your visitors get faster load times and better performance.
This is how CloudFlare works: when a visitor loads your website, they’re not directly connected to your web server; they’re connected to CloudFlare.
When you enable SSL on CloudFlare, you say “when a visitor is browsing my site, communicate with them over HTTPS/SSL”.
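This means that the whole communication channel is not 100% SSL. With Flexible SSL, only the connection between the visitor and CloudFlare is encrypted; CloudFlare still talks to your web server over plain HTTP.
The connection is broken up into 2 stages: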
* Visitor <=> CloudFlare
* CloudFlare <=> Your Web Server
It’s not ideal, but it’s probably better than no SSL at all.
If you transmit sensitive information over your website, I strongly suggest you install an SSL certificate on your hosting server. Then you’ll have both directions encrypted, and you’ll be able to select Full SSL on Cloudflare.
Here are 7 steps to enable Free Flexible SSL from CloudFlare on a WordPress website:
- Create an account on CloudFlare.com. Add your website URL. CloudFlare will scan your site and it will give you 2 Name Server addresses.
- Go to your Domain Registrar (where you purchased your domain from, for example Godaddy.com, your hosting provider, etc.). In your Domain Registrar, under Domain Settings, change the name servers to the 2 addresses you just got from CloudFlare.
It will take a few minutes for your domain to propagate so that it goes through CloudFlare. You’ll see a green bar confirming that it was successful.
- Then click on the Crypto button and choose the Flexible SSL option. On a free account, it takes up to 24 hrs to issue a certificate. It even tells you that right there.
- After 24 hrs, go to CloudFlare and check whether the SSL certificate has been issued.
You’ll see a green sign that says: Active Certificate
- Go to your Admin panel, such as www.yoursite.com/wp-admin, and install 2 Plugins:
- Activate SSL Insecure Content Fixer plugin
- Once you have confirmed your website loads properly under HTTPS, you will now want to force all visitors to use it.
If you go to your site’s URL as https BEFORE the certificate is issued, you’ll see a security warning.
Make sure you read the Step-by-Step Guide on how to enable Cloudflare Flexible SSL.
At no point do you need to change your website’s URL under Settings -> General -> Website Address (URL).
This plugin will help you clean up your WordPress website’s HTTPS insecure content and mixed content warnings. It will solve most insecure content warnings with little or no effort.
Choose any of the following options: Off-Simple, Widgets, Content, Capture. Choose an option that fits your site best. I chose Widgets, since I had links in my Widgets.
Browse to your website using HTTPS instead of HTTP, such as https://yoursite.com. Your website should load as normal. If it doesn’t, you probably still have certain assets such as CSS or JPEGs that are hard-coded to use HTTP and not HTTPS.
You can test your website for insecure content warnings.
Why No Padlock is a great site for diagnosing certificate problems and logging insecure content. It even goes beyond your website and checks that any links to other sites are also problem free.
Read this helpful Cleaning Up Guide to make a plan for fixing insecure content warnings.
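The hard-coded HTTP assets described above can be listed straight from a page's HTML. The following is an added example (not from the original post or from any plugin or site mentioned here); it checks tag attributes only, not CSS `url()` references or `srcset`, and the sample page and its paths are constructed.

```python
from html.parser import HTMLParser

# Tags whose src attribute makes the browser fetch a subresource. Browsers
# treat "active" loads (scripts, frames, stylesheets) more strictly than
# "passive" ones (images, media). Plain <a href> links are navigation only.
SRC_TAGS = {"script": "active", "iframe": "active", "img": "passive",
            "video": "passive", "audio": "passive", "source": "passive"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").strip() for name, value in attrs}
        if tag == "link":
            rel = a.get("rel", "").lower().split()
            kind = "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
            url = a.get("href", "")
        else:
            kind, url = SRC_TAGS.get(tag), a.get("src", "")
        # Scheme match is case-insensitive; https:// and //host URLs are fine.
        if kind and url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (yoursite.com is the placeholder used in this guide).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://yoursite.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://yoursite.com/">
<script src="https://yoursite.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://yoursite.com/wp-content/uploads/logo.jpg">
<img src="//cdn.example.com/banner.png">
<a href="http://example.org/">an ordinary link</a>
<script src="HTTP://yoursite.com/wp-content/plugins/demo/widget.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> ({kind}) {url}")
```

Save the HTML of a page from your own site to a file and pass its contents to `find_mixed_content` to get the line, tag and URL of each asset that still needs its link changed to HTTPS.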
Forcing HTTPS is best done by CloudFlare, and not on your WordPress site. Within CloudFlare go to the Page Rules section for your domain and enter a rule.
The rule should be:
If you decide to have both directions encrypted, enable SSL on your host, and just switch SSL type to FULL at CloudFlare.
You can test any website to see if it supports HTTP/2 protocol here
More about HTTP/2 protocol