Google is making a big push to get sites secured with SSL certificates. Here’s a good article from last year with some of the details: “Google will Soon Shame Sites that are Unencrypted”. On top of that, there are now proven SEO benefits to having that little padlock next to your domain name.
Now that a good chunk of the web is running on WordPress, I’ve made some notes on how to give your website SSL for free. As a little bonus you get a speed boost on your site and improved security. Speed and SSL are current Google ranking signals.
Sign up for CloudFlare under the free plan.
Under Add a Website put in your domain name. Then have it scan.
When the scanning is done click Continue.
View the records to see if they are correct. Easiest hint that it’s correct is an A record that shows your domain name points to the IP of the server it’s currently hosted at. Click Continue.
Select Free. Click Continue.
You will be given two nameservers. Go to your domain registrar and change your nameservers to these.
After changing the nameservers click Continue at CloudFlare.
The domain will show as Pending. (Do not hit the refresh button here or you’ll have to wait another hour for it to show active.)
After a minute or two, go to https://cachecheck.opendns.com/ and put in your domain. If the IP is different from your original IP in most locations, your site is now on CloudFlare.
When you see you’re on CloudFlare’s servers click on Recheck Nameservers. Now your site is Active.
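Click on Crypto at the top of the screen. Under SSL select Flexible. Flexible encrypts traffic between visitors and CloudFlare only; the connection from CloudFlare to your server stays on plain HTTP, which is why no certificate is needed on the server. It takes about 10 minutes or so for the certificate to become active, but while waiting you can start working on the rest of the steps.
Go to your WordPress and install these plugins: CloudFlare, CloudFlare Flexible SSL, and WordPress HTTPS (yes, the one that hasn’t been updated in 4 years). Do not activate any of them.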
In WordPress activate CloudFlare plugin. Go to settings. Add your email address (that you used for CloudFlare) and add your API key (it can be found by clicking on the top right corner of CloudFlare where it says your email address under My Settings towards the bottom). Use Global API Key.
When the plugin finishes loading with your credentials click Apply under Apply Default Settings.
Automatic Cache Management > On
Go to Settings within the CloudFlare plugin and Automatic HTTPS Rewrites > On
Go to your Plugins page and activate CloudFlare Flexible SSL. Activate WordPress HTTPS.
On the left side bar in WordPress Admin there is a new option called HTTPS. Under Proxy select Yes. Save Changes.
Back at CloudFlare at the top of the page click on Page Rules. Create Page Rule. Type http://*yourdomain.com/* > Add a Setting > Always Use HTTPS > Order > First > Save and Deploy. (This step is supposed to create a 301 redirect so that the search engines will see this as a permanent link change and there aren’t two copies of your site on the search engines.)
Wait about 60 seconds and visit https://yourdomain.com. You should have a nice padlock next to your domain name in your browser now.
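To confirm that the Always Use HTTPS page rule really answers with a permanent redirect to HTTPS, and not a temporary one or none at all, you can check the response headers of the plain-HTTP URL. The script below is an added example, not part of the original notes; the function names and the script file name are made up for illustration, and it assumes curl is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# classify_redirect DOMAIN: reads raw HTTP response headers on stdin and prints
#   ok            permanent redirect (301/308) to https:// on DOMAIN or a subdomain
#   temporary     redirect to HTTPS, but 302/303/307 (not a permanent move)
#   wrong-target  redirect that does not land on https://DOMAIN
#   no-redirect   anything else (e.g. 200 served over plain HTTP)
classify_redirect() {
    domain=$1
    headers=$(tr -d '\r')   # HTTP headers end in CRLF; drop the CRs
    status=$(printf '%s\n' "$headers" | awk 'toupper($1) ~ /^HTTP\// { print $2; exit }')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" { print $2; exit }')

    case $status in
        301|308)     kind=permanent ;;
        302|303|307) kind=temporary ;;
        *)           echo no-redirect; return 0 ;;
    esac

    # Compare only the host part so a path containing the domain cannot pass.
    host=$(printf '%s\n' "$location" | sed -n 's|^https://\([^/:]*\).*|\1|p')
    case $host in
        "$domain"|*".$domain") ;;
        *) echo wrong-target; return 0 ;;
    esac

    if [ "$kind" = permanent ]; then echo ok; else echo temporary; fi
}

# check_site DOMAIN: fetch the headers of the plain-HTTP URL and classify them.
check_site() {
    curl -sI --max-time 10 "http://$1/" | classify_redirect "$1"
}

# Run as: sh check_redirect.sh yourdomain.com
if [ $# -gt 0 ]; then
    check_site "$1"
fi
```

Anything other than ok means search engines may still see the HTTP copy of the site, so recheck the page rule and its order.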
If you have multiple sites you just click on Add Site in your CloudFlare account and repeat the steps above. The other sites are free also.
As a bonus the nameservers are the same so it’s easy to make the change later.
Also if you completely mess up your whole setup you can just change your nameservers back and things go back to normal (usually).