How to make WordPress play nice behind Flexible SSL


Flexible SSL is more than a fancy word. It’s an alternative to the more complicated and sometimes expensive method of adding a secure HTTPS connection to your site. Having a secure website isn’t just good for authentication, data integrity, or encryption. Google will also factor it in when ranking your site, and it determines which browser features your website can use.

Modern browsers have reduced or removed, or will reduce or remove, support for Geolocation, Service Workers (Notifications), Web Bluetooth, webcam and microphone access on insecure origins.

So what does that mean?

If you’re not concerned about losing some browser features, should you bother with SSL? Well, the short answer is yes. Google will look at this more favourably, and as the general public becomes accustomed to seeing the green bar, or as browsers begin to highlight the fact that a site is not secure, it will become more important than ever. If anything, it’s for appearances.

How can I fix this?

Well, if you have ever tried to set up a secure install of WordPress on your own, you might know that there are a few things to consider.

There are two main methods of securing your site.

The old way, but still good.

The first is to install an SSL certificate on your server. This is done from the command line with a certificate purchased from a Certificate Authority, and it has its pros and cons. For me, it’s cost. A basic certificate can cost as little as $15-$30 a year and as much as thousands. You also can’t simply purchase a certificate and add it to your server: you need to run a few terminal commands, prove that you own that server, and reconfigure your hosting environment to use that certificate. If you are using shared hosting, you might be able to use SSL provided by the hosting company, usually for less money, but it is more limited in what it covers.

More modern and more progressive hosting companies might offer Let’s Encrypt, which is free but needs to be supported by the host.

Let’s Encrypt can also be installed manually.

The faster and better way in my opinion.

The second method uses what is called non-terminated SSL or Flexible SSL. You can do this without having to make any changes to your server, or even logging into the command line. The two more popular services that I have used are Cloudflare and CloudFront.

Personally, I use Cloudflare. But both services offer a few added advantages like caching, firewall, DDoS mitigation, basic DNS, and page rules (redirects).

Sounds perfect! Oh, but wait. WordPress actually does not like this method at all.

Non-terminated or Flexible SSL takes the visitor’s HTTPS connection and proxies it through to your server as a standard HTTP connection. The hop between the proxy and your server is therefore not encrypted, and what WordPress sees is the same old insecure connection. As a result, you will find that WordPress no longer knows how to handle URLs or enqueued assets. So you have to force WordPress to play nice and pretend that it’s secure.

Unfortunately, you can’t simply go and change your URL to be HTTPS, because WordPress does some backend checking to see whether the connection is secure or not. This is where you will need a plugin: Cloudflare, or Cloudflare Flexible SSL. If you are using Amazon’s CloudFront then you will need to find a different plugin, but you shouldn’t have any problems.
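The backend check in question is WordPress’s `is_ssl()`, which reads `$_SERVER['HTTPS']`, and that value stays unset when the proxy reaches your server over HTTP. As an added example (not code from this post or from either plugin), this `wp-config.php` fragment sets it from the `X-Forwarded-Proto` header, but only when the request arrives from the proxy’s own addresses. The `example_` names and the `203.0.113.0/24` range are placeholders, and it assumes your proxy sends `X-Forwarded-Proto`.

```php
<?php
// Added example: place in wp-config.php, above the line that loads wp-settings.php.

// Assumption: placeholder range (RFC 5737 documentation block). Replace it with
// the edge address ranges your proxy provider publishes.
const EXAMPLE_TRUSTED_PROXIES = ['203.0.113.0/24'];

/** Return true if the IPv4 address $ip falls inside $cidr, e.g. "203.0.113.0/24". */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // not IPv4 or malformed CIDR: treat as untrusted
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** Was the visitor's request HTTPS, according to a proxy we trust? */
function example_forwarded_https(array $server, array $trusted): bool
{
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $fromProxy = false;
    foreach ($trusted as $cidr) {
        if (example_ip_in_cidr($peer, $cidr)) {
            $fromProxy = true;
            break;
        }
    }
    // Any client can send X-Forwarded-Proto itself, so the header is ignored
    // unless the TCP peer is the proxy.
    if (!$fromProxy) {
        return false;
    }
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    return $proto === 'https';
}

if (example_forwarded_https($_SERVER, EXAMPLE_TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on'; // the value is_ssl() looks for
}
```

If the server is reachable directly as well as through the proxy, direct requests still look insecure to WordPress, which is the correct result because they are.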

In Conclusion

As I mentioned, I use and prefer Cloudflare for my personal sites and CloudFront at work. Both are great and have some minor differences, but personally I use Flexible SSL because it allows me to move my VPS without needing to regenerate certificates. It also lets me add new SSL really quickly. I also take advantage of the caching and HTTP/2 that Cloudflare offers.