Protecting your self-hosted WordPress from threats and securing with https/SSL for free with CloudFlare

Having a domain of your own is a wonderful thing but like many things in life it comes with responsibilities. Self-hosted WordPress blogs are a regular focus of spammers and brute force attacks and more than likely your webhost already has measures in place to prevent the bots getting in. There are proactive measures you can also take to protect your domain and a host of plugins and tutorials to help with this.

To add to the collection I want to share with you my experiences of setting up and using CloudFlare. CloudFlare creates an extra layer between your website and the world allowing them to block threats as well as host and optimise your content. At an entry-level you can also use CloudFlare for free, which I’ve been doing for the last couple of months.

Recently CloudFlare announced they were Introducing Universal SSL for all users for free. SSL/TLS are the encryption protocols used to secure Internet communication. Hopefully you are familiar with looking for https:// rather than just http:// when you are doing your online banking or online shopping, the ‘s’ indicating that the information you see and enter is encrypted in transit, preventing eavesdropping on or tampering with the data. But why would I want the same level of security for my blog as for banking? CloudFlare make a great case for this in their post:

Having cutting-edge encryption may not seem important to a small blog, but it is critical to advancing the encrypted-by-default future of the Internet. Every byte, however seemingly mundane, that flows encrypted across the Internet makes it more difficult for those who wish to intercept, throttle, or censor the web. In other words, ensuring your personal blog is available over HTTPS makes it more likely that a human rights organization or social media service or independent journalist will be accessible around the world.

[Another consideration is that Google announced it would use https as a ranking factor in its search results]

So how do you go about moving your blog to https? Well first, if you haven’t already, you need to sign up and set up CloudFlare. There are two routes to do this provided by CloudFlare. Unfortunately my host, Reclaim Hosting, isn’t yet, so I had to go through changing nameserver settings (CloudFlare have additional tips on using their service with WordPress). When CloudFlare is set up, to enable SSL you need to go into CloudFlare Settings > Settings overview, where you see the SSL configuration:

SSL settings

CloudFlare actually have four options: Off, Flexible SSL, Full SSL, and Full SSL (Strict). Flexible is by far the easiest to set up and for most people the best place to start, though bear in mind that it only encrypts the leg between the visitor and CloudFlare; the connection from CloudFlare to your host stays plain http, which is what the Full options address. There is a lot more detail about the differences between these in this CloudFlare post, in which they say:

Flexible SSL encrypts all data between your site’s visitors and CloudFlare using TLS configured with best practices such as forward secrecy and more. This is where most threats to web traffic happen: in your coffee shop, by your ISP, and others in the local network.

With this enabled and traffic directed through CloudFlare you can start using https on your blog. There are a couple of things to bear in mind as well as things you have to do. To use https effectively you need to tell your blog that this is what you want to use. There are plugins like WordPress HTTPS (SSL) that can help with some of this, but I decided to do it the manual way.

Dashboard and site over SSL

Initially when I tried switching to SSL I ended up in an endless redirection loop. Fortunately I came across this post on how to Setup SSL on WordPress Behind Cloudflare Reverse Proxy. This is backed up by the WordPress documentation on Administration Over SSL, and you might want to start with just the first three lines of code (the FORCE_SSL_ADMIN define and the X-Forwarded-Proto check) in your wp-config.php file to test that SSL is working:

define('FORCE_SSL_ADMIN', true);
// CloudFlare terminates TLS and passes the visitor's original scheme in X-Forwarded-Proto.
// Marking the request as HTTPS here stops WordPress redirecting http<->https in a loop;
// isset() avoids a PHP notice on requests that did not come through CloudFlare.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
define('WP_HOME', 'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');
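The snippet above believes X-Forwarded-Proto from whoever reaches your web server, which is fine while every request arrives via CloudFlare but lets a client that connects to the origin directly claim it is on https. The following is an added example for wp-config.php (not code from this post, from CloudFlare or from WordPress) that only honours the forwarded scheme, and CloudFlare’s CF-Connecting-IP header, when the connecting address is inside a CloudFlare range. The IP ranges shown are placeholders (documentation addresses) and the helper function names are invented for illustration; replace the ranges with the current list CloudFlare publishes.

```php
<?php
// Added example for wp-config.php (not code from the post, CloudFlare or WordPress):
// only believe the forwarded scheme when the connection really came from CloudFlare.
// PLACEHOLDER ranges below (RFC 5737 / RFC 3849 documentation addresses): replace them
// with the current IP ranges CloudFlare publishes.
$mysite_cloudflare_ranges = array(
    '192.0.2.0/24',      // placeholder
    '198.51.100.0/24',   // placeholder
    '2001:db8::/32',     // placeholder (IPv6)
);

// Hypothetical helper: true when $ip falls inside the $cidr block (IPv4 or IPv6).
function mysite_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= (strpos($cidr, ':') !== false) ? '/128' : '/32';
    }
    list($subnet, $bits) = explode('/', $cidr, 2);
    $ip_bin     = @inet_pton($ip);
    $subnet_bin = @inet_pton($subnet);
    if ($ip_bin === false || $subnet_bin === false || strlen($ip_bin) !== strlen($subnet_bin)) {
        return false; // malformed address, or an IPv4 address tested against an IPv6 block
    }
    $bits  = (int) $bits;
    $bytes = $bits >> 3;          // whole bytes that must match exactly
    if ($bytes > 0 && substr($ip_bin, 0, $bytes) !== substr($subnet_bin, 0, $bytes)) {
        return false;
    }
    $rem = $bits & 7;             // leftover bits in the next byte
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$bytes]) & $mask) === (ord($subnet_bin[$bytes]) & $mask);
}

// Hypothetical helper: does the TCP connection to the origin come from CloudFlare?
function mysite_request_via_cloudflare(array $ranges) {
    if (empty($_SERVER['REMOTE_ADDR'])) {
        return false;
    }
    foreach ($ranges as $cidr) {
        if (mysite_ip_in_cidr($_SERVER['REMOTE_ADDR'], $cidr)) {
            return true;
        }
    }
    return false;
}

if (mysite_request_via_cloudflare($mysite_cloudflare_ranges)) {
    // Same effect as the plain X-Forwarded-Proto check, but only for connections from CloudFlare.
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
        $_SERVER['HTTPS'] = 'on';
    }
    // CloudFlare sends the visitor's real address in CF-Connecting-IP. Restoring it here lets
    // comment-spam and login-attempt limiting plugins see the visitor rather than CloudFlare,
    // and doing it only for trusted connections stops anyone else from choosing their own address.
    if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
}

define('FORCE_SSL_ADMIN', true);
define('WP_HOME',    'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');
```

Paste it (without the opening `<?php`, which wp-config.php already has) above the “That’s all, stop editing!” line. The CIDR check is done by hand so the snippet has no dependencies; if the list of ranges goes stale, the effect is simply that requests fall back to being treated as plain http, which is the safe failure.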

When switching to SSL you may find parts of your posts don’t load. Some of this is down to how your theme has been written, and for good themes it shouldn’t be a problem. The next problem might be missing videos or images in posts. Modern browsers block ‘mixed content’: resources loaded over plain http (particularly active content such as scripts and iframes) on a page that was served over https. So if you use iframes to embed content like YouTube videos and they are loaded over http, nothing will appear. Google updated the embed snippet for YouTube videos from <iframe src=http://www.youtube… > to <iframe src=//www.youtube… >, a protocol-relative URL which loads the content using the same scheme as the main page. You can run MySQL commands to update these, or it might be better to use one of the WordPress SSL rewrite plugins.
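The plugin route and the MySQL route both edit your stored posts. As an added example (not code from this post or from WordPress), here is a small plugin that does the rewrite at display time instead, and only for hosts you know serve https, plus an audit helper that lists whatever http:// resources a post still references so you can see what a browser will block. The function names, the host list and the priority choice are illustrative assumptions.

```php
<?php
/*
Plugin Name: Mixed content embed fix (added example)
Description: Added example, not code from the post or from WordPress. Rewrites http:// src
attributes for a short list of hosts known to serve https to protocol-relative URLs, and
offers an audit helper that lists whatever http:// resources remain. Function names and the
host list are illustrative assumptions.
*/

// Hosts assumed to serve the same content over https (edit to taste).
function mysite_https_capable_hosts() {
    return array('www.youtube.com', 'youtube.com', 'player.vimeo.com', 'yoursite.com');
}

// Rewrite src="http://host/..." to src="//host/..." for the listed hosts only, so the
// browser fetches the embed over the same scheme as the page (what Google's updated
// YouTube snippet does). Other hosts are left untouched rather than guessed at; the
// lookahead stops "yoursite.com.example" from matching the "yoursite.com" entry.
function mysite_rewrite_embed_scheme($html) {
    $hosts = array();
    foreach (mysite_https_capable_hosts() as $host) {
        $hosts[] = preg_quote($host, '#');
    }
    $pattern = '#(<(?:iframe|img|script|source|embed)\b[^>]*?\ssrc=["\'])http://('
             . implode('|', $hosts) . ')(?=[/"\'?])#i';
    return preg_replace($pattern, '$1//$2', $html);
}

// Audit helper: return the http:// resources still referenced by src/href in a post body,
// i.e. the mixed content a browser will block or warn about once the page is on https.
function mysite_find_mixed_content($html) {
    preg_match_all(
        '#<(?:iframe|img|script|source|embed|link)\b[^>]*?\s(?:src|href)=["\'](http://[^"\'\s>]+)#i',
        $html,
        $m
    );
    return array_values(array_unique($m[1]));
}

if (function_exists('add_filter')) {
    // Priority 20 runs after WordPress's own autoembed handling (priority 8) and wpautop (10),
    // so oEmbed output is rewritten too.
    add_filter('the_content', 'mysite_rewrite_embed_scheme', 20);
}
```

Because the rewrite happens on output, the original post content in the database is left as it was, so you can remove the plugin if a host stops serving https. Running mysite_find_mixed_content() over a post body (for instance from a throwaway template or WP-CLI) tells you which embeds still need attention before you force the whole site to https.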

Forcing to SSL

So far we’ve enabled the option for your blog to be browsed over SSL, including internal navigation links, but someone might still initially land on an http address. CloudFlare mention Page Rules in their admin interface for forcing to SSL, but that setting appears to have disappeared. CloudFlare also mention a way that Apache-hosted blogs can use the .htaccess file to redirect a user on to SSL:

# CF-Visitor carries the visitor's scheme as JSON, e.g. {"scheme":"http"}; match it un-negated (no "!"),
# otherwise http visitors are never redirected and https visitors are redirected in a loop.
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]

If like me you still use FeedBurner (I know) for your RSS feed you should also bear in mind that you need to keep your feeds alive for FeedBurner (avoiding a 400 error) – basically FeedBurner doesn’t like to be given feeds over SSL. So my snippet for .htaccess becomes:

# HTTPS redirect
RewriteEngine On
# Behind CloudFlare Flexible SSL the origin always sees plain http, so %{HTTPS} is
# always off here; the CF-Visitor check below is what detects the visitor's real scheme.
RewriteCond %{HTTPS} off
# FeedBurner and the feed validator fetch the feed over plain http; leave them alone.
RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
# Redirect only visitors CloudFlare reports as arriving over http. No "!" on this
# condition: negating it would redirect https visitors again and loop.
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://yoursite.com/$1 [R=301,L]

Remember, if you are forcing to SSL, that any tools or apps you use connected to your blog, like Live Writer, might need updating, as I discovered.

Letting Google know you’ve moved

The last thing I did was let Google Search know my blog was now over SSL. You may have plugins that handle your sitemap and updates to search engines. For me I did this using Google’s guide on Move a Site with URL changes.

Future

So a bit of work to get myself on SSL and save a couple of bucks on an SSL certificate. The good news is this sort of thing is hopefully going to get easier and more widespread.

4 Comments


  1. Brilliant, thanks Martin. It’s something that’s been on my mind for a while now, but looks too advanced for the likes of me, at the moment.

    David


    1. Being me I make it harder than it should be. Take it in steps and you’ll be fine :)


  2. Fascinating, wonderful. I need to do this. (I also need to start blogging again.) Thanks, Martin.


  3. Thanks! Before doing this I was in the https is for e-commerce camp but now I can see why it’s not just for when you are sending your bank card details. [I keep nudging Tim to integrate Cloudflare into Reclaim hosting which would make this easier]
