
I use CloudFlare on all my own sites to cut down on the resources that get sucked up by unwanted bot traffic. It’s free and I can actually enable it through the SiteGround cPanel. (If you don’t have CloudFlare available through your hosting control panel, you can go directly to CloudFlare and set up a free account.)
My own sites don’t currently have SSL certificates, though I am leaning toward implementing Let’s Encrypt so I can get HTTP/2. But some of my clients have e-commerce sites, and it was on one of them that I discovered that the combination of CloudFlare SSL with SSL certificates installed on your host can lead to redirect loop problems, specifically with WooCommerce. This is not a new issue, but I only found out about it today, so I figure there might be a few of you out there who haven’t encountered it, either.
Side note: if I enable a free CloudFlare account through SiteGround, I don’t get SSL, but I do get SSL if I set up the account through CloudFlare. I’m not sure why there’s a difference, though it might have to do with the limitations of cPanel.
Anyway, the Orchard Jewelry website (which I did not design but hope to redesign, as the theme is a hot mess) already had an SSL certificate from the hosting company, but was running into performance issues partly due to an assault of bots. So I set up a free CloudFlare account…and I turned the SSL settings for CloudFlare to Full. (SSL settings are under “Crypto” on the CloudFlare menu.) The “Flexible” setting enables SSL on any account; the “Full” setting checks for the existence of a certificate.
Unbeknownst to me, this created a redirect loop on the checkout page because of a conflict between CloudFlare and the WordPress HTTPS plugin. (Said plugin has incidentally not been updated for three years.) The problem was, naturally, discovered by someone trying to purchase something on the client’s site. OOPS.
If I unchecked the “Force SSL” button in WooCommerce, the checkout page would load…but without HTTPS. Obviously sending card info over an insecure connection, or even a connection that WordPress thinks is insecure (apparently WP can’t detect the existence of CloudFlare’s SSL, so it assumes your site is insecure), is not going to work.
If I turned CloudFlare SSL to “Off,” the ENTIRE SITE ended up with a redirect loop, because WordPress HTTPS was trying to make the site load securely and CloudFlare was telling it not to. Ugh.
What finally worked was setting CloudFlare’s SSL to “Strict” (which checks for a signed certificate), deactivating the WordPress HTTPS plugin, and re-checking “Force SSL” in the WooCommerce checkout settings. (Leave the second box, “Force HTTP when leaving the checkout,” unchecked: CloudFlare will apply SSL to your entire site, both the front end and the admin.)
That’s two hours of my life I won’t get back and won’t get paid for (I created the problem by not understanding how CloudFlare’s SSL worked, and I’m not about to charge my client for nearly losing a sale), but at least now I know what to do, and I’m posting it here in case I need to refer back to it.
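A simplified model of the loops described in this post, added here as an example and not code from Cloudflare, WordPress or WooCommerce: it follows the redirects a visitor would see for each edge SSL mode when the origin forces HTTPS based on the scheme of the request that reaches it. The host `shop.example`, the function names and the origin rule are assumptions, and the WordPress HTTPS plugin conflict is not modelled.

```python
from urllib.parse import urlsplit

HOST = "shop.example"  # constructed host name, for illustration only

def origin(scheme_seen, path, force_https):
    """Assumed origin rule: redirect to https:// when the request arrives as plain HTTP."""
    if force_https and scheme_seen == "http":
        return 301, f"https://{HOST}{path}"
    return 200, None

def edge(url, mode, force_https):
    """Return (status, location) as the visitor sees it for one edge SSL mode."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if mode == "off":
        if parts.scheme == "https":
            # With SSL off, the edge sends HTTPS visitors back to HTTP.
            return 301, f"http://{HOST}{path}"
        to_origin = "http"
    elif mode == "flexible":
        # Visitor side may be HTTPS, but the origin always receives HTTP.
        to_origin = "http"
    else:
        # "full" / "strict": the origin sees the same scheme the visitor used.
        to_origin = parts.scheme
    return origin(to_origin, path, force_https)

def trace(url, mode, force_https=True, max_hops=10):
    """Follow redirects and return (hops, looped)."""
    seen, hops = set(), []
    while len(hops) < max_hops:
        if url in seen:            # same URL requested twice: redirect loop
            return hops, True
        seen.add(url)
        status, location = edge(url, mode, force_https)
        hops.append((url, status))
        if location is None:
            return hops, False
        url = location
    return hops, True

if __name__ == "__main__":
    for mode in ("off", "flexible", "full", "strict"):
        hops, looped = trace(f"https://{HOST}/checkout/", mode)
        print(f"{mode:9s} looped={looped} hops={hops}")
```

Running the same trace against a staging copy of a site (with a real HTTP client in place of `edge`) before changing the SSL mode shows whether the checkout page will loop.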
Sallie, thank you for the post. Setting up CloudFlare on a client’s WooCommerce/SSL site now. Hopefully I can avoid this issue! To confirm — did you leave the WordPress HTTPS plugin disabled?
I did, but then I had to switch everything back to accommodate Cloud Cart Connector.
Thank you for this. May I ask which CloudFlare plan you used? Was it the Pro or Business? I am trying to figure all of this out myself. The information about SSL on CloudFlare’s website is confusing.
I’ve only ever used the free plan on CloudFlare.
Great article!
I tried once to configure my WP site with flexible SSL and it worked, but… my Revolution Slider plugin stopped working and there were some other minor issues I was afraid I could not solve, so I gave up.
(Sorry about my English, I am not a native speaker.)
No worries about your English, Victor. You were very clear.
On this site I use a Let’s Encrypt certificate (which I didn’t have yet at the time of writing this post) and I have CloudFlare’s SSL set to Full(strict). If you have an SSL certificate for your site, you should use either Full or Full(strict).
A quick search for Slider Revolution and CloudFlare reveals that others have had the same problem you do, and that it appears to be a conflict with the rocket loader setting in the CloudFlare plugin. If you have the CloudFlare plugin installed, try turning off the Rocket Loader.
Great article! I was recently doing some research about the same topic… giving users a way to add SSL and Stripe to their WooCommerce store without too much added cost. We recently published an article about it over on our website. Please feel free to take a read and let me know your thoughts. Our solution uses a few plugins but is a no-code-necessary solution.
Free SSL And Stripe Payment Gateway For Woocommerce
That looks like a good article. Thanks for sharing it.
Hey Sallie. Thanks for the info. When setting up CloudFlare to run with Woocommerce, are there any specific page rules you need to set up over at CloudFlare as well?
Not that I noticed, but you may have to do some testing.
Hey, thanks for this! Ran into some issues implementing CloudFlare on a WP/WooCommerce install today and you really helped me sort it out.
Well, if not “sort it out” per se, at least I knew other smarter people had broken things in the past.
So thanks.
I’ve learned a bit more about Cloudflare since, and you may need to set up page rules to exclude the cart and checkout pages, as well as the WP Admin. Somewhere in my copious spare time I’ll be posting a bit more on the subject.
Sallie, thank you for the post. This topic is very confusing. If you can add more after your recent research it would be great.
I don’t have an ecommerce site but am thinking about setting one up with WooCommerce. My current site, which I use to blog, is hosted at SiteGround.
When I build an ecommerce site, my understanding is that I can buy an SSL certificate from SiteGround, which is around $80/yr. SiteGround has SuperCacher and some say it is even better than W3 Total Cache.
Question: I heard that if I use the SiteGround Cloudflare or Cloudflare option with SSL, there might be issues. The SiteGround rep told me to get Cloudflare Pro. Is this correct, or is he simply trying to sell it to me?
You should set up your Cloudflare account directly through Cloudflare. I use SiteGround myself, but it turns out that there are aspects of their version of CF that cause some problems with SSL, or did. But you can use SSL with a free Cloudflare account just fine, and it’s a good option. SiteGround also offers free Let’s Encrypt SSL certificates, though those might not be sufficient for your payment processor/merchant service provider.
Thank you Sallie.
Hey there! Great post. I’m looking for a little more light because I ran into a weird issue. For example, I have my own VPS (nginx), letsencrypt installed and DNS managed by Cloudflare, but when I enable Stripe and try to do the checkout (with live mode enabled on WooCommerce and Stripe), I always get the message that Stripe is in test mode so I can’t really use it, but when I test the page for the SSL it says that it’s grade A. I’ve added a page rule that includes the checkout URL in the Cloudflare cert but got the same behavior, which doesn’t let me use Stripe as a payment gateway…
You might need to be sure you clear all possible caches, since it might be that your browser doesn’t know you’re in live mode. And you might look for some sneaky additional place that Stripe needs to be set to live. For instance, do you have the correct live webhooks? I remember some time back I had a similar issue and there was something in Stripe itself that I hadn’t set correctly, but unfortunately that was a couple of years ago and I can’t remember what it was.
Thank you for this post, but I do not understand why I would need Cloudflare SSL?
I already have a Let’s Encrypt SSL on some WooCommerce websites and Comodo SSL on some others.
Do I really need to set up anything concerning SSL on Cloudflare?
Sorry, I am very new to the topic :-)
Thank you so much again.
If you are using Cloudflare, it needs to talk to your existing SSL certificate in order to avoid redirect loops, and to make sure that the connection is encrypted between Cloudflare and the visitor, as well as between Cloudflare and you. Cloudflare itself is helpful for reducing bandwidth issues and bot attacks, as well as speeding up delivery of your site.
There are some hosts that don’t provide Let’s Encrypt, and for people using them, Cloudflare offers free SSL, though in that case only the connection between Cloudflare and the visitor is actually encrypted.
The important thing to remember is that the best setting on Cloudflare if you already have SSL is “Full (Strict)” whereas if you don’t, it’s “Flexible.” And you may need to turn the automatic HTTPS redirects either off or on, depending on how you are set up.
Hello, why use the WordPress HTTPS plugin? It has not been updated for years and I was thinking that everybody was using Really Simple SSL?
Anyway, when a website already has SSL from the host, should we select STRICT as SSL on Cloudflare?
Thank you for your post and your help.
I now use Really Simple SSL, but WordPress HTTPS is what was on the site at the time I wrote the post. And yes, select Full(Strict) on Cloudflare when you have an SSL certificate.