• Skip to primary navigation
  • Skip to footer navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

WP Fangirl

WordPress Consultant Sallie Goetsch

  • speakerdeck icon
  • Home
  • About
  • Why WordPress?
  • How I Work
  • Portfolio
  • Services
  • Blog
  • Contact

Adventures in SSL, CloudFlare, and WooCommerce

December 9, 2015 by Sallie Goetsch 21 Comments

screenshot of CloudFlare's Crypto page with SSL set to strict

I use CloudFlare on all my own sites to cut down on the resources that get sucked up by unwanted bot traffic. It’s free and I can actually enable it through the SiteGround cPanel. (If you don’t have CloudFlare available through your hosting control panel, you can go directly to CloudFlare and set up a free account.)

My own sites don’t currently have SSL certificates, though I am  leaning toward implementing Let’s Encrypt so I can get HTTP/2. But some of my clients have e-commerce sites, and it was on one of them that I discovered that the combination of CloudFlare SSL with SSL certificates installed on your host can lead to redirect loop problems, specifically with WooCommerce. This is not a new issue, but I only found out about it today, so I figure there might be a few of you out there who haven’t encountered it, either.

Side note: if I enable a free CloudFlare account through SiteGround, I don’t get SSL, but I do get SSL if I set up the account through CloudFlare. I’m not sure why there’s a difference, though it might have to do with the limitations of cPanel.

Anyway, the Orchard Jewelry website (which I did not design but hope to redesign, as the theme is a hot mess) already had an SSL certificate from the hosting company, but was running into performance issues partly due to an assault of bots. So I set up a free CloudFlare account…and I turned the SSL settings for CloudFlare to Full. (SSL settings are under “Crypto” on the CloudFlare menu.) The “Flexible” setting enables SSL on any account; the “Full” setting checks for the existence of a certificate.

Unbeknownst to me, this created a redirect loop on the checkout page because of a conflict between CloudFlare and the WordPress HTTPS plugin. (Said plugin has incidentally not been updated for three years.) The problem was, naturally, discovered by someone trying to purchase something on the client’s site. OOPS.

If I unchecked the “Force SSL” button in WooCommerce, the checkout page would load…but without HTTPS. Obviously sending card info over an unsecure connection, or even a connection that WordPress thinks is insecure (apparently WP can’t detect the existence of CloudFlare’s SSL, so assumes your site is insecure), is not going to work.

WooCommerce Settings: Force SSL

If I turned CloudFlare SSL to “Off,” the ENTIRE SITE ended up with a redirect loop, because WordPress HTTPS was trying to make the site load securely and CloudFlare was telling it not to. Ugh.

What finally worked was setting CloudFlare’s SSL to “Strict” (which checks for a signed certificate), deactivating the WordPress HTTPS plugin, and re-checking “Force SSL” in the WooCommerce checkout settings. (Leave the second box, “Force HTTP when leaving the checkout” unchecked–CloudFlare will appy SSL to your entire site, both the front end and the admin.)

That’s two hours of my life I won’t get back and won’t get paid for (I created the problem by not understanding how CloudFlare’s SSL worked, and I’m not about to charge my client for nearly losing a sale), but at least now I know what to do, and I’m posting it here in case I need to refer back to it.

Related Items

  • It’s WordPress Plugin Developer Donation Day!
  • WP-Tonic 111: What makes a WooCommerce site successful?
    WP-Tonic 111: What Makes a WooCommerce Site Successful?
  • There’s a Plugin for That Presentation

Share this post:

Share on Twitter Share on Facebook Share on Pinterest Share on LinkedIn Share on Email

Filed Under: Hosting and Servers Tagged With: CloudFlare, SSL, WooCommerce

Reader Interactions

Comments

  1. Ron says

    February 18, 2016 at 9:17 pm

    Sallie, thank you for the post. Setting up CloudFlare on a client’s WooCommerce/SSL site now. Hopefully I can avoid this issue! To confirm — did you leave the WordPress HTTPS plugin disabled?

    Reply
    • Sallie Goetsch says

      February 19, 2016 at 6:55 am

      I did, but then I had to switch everything back to accommodate Cloud Cart Connector.

      Reply
  2. Chad says

    June 28, 2016 at 1:33 pm

    Thank you for this. May I ask which CloudFlare plan you used? Was it the Pro or Business? I am trying to figure all of this out myself. The information about SSL on CloudFlare’s website is confusing.

    Reply
    • Sallie Goetsch says

      June 29, 2016 at 10:48 am

      I’ve only ever used the free plan on CloudFlare.

      Reply
  3. Victor says

    June 30, 2016 at 8:48 am

    Great article!
    I tried once to configure my wp site with flexible SSL and it worked, but… my revolution slider plugin stopped working and there were some other minor issues, I was afraid I could not solve so I gave up.

    (sorry about my english, I am not a native speaker)

    Reply
    • Sallie Goetsch says

      June 30, 2016 at 9:16 am

      No worries about your English, Victor. You were very clear.

      On this site I use a Let’s Encrypt certificate (which I didn’t have yet at the time of writing this post) and I have CloudFlare’s SSL set to Full(strict). If you have an SSL certificate for your site, you should use either Full or Full(strict).

      A quick search for Slider Revolution and CloudFlare reveals that others have had the same problem you do, and that it appears to be a conflict with the rocket loader setting in the CloudFlare plugin. If you have the CloudFlare plugin installed, try turning off the Rocket Loader.

      Reply
  4. John Zell says

    August 2, 2016 at 11:20 am

    Great Article! I was recently doing some research about the same topic… Giving users a way to add SSL and Stripe to their woocommerce store without too much added cost. We recenetly published an article about it over on our website. Please feel free to take a read and let me know your thoughts. Our solution uses a few plugins but is a no code necessary solutions
    Free SSL And Stripe Payment Gateway For Woocommerce

    Reply
    • Sallie Goetsch says

      August 2, 2016 at 12:29 pm

      That looks like a good article. Thanks for sharing it.

      Reply
  5. Josh says

    November 1, 2016 at 7:42 pm

    Hey Sallie. Thanks for the info. When setting up CloudFlare to run with Woocommerce, are there any specific page rules you need to set up over at CloudFlare as well?

    Reply
    • Sallie Goetsch says

      November 1, 2016 at 10:15 pm

      Not that I noticed, but you may have to do some testing.

      Reply
  6. George says

    December 14, 2016 at 3:18 pm

    Hey, thanks for this! Ran into some issues implementing CloudFlare on a WP/WooCommerce install today and you really helped me sort it out.

    Well, if not “sort it out” per se, at least I knew other smarter people had broken things in the past.

    So thanks.

    Reply
    • Sallie Goetsch says

      December 15, 2016 at 10:45 am

      I’ve learned a bit more about Cloudflare since, and you may need to set up page rules to exclude the cart and checkout pages, as well as the WP Admin. Somewhere in my copious spare time I’ll be posting a bit more on the subject.

      Reply
  7. stan says

    December 21, 2016 at 3:59 pm

    Sallie, thank you for the post. This topic is very confusing. If you can add more after your recent research it would be great.

    I don’t have an ecommerce site but thinking about setting up one with woocommerce. My current site which I use to blog is hosted at Siteground.

    When I build ecommerce site, my understanding is, I can buy SSL certificate from Siteground which is around $80/yr. Siteground has supercacher and some say it is even better than w3 total cache.

    Question: I heard that if I use siteground cloudflare or cloudflare option with SSL, there might be issues. Siteground rep told me to get cloudflare pro. Is this correct or he is simply trying to sell it to me?

    Reply
    • Sallie Goetsch says

      December 21, 2016 at 4:30 pm

      You should set up your Cloudflare account directly through Cloudflare. I use SiteGround myself, but it turns out that there are aspects of their version of CF that cause some problems with SSL, or did. But you can use SSL with a free Cloudflare account just fine, and it’s a good option. SiteGround also offers free Let’s Encrypt SSL certificates, though those might not be sufficient for your payment processor/merchant service provider.

      Reply
      • Stan says

        January 21, 2017 at 4:39 pm

        Thank you Sallie.

        Reply
  8. Jorge says

    January 30, 2017 at 12:12 pm

    Hey there! Great post, I’m looking for a little more light because I ran into a weird issue, for example, I have my own VPS (nginx), letsencrypt installed and DNS managed by cloudflare but when I enable Stripe and trying to do the checkout (with live mode enabled on woocommerce and stripe), I always get the message that Stripe is in test mode so I can’t really use it, but when I test the page for the SSL it says that it’s grade A. I’ve added a page rule that include the checkout URL in the cloudflare cert but got the same behavior which don’t let me use Stripe as a payment gateway…

    Reply
    • Sallie Goetsch says

      January 30, 2017 at 1:04 pm

      You might need to be sure you clear all possible caches, since it might be that your browser doesn’t know you’re in live mode. And you might look for some sneaky additional place that Stripe needs to be set to live. For instance, do you have the correct live webhooks? I remember some time back I had a similar issue and there was something in Stripe itself that I hadn’t set correctly, but unfortunately that was a couple of years ago and I can’t remember what it was.

      Reply
  9. MakeOnlineShop says

    April 6, 2017 at 6:19 pm

    Thank you for this post, but I do not understand why I would need cloudfare SSL ?
    I already have a Let’s encrypt SSL on some woocommerce websites and Comodo SSL on some others.
    Do I really need to setup anything concerning SSL on cloudfare ?
    Sorry, I am very new to the topic :-)
    Thank you so much again.

    Reply
    • Sallie Goetsch says

      April 6, 2017 at 6:28 pm

      If you are using Cloudflare, it needs to talk to your existing SSL certificate in order to avoid redirect loops, and to make sure that the connection is encrypted between Cloudflare and the visitor, as well as between Cloudflare and you. Cloudflare itself is helpful for reducing bandwidth issues and bot attacks, as well as speeding up delivery of your site.

      There are some hosts that don’t provide Let’s Encrypt, and for people using them, Cloudflare offers free SSL, though in that case only the connection between Cloudflare and the visitor is actually encrypted.

      The important thing to remember is that the best setting on Cloudflare if you already have SSL is “Full (Strict)” whereas if you don’t, it’s “Flexible.” And you may need to turn the automatic HTTPS redirects either off or on, depending on how you are set up.

      Reply
  10. MakeOnlineShop says

    April 8, 2017 at 8:53 am

    Hello, why using WordPress HTTPS plugin ? not updated for years and I was thinking that everybody was using Really simple SSL ?
    Anyway, when a website already has SSL from host, should we select STRICT as SSL on cloudflare ?

    Thank you for your post and your help.

    Reply
    • Sallie Goetsch says

      April 9, 2017 at 9:36 am

      I now use Really Simple SSL, but WordPress HTTPS is what was on the site at the time I wrote the post. And yes, select Full(Strict) on Cloudflare when you have an SSL certificate.

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

What I Write About

  • Book Reviews
  • Content Strategy
  • Design
  • Hosting and Servers
  • Most Valuable Plugins
  • There's a Plugin for That
  • Using WordPress
  • Widgets
  • WordPress Consulting
  • WordPress Events

Series

  • Interviews (5)
  • Checking Up on Your Website (4)
  • Client from Hell (5)
  • WordCamps (17)
  • WP-Tonic Roundtable (30)
  • Modern Tribe Tutorials (13)

Follow Sallie on Twitter

    Sorry, no Tweets were found.

RSS Latest News from the East Bay WordPress Meetup

  • Does It Work? Using The New CSS Layout with Rachel Andrew
    Things change rapidly in the WordPress world. The content in this post is more than a year old and may no longer represent best practices.Description Over the past two years, […] The post Does It Work? Using The New CSS Layout with Rachel Andrew appeared first on East Bay WordPress Meetup.
  • Speaker Training
    Get the workbook and slides for the October 2019 speaker training, plus background and pro tips. The post Speaker Training appeared first on East Bay WordPress Meetup.
  • SEO Audit Template & Resources
    Our November speaker, John Locke, graciously provided a template for an SEO audit report. You can download it as a Microsoft Word or PDF document. The post SEO Audit Template & Resources appeared first on East Bay WordPress Meetup.

Footer

Contact Info

2063 Main St #133 · Oakley, CA 94561

+1 (510) 969-9947

author-izer

sallie [at] wpfangirl [dot] com

Location

Map of East Contra Costa County

I live in Oakley, CA and run a WordPress Meetup in Oakland, CA. Don't confuse them!

Subscribe for New Posts

  • Since I blog on an unpredictable schedule, you might want to subscribe by email. I'll also send out occasional announcements about events.

  • Privacy Policy: I will never sell or rent your contact information.

  • This field is for validation purposes and should be left unchanged.
  • Contact
  • Colophon
  • Comment Policy
  • Privacy Policy
  • Five for the Future

Copyright © 2023 · Utility Pro on Genesis Framework · WordPress · Log in

MENU
  • Home
  • About
  • Why WordPress?
  • How I Work
  • Portfolio
  • Services
  • Blog
  • Contact