I use CloudFlare on all my own sites to cut down on the resources that get sucked up by unwanted bot traffic. It’s free and I can actually enable it through the SiteGround cPanel. (If you don’t have CloudFlare available through your hosting control panel, you can go directly to CloudFlare and set up a free account.)
My own sites don’t currently have SSL certificates, though I am leaning toward implementing Let’s Encrypt so I can get HTTP/2. But some of my clients have e-commerce sites, and it was on one of them that I discovered that the combination of CloudFlare SSL with SSL certificates installed on your host can lead to redirect loop problems, specifically with WooCommerce. This is not a new issue, but I only found out about it today, so I figure there might be a few of you out there who haven’t encountered it, either.
Side note: if I enable a free CloudFlare account through SiteGround, I don’t get SSL, but I do get SSL if I set up the account through CloudFlare. I’m not sure why there’s a difference, though it might have to do with the limitations of cPanel.
Anyway, the Orchard Jewelry website (which I did not design but hope to redesign, as the theme is a hot mess) already had an SSL certificate from the hosting company, but was running into performance issues partly due to an assault of bots. So I set up a free CloudFlare account…and I turned the SSL settings for CloudFlare to Full. (SSL settings are under “Crypto” on the CloudFlare menu.) The “Flexible” setting enables SSL on any account; the “Full” setting checks for the existence of a certificate.
Unbeknownst to me, this created a redirect loop on the checkout page because of a conflict between CloudFlare and the WordPress HTTPS plugin. (Said plugin has incidentally not been updated for three years.) The problem was, naturally, discovered by someone trying to purchase something on the client’s site. OOPS.
If I unchecked the “Force SSL” button in WooCommerce, the checkout page would load…but without HTTPS. Obviously sending card info over an unsecure connection, or even a connection that WordPress thinks is insecure (apparently WP can’t detect the existence of CloudFlare’s SSL, so assumes your site is insecure), is not going to work.
If I turned CloudFlare SSL to “Off,” the ENTIRE SITE ended up with a redirect loop, because WordPress HTTPS was trying to make the site load securely and CloudFlare was telling it not to. Ugh.
What finally worked was setting CloudFlare’s SSL to “Strict” (which checks for a signed certificate), deactivating the WordPress HTTPS plugin, and re-checking “Force SSL” in the WooCommerce checkout settings. (Leave the second box, “Force HTTP when leaving the checkout” unchecked–CloudFlare will appy SSL to your entire site, both the front end and the admin.)
That’s two hours of my life I won’t get back and won’t get paid for (I created the problem by not understanding how CloudFlare’s SSL worked, and I’m not about to charge my client for nearly losing a sale), but at least now I know what to do, and I’m posting it here in case I need to refer back to it.