Sure, it may be a cunning plan to sign lots of us up, and then switch on the “Sorry, you’ve got to pay now Dude” sign. But I hope not. Perhaps their goal is to create a rapid, secure DNS service by offering SSL to the masses?
I don’t know. Anyway, let’s press on (I have lots to do) and let me show you just how easy it is to rock SSL on your WordPress site. By the way, this will of course work on all websites; you don’t have to run WordPress to sign up to CloudFlare’s services. But I can’t find any good reason not to use WordPress, can you? 😉
There is one big caveat. The CloudFlare SSL for Free plan works only with these modern browsers which support Server Name Indication (SNI):
- Internet Explorer 7 and later
- Firefox 2
- Opera 8 with TLS 1.1 enabled
- Google Chrome:
  - Supported on Vista and later by default
  - OS X 10.5.7 in Chrome Version 5.0.342.0 and later
- Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)
- Mobile Safari for iOS 4.0
- Android 3.0 (Honeycomb) and later
- Windows Phone 7
If you need more compatibility with older browsers, such as Windows XP SP2 and Android <3.0, you will need to sign up for one of CloudFlare's premium packages. So for some, you might as well stop reading here. Bye, sorry, but it would seem you're going to have to pay if you want SSL. But if, like me, you have a project where you don't need to support older browsers, then CloudFlare's free plan looks irresistible.
So enough already with the preamble. How do you get CloudFlare Free SSL & WordPress to play nicely?
1. Sign up for CloudFlare
Sign up with CloudFlare. Add your domain to your control panel, select the free plan, make a note of the CloudFlare Name Servers, then head over to wherever your domain name is registered and change the Name Servers to CloudFlare’s. That’s it. I have gone with the safe defaults for now. When I’m feeling braver I might try some of their bleeding edge settings.
2. Install the CloudFlare WordPress plugin
This is an optional step, but installing the CloudFlare Plugin seems like a good move to me:
By using the CloudFlare WordPress Plugin, you receive:
- Correct IP Address information for comments posted to your site
- Better protection as spammers from your WordPress blog get reported to CloudFlare
THINGS YOU NEED TO KNOW:
The main purpose of this plugin is to ensure you have no change to your originating IPs when using CloudFlare. Since CloudFlare acts as a reverse proxy, connecting IPs now come from CloudFlare’s range. This plugin will ensure you can continue to see the originating IP.
Every time you click the ‘spam’ button on your blog, this threat information is sent to CloudFlare to ensure you are constantly getting the best site protection.
We recommend any WordPress and CloudFlare user use this plugin.
For more best practices around using WordPress and CloudFlare, see: Using CloudFlare and WordPress Five Easy Steps.
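The plugin description above says the visitor's originating IP is recovered even though every connection now arrives from the reverse proxy. The following PHP is an added example, not the plugin's own code: it reads CloudFlare's `CF-Connecting-IP` request header, but only when the connecting peer is inside a trusted proxy range, because a client that reaches the origin directly can send any header it likes. The function names are hypothetical and the ranges are constructed placeholders to be replaced with the proxy's published list.

```php
<?php
// Added example, not the CloudFlare plugin's code. The ranges are constructed
// placeholders (documentation networks); use the proxy's published ranges.
const TRUSTED_PROXY_RANGES = ['198.51.100.0/24', '2001:db8:100::/48'];

/** Hypothetical helper: true when $ip lies inside $cidr (IPv4 or IPv6). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4 compared against IPv6
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $whole = intdiv($bits, 8);   // bytes that must match exactly
    $rest  = $bits % 8;          // leftover bits in the next byte
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Hypothetical helper: visitor IP, trusting the header only from the proxy. */
function client_ip(array $server): string
{
    $peer    = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach (TRUSTED_PROXY_RANGES as $range) {
        if (ip_in_cidr($peer, $range) && filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed; // connection really came through the proxy
        }
    }
    return $peer; // direct connection or malformed header: ignore the header
}

// Constructed sample requests in the shape of $_SERVER.
$viaProxy = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.50'];
$direct   = ['REMOTE_ADDR' => '192.0.2.99',   'HTTP_CF_CONNECTING_IP' => '203.0.113.50'];
echo client_ip($viaProxy), "\n";
echo client_ip($direct), "\n";
```

The first request yields the header value because its peer is inside a trusted range; the second falls back to the peer address, so a spoofed header cannot change the IP recorded against a comment.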
Yeah, yeah, yeah, but does it work?
Well it’s still early days in my trial, but it’s all fine and dandy.
I have installed it on the WordPress Bournemouth website. It’s a new site, no one has actually signed up yet! It is the Official Billy-No-Mates of WordPress Meet Up Groups™. But it’s not the quantity, it’s the quality. Anyway, I hope this will change with SSL… Plus, WP Bournemouth is aimed squarely at people who have at least an interest in WordPress. I know I am generalising but I don’t expect many of them to be rocking IE6. At least I hope not…
CloudFlare are not only offering a very slick, easy-to-use way of setting up SSL, but a lot more as well. Albeit, visitors using older browsers or operating systems like Windows XP will see SSL warnings on the free SSL option. I am not sure how well screen readers and other user agents will fare either.
Also, I set this up on a WP Engine site.
However, in addition to the free SSL, their free plan offers:
- Globally load balanced content delivery network (CDN)
- Automatic static content caching
- IPv6 compatibility and gateway
- Always Online™
- Rocket Loader™ (don’t know what this does, but it sounds cool!)
- SPDY Support
Plus these added security features:
- Reputation-based threat protection
- Comment spam protection
- Content scraping protection
- Block visitors by IP range or country
- Deploy collective intelligence to identify new threats
- Notify visitors on how to clean their infected machine
- Basic DDoS protection
The DDoS protection could prove to be really useful.
Seriously, you will probably have set this up a lot quicker than you have taken to read this. I am really impressed so far. A doddle to set up. Works like a dream with BuddyPress, bbPress and Gravity Forms with no changes whatsoever to my inaugural CloudFlare site, which bodes well for most WordPress sites. I really want to set this up on a WooCommerce site running Stripe. I can’t think of an easier way to set up a secure and seamless eCommerce experience than this.
The future’s bright, the future’s SSL
I think SSL will become more and more important. I believe there will be a slight SEO advantage and of course increased visitor confidence in a site using SSL. Plus it makes it, by definition, more secure. So, I think now is really the time to start embracing SSL on all sites, and especially so on new installs.
I would love to hear your experiences of using the Free plan from CloudFlare and WordPress, please hit up the comments.
A big thank you to Alex
Also, Alex kindly suggested that I install the WordPress Force HTTPS, which I’ve just installed.
Coming later this year is Let’s Encrypt:
Let’s Encrypt is a new Certificate Authority:
It’s free, automated, and open.
Sounds promising, and Automattic are a major sponsor too. 😉 Thanks to Laura Steiner for the heads up on Let’s Encrypt.