Problem with mixed-content after updating links to https

mixedcontent

#1

Hi fellows,

I activated my ssl certificate following this instructions: https://www.000webhost.com/forum/t/how-to-use-cloudflare-for-ssl/53612 in CloudFlare. My website is hosted in 00webhost and I bought a domain in Hostinger.

After activating my ssl certificate I had problem with mixed content and its layout also got messed up. To solve this issue, I installed the plugin CloudFlare Flexibe SSL to enable me to access my dashboard and the plugin Better Search Replace to substitute all http links to https in WordPress. My layout is ok now but I still receive a message in the browser saying my website is not totally save.

What should I do?


#2

This line in that guide is worrying :confused:

Next, go to the “Crypto” tab of your Cloudflare dashboard. Make sure “SSL” is set to flexible.

Unfortunately, it doesn’t look like end-to-end encryption is something 000 supports so you’ll likely have to continue using Flexible.

Could you post your domain so we can help troubleshoot the mixed content?


#3

That is a 000 issue! As you say, they don’t support anything else! I have been trying to post a link to my Flexible article on their community but their discourse email verification is down :joy:


#4

Is there another way of making my website 100% secure? I heard CloudFlare was the option for who has a website hosted in 000webhost.


#5

Not as far as I know with 000webhost.

Yes, it’s the only option for your site to appear secure, but being set to Flexible isn’t actually secure (please see the link @judge posted earlier). Without switching to a paid host, not sure there is a lot you can do…


#6

Thank you for your support! :slight_smile:


#7

Actually, when you use Flexible, though the encryption is not end-to-end as some have pointed out here, you should be able to have a page that shows in the browser as “safe”.

The browser has no business knowing what lays beyond Cloudflare once you properly set your site to go through it, using the orange cloud icon in the DNS app. Make sure you have Always Use HTTPS and Automatic HTTPS Rewrite on the Crypto app. You could be prevented from showing your site as safe, though, if you depend on third-party assets that cannot be loaded over HTTPS.

Having said that, showing a padlock on your browser will not make the connection between CF and 000 safe, as @Judge, @domjh and others in this community are always correctly reminding us. So it’s a matter of trust, but technically you can have a site showing as 100% secure in the browser.

The issue with 000webhost.com is that they are a free hosting company, but hosting costs money. So they have as part of their business plan to insert promotional links on the bottom of your pages, and they can only enforce that if you do not use SSL. So I wouldn’t expect that they might be open to change that behavior any time soon.


#8

Looks like this has finally been allowed :joy:, hopefully they will update their tutorial to include this :grin:


#9

Just an update… Thank you @sulliops for updating your tutorial on 000webhost to explain about Flexible and linking to my article on here. :slightly_smiling_face:

https://www.000webhost.com/forum/t/cloudflare-flexible-ssl/156733/4


#10

Anytime my man.

Also yeah, sorry everyone for the security concerns. As @domjh said, I’ve updated my tutorial to add the security warning — however, the freemium business model dictates that we leave things as-is. If users want added security, they can switch off the free servers and onto something that earns us money. It’s a win-win in the case of the premium plans.

At any rate, if it were up to me I’d have a custom integration with Cloudflare working side-by-side with us to improve security on the free level. I’ve been trying to convince the higher-ups for a long time, but they’re focused on the premium users (and rightfully so, paying customers are always top priority) and won’t be pursuing that for a long time (if at all). So for now, thank you all for bringing this to my attention, and I hope my contributions set your minds more at ease!

Huge thanks to @domjh, he’s been a hero in all of this. By the way, I’m not sure why the forum wasn’t letting you post the links to your post until recently — the spam bot is on super high but it shouldn’t have any qualms with a Cloudflare link.