I have a wordpress site that was set up as http and showed as unsafe.
I added the site to cloudflare and updated nameservers, all done.
The cloudflare system originally set the security to FULL. I copied the origin cert and key to my CPanel and it showed as done.
Now, 18 hours later, the site still shows as unsafe and when I look back at the Cloudflare site, the setting is now FLEXIBLE.
Is this a Wordpress issue?
Why did it switch back to Flexible?
Do I need to generate new certs and change them on my CPanel?
How do i get my site showing as https?
Any help would be welcomed!
Thanks,
Cliff
There’s a fair bit to unpick.
What is the site?
You can check what makes changes to your Cloudflare configuration in the audit log…
https://dash.cloudflare.com/?to=/:account/audit-log
You should use only “Full (strict)” which requires your site to have a valid (trusted, not self-signed, in date, matching name) SSL certificate on your origin server.
Hello,
the site is oxlade.me.uk
I am told that wordpress will only support FLEXIBLE
I am also told that the site may now be showing as secure and it is just my cache that is the problem…
Kind Regards,
Cliff
Flexible is insecure as traffic from Cloudflare to your origin will always be unecrypted even if you use HTTPS to Cloudflare. You should only use “Full (strict)” or “Off” to avoid deceiving your users that their data is secure when it is not.
It is best to pause Cloudflare, ensure your Wordpress installation is correctly configured for SSL on its own, then re-enable Cloudflare.
My hosting company (SITE5) tell me that Wordpress is only able to use Flexible
I did set Cloudlfare to Full when i added the site, I then copied across the certs to my CPanel.
Then this morning, the site still showed as unsecured on my PC but likely due to cache I am told…When I checked back on Cloudflare, it now shows Flexible so it seems that Cloudflare itself has changed from Full to Flexi…
I looked at the dashboard and the log didn’t make an real sense to me
Cliff
Wordpress works fine with Full (strict), many use it. A host telling you to make your site insecure isn’t good.
It may be that their hosting doesn’t work through Cloudflare (usually this is because of SSL certificate generation/renewal requiring direct access) in which case you should use Cloudflare with “DNS only”.
If your host doesn’t support SSL at all, you should find one that does. Fronting an HTTP-only site with Cloudflare SSL is worse than having an HTTP only site as it deceives users.
Cloudflare doesn’t change settings on its own. Check your audit log to see why it changed…
https://dash.cloudflare.com/?to=/:account/audit-log
Having a few issues editing the site with Elementor now and have Site5 people looking at the back-end to see what is causing it so cannot play with the SSL at the moment.
My understanding, before Site5 told me otherwise, is that you enable FULL SSL in Cloudflare and then install the supplied data into the CPanel to make it work but will try that again and challenge Site5 on the issue once the Elementor issue is resolved…
Never ending fun!
Actually looks like cloudflare, once running messes up the Elementor web scripting system…
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.