SSL issue with Wordpress.com-hosted blog

I have transferred in multiple domains to Cloudflare as my registrar but I just realized there’s an issue with SSL on the Wordpress.com “domain mapped” blogs that I have, including the one at singlemaltcloud.com.

The site loads via https, but I don’t get the lock symbol in the browser, and when I click on the information button, it says the connection isn’t fully secure, even though the certificate for sni.cloudflaressl.com is valid.

I reached out to the Wordpress.com support folks and asked about this and they noted I am not using their DNS servers, and if I were, they would be handling SSL for me (as they have in the past). They suggested I use their DNS servers, but that doesn’t appear to be possible for me at my account level (I setup a free account before transferring my domains over), nor do I think it would make sense to pay for a Business account to do that.

I’ve tried adjusting the SSL settings under Crypto (it’s at Full now), but the other settings either don’t change things for the better or make it worse.

I seem to be in a catch-22. Wordpress.com won’t handle SSL unless I use their DNS servers, but I can’t do that with my domain registered at Cloudflare.

Am I missing something?

Hi @mikestanley00,

The issue you see there is ‘mixed content’ and needs to be fixed on your site. Cloudflare can help to fix some

Mixed content errors mean that your website is being loaded over HTTPS but some of the resources are being loaded over HTTP. To fix this you will need to edit your source code and change all resources to load over a relative path, or directly over HTTPS.

For example, if you load your images with a full URL:

<img src="http://example.com/image.jpg" />

You would want to change this to:

<img src="//example.com/image.jpg" />

By removing the http:, the browser will use whichever protocol the visitor is already using. An alternative option would be to enable the Automatic HTTPS Rewrites feature that can potentially fix these errors for you automatically. Do be aware that resources loaded by JavaScript or CSS will not be automatically rewritten and mixed content warnings will still appear.

See this Community Tip for further details

This is far better than Flexible, but Full (strict) would be even better if you have or can get a valid cert on your server.

1 Like

Thanks. I reviewed that tutorial and it worked for two of the three Wordpress.com-hosted blogs, including singlemaltcloud.com. What I did was enable “Always use HTTPS” and “Automatic HTTPS Rewrites.”

Oddly, when I followed the same procedure on the other blog, I got the “too many redirects” error. This one is just a portfolio site, so I’m not as concerned about it at the moment, but I’ll do some searching for that error later and see if I can fix it. For now, I’ve disabled “Always use HTTPS” for that one. If you have any suggestions, let me know!

As for Full (strict), I don’t think I have that option as the cert on the Wordpress.com site is essentially *.wordpress.com, and I don’t think I have any way to change that.

Was this one set to ‘Flexible’ instead of ‘Full’ by any chance? This is the most common cause.

Fair enough, Full is still far better than Flexible :slightly_smiling_face:

Was this one set to ‘Flexible’ instead of ‘Full’ by any chance? This is the most common cause.

It was not. I’m going to keep poking at it this week. Thanks for your help!