Hi there - I am working with a site which uses the Cloudflare pro plan with a dediciate SSL from Cloudflare.
The site has been using Cloudflare for over a year. The site uses Wordpress and Woocommerce.
Within the Wordpress admin area, all settings are using http. For example,
*Go to Woo, Status and System status. Neither the home or site URLs indicate https
*Same section, scroll down to security, Secure connection (HTTPS): indicates not using https
*Under Woo, Settings, Advanced, force secure checkout is checked
*Go the Wordpress admin, neither the wordpress url or site url are set to https. Both use http.
I wanted to determine how the site was achieving https, and figured it out by visiting the SSL/TLS settings. Under this section the settings match what is listed within this article
Now for my question, if a website just uses the above configuration, does that mean traffic is encrypted from the user, to Cloudflare and to the server? Or is it just encrypted from the user to Cloudflare?
Doesn’t best practice indicate that the resources at the website level be https rather than http. For example in this case,
*Go to Woo, Status and System status. Neither the home or site URLs would use https and not http
*Same section, scroll down to security, Secure connection (HTTPS): This would indicate https was being used
*Under Woo, Settings, Advanced, force secure checkout would not be checked
*Go the Wordpress admin, both the wordpress url or site url would use https and not http