Going Secure via Cloudflare (and a Warning)

Forced to be Secure by Google

The more observant amongst you may have noticed that the site is now “secure”. Quite why a blog needs to be so I am not sure but Google is starting to insist on such things so I am in the process of converting all my sites to load via https.

To be honest it has been a bit of a trial, partly because this site runs on a WordPress multi-site installation and that has thrown up a few peculiarities. Anyway, the change from Google has forced me to look at all my sites and try and get them “secure”.

SSL with Cloudflare

I’ve chosen to do this via the Cloudflare service because this is reasonably frictionless although, as you will see, it does require you to do a database update… Setting Cloudflare is simple enough – go to the right domain, select Crypto from the menu, make sure you have a SSL cert setup and then select “Always use HTTPS”. Click on the image below to see all the settings for this domain:

Cloudflare SSL settings

However, that, for me, wasn’t sufficient as I started to get a “mixed content” message and Google still was showing the site as insecure. Mixed content means that some resources, usually images, are still being loaded over a non-secure link (i.e. http). Now there is a setting in Cloudflare called “Automatic HTTPS Rewrites” which should resolve these issues but in my experience this hasn’t worked and has caused multiple redirect issues. Of course, your mileage may vary, so give it a go and see but don’t be surprised …

Updating the Database

If you find that the automatic rewrites aren’t working for you then you are going to have to roll your sleeves up and update the database. I cannot stress this enough but make sure you BACK UP THE DATABASE before starting this. I made a couple of mistakes and was glad that I had the database to roll back to.

So the command that you need to run is the following. You will need to remember to change the “x” in “wp_x_posts” to the correct site instance and the from and to website address:

UPDATE wp_x_posts SET `post_content` = REPLACE (`post_content`, 'http://www.yourblog.com/', 'https://www.yourblog.com/');

And that should be sufficient to get you up and running on SSL.

And a Warning

The issue with Cloudflare is that, of course, it could go bust or their business model may change and what is currently generously provided for free may not in the future. So you are placing your faith in them being around for the duration but if anything changes I’ll be in the same boat!