Website DIY - tricks and solutions

Cloudflare, WordPress & flexible SSL: a fix to enable login as HTTPS

You’re using Cloudflare with flexible SSL and your visitors can view your site “securely”. However, for some reason (and you’ve tried “everything”, including CF plugins) you are still unable to log in to WordPress and WP Admin using HTTPS.

Hopefully the solution below will work for you.

Warning – solutions to avoid:

The claimed solutions I Googled (for “HTTPS login”, “infinite loop”, “too many redirects” or “page not found”) simply redirect your browser to an insecure HTTP login page. That is, they add code to do what you can already do yourself: enter an “http://” address for “wp-login” in your browser. Your login credentials are just as insecure either way.

The solution that worked for me:

Edit: I’ve added some comments at the bottom of this page about a WordPress Plugin that might also provide a solution.

A single-line edit of “wp-config.php” to insert the following code:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && stripos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) $_SERVER['HTTPS'] = 'on';

I added it just below the “define” statements at the top of wp-config.php. (Caveat: I make no guarantee that it won’t break your site.)

I tried various Cloudflare and CF plugin settings, but doing the above was the only solution that worked for me (add a comment to let me & others know whether or not it worked for you).
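
Added example (not part of the original post or the WordPress Codex): the one-line check above trusts X-Forwarded-Proto from whoever connects to the server, so this variant honours the header only when the request arrives from a listed proxy range and matches “https” as a whole token. The helper names and the proxy ranges are assumptions; the ranges shown are documentation placeholders to be replaced with the addresses Cloudflare publishes.

```php
<?php
// Added example, not the post author's or WordPress's own code.
// Placeholder proxy ranges (RFC 5737 documentation addresses): replace them
// with the IPv4 ranges Cloudflare publishes for its edge servers.
$trusted_proxies = array('192.0.2.0/24', '198.51.100.0/24');

// Hypothetical helper: true if IPv4 address $ip lies inside CIDR block $cidr.
function example_ipv4_in_cidr($ip, $cidr) {
    list($net, $bits) = explode('/', $cidr);
    $ip_long  = ip2long($ip);
    $net_long = ip2long($net);
    if ($ip_long === false || $net_long === false) {
        return false; // not IPv4 or malformed: do not trust
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_long & $mask) === ($net_long & $mask);
}

// Hypothetical helper: did the visitor-to-proxy leg use HTTPS?
function example_forwarded_https($server, $trusted_proxies) {
    if (empty($server['HTTP_X_FORWARDED_PROTO']) || empty($server['REMOTE_ADDR'])) {
        return false; // header or peer address absent (e.g. command-line run)
    }
    $from_proxy = false;
    foreach ($trusted_proxies as $cidr) {
        if (example_ipv4_in_cidr($server['REMOTE_ADDR'], $cidr)) {
            $from_proxy = true;
            break;
        }
    }
    if (!$from_proxy) {
        return false; // header was sent by an unlisted peer: ignore it
    }
    // Some proxies send a comma-separated list such as "http,https".
    $protos = array_map('trim', explode(',', strtolower($server['HTTP_X_FORWARDED_PROTO'])));
    return in_array('https', $protos, true);
}

if (example_forwarded_https($_SERVER, $trusted_proxies)) {
    $_SERVER['HTTPS'] = 'on';
}
```

The helper is IPv4-only, so a request that reaches the server over IPv6 never has its header honoured.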

N.B. flexible SSL is not “full” SSL. Under HTTPS your login credentials will be encrypted between you and Cloudflare and so more secure. But if you are a user of their free service then the connection between Cloudflare and your server is probably HTTP and still open to potential eavesdropping.

If you have a decent host it is also possible to make the Cloudflare<->Server leg secure at no cost. I’ll add an article about that, once I’ve confirmed the details.

Tip: If your site also has mixed content issues then these can probably be solved by installing the official Cloudflare plugin and switching its “Automatic HTTPS Rewrites” setting to “On”.

How did I find the solution?

By chance when researching another project.

It is in the WordPress Codex and is part of suggested code to avoid redirect loops when forcing SSL login!

When only able to log in under HTTP, the last place most of us would have looked for a solution would have been an article on how to block HTTP login (and lock ourselves out)!

A possible plugin solution

If you have edited WordPress/Theme files before then the above solution is probably better – it uses minimal resources and is not dependent on continued support and maintenance by a plugin author. If you are unhappy DIYing (mistakes could break your site) then:

The Really Simple SSL plugin’s description indicates it might solve your login problem. I’ve not tried it, but you can ask the question on the plugin’s support forum. Note: most reviews are positive, but a small proportion of reviewers claim the plugin broke their websites.

If the plugin does solve your issues, then please let other readers know via comments below.


  1. Harish

    Hello mate and about Force SSL plugin?? https://wordpress.org/plugins/force-https-littlebizzy/

    • AW

      Thanks for this Harish. Its documentation states it works with Cloudflare and is worth people trying. I’ve not had time to test or delve through its code so I can’t yet confirm it provides a working “HTTPS” login and solution of the above problem for everyone.

  2. LJ

    Thanks for the code it worked for me!

  3. mehmetnadir

    I’m just writing to thank you. I’m grateful for the code you’ve added to wp-config.php.

  4. Manuel

    Thanks, it took me hours to resolve this.


Copyright © 2017-2024 Webstuff.Inblighty.Com