Skip to content

Instantly share code, notes, and snippets.

@currentcreative

currentcreative/SSL-for-WP-with-Cloudflare.md

Created July 4, 2025 18:35
Show Gist options
  • Save currentcreative/29a88809d8302490911f998898399c20 to your computer and use it in GitHub Desktop.
Save currentcreative/29a88809d8302490911f998898399c20 to your computer and use it in GitHub Desktop.
Download ZIP
SSL - for .httaccess and wp-config for WordPress WITH Cloudflare
Raw
SSL-for-WP-with-Cloudflare.md

If you ARE using Cloudflare and having SSL problems, these are the best solutions:

• If you are NOT using Cloudflare and having SSL problems, see other Gist named: "SSL - for .httaccess and wp-config for WordPress WITHOUT Cloudflare"

• Do not use a plugin like ReallySimpleSSL in combination with these. It might give conflicting advice that causes problems.

MENU:

  1. For .httaccess file
  2. For wp-config file
  3. What to do on the CloudFlare website
  4. Optional (BAD CHOICE) to not use CloudFlare for SSL

1. Leave the default htaccess file alone. If you're still having problems after doing everything else, you can copy this example and make sure it looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

<IfModule mime_module>
AddHandler application/x-httpd-ea-php82___lsphp .php .php8 .phtml
</IfModule>

2. Just add this to your wp-config.php near the top to detect HTTPS from Cloudflare::

// Fix HTTPS detection behind Cloudflare
if (
  isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
  $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https'
) {
  $_SERVER['HTTPS'] = 'on';
}

3. What to do on the CloudFlare website:

Use Cloudflare to force HTTPS (preferred)

Do not rely on .htaccess to force HTTPS when using Cloudflare.

Instead:

• Go to your Cloudflare dashboard

• Select your site

• Navigate to SSL/TLS → Edge Certificates

• Turn on: “Always Use HTTPS”

This ensures:

• All HTTP requests get redirected to HTTPS at the edge, before they ever reach Hostgator.

• You avoid any ERR_TOO_MANY_REDIRECTS due to mismatched redirect logic.

• It’s faster and cleaner than having Apache handle it.

Set Cloudflare SSL mode to “Full” or “Full (Strict)”

• Go to SSL/TLS → Overview

• Set to:

Full (Strict) if you have a valid SSL cert on Hostgator (recommended)

Full if you're using a self-signed cert on Hostgator

Never use “Flexible” — it will break WordPress HTTPS detection and create redirect loops

4. Optional BAD CHOICE to not use Cloudflare for SSL:

Why this doesn't make sense: if you're already using Cloudflare to serve your images and site faster, you should just use it to serve your SSL faster and cleaner, too.

• But, if for some reason you're running into problems you can't seem to fix, then this is the optional .htaccess file you can use even if your site:

AGAIN: THIS IS NOT RECOMMENDED. ONLY DO THIS IF YOU ARE NOT USING CLOUDFLARE FOR SSL LIKE OUTLINED IN STEP 3

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Only redirect if not already HTTPS (including behind Cloudflare)
  RewriteCond %{HTTPS} off [OR]
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment