Redirect loops with SSL, WordPress and CloudFlare

You’ve set up CloudFlare to cover your website with SSL. Good for you, konklone would be proud.

You’ve waited patiently for their Universal SSL service to pick up your domains, and you’re refreshing every five minutes until you see something like this:

Screenshot 2014-10-10 19.18.05

Fury. You forgot that your WordPress install doesn’t know that you’re behind and SSL proxy, so all your unencrypted links are broken.

You have two options:

  1. Add an SSL certificate to your site.
    Now, you’re not going to do that, because you’re lazy and that’s why you’re using CloudFlare.

  2. Convince WordPress to that it’s under SSL when it’s not.
    That’s a little trickier. First, change your Site URL and Home address to point to https://yoursite instead of http://yoursite. You can either do that through the Settings page, or in the database like a baller. If you’re using Multi-site, you have to do it in the database. Once that works, it will force WordPress to spit out https URLs, just like you like them.
    Once you’ve changed the URLs to https, you’ll find yourself in a redirect loop. It’s unpleasant.
    To fix that, add this line to wp-config.php before the require_once(ABSPATH . 'wp-settings.php') line:

      define('FORCE_SSL_ADMIN', true);                                                                              
      // Amazon AWS Elastic Load Balancer, CloudFlare, and some others                                              
      if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {              
      else {
        $_SERVER['HTTPS'] = false;
      define('WP_SITE_URI', ($_SERVER["HTTPS"]?"https://":"http://").$_SERVER["HTTP_HOST"]);                        
      define('WP_SITEURI', ($_SERVER["HTTPS"]?"https://":"http://").$_SERVER["HTTP_HOST"]);                         
      define("WP_CONTENT_URL", WP_SITE_URI . "/wp-content");                                                        

    ..and add these after the require_once(ABSPATH . 'wp-settings.php') line:

      wp_cache_set("siteurl_secure", "https://" . $_SERVER["SERVER_NAME"], "options");                              
      wp_cache_set("home", WP_SITE_URI, "options");                                                                 
      wp_cache_set("siteurl", WP_SITE_URI, "options"); 

    That will tell WordPress to pretend that it’s using SSL when it’s behind the CloudFlare servers. I won’t tell anyone if you won’t.

2 thoughts on “Redirect loops with SSL, WordPress and CloudFlare

  1. Thanks for this, works very well. However I’m having issues with my 2nd wordpress blog hosted in a subdirectory. Does this only work on the root of a website perhaps?


    1. Yes, it just works for the root of the site as written.

      If you want to make it work for a blog in a particular subdirectory, you could to change the WP_SITE_URL definition to point to that subdirectory. So something like:

       define('WP_SITE_URI', ($_SERVER["HTTPS"]?"https://":"http://").$_SERVER["HTTP_HOST"]."/mysubdir");

      You can even make it conditional on a particular hostname:

       if ($_SERVER["HTTP_HOST"] == '')
            define('WP_SITE_URI', ($_SERVER["HTTPS"]?"https://":"http://").$_SERVER["HTTP_HOST"]."/mysubdir");


Comments are closed.