WordPress with HTTPS on Dreamhost and CloudFlare
3 min read

WordPress with HTTPS on Dreamhost and CloudFlare

WordPress with HTTPS on Dreamhost and CloudFlare

Today I've got my blog work over HTTPS, including admin. Woo-hoo! Below are the steps I used to do it.

Prerequisites

My configuration is as follows:

  • Hosting on Dreamhost.com
  • Use CloudFlare free account
  • Wordpress 4.7.1 at the time of writing

Initialisation

From the Dreamhost Panel, select Domains > Secure Hosting:

Secure hosting

You'll be presented with a panel to select the type of certificate. I chose to use Let's Encrypt because it's free:

Details

Once you select Let's Enctypt SSL, you'll have to select the domain, accept the T&C and click Add Now:

Let's encrypt

In the Domains > Manage Domains section of the panel, your domain will have "https On" and "Certificate active":

Certificate

Now you'll have to wait for your confirmation that HTTPS has been activated.

Tweaking Wordpress

I've looked for several options in making Wordpress available via SSL. Some suggested changing the WP_HOME and SITE_URL (hard-coding in wp-config.php) to have the https prefix. Others suggested changing the options (which are stored in the DB):

update_option( 'siteurl', 'http://example.com' );
update_option( 'home', 'http://example.com' );

I tried both but I got HTTP 302 (which was probably the fault of my initial CloudFlare config...).

The solution that worked for me had 2 parts:

  1. Add define('FORCE_SSL_ADMIN', true) to wp-config.php

  2. prepend .htaccess with:

    <IfModule mod_rewrite.c>
     # Redirect all insecure requests
     RewriteCond %{HTTPS} !=on
     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
     </IfModule>
    

This will force redirect to HTTPS

If you don't have CloudFlare, this is the end.

CloudFlare

To set up your CloudFlare for HTTPS, you'll need to enter the Crypto tab for your site (red mark below):

Cloudflare

IMPORTANT: Make sure you have a FULL SSL communication. This will make sure the communication between CloudFlare and Dreamhost is also secure. Otherwise, you'll get the 302 I mentioned above.

Once you have the Edge certificate enabled, you should be good to go.

Note: You should be able to us the automatic HTTPS rewrites on the CloudFlare side (to avoid changing the .htaccess file on your host). It's located at the bottom of the Crypto tab:

Automatic rewrites

I personally haven't tried it.

Credits

To get through this, I've got inspiration from the following sources:

HTH,