Securing my witterings: Cloudflare Universal SSL and WordPress
Ok, a bit unfair – my mind has clearly been infected by skimming one too many clickbait headlines: I am sorry.
I use CloudFlare for most of my non-temporary sites so I can skimp on hosting. I’m pretty sure that’s not the tagline they push, but it works well and gets rid of those annoying image loading lags for the most part with very little effort from me.
I’d been ignoring the Universal SSL stuff as I just don’t have the need for their commercial CDN, but that’s changed with the recent move to enable it for all customers, although just visiting https://minimal.cx/ was a mixed bag: yes, my site was served with zero SSL config on my part (and with zero webserver config), but the style sheets had gone, along with all the images.
Changing the site URI in the config of WP just gives an infinite redirect loop – the issue is not that setting but the fact that the site itself thinks it’s insecure and so all constructed links point to the insecure data. It’s the browser which refuses to accept the mixed-security assets (generally a good thing), but like XSS protection, a PITA when you’re testing.
Simple solution: download the SSL Insecure Content Fixer plugin and use the Test is_ssl() option. For me, the solution was to add a single if statement into wp-config.php which allows the plugin to know that my proxy was handling the SSL for me, and so all constructed links should be https:// prefixed. The site is now available via both methods, but once the check is in place it’s also safe to change the site config within WP, meaning that redirects kick in when accessing in plain text.
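The post does not show the if statement itself. As an added example (not the author's code and not the plugin's), this is one form such a check can take in wp-config.php, assuming the proxy sends an X-Forwarded-Proto header and connects to the origin over IPv4; the CIDR ranges are placeholders and example_ip_in_cidr is a hypothetical helper. It only honours the header when the connection really comes from the proxy, since a client reaching the origin directly could set that header itself.

```php
<?php
// Added example for wp-config.php: place it above the line that loads
// wp-settings.php so it runs before WordPress builds any URLs.

// Placeholder ranges (RFC 5737 documentation blocks). Replace them with the
// address ranges your proxy provider publishes for its edge servers.
$example_trusted_proxies = array('203.0.113.0/24', '198.51.100.0/24');

// Hypothetical helper: true when IPv4 address $ip lies inside CIDR block $cidr.
function example_ip_in_cidr($ip, $cidr) {
    $parts = explode('/', $cidr);
    if (count($parts) !== 2) {
        return false;
    }
    $ip_long     = ip2long($ip);
    $subnet_long = ip2long($parts[0]);
    $bits        = (int) $parts[1];
    if ($ip_long === false || $subnet_long === false || $bits < 0 || $bits > 32) {
        return false; // malformed input, or not an IPv4 address
    }
    $mask = -1 << (32 - $bits); // high $bits bits set, host bits cleared
    return ($ip_long & $mask) === ($subnet_long & $mask);
}

// Is the TCP peer one of the trusted proxy addresses?
$example_remote     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$example_from_proxy = false;
foreach ($example_trusted_proxies as $example_cidr) {
    if (example_ip_in_cidr($example_remote, $example_cidr)) {
        $example_from_proxy = true;
        break;
    }
}

// Assumption: the proxy reports the visitor's scheme in X-Forwarded-Proto.
// Trust it only for requests that arrived via the proxy; requests from any
// other address keep whatever scheme the web server itself observed.
if ($example_from_proxy
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on'; // WordPress is_ssl() reads this value
}
```

With this in place the plugin's Test is_ssl() option should report HTTPS for requests that arrive through the proxy and plain HTTP for anything that reaches the origin directly.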
So I’ve done that: no idea if it’ll be a full-time change, but it’s possibly the first crypto-related change I’ve ever done online that hasn’t left me just wanting to give up and stick with plain-text wire-auth…