How to Add Free HTTPS SSL/TLS Protocol for your Website

Hyper Transfer Protocol Secure (HTTPS) adds a layer of security to your website. SSL/TLS (Secured Socket Layer or Transport Layer Security) uses cryptography when a user tries to communicate with a server. This layer of encryption secures the data communication and is actually useful for protecting sensitive information.

This Google Webmaster Central post highlights the importance of security in websites. They want to make sure that the websites people access via Google are safe and for that safety HTTPS is encouraged. It has impact on search engine rankings. Only 1% of the global queries are affected. This number might grow and so, it is necessary to adapt to HTTPS instead of HTTP if possible.

It is definitely possible as CloudFlare provides “Flexible SSL” security protocol for free. The option is also available for users who use their free plan. If you don’t know what Cloudflare is — it is a Content Delivery Network (CDN) which enables your content to load quickly. You can easily make the switch to this CDN in a few steps where you sign up, configure your account and change your domain’s DNS.

First you have to use CloudFlare CDN

Here are the steps:

• Sign up with CloudFlare and add a website to begin.
• Your DNS records are scanned automatically.
• Verify your DNS records. CloudFlare’s automatic scanning gets all the details.
  
• Hit “I’ve added all the missing records, continue”.
• Choose a plan: Free Plan is awesome.
  
• Change the default options for performance, security and others only if you know what you are doing. Hit Continue.
• In your domain registrar’s website, change your domain’s name severs to darwin.ns.cloudflare.com and nelly.ns.cloudflare.com.
• Back in CloudFlare, hit “I’ve updated my name severs, continue” button.

Notes:

• Up to 24 hours is required to update the name server.
• Flexible SSL CloudFlare SSL encryption takes time. Let it authorize and wait a day.
• It doesn’t seem to work with sub-domains.

After everything is set up, you can access your website using https://www.example.com instead of http://www.example.com. You still will have to edit your links in articles and other content manually to make sure that you link to https:// content instead of just http://. All the embedded content in your pages like your images and JavaScript should also begin with https://. If you have placed external content like Facebook like boxes, those should use the https:// version as well. Viewing the entire source of your pages help to detect such non-https content.

Otherwise, you can get a browser message that says:

Your connection to www.example.com is encrypted with 128-bit encryption. However, this page includes other resources, which are not secure.

You can also redirect your http:// page to https:// using .htaccess on an apache server. Try this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


For WordPress Blogs and Websites

If your website or blog uses WordPress as a content management system, you can easily switch to HTTPS. Just follow the above mentioned steps for using CloudFlare CDN.

Then, make these changes for your WordPress blog:

• In WordPress admin, visit Settings > General.
• Use the https:// protocol for your WordPress Address(URL) and Site Address (URL).
  

You have configured it correctly, but sometimes you get the following error:

This webpage has a redirect loop

To get rid of the redirect loop error:

Install CloudFlare Plugin: Install this unofficial plugin which will prevent infinite redirect loops.

Disable your Caching Plugins: If you use WordPress caching plugins like W3 Total Cache or WP Super Cache, those need to be disabled. Sometimes removing them and installing them back helps.

Edit your .htaccess: Remove the codes that your caching plugins add to your .htaccess file. You should do this if you use WP Super Cache and you have configured it to use the .htaccess method to redirect. I chose to remove this plugin along with the .htaccess codes because if you use CloudFlare, it handles your web page caching.

Note:
After you get the redirect error, you will have to access your website using HTTP if WordPress automatically forwards you to the HTTPS version. You might even have to switch your default settings to point your WordPress and Site Address URL to http from your MySQL databases. Use this option only if you are not able to access the admin area.