How to Get Free SSL and HTTPS on Your WordPress Site

Ever saw this little lock next to a website URL? Securing your website via SSL and offering an HTTPS version of your site by default is a mark of safety for your visitors, especially if you are selling something to them. Some WordPress plugins, like Gumroad, require that your website uses SSL. It’s even said that in the future Google wants to start penalising websites that are not secured with a SLL certificate.

That’s all good reasons to use SSL & HTTPS on your WordPress site. However, it can still be really difficult and costly to use SSL on your website. Usually, you would need to buy a SSL certificate, and install it on your site. My host, Siteground, asked me for about $40 a year for one certificate. That’s not too much compared to other hosts, but that’s just for a single website! In this article, I will show you that there is another way, which is not only easier to configure, but is also completely free!

Setting Up CloudFlare

The whole method is based on CloudFlare, which is a service to speed up & protect your websites by putting them behind their own cloud. If you website is already behind CloudFlare, you can skip this section. Otherwise, create an account at:


You will be taken to the CloudFlare registration page:

Screen Shot 2015-12-13 at 11.10.41

You can now click on Add site:

Screen Shot 2015-12-13 at 11.12.56

As an example, I will take a website of mine that I put behind CloudFlare, Dividend Academy. First, add the URL on CloudFlare, and start the scan:

Screen Shot 2015-12-14 at 19.14.48

This will take 2-3 minutes, depending on your hosting provider. Then, the following screen will appear:

Screen Shot 2015-12-14 at 19.15.57

Just confirm and move to the next screen. You will be asked to choose a plan. There are paid plans, but simply choose the free one:

Screen Shot 2015-12-14 at 19.16.18

After that, CloudFlare will tell you to modify the DNS records of your domain name:

Screen Shot 2015-12-14 at 19.16.26

This is really easy to do. You need to now login at the provider of your domain name, where the DNS records are set. For me, it was on GoDaddy for this particular domain name. There, you will find the DNS records next to the domain name:

Screen Shot 2015-12-14 at 19.17.24

After that, modify them so they match the CloudFlare’s nameservers your were given earlier:

Screen Shot 2015-12-14 at 19.18.01

Finally, go back to CloudFlare. CloudFlare is now waiting for the change in the DNS records:

Screen Shot 2015-12-14 at 19.18.14

This can take a while, up to 24 hours in theory. However, I found out that in general it’s now done in less than 10 minutes.

Setting Up WordPress

In the meantime, we are going to configure WordPress. You need to login on your WordPress site, and look for the WordPress HTTPS (SSL) plugin, that you need to install:

Screen Shot 2015-12-14 at 19.19.31

Activate the plugin, and go back to CloudFlare.


Activating Redirection to HTTPS

After a while, your CloudFlare redirection should be active:

Screen Shot 2015-12-14 at 19.21.51

From now on, your website is using SSL. However, you still need to ‘force’ your visitors to use the HTTPS website by default. You can now access several parameters for your domain name. Click on Pages Rules on the top menu:

Screen Shot 2015-12-14 at 19.23.37

You can add several rules using this page, which is what we will use to force our site to use HTTPS by default now. Type the URL of your site, without the www, in a new rule. Also click on Always use https:

Screen Shot 2015-12-14 at 19.23.50

Add the rule, and create a new one with the same parameters, this time with the www:

Screen Shot 2015-12-14 at 19.24.00

You should see your two newly created rules now inside your CloudFlare account:

Screen Shot 2015-12-14 at 19.24.06

Finally, wait a while, or clear the cookies in your browser (otherwise your browser will still access the non-HTTPS version). Then, visit your website again. It should now be protected by SSL, showed by the little lock near the URL:

Screen Shot 2015-12-14 at 19.34.05

Now, go back to your WordPress blog, and open the plugin settings. In there, you just need to check the first box, and save the changes:

Screen Shot 2015-12-14 at 19.21.29

You now have a secure website (and a secure admin panel as well) that will not only be more trustworthy for your clients, but also allow you to use plugins like Gumroad to securely sell products on your site. I hope that you enjoyed this tutorial, and feel free to comment below!

Do you want to learn more?
If yes, join more than 1000 people who regularly receive information about running an online business & investing the profits. You will also receive a PDF with my 10 best tools to run an online business. Simply click on the button below!
Get Started!
  • Al McCullough

    Just tried this step by step, now I can’t login to my wp-admin and my site still isn’t “secure” with SSL (and it has propogated to CLoudFlare already).

    • Sorry to hear you’re having issues! It can take some time for the SSL redirection to be active, hopefully it’s working by now 🙂

    • FYI, what I had to do is to disable “Force SSL” then logged in to my Admin panel and Installed the Cloudflare Plug in ( and check where it says Rewrite SSL). Then re enable “force SSL”.

      I also had to create a rule in Cloudflare to EXCLUDE SSL from my WP-Admin page, since the text editor was not loading on the SSL version.

      Final Warning, On the latest wordpress update, for some reason, the images are not working when SSL is enabled ( it seems to me that the SSL Re write in the Cloudflare plug in is broken ). To make the images work I had to go to each image and manually change https instead of http in the HTML code for the image…. Cloudflare says they are working on it, but no ETA yet…

      I hope it works better for you,

      Jairo Levi

      • Thanks for the precisions Jaro! I didn’t have to do all of this for my sites, but good to know there is a solution for people who have issues.

        Also about the images, I actually thought it was coming from my theme. Good to hear CloudFlare is working on it!

        • If you want to manually fix the images, go to the editor, select “text view” and include https instead of http in the “ahref URL” and in “img scr= URL”


          Click on the image below to see it bigger

      • tareq hasan

        Try to add a new rules to avoid ssl on my wp admin page but … i cant .. can you show me the rules …
        I’m use “http://mysites.net/wp-admin/” and all setting are default …

        • Hello,

          Sure, here is a screenshot of my rules. Please remember that the order of the rules is important too, the first rule applies first, then the second, and so on. ( you can drag them and change the order from the 3 little lines at the left )

          Thank you,


          • tareq hasan

            @Jairo Levi thanks for quick reply.. such a nice thing learn from you.. .. i’m face another problem … is it country restricted ?… i am from Bangladesh. cant show https:// from my ip but its show from another ip like usa canada…is it possible to solve the issue

          • Hi Tareq,

            It is not country restricted, what could be happening is propagation issues, sometimes when I mess up with DNS and SSL changes it takes up to 24 hours to propagate globally.

            Funny thing, in my home network the changes take sometimes 24 hours, while in my office network I can see them almost instantly. I am not sure what the difference between those two ISPs is but it takes longer in my home network.

            Thank you,


          • tareq hasan

            Hi Jairo ….

            Sorry to disturb you again … https:// work only on my home page … not wok on inner pages like contact, category and others page….

          • Hi Tareq,

            Double check the rules, note that the rule that says “Always use HTTPS” has an asterisk “*” at the beginning and at the end.

            I think you might be missing that since https is working on your main page.

            Thank you,


          • Atul Sharma

            does it works fine ??

      • Areej Sadiq

        How to disable Force SSL. I cant access wp-login.

        • If you are having problems with SSL you can simply deactivate it from the CloudFlare admin panel.

  • George

    Why is not green and is yellow https?

    • What do you mean exactly? For me in Chrome it’s green everywhere 🙂

      • George

        Look :

        • George

          And device mobile and tablet is yelow

          • Atul Sharma

            issue resolved ?

  • Konstantin Voyt

    How can i remove https? i cant enter to my dashboard panel! Please help!

    • You can simply disable it again in the cloudflare interface. However, I guess you are having a problem because you activated it too fast, you need to wait until the cloudflare redirection is fully active before activate the WordPress HTTPS plugin 🙂

  • Sir89

    Hi Mark,

    Does this tool actually speed up your website?

    • It does! Basically CloudFlare serves a cached version to your visitors, using a server that’s as close as possible to the visitor so it reduces the loading time 🙂

      • Sir89

        That’s sounds good…I’ll gave it a shot…thanks much

  • i cant access my wp-admin dashboard after activating ssl plugin