Cloudflare just rolled out their Universal SSL enabling pretty much any site to use SSL without any associated costs – which is pretty awesome…
But when using it on one of my test-sites, it turned out the site looks pretty much broken. Apparently WordPress doesn’t yet use protocol relative URLs, so CSS, JS etc. may still have a http:// prefix, causing some browsers not to load that content over an insecure channel. Furthermore, trying to access the WordPress dashboard results in an infinite loop, since the request from Cloudflare to your server is still HTTP and handled accordingly by WordPress.
The quick way to fix this is to simply add a few lines to woud wp-config.php
define('FORCE_SSL_ADMIN', true); define('FORCE_SSL_LOGIN', true); if(isset($_SERVER['HTTP_CF_VISITOR']) && strpos($_SERVER['HTTP_CF_VISITOR'], 'https')) $_SERVER['HTTPS']='on';
And maybe install some kind of HTTPS plugin to get rid of the mixed-content warnings due to residual http:// content from other plugins.