I was recently asked to look into adding HTTP security headers and forcing a website to load over TLS 1.2 or newer. Below are my “how to” instructions for updating these settings in WordPress and Cloudflare.
- Install and configure the Cloudflare WordPress plugin.
- Make sure a valid TLS certificate for your domain is installed on the origin host (I use Let's Encrypt, but you can use any CA). The “Full (strict)” mode selected below validates that certificate, so the origin must present one that is trusted and matches the hostname.
How to Set up Cloudflare SSL for WordPress
Under SSL/TLS -> Overview, select “Full (strict)” and make sure Universal SSL is enabled. Full (strict) is the only mode that both encrypts the Cloudflare-to-origin leg and validates the origin certificate: “Flexible” leaves that leg in plaintext, and “Full” accepts any certificate, self-signed included, so neither gives you end-to-end TLS.
Under SSL/TLS -> Edge Certificates, set the options that enforce the goal above: “Minimum TLS Version” to 1.2, so that TLS 1.0 and 1.1 clients are refused at the edge, and “Always Use HTTPS”, so that plain-HTTP requests are redirected to HTTPS before they reach the origin.
Click “Change HSTS Settings” (or “Enable HSTS”), acknowledge the warning, and set the options. Two caveats before you do: the subdomains option (includeSubDomains) applies the policy to every subdomain, so any subdomain not served over HTTPS, including DNS-only records that bypass Cloudflare, will stop working; and a long max-age or the preload flag cannot be undone quickly, because browsers keep the policy until it expires and the preload list ships with browser releases. Start with a short max-age, confirm nothing breaks, then raise it.
How to Configure http Security Headers in WordPress
- Install the Redirection WordPress plugin and add the “Security” and “CORS” presets from the “Site” menu of that plugin. These headers are emitted by PHP, so they apply to WordPress-rendered responses; files the web server serves directly do not pass through them. Keep the CORS headers only if some cross-origin client actually needs them, since they widen access rather than restrict it.
Also change X-Frame-Options to SAMEORIGIN so that Gravity Forms (and possibly other plugins) keeps working: SAMEORIGIN still blocks other sites from framing your pages, which is the clickjacking protection you want, but unlike DENY it allows your own site to frame itself, which Gravity Forms needs.
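To verify the result of both procedures above (the Cloudflare TLS settings and the Redirection headers) rather than trusting the dashboards, here is an added audit script. It is not code from this post, from Cloudflare or from the Redirection plugin; it assumes Python 3.7 or newer, the header samples in it are constructed, HSTS_MIN_AGE is an assumed policy threshold, and the file name audit.py in the usage comment is hypothetical.

```python
"""Audit the result of the steps above: Cloudflare's minimum TLS version and
the security headers sent by the origin. Added example for this post, not code
from the page, Cloudflare or the Redirection plugin. audit_headers() runs
offline on a raw response-header block (the samples are constructed);
probe_min_tls() is the live check and needs network access."""
import re
import socket
import ssl
from typing import Dict, List, Optional

HSTS_MIN_AGE = 31536000  # one year; an assumed policy threshold


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Status line plus 'Name: value' lines -> {name.lower(): [values]}.
    Repeats are kept on purpose: one header sent by both origin and plugin
    is a misconfiguration, and browsers ignore conflicting copies."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    headers: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> Dict[str, str]:
    """Return {header: 'ok' or a problem description} for each checked header."""
    hdrs = parse_headers(raw)
    findings: Dict[str, str] = {}

    def single(name: str) -> Optional[str]:
        values = hdrs.get(name, [])
        if len(values) == 1:
            return values[0]
        findings[name] = ("missing" if not values else
                          f"sent {len(values)} times; browsers ignore conflicting copies")
        return None

    sts = single("strict-transport-security")
    if sts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.I)
        age = int(m.group(1)) if m else 0
        findings["strict-transport-security"] = (
            "ok" if age >= HSTS_MIN_AGE else f"max-age {age} is below {HSTS_MIN_AGE}")

    xfo = single("x-frame-options")
    if xfo is not None:
        # SAMEORIGIN keeps same-origin iframes working (the Gravity Forms case);
        # DENY is stricter; ALLOW-FROM is obsolete and ignored by browsers.
        findings["x-frame-options"] = (
            "ok" if xfo.upper() in ("SAMEORIGIN", "DENY") else f"unsupported value {xfo!r}")

    xcto = single("x-content-type-options")
    if xcto is not None:
        findings["x-content-type-options"] = (
            "ok" if xcto.lower() == "nosniff" else f"expected nosniff, got {xcto!r}")

    if single("content-security-policy") is not None:
        findings["content-security-policy"] = "ok"  # presence only; review the policy separately
    return findings


def all_ok(raw: str) -> bool:
    return all(v == "ok" for v in audit_headers(raw).values())


def probe_min_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check for Minimum TLS Version = 1.2: offer at most TLS 1.1 and
    expect the edge to refuse; True means refused. Caveat: a local OpenSSL
    whose security level forbids TLS 1.1 fails the same way, so confirm a
    surprising result with `openssl s_client -connect HOST:443 -tls1_1`."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() not in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, ValueError):
        return True


# Constructed samples: a bare WordPress response and one after the steps above.
SAMPLE_BEFORE = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Powered-By: PHP/8.1\n"
SAMPLE_AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # curl -sI https://example.com | python3 audit.py example.com
        print(audit_headers(sys.stdin.read()))
        print("TLS 1.0/1.1 refused at the edge:", probe_min_tls(sys.argv[1]))
    else:
        for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(label, audit_headers(sample))
```

Run it with no arguments to see the constructed before/after samples, or pipe real headers in with `curl -sI https://example.com | python3 audit.py example.com`, which also runs the TLS probe. Check a static asset URL as well as a page: the Redirection headers come from PHP, so files the web server serves directly will not carry them, whereas the HSTS header from Cloudflare is added at the edge.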
Further Reading:
- TLS In WordPress by WP Speed Matters
- WP Beginner article about TLS and Secure Headers