How to Configure WordPress with Cloudflare, HSTS, TLS, and Secure Headers

I was recently asked to set up secure HTTP headers and to force a website to load only over TLS 1.2+. Below are my "how to" instructions for updating these settings in WordPress and Cloudflare.

  1. Install and configure the Cloudflare WordPress plugin.
  2. Make sure a valid TLS certificate is installed on your host for your domain (I use Let's Encrypt, but any CA works). The "Full (strict)" mode chosen below makes Cloudflare verify the origin's certificate, so a self-signed or expired certificate on the host will break the site (Cloudflare returns error 526).

How to Set up Cloudflare SSL for WordPress

Under SSL/TLS->Overview, select "Full (strict)" and make sure Universal SSL is enabled. Full (strict) encrypts both legs (browser to Cloudflare and Cloudflare to your origin) and verifies the origin certificate; "Flexible" would leave the Cloudflare-to-origin hop in plaintext even though visitors see a padlock.

Screenshot: Under SSL/TLS->Overview, select "Full (strict)"

Under SSL/TLS->Edge Certificates, choose the options shown in the screenshot. To meet the TLS 1.2+ goal from the introduction, set Minimum TLS Version to TLS 1.2 so that TLS 1.0 and 1.1 clients are refused at the edge.

Screenshot: Cloudflare SSL/TLS->Edge Certificates settings for WordPress

Click "Change HSTS Settings" (or "Enable HSTS") and select the options shown in the screenshot. Be careful with HSTS: browsers cache the policy for the full max-age, and the "Include subdomains" and "Preload" options are very hard to undo, so confirm that every host and subdomain already works over HTTPS and start with a short max-age before raising it.

Screenshot: Cloudflare "Change HSTS Settings" dialog

How to Configure HTTP Security Headers in WordPress

  1. Install the Redirection WordPress plugin and add the Security and CORS presets via the "Site" menu option in that plugin:

Screenshot: WordPress Redirection->Site settings, edit or delete security headers

Also, change X-Frame-Options to "sameorigin" so that Gravity Forms (and possibly other plugins) keep working: the "deny" value stops the site from framing its own pages, which Gravity Forms relies on, while "sameorigin" still blocks framing by other origins, so clickjacking protection is kept.

Screenshot: X-Frame-Options set to sameorigin (Gravity Forms fix)
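To verify that the Cloudflare settings and the Redirection presets above actually took effect, here is an added shell script (it is not from the original post, from Cloudflare, or from the Redirection plugin). It audits a block of response headers for HSTS, X-Frame-Options and X-Content-Type-Options, and has a second function that checks the edge refuses TLS 1.0/1.1 while still accepting TLS 1.2. The 15552000-second minimum max-age, the sample header blocks, and the host name www.example.com are assumptions made for the example.

```shell
#!/bin/sh
# Added example; this is not code from the original post or from Cloudflare
# or the Redirection plugin. It audits the response headers a WordPress site
# returns once the Cloudflare HSTS and Redirection header settings are in
# place. Against a live site:
#     curl -sI https://www.example.com/ | audit_headers
#     tls_min_check www.example.com
# The header samples at the bottom are constructed so the audit runs offline.

# Smallest HSTS max-age accepted, in seconds (six months; an assumption of
# this check, not a value taken from the post).
HSTS_MIN_AGE=15552000

# audit_headers: read raw HTTP response headers on stdin, print one PASS/FAIL
# line per check, and return 0 only if every check passed.
audit_headers() {
  # Drop CRs and lower-case everything: header names and the values checked
  # here are case-insensitive.
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  fail=0

  # 1. Strict-Transport-Security present with a large enough max-age.
  age=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
  if [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN_AGE" ]; then
    echo "PASS  hsts max-age=$age"
  else
    echo "FAIL  hsts missing or max-age too small (${age:-none})"; fail=1
  fi

  # 2. X-Frame-Options must be SAMEORIGIN: DENY stops the site framing its
  #    own pages (which Gravity Forms needs), and no header at all leaves the
  #    site frameable by any origin (clickjacking).
  if printf '%s\n' "$hdrs" | grep -q '^x-frame-options: *sameorigin *$'; then
    echo "PASS  x-frame-options sameorigin"
  else
    echo "FAIL  x-frame-options missing or not sameorigin"; fail=1
  fi

  # 3. X-Content-Type-Options: nosniff stops browsers MIME-sniffing responses.
  if printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff *$'; then
    echo "PASS  x-content-type-options nosniff"
  else
    echo "FAIL  x-content-type-options nosniff missing"; fail=1
  fi

  return "$fail"
}

# tls_min_check HOST: confirm the Cloudflare edge refuses TLS 1.0 and 1.1 and
# still accepts TLS 1.2. Needs network access and openssl, so the offline
# samples below do not exercise it. Caveat: an OpenSSL build with TLS 1.0/1.1
# disabled on the client side fails these handshakes locally, which looks like
# a refusal by the server; run it with a build that still offers them.
tls_min_check() {
  host=$1
  for v in tls1 tls1_1; do
    if openssl s_client -connect "$host:443" -servername "$host" "-$v" \
         </dev/null >/dev/null 2>&1; then
      echo "FAIL  $host still accepts $v"; return 1
    fi
  done
  if openssl s_client -connect "$host:443" -servername "$host" -tls1_2 \
       </dev/null >/dev/null 2>&1; then
    echo "PASS  $host requires TLS 1.2 or newer"
  else
    echo "FAIL  $host did not complete a TLS 1.2 handshake"; return 1
  fi
}

# Constructed samples, not captured from any real site.
GOOD_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
server: cloudflare'

# Missing HSTS, and the DENY value that breaks Gravity Forms.
BAD_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: DENY
server: cloudflare'

echo "--- good sample"
printf '%s\n' "$GOOD_HEADERS" | audit_headers
echo "--- bad sample"
printf '%s\n' "$BAD_HEADERS" | audit_headers || :
```

Run it against the live site after changing any Cloudflare or Redirection setting; the audit exits non-zero on the first misconfiguration it finds, which makes it easy to drop into a deploy check.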


Toby Cryns

Toby Cryns is a freelance CTO, expert WordPress consultant, and teacher.

He offers free advice to improve your freelance biz.

He also publishes small droppings every now and then to twitter.com/tobycryns and twitter.com/themightymo

Follow Toby's contributions on GitHub and WP.org.