How to Configure WordPress with Cloudflare, HSTS, TLS, and Secure Headers

I was recently asked to look into creating some secure HTTP headers as well as forcing a website to load over TLS 1.2+. Below are my “how to” instructions for updating these settings within WordPress and Cloudflare.

  1. Install and configure the Cloudflare WordPress plugin.
  2. Make sure an SSL certificate is installed on your host for your domain (I use Let's Encrypt, but you can use any SSL provider).

How to Set up Cloudflare SSL for WordPress

Under SSL/TLS->Overview, select “Full (strict)” and make sure to click “Enable Universal SSL”.


Under SSL/TLS->Edge Certificate, choose the following options:


Click “Change HSTS Settings” or “Enable HSTS” and select the following options:


How to Configure HTTP Security Headers in WordPress

  1. Install the Redirection WordPress plugin and add the Security and CORS presets via the “Site” menu option in that plugin:

Also, make sure to change x-frame-options to “sameorigin” to make sure Gravity Forms (and other plugins?) work properly:

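To confirm the settings above took effect, the following added example (not part of the original post) audits a response's headers for the two values this page configures: HSTS and an X-Frame-Options of sameorigin. The sample responses are constructed, and the 180-day minimum max-age is an assumed threshold, not a value from this page.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # assumed threshold (180 days); not from the page

def parse_headers(raw):
    """Map lower-cased header names to the list of values sent (duplicates kept)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', value, re.I)
    return int(m.group(1)) if m else None

def audit(raw, min_age=MIN_HSTS_MAX_AGE):
    """Return a list of findings; an empty list means both headers look right."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        if len(hsts) > 1:  # browsers process only the first (RFC 6797, 8.1)
            findings.append("HSTS: sent more than once, only the first is used")
        age = hsts_max_age(hsts[0])
        if age is None or age < min_age:
            findings.append(f"HSTS: max-age {age} is below {min_age}")
    xfo = [v.lower() for v in h.get("x-frame-options", [])]
    if not xfo:
        findings.append("X-Frame-Options: header missing")
    elif xfo != ["sameorigin"]:
        findings.append(f"X-Frame-Options: expected sameorigin, got {', '.join(xfo)}")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
"""
BAD = """HTTP/2 200
Strict-Transport-Security: max-age=0
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
"""

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "ok", "\nBAD:", audit(BAD))
```

To audit a live site, pass in the output of `curl -sI https://your-domain` (placeholder domain) instead of the samples.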
