Cloudflare offers free SSL certificates that you can easily apply to your WordPress website at no cost. In this tutorial, I’ll walk you through integrating Cloudflare SSL with WordPress running on Nginx (as a web server).
What is Cloudflare
Cloudflare is a web infrastructure and security company, more like a toolbox for web developers. It provides many services to make your websites faster, more secure, and more reliable. It sits between your server and your visitors as a reverse proxy, meaning all traffic is handled by Cloudflare before reaching your server.
And because of this, Cloudflare can provide you with many benefits, such as:
- Content Delivery Network (CDN): Stores cached copies of your website on servers around the world, making it load faster for global visitors.
- DDoS Protection: Blocks large-scale attacks that try to overwhelm your website with traffic.
- Web Application Firewall (WAF): Filters out malicious requests before they reach your server.
- Free SSL Certificates: Provides HTTPS encryption at no cost.
- DNS Services: Offers one of the fastest and most reliable DNS networks in the world.
- Performance Optimization: Features like image compression, caching, and smart routing improve speed.
All of the features mentioned above are completely free. Cloudflare also offers paid tiers, but those are designed for advanced and enterprise-level needs. You can explore more about them in the Cloudflare dashboard later.
Benefits of using Cloudflare SSL
- Automatic Renewal: Your SSL certificates are automatically renewed, with no action required on your part.
- Easy-to-Use Dashboard: All settings and options can be managed directly from the Cloudflare dashboard, with documentation available for guidance.
- Multi-Level Protection: Cloudflare offers multiple levels of SSL/TLS protection — from Flexible to Full (Strict) and beyond — making it suitable for a wide range of use cases.
Preparing the SSL certificate
To use Cloudflare SSL, you need to create a Cloudflare account and add your website domain to Cloudflare. Then you can set up the SSL.
1. Adding a domain to Cloudflare
First, you need an account (free). Go to https://dash.cloudflare.com/sign-up and complete the steps to sign up.
After that, log in to your Cloudflare dashboard. On the left sidebar, choose Account Home → On the right, click the Onboard a domain button to begin adding your domain. Follow the steps on the screen to complete the process. Remember to choose the Free plan.
In the last step, you will be prompted to change your domain nameservers to Cloudflare, such as:
holly.ns.cloudflare.com
lamar.ns.cloudflare.com
To change this, log in to your domain registrar, open your domain settings and change its nameservers from there. If you need assistance, you can look for the documentation of your domain registrar or contact their Support for help.
The process of adding a domain to Cloudflare usually takes about 5 minutes (after changing the nameservers), give or take.
2. Setting up Cloudflare SSL
After adding your domain to Cloudflare, proceed to these steps:
- From your Cloudflare dashboard (Account home) → Open your domain.
- On the left sidebar → Click SSL/TLS → Origin Server, click Create Certificate:
- Choose Generate private key and CSR with Cloudflare (default).
- Private key type: RSA 2048.
- In the Certificate Validity dropdown, make sure to select the 15 years (longest) option → Click the Create button.
You will receive two texts: Origin Certificate and Private Key.
Make a copy of them on your computer and don’t share them with anyone, especially the Private Key. In the next step, you’ll need to copy these files to your server.
Setting up the Cloudflare SSL
1. Transfer the SSL certificate to your server
Now that you have your SSL certificate files, it’s time to put them on the server.
Connect to your server via SSH, then type this command to create and open a new file for the Origin Certificate:
sudo nano /etc/ssl/certs/cloudflare.pem
The text editor will show up. Paste the content of the Origin Certificate that you saved earlier into the editor. Then press Ctrl + X, then hit the Y key on your keyboard to close and save the file.
Next, do the same for the Private Key. Type this command in your terminal:
sudo nano /etc/ssl/private/cloudflare.key
Paste the content of the Private Key from earlier, then close and save the file.
Because those two files are sensitive, you need to secure them with ownership and permissions in the Ubuntu environment. Let’s type these commands separately:
sudo chown root:root /etc/ssl/private
sudo chmod 700 /etc/ssl/private
sudo chown root:www-data /etc/ssl/private/cloudflare.key
sudo chmod 440 /etc/ssl/private/cloudflare.key
What it does: secures the directory that contains the Private Key file, and the file itself, by restricting ownership and permissions.
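A pre-flight check you can run once both files are in place, before editing the Nginx config. This is an added example, not part of the original tutorial: the function names check_origin_pair and make_sample_pair are made up for illustration, and the sample pair is a constructed self-signed certificate, not a real Cloudflare one.

```sh
#!/bin/sh
# Added example: verify that a pasted certificate and private key parse,
# belong together, are not expired, and that the key is not world-accessible.
# Prints a single status word and returns non-zero on any problem.
check_origin_pair() {
    cert=$1 key=$2
    # Both files must parse; a truncated or mangled paste fails here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "bad-cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "bad-key"; return 1; }
    # The certificate's public key must equal the one derived from the key.
    [ "$cert_pub" = "$key_pub" ] || { echo "mismatch"; return 1; }
    # -checkend 0 fails if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "expired"; return 1; }
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ldL "$key" | cut -c8-10)
    [ "$other" = "---" ] || { echo "key-world-accessible"; return 1; }
    echo "ok"
}

# Constructed sample input: a throwaway self-signed pair standing in for the
# Cloudflare files, so the check can be tried without touching /etc/ssl.
make_sample_pair() {
    dir=$1 name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" >/dev/null 2>&1
    chmod 440 "$dir/$name.key"
}

# Usage: sudo sh check_pair.sh <certificate.pem> <private.key>
if [ "$#" -eq 2 ]; then
    check_origin_pair "$1" "$2"
fi
```

Run it with sudo against /etc/ssl/certs/cloudflare.pem and /etc/ssl/private/cloudflare.key. Any result other than ok means the pasted files or their permissions need fixing before you continue.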
2. Configuring Nginx to use Cloudflare SSL
From your terminal, type this command to open the Nginx configuration file:
sudo nano /etc/nginx/sites-enabled/default
This is the default config file. Check your /etc/nginx/sites-enabled/ directory to see which file you’re using, and then open it.
In the text editor, find the block that looks like this:
server {
    listen 443 ssl;
    ...
}
Add two new lines for the certificate files inside that block. If your file doesn’t have that block, write it at the end of the file, like this:
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/cloudflare.pem;
    ssl_certificate_key /etc/ssl/private/cloudflare.key;
}
Press Ctrl + X, then Y to close and save the file.
Now, type this command to check all the syntax of Nginx configs:
sudo nginx -t
Nginx will let you know if the syntax is correct. Otherwise, it will show you which errors you have to fix.
After ensuring everything is correct, type this command to reload Nginx on your server:
sudo systemctl reload nginx
3. Activating Cloudflare SSL
As the last step, go to your Cloudflare dashboard → Open your domain → On the left sidebar, choose SSL/TLS → Overview. In the SSL/TLS encryption section, press the Configure button and switch to Full (Strict) mode, then Save.
Now your server is secured with Cloudflare SSL and has end-to-end encryption all the way from your server, through Cloudflare, to your visitors.
You can verify whether the SSL certificate is working by opening a new terminal on your computer and running the following command:
openssl s_client -connect yourdomain.com:443
If you see output like this:
Connecting to xxx.xx.xx.xxx
CONNECTED(00000005)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R4
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WE1
...
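Then your SSL certificate is working as expected. The chain shown here is the one Cloudflare presents to visitors at its edge; the Origin Certificate on your server is only presented to Cloudflare, which checks it in Full (Strict) mode.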
Done.