Cloudflare HTTPS and WAF Update
UPDATE
Since the launch of our own in-house built Content Delivery Network – SiteGround CDN, we are no longer providing Cloudflare services as part of our hosting plans.
Since we launched our integration with Cloudflare in 2012 we have seen thousands of our customers benefit from its CDN and the site security functionalities. Today we are happy to announce two improvements in the Cloudflare packages we provide. First, the SSL is now supported in the free plan of the service. Second, we have included a very cool security feature – the Cloudflare Web Application Firewall, in our Plus plan.
Free SSL support is now available in all plans
This has been the most requested feature by our Cloudflare users over the last year. We have been working actively to increase the SSL usage on our servers during the last months. That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. You only need to switch on the SSL option in our Cloudflare interface.
We recommend setting the SSL support to Flexible if you do not have SSL certificate issued for your domain, or to Full Strict if you have a SSL certificate issued. To learn more about the differences of the SSL settings you can refer to our Cloudflare tutorial.
Cloudflare WAF is now part of our Cloudflare Plus plan
Now our Cloudflare Plus users can benefit from the unique protection of the Cloudflare Web Application Firewall. Thus their websites will be protected by the rules added each day to react to all major recent vulnerabilities that affect applications such as WordPress, Magento, Drupal, PHP, Joomla, and others. Cloudflare WAF prevents automated attacks, SQL injection, XSS javascript injections, posts containing common spam words, cross-site scripting, etc. It provides protection against the Top 10 vulnerabilities identified by OWASP, leverages the collective intelligence of Cloudflare users, and also gives you the opportunity to supply your own WAF rules. It does not require any additional hardware or software installs. Being based on a really huge user base, Cloudflare WAF is an extremely effective protection tool that we highly recommend to any website owner.
You can switch on the WAF through your cPanel. To learn more about its settings visit our CloudFlare tutorial.
Comments ( 77 )
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through
Anonymous
Thank you for this.
Shah
In that case, is there any need to have a paid plans of CF or no more? Besides, a quick question as i have thousand of non https links all around in my website. If i enable SSL i get errors, how do i deal with this as finding and fixing one by one is a big big job?
Hristo Pandjarov Siteground Team
The Plus plan has many great features including the newly added Web Application Firewall which further improves the security of your website. In terms of SSL though, you get everything you need in the free version.
Muhammed Nagy
U can use search for and replace db tool if u are using MySQL and search for your domain name in http and replace it with ur domain name but in HTTPS U should use paths not URLs
Peter
Hope you can handle more compliments for what SG is demonstrating, day-in and day-out: Continuous upgrades, enhancements, often at no additional cost!!! - SG continues to exceed my expectations in quality of service and especially in customer support! Peter
Hristo Pandjarov Siteground Team
Thanks for the kind words!
Peter
As a beginner in SEO, does SG have some information in their KB about the https vs. http consequences for SEO? Thanks, Peter
Hristo Pandjarov Siteground Team
There isn't much to be said to be honest. For optimal ranking, all your traffic should go through https. Google is one of the organisations that's pushing towards a fully-encrypted web the most!
kenny
Thank you Hristo and Siteground. Will be looking at it for site without cloudflare tonight
Jyoti
Was waiting for this. Thank you. :)
peter ashford
Nice one! HTTPS and cloudfare now included :-)
Pieter Claesen
Heroes!
Jon
It seems I picked a great time to switch to SiteGround! Two technologies I wanted to explore this year were SSL and CloudFlare, now it seems I can do both! Thank you so much!
Chris Lovie-Tyler
Great news! Thank you!
Pietro Montagna
Was waiting for this. Thank you.
Paul
Does Cloudflare play nice with SuperCacher? And also with DNS being hosted at Cloudflare does WordPress staging still work? Thanks and keep up the awesome work!
Hristo Pandjarov Siteground Team
Yes, it works great with the SuperCacher but the staging tool does not work since it requires a subdomain creation to operate properly.
Scot Baston
is the staging tool something that Siteground can fix in the near future with regards to ssl & cloudflare?
Hristo Pandjarov Siteground Team
The way it works right now - no. Hopefully, the next major update of the staging will cover CloudFlare and other CDN users too.
Ian
Here is some recent first hand feedback with this. It definitely does not work. I'm on a cloud plan with a wildcard ssl and cloudflare direct. I recently opened to ticket for support to create a staging site. I did what they instructed and it broke the live site. To senior support's credit the did quickly fix but could not figure out what the issue was. I have not tried a staging site again. I wish this worked as it would make site changes so much easier.
Hristo Pandjarov Siteground Team
To be honest, that's a bit of an edge case. I understand the SSL part but since usually staging copies are password protected and password I don't see why you need a CDN on it?
Alex
Hristo, Why would you not create stage domains with your siteground.com domain? Like FlyWheel does? Their staging works almost with no problems. One click and you have something like berry-puppet.getflywheel.com stage site. That automatically protected with Basic Access Authentication. And if I want I can edit subdomain.
Hristo Pandjarov Siteground Team
We have different approach towards this. We're working on improving a lot our User Area and will definitelly take that suggestion into consideration.
Herbert
Siteground really does the work for its clients, i have been dreaming of this feature, ever since Let's Encrypt was enabled on siteground cpanels. I just enabled SSL for all my account and its running perfectly. Now this gives me the confidence to go for cloud hosting and stay with siteground forever. The greatest support team ever worked with. Hoping for the next big thing.
John Cope
This is great news. I have a lot of sites that I look after and had to choose either cloudflare or take advantage of the free let's encrypt certificates. Cloudflare always won but now I can have both. Many Thanks to the Siteground Team.
Chad Fullerton
Yes! Thank you SG. This is the missing piece to making your one click services complete. I have been manually setting up free https through Cloudflare for my clients up till now, and this is going to be a MASSIVE time saver to have one click ease. Thanks for continuing to make your services and control panel BEST IN CLASS.
William Carrington
When I selected "Activate Free" I got this message: "Failed reconfigure your application." What should I do? (I know almost nothing about website maintenance).
William Carrington
It seems to be OK, now.
Hristo Pandjarov Siteground Team
Glad to hear it worked!
William Carrington
Uh oh, now my page won't load and I get the message "redirected you too many times."
Hristo Pandjarov Siteground Team
Check if you have some rules forcing HTTP in your .htaccess file. If the issue persists, please post a ticket in your Help Desk.
William Carrington
I can't in to do that, so I posted a ticket. Thanks
Winston Lam
Thanks for the update! I followed the steps and I am glad that my site now has a "safety icon" under the wp-admin page. However, there is no "safety icon" under other pages. Do we need to do any other things to get this little safety icon? Thanks!
Hristo Pandjarov Siteground Team
Make sure you site is configured correctly. If you're on WordPress, you can check out the SG Optimizer functionality we've just added to enable HTTPS with one click: https://www.siteground.com/blog/https-wordpress/
Joe Williams
I think the reason I didn't use Cloudfare before was because you had to host your domain on www. and could not on non-www. Is that still the case?
Hristo Pandjarov Siteground Team
Yes, that's still a CloudFlare requirement.
Sarah
As excited as I was to hear about this feature, it would have been nice if there was some warning that activating CloudFlare with SSL is not as seamless as the tutorials would have you believe. After activating CloudFlare for our SSL site, none of our Wordpress plugins are working and Google can't access our site. We contacted support, only to be told that it would take 48 hours for the changes to take effect, and that we shouldn't do any work on the site until the changes were in effect. I definitely would have timed my activation of CloudFlare better had I been aware that it would halt all site work for 2 days. I really hope the CloudFlare functionality is worth the hassle.
Hristo Pandjarov Siteground Team
Usually, all DNS changes require propagation time. However, if you simply enable the HTTPS for your site there should be NO propagation time whatsoever. To speed-up the process, you can manually clear the CloudFlare cache from the Settings tab in the tool.
Sarah
This still doesn't solve the issue that activating CloudFlare with SSL disabled ALL the plugins on our site, and even after the propagation time, the plugins are still not registering.
Hristo Pandjarov Siteground Team
Enabling or disabling CloudFlare cannot in any way disable or activate plugins on your WordPress site. It must be something else that went wrong with your site. Please, post a ticket in your Help Desk to get additional assistance on that matter.
Amit
> That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. That is just such great news. Thats why we love you guys. Thank you!
Jason
I'm activated cloudflare last month on the plus package because ssl wasn't supported. Besides the firewall upgrade is there anything else I will be missing if I cancel the plus and go with the free version now?
Hristo Pandjarov Siteground Team
The firewall upgrade is the only new feature coming to the Plus package. If the SSL was the only thing that made you get the Plus, you can switch back but I would recommend you to take a look at all the other features you get with it because they are really, really useful.
Mark Pridham
Hi Hristo, The CloudFlare page is saying "If you have SSL on the domain(s), you will need to upgrade to a Pro account" (https://blog.cloudflare.com/cloudflare-tips-recommended-steps-after-activ/). Can you clarify? Thanks!
Hristo Pandjarov Siteground Team
That post is from April 2012. Just login to your cPanel -> CloudFlare tool and you will see the SSL options mentioned in the blog post.
Mark Pridham
Gotcha. Thanks!
Cristian
Thank you, this is a great improvement after you have increased the email accounts storage. Last year I have joined SG and opted for a GoGeek account for my personal websites. Brought a few of my clients with me, they left their old providers and joined as well. Siteground is my no.1 recommendation for small-medium websites. Keep it up!
Craig
Being a relatively new customer to Siteground - last week moved my main site over from my previous host. Previously this site was on SSL via a free Cloudflare account with their free issued certificate. During the transfer over this caused me issues. The site was encountering problems regards the certificate not working properly and issuing a security warning to visitors. I had to reinstall the site and point to Siteground instead of Cloudflare, meaning the site has reverted back to http. The speed of my site has plummeted since the transfer but I'm working through the problems via GT Metrix etc and inserting relevant code into .htaccess and things are improving. The website is for a local business based in the uk, the server location is in London whether the website is pointing to Siteground or Cloudflare. When I previously changed over to ssl I was undecided if it was the right thing to do, Yes Google say it helps ranking but then they also say speed matters and the transfer to ssl caused a 0.5 sec impact on speed due to the redirection with my previous host. Going forward I'm thinking should I implement ssl again? The speed loss should be minimum with a better host and with the ability to use http/2 I might well see a faster site. So to my question... Which is the best route to achieve a fast, secure site? 1. Use the free SSL certificate issued from SG and keep site pointing to SG, ignoring Cloudflare. 2. Use the free SSL certificate issued from SG and point site at Cloudflare. 3. Point site at Cloudflare and use their free certificate? Thanks
Hristo Pandjarov Siteground Team
I would recommend that you use the free Let's Encrypt certificate. It's free and automatically renewed so you will not forget about it and have problems in the future. Once you make sure your site works fine through https, you can enable CloudFlare. When you use a CDN you're using two certificates but that's handled automatically. First handles the connection between your SiteGround server and CloudFlare and the second one the connection between CloudFlare and your visitors.
Vivan Chawla
I love this feature. Thank you very much!
Nirav
Does it help in website speed?
Hristo Pandjarov Siteground Team
Yes, it should improve your site loading speeds.
Nirav
I activated on my site. But there's no any change in PageSpeed Insights and GTmetrix scores. They are same as they were before.
Hristo Pandjarov Siteground Team
It depends on the actual site how much it will be affected. In addition, note that having a CDN makes your site equally fast from all over the world and not only the particular continent where the data center is.
Jack
Hi, this is great =) I have a question though. I use a non www canonical address. Instead Cloudflare works only with www, if I'm not mistaken. Is it enough for me to set a forward page rule? And how can I do that?
Hristo Pandjarov Siteground Team
You need to configure your Analytics and Google Console profiles too. As to the redirect, you can use these lines in your .htaccess: RewriteEngine on RewriteCond %{HTTP_HOST} ^example.com [NC] RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
Martijn
Hi, It sounds really good, Just a question, if you say it supports SSL, does that mean it supports 3rd party EV SSL?
Hristo Pandjarov Siteground Team
Yes, it will work with any certificate.
Martijn
Yet, not in the free or plus version, just in the Business/Enterprise version?
Hristo Pandjarov Siteground Team
It's in the free version, just set it to Full and use your certificate. However, endpoints will still be using the CF certificates. If you want to have one for them too, you need an enterprise acocunt with CloudFlare.
Martijn
What do you mean by end points?
Hristo Pandjarov Siteground Team
There's one certificate handling the connection between our server and CloudFlare. Then, there's another, issued by CloudFlare for the connection between their servers across the world and your visitors. If you want the second one to be your certificate, you need to have an enterprise account with them.
techwebasia
Not sure on which end is a issue but al users should consider that activating Cloud Flare with Lets Encrypt certificate may set your site down for hours. CF not initialize SSL automatically. They reserved time is 24 hours for that service to begin.
Hristo Pandjarov Siteground Team
If you activate CF for the first time, it's a normal propagation period that takes place. If you just enable SSL on a site working through CF, it should work right away, I've done it on tens of sites personally and didn't experience any downtime whatsoever. Manually cleaning the cache usually helps with such issues.
Ben Tupper
Any recommendations for the Cloudflare memory leak / security issue recently written about on WP Tavern? The story is here: https://wptavern.com/cloudflare-memory-leak-exposes-private-data Thank you!
Hristo Pandjarov Siteground Team
No SiteGround customers are affected by this problem!
Ben Tupper
Thanks for the reply!
Ryan Rhoades
So does this mean that our sites were negatively affected by this recent Cloudflare leak?
Hristo Pandjarov Siteground Team
Your sites are not affected in any way by the issues CloudFlare were experiencing.
Rahul
Siteground is always on top of things. good just yall. Lifetime customer here
george
In the Cloudflare FAQ's and other places on their site they say that free plans don't support ssl on legacy browsers. Is this the case with Siteground's free or Plus Cloudlare plans? Will the older browsers work with ssl? Thanks...geo
Hristo Pandjarov Siteground Team
There aren't differences in the compatibility. However, only archacic browsers do not support SNI thus the certificate provided by CF. You shouldn't really be concerned about this.
george
Thanks for the reminder about the SNI. Unfortunately, I must be concerned with IE8 support which is only partial for SNI (see caniuse). The site needs the widest possible availability in the poorest areas of the US. IE8 use is still significant in these areas. Thanks for your help nudging me to the SNI caniuse.
Srini
Hi Team, Can Cloudfare WAF track http sessions and protect against cookie injection and cookie tampering attacks?
Hristo Pandjarov Siteground Team
I think they do but for the particular case I would advise you to ask them directly: https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/
Mo
Although this is an old blog post, it is worth mentioning in the article that this feature is no longer available. Please consider updating it to save confusion.
Gabriela Andonova Siteground Team
Thanks for the comment and your suggestion. That's definitely something we'll look into!
Start discussion
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through