Cloudflare HTTPS and WAF Update

Since we launched our integration with Cloudflare in 2012 we have seen thousands of our customers benefit from its CDN and the site security functionalities. Today we are happy to announce two improvements in the Cloudflare packages we provide. First, the SSL is now supported in the free plan of the service. Second, we have included a very cool security feature – the Cloudflare Web Application Firewall, in our Plus plan.

Free SSL support is now available in all plans

This has been the most requested feature by our Cloudflare users over the last year. We have been working actively to increase the SSL usage on our servers during the last months. That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. You only need to switch on the SSL option in our Cloudflare interface.

We recommend setting the SSL support to Flexible if you do not have SSL certificate issued for your domain, or to Full Strict if you have a SSL certificate issued. To learn more about the differences of the SSL settings you can refer to our Cloudflare tutorial.

Cloudflare WAF is now part of our Cloudflare Plus plan

Now our Cloudflare Plus users can benefit from the unique protection of the Cloudflare Web Application Firewall. Thus their websites will be protected by the rules added each day to react to all major recent vulnerabilities that affect applications such as WordPress, Magento, Drupal, PHP, Joomla, and others. Cloudflare WAF prevents automated attacks, SQL injection, XSS javascript injections, posts containing common spam words, cross-site scripting, etc. It provides protection against the Top 10 vulnerabilities identified by OWASP, leverages the collective intelligence of Cloudflare users, and also gives you the opportunity to supply your own WAF rules. It does not require any additional hardware or software installs. Being based on a really huge user base, Cloudflare WAF is an extremely effective protection tool that we highly recommend to any website owner.

You can switch on the WAF through your cPanel. To learn more about its settings visit our CloudFlare tutorial.

Hristo Pandjarov

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Security

Comments ( 75 )

Bernard Go

Feb 16, 2017

Thank you for this.

Reply

Shah

Feb 17, 2017

In that case, is there any need to have a paid plans of CF or no more? Besides, a quick question as i have thousand of non https links all around in my website. If i enable SSL i get errors, how do i deal with this as finding and fixing one by one is a big big job?

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

The Plus plan has many great features including the newly added Web Application Firewall which further improves the security of your website. In terms of SSL though, you get everything you need in the free version.

Reply

Muhammed Nagy

Feb 19, 2017

U can use search for and replace db tool if u are using MySQL and search for your domain name in http and replace it with ur domain name but in HTTPS U should use paths not URLs

Reply

Peter

Feb 16, 2017

Hope you can handle more compliments for what SG is demonstrating, day-in and day-out: Continuous upgrades, enhancements, often at no additional cost!!! - SG continues to exceed my expectations in quality of service and especially in customer support! Peter

Reply

Hristo Pandjarov Siteground Team

Feb 16, 2017

Thanks for the kind words!

Reply

Peter

Feb 16, 2017

As a beginner in SEO, does SG have some information in their KB about the https vs. http consequences for SEO? Thanks, Peter

Reply

Hristo Pandjarov Siteground Team

Feb 16, 2017

There isn't much to be said to be honest. For optimal ranking, all your traffic should go through https. Google is one of the organisations that's pushing towards a fully-encrypted web the most!

Reply

kenny

Feb 16, 2017

Thank you Hristo and Siteground. Will be looking at it for site without cloudflare tonight

Reply

Jyoti

Feb 16, 2017

Was waiting for this. Thank you. :)

Reply

peter ashford

Feb 16, 2017

Nice one! HTTPS and cloudfare now included :-)

Reply

Pieter Claesen

Feb 16, 2017

Heroes!

Reply

Jon

Feb 16, 2017

It seems I picked a great time to switch to SiteGround! Two technologies I wanted to explore this year were SSL and CloudFlare, now it seems I can do both! Thank you so much!

Reply

Chris Lovie-Tyler

Feb 16, 2017

Great news! Thank you!

Reply

Pietro Montagna

Feb 16, 2017

Was waiting for this. Thank you.

Reply

Paul

Feb 16, 2017

Does Cloudflare play nice with SuperCacher? And also with DNS being hosted at Cloudflare does WordPress staging still work? Thanks and keep up the awesome work!

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

Yes, it works great with the SuperCacher but the staging tool does not work since it requires a subdomain creation to operate properly.

Reply

Scot Baston

Feb 17, 2017

is the staging tool something that Siteground can fix in the near future with regards to ssl & cloudflare?

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

The way it works right now - no. Hopefully, the next major update of the staging will cover CloudFlare and other CDN users too.

Reply

Ian

Mar 20, 2017

Here is some recent first hand feedback with this. It definitely does not work. I'm on a cloud plan with a wildcard ssl and cloudflare direct. I recently opened to ticket for support to create a staging site. I did what they instructed and it broke the live site. To senior support's credit the did quickly fix but could not figure out what the issue was. I have not tried a staging site again. I wish this worked as it would make site changes so much easier.

Reply

Hristo Pandjarov Siteground Team

Mar 21, 2017

To be honest, that's a bit of an edge case. I understand the SSL part but since usually staging copies are password protected and password I don't see why you need a CDN on it?

Reply

Alex

May 11, 2017

Hristo, Why would you not create stage domains with your siteground.com domain? Like FlyWheel does? Their staging works almost with no problems. One click and you have something like berry-puppet.getflywheel.com stage site. That automatically protected with Basic Access Authentication. And if I want I can edit subdomain.

Reply

Hristo Pandjarov Siteground Team

May 12, 2017

We have different approach towards this. We're working on improving a lot our User Area and will definitelly take that suggestion into consideration.

Reply

Herbert

Feb 17, 2017

Siteground really does the work for its clients, i have been dreaming of this feature, ever since Let's Encrypt was enabled on siteground cpanels. I just enabled SSL for all my account and its running perfectly. Now this gives me the confidence to go for cloud hosting and stay with siteground forever. The greatest support team ever worked with. Hoping for the next big thing.

Reply

John Cope

Feb 17, 2017

This is great news. I have a lot of sites that I look after and had to choose either cloudflare or take advantage of the free let's encrypt certificates. Cloudflare always won but now I can have both. Many Thanks to the Siteground Team.

Reply

Chad Fullerton

Feb 17, 2017

Yes! Thank you SG. This is the missing piece to making your one click services complete. I have been manually setting up free https through Cloudflare for my clients up till now, and this is going to be a MASSIVE time saver to have one click ease. Thanks for continuing to make your services and control panel BEST IN CLASS.

Reply

William Carrington

Feb 17, 2017

When I selected "Activate Free" I got this message: "Failed reconfigure your application." What should I do? (I know almost nothing about website maintenance).

Reply

William Carrington

Feb 17, 2017

It seems to be OK, now.

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

Glad to hear it worked!

Reply

William Carrington

Feb 17, 2017

Uh oh, now my page won't load and I get the message "redirected you too many times."

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

Check if you have some rules forcing HTTP in your .htaccess file. If the issue persists, please post a ticket in your Help Desk.

Reply

William Carrington

Feb 17, 2017

I can't in to do that, so I posted a ticket. Thanks

Reply

Winston Lam

Feb 17, 2017

Thanks for the update! I followed the steps and I am glad that my site now has a "safety icon" under the wp-admin page. However, there is no "safety icon" under other pages. Do we need to do any other things to get this little safety icon? Thanks!

Reply

Hristo Pandjarov Siteground Team

Feb 17, 2017

Make sure you site is configured correctly. If you're on WordPress, you can check out the SG Optimizer functionality we've just added to enable HTTPS with one click: https://www.siteground.com/blog/https-wordpress/

Reply

Joe Williams

Feb 17, 2017

I think the reason I didn't use Cloudfare before was because you had to host your domain on www. and could not on non-www. Is that still the case?

Reply

Hristo Pandjarov Siteground Team

Feb 18, 2017

Yes, that's still a CloudFlare requirement.

Reply

Sarah

Feb 17, 2017

As excited as I was to hear about this feature, it would have been nice if there was some warning that activating CloudFlare with SSL is not as seamless as the tutorials would have you believe. After activating CloudFlare for our SSL site, none of our Wordpress plugins are working and Google can't access our site. We contacted support, only to be told that it would take 48 hours for the changes to take effect, and that we shouldn't do any work on the site until the changes were in effect. I definitely would have timed my activation of CloudFlare better had I been aware that it would halt all site work for 2 days. I really hope the CloudFlare functionality is worth the hassle.

Reply

Hristo Pandjarov Siteground Team

Feb 18, 2017

Usually, all DNS changes require propagation time. However, if you simply enable the HTTPS for your site there should be NO propagation time whatsoever. To speed-up the process, you can manually clear the CloudFlare cache from the Settings tab in the tool.

Reply

Sarah

Feb 18, 2017

This still doesn't solve the issue that activating CloudFlare with SSL disabled ALL the plugins on our site, and even after the propagation time, the plugins are still not registering.

Reply

Hristo Pandjarov Siteground Team

Feb 20, 2017

Enabling or disabling CloudFlare cannot in any way disable or activate plugins on your WordPress site. It must be something else that went wrong with your site. Please, post a ticket in your Help Desk to get additional assistance on that matter.

Reply

Amit

Feb 17, 2017

> That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. That is just such great news. Thats why we love you guys. Thank you!

Reply

Jason

Feb 18, 2017

I'm activated cloudflare last month on the plus package because ssl wasn't supported. Besides the firewall upgrade is there anything else I will be missing if I cancel the plus and go with the free version now?

Reply

Hristo Pandjarov Siteground Team

Feb 18, 2017

The firewall upgrade is the only new feature coming to the Plus package. If the SSL was the only thing that made you get the Plus, you can switch back but I would recommend you to take a look at all the other features you get with it because they are really, really useful.

Reply

Mark Pridham

Feb 18, 2017

Hi Hristo, The CloudFlare page is saying "If you have SSL on the domain(s), you will need to upgrade to a Pro account" (https://blog.cloudflare.com/cloudflare-tips-recommended-steps-after-activ/). Can you clarify? Thanks!

Reply

Hristo Pandjarov Siteground Team

Feb 18, 2017

That post is from April 2012. Just login to your cPanel -> CloudFlare tool and you will see the SSL options mentioned in the blog post.

Reply

Mark Pridham

Feb 19, 2017

Gotcha. Thanks!

Reply

Cristian

Feb 18, 2017

Thank you, this is a great improvement after you have increased the email accounts storage. Last year I have joined SG and opted for a GoGeek account for my personal websites. Brought a few of my clients with me, they left their old providers and joined as well. Siteground is my no.1 recommendation for small-medium websites. Keep it up!

Reply

Craig

Feb 19, 2017

Being a relatively new customer to Siteground - last week moved my main site over from my previous host. Previously this site was on SSL via a free Cloudflare account with their free issued certificate. During the transfer over this caused me issues. The site was encountering problems regards the certificate not working properly and issuing a security warning to visitors. I had to reinstall the site and point to Siteground instead of Cloudflare, meaning the site has reverted back to http. The speed of my site has plummeted since the transfer but I'm working through the problems via GT Metrix etc and inserting relevant code into .htaccess and things are improving. The website is for a local business based in the uk, the server location is in London whether the website is pointing to Siteground or Cloudflare. When I previously changed over to ssl I was undecided if it was the right thing to do, Yes Google say it helps ranking but then they also say speed matters and the transfer to ssl caused a 0.5 sec impact on speed due to the redirection with my previous host. Going forward I'm thinking should I implement ssl again? The speed loss should be minimum with a better host and with the ability to use http/2 I might well see a faster site. So to my question... Which is the best route to achieve a fast, secure site? 1. Use the free SSL certificate issued from SG and keep site pointing to SG, ignoring Cloudflare. 2. Use the free SSL certificate issued from SG and point site at Cloudflare. 3. Point site at Cloudflare and use their free certificate? Thanks

Reply

Hristo Pandjarov Siteground Team

Feb 20, 2017

I would recommend that you use the free Let's Encrypt certificate. It's free and automatically renewed so you will not forget about it and have problems in the future. Once you make sure your site works fine through https, you can enable CloudFlare. When you use a CDN you're using two certificates but that's handled automatically. First handles the connection between your SiteGround server and CloudFlare and the second one the connection between CloudFlare and your visitors.

Reply

Vivan Chawla

Feb 20, 2017

I love this feature. Thank you very much!

Reply

Nirav

Feb 20, 2017

Does it help in website speed?

Reply

Hristo Pandjarov Siteground Team

Feb 21, 2017

Yes, it should improve your site loading speeds.

Reply

Nirav

Feb 21, 2017

I activated on my site. But there's no any change in PageSpeed Insights and GTmetrix scores. They are same as they were before.

Reply

Hristo Pandjarov Siteground Team

Feb 21, 2017

It depends on the actual site how much it will be affected. In addition, note that having a CDN makes your site equally fast from all over the world and not only the particular continent where the data center is.

Reply

Jack

Feb 22, 2017

Hi, this is great =) I have a question though. I use a non www canonical address. Instead Cloudflare works only with www, if I'm not mistaken. Is it enough for me to set a forward page rule? And how can I do that?

Reply

Hristo Pandjarov Siteground Team

Feb 23, 2017

You need to configure your Analytics and Google Console profiles too. As to the redirect, you can use these lines in your .htaccess: RewriteEngine on RewriteCond %{HTTP_HOST} ^example.com [NC] RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

Reply

Martijn

Feb 23, 2017

Hi, It sounds really good, Just a question, if you say it supports SSL, does that mean it supports 3rd party EV SSL?

Reply

Hristo Pandjarov Siteground Team

Feb 24, 2017

Yes, it will work with any certificate.

Reply

Martijn

Mar 01, 2017

Yet, not in the free or plus version, just in the Business/Enterprise version?

Reply

Hristo Pandjarov Siteground Team

Mar 02, 2017

It's in the free version, just set it to Full and use your certificate. However, endpoints will still be using the CF certificates. If you want to have one for them too, you need an enterprise acocunt with CloudFlare.

Reply

Martijn

Mar 06, 2017

What do you mean by end points?

Reply

Hristo Pandjarov Siteground Team

Mar 07, 2017

There's one certificate handling the connection between our server and CloudFlare. Then, there's another, issued by CloudFlare for the connection between their servers across the world and your visitors. If you want the second one to be your certificate, you need to have an enterprise account with them.

Reply

techwebasia

Feb 24, 2017

Not sure on which end is a issue but al users should consider that activating Cloud Flare with Lets Encrypt certificate may set your site down for hours. CF not initialize SSL automatically. They reserved time is 24 hours for that service to begin.

Reply

Hristo Pandjarov Siteground Team

Feb 27, 2017

If you activate CF for the first time, it's a normal propagation period that takes place. If you just enable SSL on a site working through CF, it should work right away, I've done it on tens of sites personally and didn't experience any downtime whatsoever. Manually cleaning the cache usually helps with such issues.

Reply

Ben Tupper

Feb 25, 2017

Any recommendations for the Cloudflare memory leak / security issue recently written about on WP Tavern? The story is here: https://wptavern.com/cloudflare-memory-leak-exposes-private-data Thank you!

Reply

Hristo Pandjarov Siteground Team

Feb 27, 2017

No SiteGround customers are affected by this problem!

Reply

Ben Tupper

Feb 27, 2017

Thanks for the reply!

Reply

Ryan Rhoades

Feb 26, 2017

So does this mean that our sites were negatively affected by this recent Cloudflare leak?

Reply

Hristo Pandjarov Siteground Team

Feb 27, 2017

Your sites are not affected in any way by the issues CloudFlare were experiencing.

Reply

Rahul

Mar 08, 2017

Siteground is always on top of things. good just yall. Lifetime customer here

Reply

george

Mar 14, 2017

In the Cloudflare FAQ's and other places on their site they say that free plans don't support ssl on legacy browsers. Is this the case with Siteground's free or Plus Cloudlare plans? Will the older browsers work with ssl? Thanks...geo

Reply

Hristo Pandjarov Siteground Team

Mar 14, 2017

There aren't differences in the compatibility. However, only archacic browsers do not support SNI thus the certificate provided by CF. You shouldn't really be concerned about this.

Reply

george

Mar 14, 2017

Thanks for the reminder about the SNI. Unfortunately, I must be concerned with IE8 support which is only partial for SNI (see caniuse). The site needs the widest possible availability in the poorest areas of the US. IE8 use is still significant in these areas. Thanks for your help nudging me to the SNI caniuse.

Reply

Srini

Feb 19, 2019

Hi Team, Can Cloudfare WAF track http sessions and protect against cookie injection and cookie tampering attacks?

Reply

Hristo Pandjarov Siteground Team

Mar 01, 2019

I think they do but for the particular case I would advise you to ask them directly: https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/

Reply

Start discussion

Ready to get your website started?

Choose a hosting plan, start or migrate your site in a few clicks, and grow your online presence!

Get Started Chat with an expert