Cloudflare HTTPS and WAF Update

Since we launched our integration with Cloudflare in 2012 we have seen thousands of our customers benefit from its CDN and the site security functionalities. Today we are happy to announce two improvements in the Cloudflare packages we provide. First, the SSL is now supported in the free plan of the service. Second, we have included a very cool security feature - the Cloudflare Web Application Firewall, in our Plus plan.

Free SSL support is now available in all plans

This has been the most requested feature by our Cloudflare users over the last year. We have been working actively to increase the SSL usage on our servers during the last months. That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. You only need to switch on the SSL option in our Cloudflare interface.

We recommend setting the SSL support to Flexible if you do not have SSL certificate issued for your domain, or to Full Strict if you have a SSL certificate issued. To learn more about the differences of the SSL settings you can refer to our Cloudflare tutorial.

Cloudflare WAF is now part of our Cloudflare Plus plan

Now our Cloudflare Plus users can benefit from the unique protection of the Cloudflare Web Application Firewall. Thus their websites will be protected by the rules added each day to react to all major recent vulnerabilities that affect applications such as WordPress, Magento, Drupal, PHP, Joomla, and other. Cloudflare WAF prevents automated attacks, SQL injection, XSS javascript injections, posts containing common spam words, cross-site scripting, etc. It provides protection against the Top 10 vulnerabilities identified by OWASP, leverages the collective intelligence of Cloudflare users, and also gives you the opportunity to supply your own WAF rules. It does not require any additional hardware or software installs. Being based on a really huge user base, Cloudflare WAF is an extremely effective protection tool that we highly recommend to any website owner.

You can switch on the WAF through your cPanel. To learn more about its settings visit our CloudFlare tutorial.

Black Friday Promo!

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!


  1. Reply February 16, 2017 / 07:11 Bernard GoSiteGround Team

    Thank you for this.

    • Reply February 16, 2017 / 18:48 ShahSiteGround Team

      In that case, is there any need to have a paid plans of CF or no more? Besides, a quick question as i have thousand of non https links all around in my website. If i enable SSL i get errors, how do i deal with this as finding and fixing one by one is a big big job?

      • February 17, 2017 / 01:21 Hristo PandjarovSiteGround Team

        The Plus plan has many great features including the newly added Web Application Firewall which further improves the security of your website. In terms of SSL though, you get everything you need in the free version.

      • February 19, 2017 / 11:52 Muhammed NagySiteGround Team

        U can use search for and replace db tool if u are using MySQL and search for your domain name in http and replace it with ur domain name but in HTTPS
        U should use paths not URLs

  2. Reply February 16, 2017 / 07:39 PeterSiteGround Team

    Hope you can handle more compliments for what SG is demonstrating, day-in and day-out: Continuous upgrades, enhancements, often at no additional cost!!! - SG continues to exceed my expectations in quality of service and especially in customer support!


    • Reply February 16, 2017 / 07:40 Hristo PandjarovSiteGround Team

      Thanks for the kind words!

  3. Reply February 16, 2017 / 07:41 PeterSiteGround Team

    As a beginner in SEO, does SG have some information in their KB about the https vs. http consequences for SEO?



    • Reply February 16, 2017 / 08:01 Hristo PandjarovSiteGround Team

      There isn't much to be said to be honest. For optimal ranking, all your traffic should go through https. Google is one of the organisations that's pushing towards a fully-encrypted web the most!

  4. Reply February 16, 2017 / 07:59 kennySiteGround Team

    Thank you Hristo and Siteground. Will be looking at it for site without cloudflare tonight

  5. Reply February 16, 2017 / 08:36 JyotiSiteGround Team

    Was waiting for this. Thank you. 🙂

  6. Reply February 16, 2017 / 08:50 peter ashfordSiteGround Team

    Nice one! HTTPS and cloudfare now included 🙂

  7. Reply February 16, 2017 / 09:11 Pieter ClaesenSiteGround Team


  8. Reply February 16, 2017 / 09:47 JonSiteGround Team

    It seems I picked a great time to switch to SiteGround! Two technologies I wanted to explore this year were SSL and CloudFlare, now it seems I can do both! Thank you so much!

  9. Reply February 16, 2017 / 11:54 Chris Lovie-TylerSiteGround Team

    Great news! Thank you!

  10. Reply February 16, 2017 / 14:09 Pietro MontagnaSiteGround Team

    Was waiting for this. Thank you.

  11. Reply February 16, 2017 / 17:23 PaulSiteGround Team

    Does Cloudflare play nice with SuperCacher? And also with DNS being hosted at Cloudflare does WordPress staging still work? Thanks and keep up the awesome work!

    • Reply February 17, 2017 / 01:19 Hristo PandjarovSiteGround Team

      Yes, it works great with the SuperCacher but the staging tool does not work since it requires a subdomain creation to operate properly.

      • February 17, 2017 / 05:23 Scot BastonSiteGround Team

        is the staging tool something that Siteground can fix in the near future with regards to ssl & cloudflare?

      • February 17, 2017 / 07:06 Hristo PandjarovSiteGround Team

        The way it works right now - no. Hopefully, the next major update of the staging will cover CloudFlare and other CDN users too.

      • March 20, 2017 / 11:40 IanSiteGround Team

        Here is some recent first hand feedback with this. It definitely does not work. I'm on a cloud plan with a wildcard ssl and cloudflare direct. I recently opened to ticket for support to create a staging site. I did what they instructed and it broke the live site. To senior support's credit the did quickly fix but could not figure out what the issue was. I have not tried a staging site again.

        I wish this worked as it would make site changes so much easier.

      • March 21, 2017 / 05:46 Hristo PandjarovSiteGround Team

        To be honest, that's a bit of an edge case. I understand the SSL part but since usually staging copies are password protected and password I don't see why you need a CDN on it?

      • May 11, 2017 / 13:19 AlexSiteGround Team


        Why would you not create stage domains with your domain? Like FlyWheel does?
        Their staging works almost with no problems. One click and you have something like stage site. That automatically protected with Basic Access Authentication. And if I want I can edit subdomain.

      • May 11, 2017 / 23:49 Hristo PandjarovSiteGround Team

        We have different approach towards this. We're working on improving a lot our User Area and will definitelly take that suggestion into consideration.

  12. Reply February 16, 2017 / 18:27 HerbertSiteGround Team

    Siteground really does the work for its clients, i have been dreaming of this feature, ever since Let's Encrypt was enabled on siteground cpanels. I just enabled SSL for all my account and its running perfectly. Now this gives me the confidence to go for cloud hosting and stay with siteground forever. The greatest support team ever worked with. Hoping for the next big thing.

  13. Reply February 16, 2017 / 18:45 John CopeSiteGround Team

    This is great news. I have a lot of sites that I look after and had to choose either cloudflare or take advantage of the free let's encrypt certificates. Cloudflare always won but now I can have both. Many Thanks to the Siteground Team.

  14. Reply February 16, 2017 / 20:24 Chad FullertonSiteGround Team

    Yes! Thank you SG. This is the missing piece to making your one click services complete. I have been manually setting up free https through Cloudflare for my clients up till now, and this is going to be a MASSIVE time saver to have one click ease. Thanks for continuing to make your services and control panel BEST IN CLASS.

  15. Reply February 16, 2017 / 22:33 William CarringtonSiteGround Team

    When I selected "Activate Free" I got this message: "Failed reconfigure your application."

    What should I do? (I know almost nothing about website maintenance).

    • Reply February 16, 2017 / 22:39 William CarringtonSiteGround Team

      It seems to be OK, now.

      • February 17, 2017 / 01:21 Hristo PandjarovSiteGround Team

        Glad to hear it worked!

  16. Reply February 17, 2017 / 03:32 William CarringtonSiteGround Team

    Uh oh, now my page won't load and I get the message "redirected you too many times."

    • Reply February 17, 2017 / 03:37 Hristo PandjarovSiteGround Team

      Check if you have some rules forcing HTTP in your .htaccess file. If the issue persists, please post a ticket in your Help Desk.

  17. Reply February 17, 2017 / 03:41 William CarringtonSiteGround Team

    I can't in to do that, so I posted a ticket. Thanks

  18. Reply February 17, 2017 / 03:50 Winston LamSiteGround Team

    Thanks for the update!
    I followed the steps and I am glad that my site now has a "safety icon" under the wp-admin page.
    However, there is no "safety icon" under other pages. Do we need to do any other things to get this little safety icon? Thanks!

    • Reply February 17, 2017 / 03:52 Hristo PandjarovSiteGround Team

      Make sure you site is configured correctly. If you're on WordPress, you can check out the SG Optimizer functionality we've just added to enable HTTPS with one click:

  19. Reply February 17, 2017 / 08:34 Joe WilliamsSiteGround Team

    I think the reason I didn't use Cloudfare before was because you had to host your domain on www. and could not on non-www. Is that still the case?

    • Reply February 18, 2017 / 02:36 Hristo PandjarovSiteGround Team

      Yes, that's still a CloudFlare requirement.

  20. Reply February 17, 2017 / 12:21 SarahSiteGround Team

    As excited as I was to hear about this feature, it would have been nice if there was some warning that activating CloudFlare with SSL is not as seamless as the tutorials would have you believe. After activating CloudFlare for our SSL site, none of our WordPress plugins are working and Google can't access our site. We contacted support, only to be told that it would take 48 hours for the changes to take effect, and that we shouldn't do any work on the site until the changes were in effect.

    I definitely would have timed my activation of CloudFlare better had I been aware that it would halt all site work for 2 days. I really hope the CloudFlare functionality is worth the hassle.

    • Reply February 18, 2017 / 02:43 Hristo PandjarovSiteGround Team

      Usually, all DNS changes require propagation time. However, if you simply enable the HTTPS for your site there should be NO propagation time whatsoever. To speed-up the process, you can manually clear the CloudFlare cache from the Settings tab in the tool.

      • February 18, 2017 / 16:43 SarahSiteGround Team

        This still doesn't solve the issue that activating CloudFlare with SSL disabled ALL the plugins on our site, and even after the propagation time, the plugins are still not registering.

      • February 20, 2017 / 01:03 Hristo PandjarovSiteGround Team

        Enabling or disabling CloudFlare cannot in any way disable or activate plugins on your WordPress site. It must be something else that went wrong with your site. Please, post a ticket in your Help Desk to get additional assistance on that matter.

  21. Reply February 17, 2017 / 15:43 AmitSiteGround Team

    > That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge.

    That is just such great news. Thats why we love you guys. Thank you!

  22. Reply February 17, 2017 / 21:49 JasonSiteGround Team

    I'm activated cloudflare last month on the plus package because ssl wasn't supported. Besides the firewall upgrade is there anything else I will be missing if I cancel the plus and go with the free version now?

    • Reply February 18, 2017 / 02:33 Hristo PandjarovSiteGround Team

      The firewall upgrade is the only new feature coming to the Plus package. If the SSL was the only thing that made you get the Plus, you can switch back but I would recommend you to take a look at all the other features you get with it because they are really, really useful.

  23. Reply February 18, 2017 / 05:39 Mark PridhamSiteGround Team

    Hi Hristo,

    The CloudFlare page is saying "If you have SSL on the domain(s), you will need to upgrade to a Pro account" ( Can you clarify? Thanks!

    • Reply February 18, 2017 / 06:40 Hristo PandjarovSiteGround Team

      That post is from April 2012. Just login to your cPanel -> CloudFlare tool and you will see the SSL options mentioned in the blog post.

      • February 19, 2017 / 14:00 Mark PridhamSiteGround Team

        Gotcha. Thanks!

  24. Reply February 18, 2017 / 10:09 CristianSiteGround Team

    Thank you, this is a great improvement after you have increased the email accounts storage.

    Last year I have joined SG and opted for a GoGeek account for my personal websites. Brought a few of my clients with me, they left their old providers and joined as well.

    Siteground is my no.1 recommendation for small-medium websites. Keep it up!

  25. Reply February 19, 2017 / 06:10 CraigSiteGround Team

    Being a relatively new customer to Siteground - last week moved my main site over from my previous host.

    Previously this site was on SSL via a free Cloudflare account with their free issued certificate. During the transfer over this caused me issues. The site was encountering problems regards the certificate not working properly and issuing a security warning to visitors. I had to reinstall the site and point to Siteground instead of Cloudflare, meaning the site has reverted back to http.

    The speed of my site has plummeted since the transfer but I'm working through the problems via GT Metrix etc and inserting relevant code into .htaccess and things are improving.

    The website is for a local business based in the uk, the server location is in London whether the website is pointing to Siteground or Cloudflare. When I previously changed over to ssl I was undecided if it was the right thing to do, Yes Google say it helps ranking but then they also say speed matters and the transfer to ssl caused a 0.5 sec impact on speed due to the redirection with my previous host.

    Going forward I'm thinking should I implement ssl again? The speed loss should be minimum with a better host and with the ability to use http/2 I might well see a faster site.

    So to my question...

    Which is the best route to achieve a fast, secure site?

    1. Use the free SSL certificate issued from SG and keep site pointing to SG, ignoring Cloudflare.
    2. Use the free SSL certificate issued from SG and point site at Cloudflare.
    3. Point site at Cloudflare and use their free certificate?


    • Reply February 20, 2017 / 01:37 Hristo PandjarovSiteGround Team

      I would recommend that you use the free Let's Encrypt certificate. It's free and automatically renewed so you will not forget about it and have problems in the future. Once you make sure your site works fine through https, you can enable CloudFlare. When you use a CDN you're using two certificates but that's handled automatically. First handles the connection between your SiteGround server and CloudFlare and the second one the connection between CloudFlare and your visitors.

  26. Reply February 20, 2017 / 02:24 Vivan ChawlaSiteGround Team

    I love this feature. Thank you very much!

  27. Reply February 20, 2017 / 07:34 NiravSiteGround Team

    Does it help in website speed?

    • Reply February 21, 2017 / 01:09 Hristo PandjarovSiteGround Team

      Yes, it should improve your site loading speeds.

      • February 21, 2017 / 08:19 NiravSiteGround Team

        I activated on my site. But there's no any change in PageSpeed Insights and GTmetrix scores. They are same as they were before.

      • February 21, 2017 / 10:48 Hristo PandjarovSiteGround Team

        It depends on the actual site how much it will be affected. In addition, note that having a CDN makes your site equally fast from all over the world and not only the particular continent where the data center is.

  28. Reply February 22, 2017 / 09:08 JackSiteGround Team

    Hi, this is great =)

    I have a question though. I use a non www canonical address. Instead Cloudflare works only with www, if I'm not mistaken. Is it enough for me to set a forward page rule? And how can I do that?

    • Reply February 23, 2017 / 07:07 Hristo PandjarovSiteGround Team

      You need to configure your Analytics and Google Console profiles too. As to the redirect, you can use these lines in your .htaccess:

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^ [NC]
      RewriteRule ^(.*)$$1 [L,R=301,NC]

  29. Reply February 23, 2017 / 17:39 MartijnSiteGround Team

    Hi, It sounds really good,
    Just a question, if you say it supports SSL, does that mean it supports 3rd party EV SSL?

    • Reply February 24, 2017 / 00:59 Hristo PandjarovSiteGround Team

      Yes, it will work with any certificate.

      • March 1, 2017 / 02:22 MartijnSiteGround Team

        Yet, not in the free or plus version, just in the Business/Enterprise version?

      • March 2, 2017 / 02:36 Hristo PandjarovSiteGround Team

        It's in the free version, just set it to Full and use your certificate. However, endpoints will still be using the CF certificates. If you want to have one for them too, you need an enterprise acocunt with CloudFlare.

      • March 6, 2017 / 16:57 MartijnSiteGround Team

        What do you mean by end points?

      • March 7, 2017 / 08:23 Hristo PandjarovSiteGround Team

        There's one certificate handling the connection between our server and CloudFlare. Then, there's another, issued by CloudFlare for the connection between their servers across the world and your visitors. If you want the second one to be your certificate, you need to have an enterprise account with them.

  30. Reply February 24, 2017 / 06:37 techwebasiaSiteGround Team

    Not sure on which end is a issue but al users should consider that activating Cloud Flare with Lets Encrypt certificate may set your site down for hours. CF not initialize SSL automatically. They reserved time is 24 hours for that service to begin.

    • Reply February 27, 2017 / 00:57 Hristo PandjarovSiteGround Team

      If you activate CF for the first time, it's a normal propagation period that takes place. If you just enable SSL on a site working through CF, it should work right away, I've done it on tens of sites personally and didn't experience any downtime whatsoever. Manually cleaning the cache usually helps with such issues.

  31. Reply February 25, 2017 / 07:59 Ben TupperSiteGround Team

    Any recommendations for the Cloudflare memory leak / security issue recently written about on WP Tavern? The story is here:

    Thank you!

    • Reply February 27, 2017 / 00:55 Hristo PandjarovSiteGround Team

      No SiteGround customers are affected by this problem!

      • February 27, 2017 / 08:01 Ben TupperSiteGround Team

        Thanks for the reply!

  32. Reply February 25, 2017 / 23:51 Ryan RhoadesSiteGround Team

    So does this mean that our sites were negatively affected by this recent Cloudflare leak?

    • Reply February 27, 2017 / 01:01 Hristo PandjarovSiteGround Team

      Your sites are not affected in any way by the issues CloudFlare were experiencing.

  33. Reply March 8, 2017 / 08:59 RahulSiteGround Team

    Siteground is always on top of things. good just yall. Lifetime customer here

  34. Reply March 13, 2017 / 21:51 georgeSiteGround Team

    In the Cloudflare FAQ's and other places on their site they say that free plans don't support ssl on legacy browsers. Is this the case with Siteground's free or Plus Cloudlare plans? Will the older browsers work with ssl?


    • Reply March 14, 2017 / 01:35 Hristo PandjarovSiteGround Team

      There aren't differences in the compatibility. However, only archacic browsers do not support SNI thus the certificate provided by CF. You shouldn't really be concerned about this.

  35. Reply March 14, 2017 / 15:30 georgeSiteGround Team

    Thanks for the reminder about the SNI. Unfortunately, I must be concerned with IE8 support which is only partial for SNI (see caniuse). The site needs the widest possible availability in the poorest areas of the US. IE8 use is still significant in these areas.
    Thanks for your help nudging me to the SNI caniuse.

  36. Reply February 19, 2019 / 16:07 SriniSiteGround Team

    Hi Team,
    Can Cloudfare WAF track http sessions and protect against cookie injection and cookie tampering attacks?


* (Required)