Categories: Hosting News

Cloudflare HTTPS and WAF Update

Since we launched our integration with Cloudflare in 2012 we have seen thousands of our customers benefit from its CDN and the site security functionalities. Today we are happy to announce two improvements in the Cloudflare packages we provide. First, the SSL is now supported in the free plan of the service. Second, we have included a very cool security feature - the Cloudflare Web Application Firewall, in our Plus plan.

Free SSL support is now available in all plans

This has been the most requested feature by our Cloudflare users over the last year. We have been working actively to increase the SSL usage on our servers during the last months. That is why we are very happy to provide the SSL support in our free Cloudflare plan. Now any customer of SiteGround can use both a SSL certificate and Cloudflare without additional charge. You only need to switch on the SSL option in our Cloudflare interface.

We recommend setting the SSL support to Flexible if you do not have SSL certificate issued for your domain, or to Full Strict if you have a SSL certificate issued. To learn more about the differences of the SSL settings you can refer to our Cloudflare tutorial.

Cloudflare WAF is now part of our Cloudflare Plus plan

Now our Cloudflare Plus users can benefit from the unique protection of the Cloudflare Web Application Firewall. Thus their websites will be protected by the rules added each day to react to all major recent vulnerabilities that affect applications such as WordPress, Magento, Drupal, PHP, Joomla, and other. Cloudflare WAF prevents automated attacks, SQL injection, XSS javascript injections, posts containing common spam words, cross-site scripting, etc. It provides protection against the Top 10 vulnerabilities identified by OWASP, leverages the collective intelligence of Cloudflare users, and also gives you the opportunity to supply your own WAF rules. It does not require any additional hardware or software installs. Being based on a really huge user base, Cloudflare WAF is an extremely effective protection tool that we highly recommend to any website owner.

You can switch on the WAF through your cPanel. To learn more about its settings visit our CloudFlare tutorial.

Hristo Pandjarov: Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

View Comments

      • I activated on my site. But there's no any change in PageSpeed Insights and GTmetrix scores. They are same as they were before.

        • It depends on the actual site how much it will be affected. In addition, note that having a CDN makes your site equally fast from all over the world and not only the particular continent where the data center is.

  • Hi, this is great =)

    I have a question though. I use a non www canonical address. Instead Cloudflare works only with www, if I'm not mistaken. Is it enough for me to set a forward page rule? And how can I do that?

    • You need to configure your Analytics and Google Console profiles too. As to the redirect, you can use these lines in your .htaccess:

      RewriteEngine on
      RewriteCond %{HTTP_HOST} ^example.com [NC]
      RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]

  • Hi, It sounds really good,
    Just a question, if you say it supports SSL, does that mean it supports 3rd party EV SSL?

        • There's one certificate handling the connection between our server and CloudFlare. Then, there's another, issued by CloudFlare for the connection between their servers across the world and your visitors. If you want the second one to be your certificate, you need to have an enterprise account with them.

        • It's in the free version, just set it to Full and use your certificate. However, endpoints will still be using the CF certificates. If you want to have one for them too, you need an enterprise acocunt with CloudFlare.

  • Not sure on which end is a issue but al users should consider that activating Cloud Flare with Lets Encrypt certificate may set your site down for hours. CF not initialize SSL automatically. They reserved time is 24 hours for that service to begin.

    • If you activate CF for the first time, it's a normal propagation period that takes place. If you just enable SSL on a site working through CF, it should work right away, I've done it on tens of sites personally and didn't experience any downtime whatsoever. Manually cleaning the cache usually helps with such issues.

  • In the Cloudflare FAQ's and other places on their site they say that free plans don't support ssl on legacy browsers. Is this the case with Siteground's free or Plus Cloudlare plans? Will the older browsers work with ssl?


    • There aren't differences in the compatibility. However, only archacic browsers do not support SNI thus the certificate provided by CF. You shouldn't really be concerned about this.

  • Thanks for the reminder about the SNI. Unfortunately, I must be concerned with IE8 support which is only partial for SNI (see caniuse). The site needs the widest possible availability in the poorest areas of the US. IE8 use is still significant in these areas.
    Thanks for your help nudging me to the SNI caniuse.