As I’m writing this, I’m sitting at SeaTac waiting for my flight back from PNWPHP to board. One talk there inspired me to get AMP up and running on this blog…but more on that in another post. As part of that process, I figured, “What the heck, I’ve got CloudFlare set up on my site, which gives me HTTPS for free. I should force HTTPS for my entire (WordPress) blog. Which means I’ll get HTTP/2 acceleration for free as well (because CloudFlare does that), which Davey Shafik said was pretty awesome.”
My site has been available over HTTPS for a bit, as I set up CloudFlare a few months back, but the default protocol was HTTP, hitting my host directly. No geo-acceleration, no HTTPS, no HTTP/2.
The process to fix that issue was as follows:
- Install and enable this plugin to get HTTP Strict Transport Security (HSTS) headers everywhere.
- Update the WordPress Address and Site Address URLs at wp-admin/options-general.php so both use the https:// scheme.
- Wonder why my site was still loading insecure resources in a few places.
- Remove two 7+ year old plugins (a Creative Commons License widget and a favicon plugin) that didn’t use scheme-relative (or plain old HTTPS) links for their resources.
- Done!
I actually backported scheme-relative links to the Creative Commons widget, but then decided to remove the plugin entirely since it’s trivial and hasn’t been updated in years. I thought about doing the same for the favicon plugin, but I don’t have an interesting enough favicon to justify having the plugin installed at all, so it went away as well.
By the way, the WP admin panel works perfectly fine in this configuration…CloudFlare proxy included.
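A quick way to verify the two things the steps above configure, the HSTS header and stray http:// subresources left behind by old plugins, as an added example that is not part of the original post. It runs offline against a constructed sample page and header set; the example.invalid hostnames and paths are placeholders, not this blog's real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SUBRESOURCE_TAGS = {"script", "img", "iframe", "source", "video", "audio", "embed"}
LOADED_LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels a browser actually fetches

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, reference as written in the markup)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_TAGS:
            ref = attrs.get("src")
        elif tag == "link" and LOADED_LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            ref = attrs.get("href")
        else:
            return  # <a href="http://..."> is a navigation, not mixed content
        # urljoin resolves scheme-relative ("//host/x") and path-relative refs against the page URL
        if ref and urlsplit(urljoin(self.page_url, ref)).scheme == "http":
            self.insecure.append((tag, ref))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

def check_hsts(headers, min_max_age=31536000):
    """Validate a Strict-Transport-Security response header; returns (ok, reason)."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "header missing"
    directives = [d.strip().lower() for d in value.split(";")]
    ages = [d[len("max-age="):] for d in directives if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit():
        return False, "max-age missing or malformed"
    if int(ages[0]) < min_max_age:
        return False, f"max-age {ages[0]} below {min_max_age}"
    return True, "ok"

# Constructed sample page: a favicon plugin and a license badge still hard-code http://,
# while the scheme-relative stylesheet and root-relative script resolve to https.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="http://blog.example.invalid/wp-content/plugins/favicon/favicon.ico">
<link rel="stylesheet" href="//cdn.example.invalid/style.css">
<script src="/wp-includes/js/jquery.js"></script></head><body>
<a href="http://license.example.invalid/by/"><img src="http://license.example.invalid/badge.png"></a>
</body></html>"""
```

The check only sees the browser-facing leg: when CloudFlare fronts an origin that has no HTTPS of its own, the CloudFlare-to-origin hop is still plain HTTP, and nothing in a page or header scan will show that.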
Point being, switching to an HSTS-enabled, all-HTTPS site is dead simple, provided you don’t have…um…vintage plugins that assume HTTPS isn’t a thing, even if you’re starting from a web host that doesn’t support HTTPS itself:
- Set up CloudFlare.
- Install and enable the HSTS plugin.
- Update WordPress Address and Site Address URLs.
So, if you have a WordPress site that isn’t running 100% over HTTPS, what’s your excuse?