The Why

This Indonesian digital advertising company which is a sister company of big ISP provider in Indonesia implements a disgusting move: it injects a js-based ad to any site which is accessed using its parent company’s network1.

an ad in wikipedia. since when?
An ad in wikipedia. WTF?
here comes the unethical ad code
Here comes the unethical ad code

I don’t actually know the actual method of the ad-injecting code. My best guess is it’s a kind of man in the middle attack which injects a code instead of eavesdropping to your unencrypted request. While its unethical move to inject an ad to a paid internet connection has already disgusted me, what disgusts me to another level is knowing that this js-based code injection might cause failures to some of your site’s functionality. It costs me some hours for debugging recently.

With these incident in mind, I think it’s time to use https and SSL to prevent this disgusting ad injection practice. Theoretically, it’ll be hard for this unethical ISP and ad company to inject an ad code if the web page is transferred using https.

The How

I’m using CloudFlare and WordPress Multisite (It’s not this site, the use case for this tutorial is my employer’s site which I did earlier today). Apparently, wildcard SSL certificate is quite costly (USD 100-ish to USD 1,500-ish). Moreover, I don’t empirically know whether using https will stop the ad injection yet (at the moment). Hence I came up with a faster and cheaper solution: use Cloudflare’s free flexible SSL.

Assuming that you’ve already used CloudFlare for your WordPress site, here’s how I did it:

1. Activate Flexible SSL

Activate flexible SSL from my-websites > CloudFlare settings > Settings Overview tab > Scroll down to SSL option. Select Flexible SSL

CloudFlare SSL Setting
CloudFlare SSL Setting

2. Configure WordPress https plugin

I’m using WordPress multisite with small amount of sub-sites and intend to force all page to use https. Hence I install + activate WordPress https plugin on multisite level then thick the Force SSL Admin2:

WordPress HTTPS Plugin Setting
WordPress HTTPS Plugin Setting

This will force all dashboard pages to use https (all http request will be redirected to https automatically). To force all public-facing pages to use https, we need to filter the plugin’s setting a bit:

3. Install and Activate CloudFlare Flexible SSL Plugin

Everything works well until step no.2. However, minutes later my colleagues who has lower user roles account (basically below super admin role) reported that after they logged in, they couldn’t access the dashboard and greeted by you-don’t-have-permission-to-see-this-page message. I think this happens due to CloudFlare’s flexible SSL which actually access origin server using unencrypted request3. Fortunately, installing and activating CloudFlare Flexible SSL plugin fixes this bug.

4. The Result

After using https, the ad-code is no longer there:

BEFORE: Using http. There's an ad code injected
BEFORE: Using http. There’s an ad code injected
AFTER: Using https. No ad code found
AFTER: Using https. No ad code found

It works quite well, so far.


That’s basically how I implemented CloudFlare’s flexible SSL in WordPress Multisite. I hope it helps.

  1. See the site’s footer and you’ll know what the ISP company is 

  2. This will save lots of time instead of manually hack your settings 

  3. Actually, you can set https connection from CloudFlare to origin server, but that’s for another post 

3 thoughts on “Implementing CloudFlare’s Flexible SSL for WordPress Multisite

  1. Does this work with subdomain and domain mapping. Will i automatically get ssl on subdomains and mapped domains on multisite?

  2. […] Nginstall (free) SSL via Let’s Encrypt. Ngesetup Let’s Encrypt di Cloudways ini literally cuman klik doang. Setelah itu tinggal install WordPress plugin untuk nge-force redirect semua kunjungan HTTP ke HTTPS. It’s way safer to use HTTPS and screw you, Telco’s intrusive ads. Bye bye. […]

Share Your Thought