This Indonesian digital advertising company which is a sister company of big ISP provider in Indonesia implements a disgusting move: it injects a
js-based ad to any site which is accessed using its parent company’s network1.
I don’t actually know the actual method of the ad-injecting code. My best guess is it’s a kind of man in the middle attack which injects a code instead of eavesdropping to your unencrypted request. While its unethical move to inject an ad to a paid internet connection has already disgusted me, what disgusts me to another level is knowing that this js-based code injection might cause failures to some of your site’s functionality. It costs me some hours for debugging recently.
With these incident in mind, I think it’s time to use
SSL to prevent this disgusting ad injection practice. Theoretically, it’ll be hard for this unethical ISP and ad company to inject an ad code if the web page is transferred using
I’m using CloudFlare and WordPress Multisite (It’s not this site, the use case for this tutorial is my employer’s site which I did earlier today). Apparently, wildcard SSL certificate is quite costly (USD 100-ish to USD 1,500-ish). Moreover, I don’t empirically know whether using
https will stop the ad injection yet (at the moment). Hence I came up with a faster and cheaper solution: use Cloudflare’s free flexible SSL.
Assuming that you’ve already used CloudFlare for your WordPress site, here’s how I did it:
1. Activate Flexible SSL
Activate flexible SSL from
CloudFlare settings >
Settings Overview tab > Scroll down to
SSL option. Select Flexible SSL
2. Configure WordPress https plugin
I’m using WordPress multisite with small amount of sub-sites and intend to force all page to use https. Hence I install + activate WordPress https plugin on multisite level then thick the
Force SSL Admin2:
This will force all dashboard pages to use https (all
http request will be redirected to
https automatically). To force all public-facing pages to use https, we need to filter the plugin’s setting a bit:
3. Install and Activate CloudFlare Flexible SSL Plugin
Everything works well until step no.2. However, minutes later my colleagues who has lower user roles account (basically below super admin role) reported that after they logged in, they couldn’t access the dashboard and greeted by
you-don’t-have-permission-to-see-this-page message. I think this happens due to CloudFlare’s flexible SSL which actually access origin server using unencrypted request3. Fortunately, installing and activating CloudFlare Flexible SSL plugin fixes this bug.
4. The Result
After using https, the ad-code is no longer there:
It works quite well, so far.
That’s basically how I implemented CloudFlare’s flexible SSL in WordPress Multisite. I hope it helps.