CloudFlare provides integrations for several of the most popular hosting control panels and billing systems such as WHMCS, cPanel, and Plesk. Each of these integrations provide a simple interface for our partners’ customers to sign-up for CloudFlare and start adding domains almost immediately.

But what about partners that use more than one system? The best experience occurs when we can get our integrations talking to each other, as our recently updated WHMCS and cPanel plugins do.

All of our hosting integrations speak directly to CloudFlare through our host API. With just a single click, the integration passes the necessary information for CloudFlare to create an account and provision the domain. We respond when the provisioning completes, and the integration finishes the setup by making the necessary changes locally (adding and adjusting several DNS records) to route traffic to the domain through CloudFlare.

This makes signing up through a hosting partner integration even easier than signing up directly with CloudFlare. These proven systems make DNS changes accurately in order to save a lot of headaches.

Many hosting companies expose two different applications to their customers: a billing system and a hosting control panel. The former allows customers to manage their billing information and the products they have purchased; the latter is used to configure hosting products such as accessing files, managing DNS, adding email addresses, and setting up a database.

Hosting partners that use both WHMCS (billing) and cPanel (hosting), commonly ask, “Which integration should I use?” In the past, we have recommended the cPanel integration, because cPanel manages the DNS records for a domain. Domains added through cPanel can be set up in one click, whereas WHMCS required presenting instructions to the end-user on finishing the configuration.

WHMCS, as a billing system, handles auto-provisioning for a variety of hosting control panels, including cPanel. When configured, WHMCS will automatically set up new accounts in cPanel once the order is complete.

We join in this auto-provisioning, and immediately after CloudFlare is added, we send requests from WHMCS to the cPanel account to set up a CloudFlare account as well. The exact setup breaks down to a few easy steps:

1. Send a request from WHMCS to cPanel logging in as the cPanel user. This returns an access token for the user that we can use in subsequent requests to act as the user.

2. Send a second request with the access token simulating the action that a user would have performed if signing up through cPanel.

This action has the added benefit of not only setting the domain to run on CloudFlare, but it also sets up our cPanel plugin to show the domain as orange clouded and provides the options to manage many CloudFlare settings through cPanel.

Analogous to how CloudFlare stands between web servers and web visitors, we’re using cPanel between WHMCS and our API to make it easy for our partners’ customers to add CloudFlare to any new cPanel hosting account at the point of purchase!

(Note: only CNAME or partial setup added in WHMCS currently provisions through cPanel.)

The latest version of our WHMCS integration can be downloaded here. Installation requires a partner API key. New partners can apply at https://www.cloudflare.com/certified-partners.

For technical questions related to our integrations, please email us at partnersupport@cloudflare.com.

As many are aware, CloudFlare launched Universal SSL several months ago. We saw lots of customers sign up and start using these new, free SSL certificates. For many customers that didn’t already have an SSL certificate, they were able to use “Flexible SSL”.

Flexible SSL creates a secure (HTTPS) connection between the website visitor and CloudFlare and then an in-secure (HTTP) connection between CloudFlare and the origin server. For any site using absolute links to assets (i.e. javascript, css, and image files), this can lead to a “Mixed Content” error.

What is “Mixed Content”? This can be understood as mixed protocol. When the webpage is loaded over SSL (HTTPS protocol), most browsers expect all of the assets to be loaded over the same protocol. Some browsers will display an error about loading “insecure content” while others will just block the insecure content outright.

This error only applies to pages loaded over SSL, since the browser is working to make sure that secure pages only load equally secure assets.

The latest version of the CloudFlare plugin for Wordpress works to resolve a lot of these errors by altering the protocol within the links to assets. Where currently your Wordpress site may link to your stylesheet like this:

http://www.example.com/wp/wp-content/themes/twentyfifteen/style.css?ver=4.1

We’ll remove the “http:” part to make this into a relative protocol:

//www.example.com/wp/wp-content/themes/twentyfifteen/style.css?ver=4.1

A further update to this rewriting doesn’t enable this rewriting for canonical URLs, since Google and other search engines expect this to be an absolute URL. Google also recommends securing your site with SSL, and being able to enable Flexible SSL is a great way to achieve this SEO boost!

A relative protocol //www.example.com tells your browser to load the asset over the same protocol as the main page. If your site loads over HTTPS, then the browser will try to load the asset over HTTPS as well. (In other words, NOT mixed. Everything is over HTTPS!)

This approach has no negative side effects for customers who don’t enable SSL (or who have traffic visit over HTTP as well as HTTPS), since if the page is loaded over HTTP, the assets will be loaded on the same protocol.

Protocol rewriting is on by default in our current version of the Wordpress plugin, so you should be able to enable Flexible SSL on your account and have traffic go to https://www.yourdomain.com.

CloudFlare recommends also adding a page rule for http://www.yourdomain.com* that redirects all traffic to HTTPS (assuming that Wordpress is set up for the WWW subdomain and isn’t within a directory on your domain).

With these two changes we can secure all traffic to your Wordpress site between the customer and CloudFlare’s server.

While this improvement should allow many Wordpress users to enable Flexible SSL without any other changes to their website, there are a few items to consider:

If after upgrading to the latest version of the Wordpress plugin, you still get “Mixed Content” errors, it’s likely that a plugin you are using adds assets to the site though javascript. The ways and methods to do this vary greatly, so it’s not currently possible to catch all of these instances. Plugin developers are encouraged to link to assets relatively or use Wordpress’s built-in methods for adding assets to the page.

It’s also important to note the limitation of Flexible SSL. For websites that collect credit cards and other secure information, it’s important to secure this information from the customer all the way to your server, so we recommend using Full SSL and having an SSL certificate on your server because this also secures the traffic between CloudFlare and your origin.