In this page I will teach you to do something you should never do. But... sometimes needs must, and the insane reason you are doing it should never be asked about.
In the situation where I needed to do this, I had a client who:
- Did not want to move from their (very low cost) web hosting.
- Could not enable HTTPS on their low cost web hosting.
- Needed or wanted their website to be HTTPS / SSL.
The usual easy way to add SSL to a website where the hosting or server can’t have an SSL certificate is to… chuck Cloudflare in front of it, tell Cloudflare to upgrade all connections to HTTPS, and set the origin server policy to relaxed/flexible.
Anything other than WordPress will work great. BUT! WordPress will start doing never-ending redirects and the admin page will start responding:
Error: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.
What happens is that the origin server (your server without HTTPS) serves the request and tells WordPress that the request came in via HTTP, while Cloudflare serves it to the visitor’s browser over HTTPS. BUT... the “set-cookie” header sent by WordPress contains a “nonsecure” cookie, which the browser will throw away as it’s now a secure website.
The solution is to find a way to force WordPress to add “secure” to the end of the set-cookie header.
wp-config.php may also need some lines added, shown further down (I know I need them, as I set my “WordPress Address” and “Site Address” to not have http or https).
The set-cookie header WordPress sends at this point:
set-cookie
wordpress_test_cookie=WP%20Cookie%20check; path=//www.example-wordpress-site.com/
The set-cookie header is missing “; secure” at the end so the browser ignores the cookie. The only way I could find to override this behaviour was to directly edit one of the WordPress files. I expect my modification will get undone the next time WordPress updates but I’m also not skilled enough at WordPress to know how to make a persistent plugin or similar.
In “wp-includes” edit the file “load.php” and find the line “function is_ssl() {” and replace the function block with:
function is_ssl() {
    // Always report HTTPS, regardless of how the request reached the origin.
    return true;
}
This forces WordPress to always think it is in https / SSL mode even if the request came in to the server via http. This now causes WordPress to always do “secure” cookies!
set-cookie
wordpress_test_cookie=WP%20Cookie%20check; path=//www.example-wordpress-site.com/; secure
You might be fine at this point but my setup had one further problem…
You can see the “path” is corrupted, probably because WordPress doesn’t know how to handle a site URL without http or https, so it puts //www.example-wordpress-site.com/ as the path. This means the browser STILL throws away the cookie. These lines in wp-config.php fix that:
define('ADMIN_COOKIE_PATH', '/');
define('COOKIE_DOMAIN', '');
define('COOKIEPATH', '');
define('SITECOOKIEPATH', '');
This causes WordPress to instead send the set-cookie without the path:
set-cookie
wordpress_test_cookie=WP%20Cookie%20check; secure
Job done.. until something undoes my load.php modification.
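An update-safe alternative to editing load.php, as an added example that is not part of the original post: set $_SERVER['HTTPS'] from the proxy's headers in wp-config.php, so the stock is_ssl() returns true on its own. The helper name example_visitor_used_https is hypothetical, and the code assumes every request reaches the origin through Cloudflare, which sends X-Forwarded-Proto and CF-Visitor.

```php
<?php
// Added example for wp-config.php: paste the body (without the opening tag)
// above the line that loads wp-settings.php.
// Assumption: the origin only accepts traffic from the proxy. These are plain
// request headers, so a client that can reach the origin directly can set them.

/**
 * Hypothetical helper: true when the proxy reports that the visitor used HTTPS.
 */
function example_visitor_used_https(array $server): bool
{
    // X-Forwarded-Proto may be a comma-separated chain; the first entry
    // describes the hop closest to the visitor.
    if (!empty($server['HTTP_X_FORWARDED_PROTO'])) {
        $hops  = explode(',', $server['HTTP_X_FORWARDED_PROTO']);
        $first = strtolower(trim($hops[0]));
        if ($first === 'https') {
            return true;
        }
    }

    // CF-Visitor is a small JSON object such as {"scheme":"https"}.
    if (!empty($server['HTTP_CF_VISITOR'])) {
        $visitor = json_decode($server['HTTP_CF_VISITOR'], true);
        if (is_array($visitor) && ($visitor['scheme'] ?? '') === 'https') {
            return true;
        }
    }

    return false;
}

// is_ssl() in wp-includes/load.php reads $_SERVER['HTTPS'], so setting it here
// has the same effect as the load.php edit but survives WordPress updates.
if (example_visitor_used_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}
```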
The far better solution is to move to some better hosting which allows Let’s Encrypt!