Wix doesn't support HTTPS. Here's how to fix that for free in five minutes.

Tom Chantler
The quick Wix fix for kicks

Summary

UPDATE 2017-09-27: FRIEND'S WEBSITE GONE AND WIX SSL INSTRUCTIONS MOVED. My friend's website was for a specific event and was not renewed, so now it is owned by someone else and points somewhere else. So don't bother visiting it. For updated Wix SSL instructions, check here: https://support.wix.com/en/article/about-ssl-and-https. Also, be aware that I am not renewing my Wix subscription, so https://tomgetsfit.com will not point to my Wix site from 2017-10-25.

UPDATE 2017-02-02: WIX NOW SUPPORT FREE SSL VIA LET'S ENCRYPT. This is great news. They have instructions here: https://support.wix.com/en/article/request-adding-an-ssl-certificate-https-to-your-site

UPDATE 2016-12-04: THIS WORKS FOR SOME DOMAINS. If I was paranoid (and maybe had delusions of grandeur), I'd wonder if Wix had read this article and had stopped this from working on purpose. Why would I wonder that? Well, the two domains I mention here don't work as I described, whereas others still do. As of now, I've turned off all of the CloudFlare stuff and https://www.fullcyclechallenge.co.uk and https://www.tomgetsfit.com each issue a 301 permanent redirect to HTTP, whereas a couple of other sites belonging to my friends still show the incorrect certificate challenge as described by Wix in their support documentation. Why has this changed? I have no idea.

UPDATE 2016-11-15: THIS IS NOW WORKING AGAIN. I guess Wix are experimenting with some stuff around SSL as this is now working again, but the wildcard certificate they issue now references .wixanswers.com, which is not the same as it was before. Before trying it yourself, check if it is still working by trying to visit https://www.fullcyclechallenge.co.uk.

UPDATE 2016-11-14: Wix have changed something and this does NOT work any longer. Read the comments thread below for more information. If I can get it working again I'll update the article.

If you've got a Wix website (and quite a lot of people have), then you are almost certainly not serving it over HTTPS because Wix don't support SSL. This is not ideal, but I have a simple way to fix that so you can turn this
Chrome Grey Address Bar
and this
Chrome Red Address Bar
into this
Chrome Green Address Bar

What's more, it should only take you about five minutes of effort to do it (although you may need to wait slightly longer than that for DNS propagation and for your free SSL certificate to be provisioned, but there won't be any downtime).

I should mention (and you will see if you click the Wix link above) that any payments made through your Wix site are said to be made securely and I have no reason to doubt that statement (they must not go via your personal domain). I don't have an axe to grind with Wix, I just want everyone to serve their websites securely. I'm hardly unique in that respect: Google have been giving a rankings boost to HTTPS for over two years.

Before you ask, I'm not going to tell you how to remove the Wix branding and use a custom domain without paying for those features, although that would be easy and could also solve the SSL problem. However, it would be a bit unfair to Wix and would also violate their terms and conditions.

This isn't about doing anything naughty, it's about providing missing functionality.

If you follow my instructions you won't be violating Wix's terms and conditions. This is important.

Background

If you've got a website from Wix then you can't serve it over HTTPS because they only have a generic wildcard SSL certificate. In other words, you could serve it over HTTPS, but this would happen:

Chrome Connection Warning

Actually, let's not use that joke website[1], let's use a real one belonging to a friend of mine.

An aside about pancreatic cancer

A few years ago, one of my friends (we used to train together in the gym) died of pancreatic cancer. His name was Lee Price. We also have another family friend who has lost three members of her family to the disease, including her partner. A few weeks ago she and a friend successfully cycled, climbed, swam and ran 750 miles in seven days to increase awareness of the disease and to raise money for Pancreatic Cancer Action. You can read about it at https://www.fullcyclechallenge.co.uk. That's the Wix website we're going to fix. Have a look at the website. If you want to make a donation you can do so via the link at the bottom of the page, or directly via https://www.justgiving.com/fundraising/fullcyclechallenge. If you don't want to make a donation, that's completely fine too.

A quick note about default behaviour in Wix

The default behaviour for a Wix website is as follows (with my interpretation in italics):

  • Requests to http://domain.com are redirected to http://www.domain.com (it adds www.) via an HTTP 301 redirect - that's okay
  • Requests to https://www.domain.com result in the browser privacy warning shown above - that's not really okay
  • Requests to https://domain.com fail (possibly with a time out) - that's definitely not okay

We're going to change that so that all of the above result in a 301 redirect to https://www.domain.com with the path and query string preserved.

Procedure for adding SSL support to a Wix website for free

This article assumes you have a Wix premium plan and that you've already connected your domain.

Overview

To do this you need to use CloudFlare as your DNS host (i.e. your name servers will be CloudFlare and they will host your DNS records). This is free and simple to set up. Then you need to activate SSL with CloudFlare and set a couple of page rules. This is all free and is explained (in considerable detail) below.

Sign up with CloudFlare

Go to CloudFlare and create an account (don't worry, we're going to use the free account).

Add domain

Log in to CloudFlare and click + Add Site (top right). Enter your domain, click Begin Scan and wait about a minute, during which time it should look like this:

Scanning a new domain in CloudFlare

Once the progress bar is replaced by a green Continue Setup button, click it.

Check DNS Settings

Now make sure the status clouds are orange (they should be by default). You should get something (very much) like this (I have changed the values to be those for tomgetsfit.com).

One of the many benefits of CloudFlare is that your root IP address is concealed. The actual A record for tomgetsfit.com points to the IP address 23.236.62.147 as you can see below, but if you check the address via ping or whois, you go via CloudFlare and get one of their IP addresses instead (I got 104.27.130.101 when I tried it just now). tomgetsfit.com is only a test site, so it doesn't matter that I just told you the IP address.

Orange clouds

Once all of the clouds are orange, click the green Continue button and choose the free plan (and perhaps marvel at the starting price of the Enterprise plan).

CloudFlare Free Plan

Change name servers

Next you will be instructed to change your name servers.

Change Nameservers

You need to change your name servers to be whichever ones were assigned by CloudFlare. They'll be of the format nnnn.ns.cloudflare.com. If you don't know how to do this, read this CloudFlare support document and choose the instructions for your registrar. This is probably the hardest part of the entire procedure.

Remember that name server changes can take 24 hours (but generally don’t).

UPDATE: 2016-11-07

NOTE: If you purchased your domain through Wix then they will not allow you to change your nameservers. This means that you will need to transfer your domain to use another registrar using these instructions. If you registered (or transferred) your domain in the last sixty days, you cannot transfer it. That's an ICANN rule. Thanks to Andres for bringing this to my attention (see the comments thread below).

Once you've changed your name servers, come back to CloudFlare and click Continue. You will be taken to the Overview where you will probably see something like this:

Pending Name server Change

Click Recheck Nameservers and soon you will see this instead:

CloudFlare Active

Set up SSL

Now click on the Crypto menu item:

Crypto menu in CloudFlare

Choose SSL → Full.

CloudFlare SSL settings

This means that traffic will be encrypted between the browser and CloudFlare and also between CloudFlare and Wix. It will use the *.wix.com certificate, but it won't validate it (in other words, it won't complain about the name mismatch). This means all traffic is encrypted, which is good because it means that all parts of the route are covered and nobody can inspect (or, more importantly, tamper with) any of your traffic. In theory, this is not entirely secure as somebody could hijack your traffic (by inserting their own SSL certificate, since CloudFlare aren't validating it), but using CloudFlare in the way I've described is actually okay for lots of reasons (e.g. since CloudFlare acts as a content delivery network, a lot of traffic is served from their cache so it actually is encrypted with a valid certificate throughout the entire network). It would take a long time to list the reasons why using SSL → Full is safe and, as luck would have it, Troy Hunt has already spent that time and written quite a lengthy article about why it's okay.
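The name mismatch behind the browser warning in the Background section, and what SSL → Full skips on the CloudFlare-to-Wix hop, as an added example that is not part of the original article. It is a simplified model of RFC 6125-style wildcard matching; the function names and result strings are made up for illustration, and the certificate chain itself is assumed to be valid.

```python
def name_matches(cert_name, host):
    """True if a certificate name covers host.

    '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.wix.com' covers 'www.wix.com' but not
    'wix.com', 'a.b.wix.com' or any customer domain.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[1:] != host_labels[1:]:
        return False
    first = cert_labels[0]
    if first == "*":
        # Refuse wildcards directly under a top-level label ('*.com').
        return len(cert_labels) >= 3 and host_labels[0] != ""
    return "*" not in first and first == host_labels[0]


def origin_link(cert_names, host, validate):
    """Describe one TLS hop for a client that does or does not validate names."""
    if not validate:
        # What the text describes for SSL -> Full: the hop is encrypted,
        # but whoever answers with any certificate is accepted.
        return "encrypted, origin not authenticated"
    if any(name_matches(name, host) for name in cert_names):
        return "encrypted, origin authenticated"
    return "rejected: certificate name mismatch"


WIX_CERT_NAMES = ["*.wix.com"]          # certificate name given in the text
SITE = "www.fullcyclechallenge.co.uk"   # site used in the article

if __name__ == "__main__":
    print("browser, direct to Wix:", origin_link(WIX_CERT_NAMES, SITE, validate=True))
    print("non-validating hop:    ", origin_link(WIX_CERT_NAMES, SITE, validate=False))
```
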

And remember, Wix told us the payment bit was secure (as it presumably goes to subdomain.wix.com or similar), so we're not involving that in our changes. It's all okay.

There's no reason to suppose that they will but, if Wix ever break their incomplete SSL implementation, you may need to revert to SSL → Flexible (and that would also be a good time to read Troy Hunt's blog post).

Remember to clear the SSL state from your browser

Web browsers cache SSL certificates. If you've just changed the SSL certificate for a particular site, you might not see your new certificate. Generally speaking, if you're not seeing what you're expecting to see, you should clear the SSL state of your browser.

If things don't work properly after changing an SSL certificate, try clearing the SSL state of the browser.

In Chrome go to Settings → + Show advanced settings → Network → Change proxy settings.... This will show the Internet Properties dialog box.
Now click on the Content tab and choose Clear SSL state to empty the cache of any SSL certificates.

I'm super-lazy[2], so I press Win and then type "int opt" and then press return as that selects Internet Options. Then I click on the Content tab and Clear SSL state as before.

Caching and Developer Mode

Before you set up your CloudFlare page rules (which is the next step) it will make life much easier if you enable Development Mode first, to make sure it isn't caching anything.

Click on the Caching menu item:

CloudFlare Caching Menu

And scroll down and enable Development Mode:

CloudFlare Caching Development Mode

It will turn itself off after a few hours.

Create CloudFlare Page Rules

Once your free SSL certificate has been created and you can visit your website using HTTPS and see the green padlock (in Chrome) then it's time to fix the default behaviour we complained about earlier. Namely, to force all traffic to go via HTTPS and to add in www. automatically if it's absent.

You need to create two page rules.

Click on the Page Rules menu item:

CloudFlare Page Rules

First create a Forwarding URL to perform a 301 - Permanent Redirect on all traffic matching the pattern http://www.fullcyclechallenge.co.uk/* to send it to https://www.fullcyclechallenge.co.uk/$1 (the $1 part means it will preserve the path and query string represented by the * in the matching pattern). Like this:

CloudFlare Page Rule to redirect HTTP traffic

And the other rule is almost identical, except the pattern to match should not include the protocol or the www subdomain. In other words, just remove http://www. from the front.

Page Rule to redirect naked domain to www

Specifically, create a Forwarding URL to perform a 301 - Permanent Redirect on all traffic matching the pattern fullcyclechallenge.co.uk/* to send it to https://www.fullcyclechallenge.co.uk/$1

By choosing a 301 redirect, we're telling everybody (including search engines) that they used the wrong URL. This helps SEO as you won't have links to http, https, www. and domain.com versions of the same pages.
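A way to dry-run the two page rules before relying on them, as an added example that is not part of the original article. It is a simplified model rather than CloudFlare's implementation, and it assumes that `*` matches any run of characters, that `$1` is the first wildcard's text, and that a pattern with no protocol applies to both http and https on that exact host only; the `/donate?ref=...` URL and the loose rule set are constructed.

```python
import re

# The two rules from the text: (pattern to match, forwarding URL).
RULES = [
    ("http://www.fullcyclechallenge.co.uk/*", "https://www.fullcyclechallenge.co.uk/$1"),
    ("fullcyclechallenge.co.uk/*", "https://www.fullcyclechallenge.co.uk/$1"),
]

# Constructed misconfiguration: a leading wildcard also matches the www host,
# so the redirect target matches its own rule.
LOOSE_RULES = [
    RULES[0],
    ("*fullcyclechallenge.co.uk/*", "https://www.fullcyclechallenge.co.uk/$2"),
]


def _compile(pattern):
    """Turn a page-rule pattern into a regex over the whole URL."""
    scheme = "" if "://" in pattern else r"https?://"
    body = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(scheme + body, re.DOTALL)


def apply_rules(url, rules=RULES):
    """Return the 301 target for url, or None when no rule matches."""
    for pattern, target in rules:
        match = _compile(pattern).fullmatch(url)
        if match:
            for index, text in enumerate(match.groups(), start=1):
                target = target.replace(f"${index}", text)
            return target
    return None


def follow(url, rules=RULES, limit=5):
    """Follow redirects until no rule matches; raise if they loop."""
    hops = [url]
    while (nxt := apply_rules(hops[-1], rules)) is not None:
        if nxt in hops or len(hops) > limit:
            raise RuntimeError("redirect loop: " + " -> ".join(hops + [nxt]))
        hops.append(nxt)
    return hops


if __name__ == "__main__":
    for start in ("http://fullcyclechallenge.co.uk/donate?ref=a%20b",
                  "https://fullcyclechallenge.co.uk/",
                  "http://www.fullcyclechallenge.co.uk/"):
        print(" -> ".join(follow(start)))
```

The final HTTPS www URL matches neither rule, which is what stops the chain after one hop; `follow(url, LOOSE_RULES)` raises on the same input because the loosened pattern matches its own target.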

Done

At this point, everything is now complete. We've gone from this:

Insecure Full Cycle Challenge

to this:

Full Cycle Challenge via HTTPS

At the time of writing, my friend had set up the SSL certificate, but not the page rules. So https://www.fullcyclechallenge.co.uk/ works fine, but the automatic redirects don't. I'll update the article when that change is made but, in the meantime, to see the page rules in effect you can check out my test website. All of the following are automatically redirected to https://www.tomgetsfit.com/

http://tomgetsfit.com/
https://tomgetsfit.com/
http://www.tomgetsfit.com/

Conclusion

All web content should be served securely. Wix doesn't support HTTPS but, by spending five minutes, you can fix that for yourself. Since we know that, amongst other benefits, serving pages over HTTPS gives you a search engine rankings boost, then consider this some free SEO. You're welcome.

If you found this article interesting or useful (or neither), you can comment below, subscribe (I daresay you've just seen a pop-up of some kind suggesting you might like to do so) or follow me on Twitter (I'll probably follow you back).



  1. The title wasn't meant to be a joke when I registered the domain, but these days I spend a lot more time sitting at my desk than I do getting fit. ↩︎

  2. Apart from spending innumerable hours writing these articles. ↩︎

