You’re using Cloudflare with flexible SSL and your visitors can view your site “securely”. However; for some reason, (and you’ve tried “everything” including CF plugins) you are still unable to login to WordPress and WP Admin using HTTPS.
Hopefully the solution below will work for you.
Warning – solutions to avoid:
The claimed solutions I Googled (for “HTTPS login”, “infinite loop”, “too many redirects” or “page not found”) simply redirect your browser to an insecure HTTP login page. i.e. adding code to do what you can already do yourself – enter an “http://” address for “wp-login” in your browser. Your login credentials are just as insecure either way.
The solution that worked for me:
Edit: I’ve added some comments at the bottom of this page about a WordPress Plugin that might also provide a solution.
A single line edit of “wp-config.php” to insert the following code:
if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) $_SERVER['HTTPS']='on';
I added it just below the “define” statements at the top of wp-config.php n.b. (Caveat: I make no guarantee that it won’t break your site).
I tried various Cloudflare and CF plugin settings, but doing the above was the only solution that worked for me (add a comment to let me & others know whether or not it worked for you).
N.B. flexible SSL is not “full” SSL. Under HTTPS your login credentials will be encrypted between you and Cloudflare and so more secure. But if you are a user of their free service then the connection between Cloudflare and your server is probably HTTP and still open to potential eavesdropping.
If you have a decent host it is also possible to make the Cloudflare<->Server leg secure at no cost. I’ll add an article about that, once I’ve confirmed the details.
Tip: If your site also has mixed content issues then these can probably be solved by installing the official Cloudflare plugin and switching its “Automatic HTTPS Rewrites” setting to “On”.
How did I find the solution?
By chance when researching another project.
It is in the WordPress Codex and is part of suggested code to avoid redirect loops when forcing SSL login!
When only able to login under HTTP, the last place most of us would have looked for a solution would have been an article on how to block HTTP login (and lock ourselves out)!
A possible plugin solution
If you have edited WordPress/Theme files before then the above solution is probably better – it uses minimal resources and is not dependent continued support and maintenance by a plugin author. If you are unhappy DIYing (mistakes could break your site) then:
The Really Simple SSL plugin’s description indicates it might solve your login problem. I’ve not tried it, but you can ask the question on the plugin’s support forum. Note: most reviews are positive, but a small proportion of reviewers claim the plugin broke their websites.
If the plugin does solve your issues, then please let other readers know via comments below.