For me CloudFlare was a solution on WP 4.0.1 MU. It was a bit of a quest, so it’s hard to recapitulate exactly, but my best guess is the following:
- Add site to CloudFlare
- Install the CloudFlare WordPress Plugin.
- Install the WordPress HTTPS (SSL) plugin
- Install CloudFlare Flexible SSL plugin
- If you want to force SSL on your entire site you then can add the page rule ‘*yourdomain.tld/*’ to the settings of your domain in CloudFlare.
For more info, check the plugin pages (install/FAQ) and this tutorial.
I was able to solve this issue by forcing all logins and all admin sessions to happen over SSL.
See this section in the Codex: codex.wordpress.org/Administration_Over_SSL
I added this code to wp-config.php and it instantly worked:
define('FORCE_SSL_ADMIN', true);
if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
$_SERVER['HTTPS']='on';