Thanks to a suggestion from a friend on social media, both the WordPress sites I installed are accessible, showing as secure and I can log in to the admin panels. The solution? Disabling Cloudflare. I could then redirect www to the bare domain, where the SSL certificate lives and all the redirect issues went away. The only reason I opted to use Cloudflare was habit: I run some other sites through it purely to pick up the free SSL certificate they provide, nothing else.
Step 1 of many seems to be complete. I now have a lot of reading to do - and a blog theme to select!