Last week, an unexpected bug made headlines as Cloudflare experienced a massive data leak. Cloudflare explained in great detail what caused the problem and claimed that it is now fixed, but the bug left sensitive data from many websites exposed. If you own your own WordPress site, you might wonder if your data is safe. Here’s how to find out.

What is Cloudflare?

Recent security issues aside, Cloudflare is a handy tool that offers easy DNS (domain name system) management. DNS is essentially the Internet’s phone book, directing Internet traffic to the proper place. When you visit a website, your browser consults DNS entries to find out where the data for a particular web page is stored. When you send an email, your email client consults DNS entries to find out what mail server to use. If you use FTP to upload and download files, your FTP client consults DNS entries to find out where to send or retrieve data.

Cloudflare makes it easy to modify these entries, and it also provides a system to manage them. Some web hosts change DNS entries frequently, and Cloudflare can keep up with the changes so you don’t have to manually update your DNS settings every time your web host makes a change.

That might sound very technical and detailed, but the basic premise is that if you purchase your domain from one company, your hosting from another company, and your email services from yet another, Cloudflare can make it easier for you to ensure all the traffic is going to the right place. Cloudflare can also help your website load faster.

Cloudflare email

Cloudflare emailed their customers to let them know if their data was safe. Some of our clients use Cloudflare, and we received this email informing us their data was safe.

Does your site use Cloudflare?

Now that you understand what Cloudflare does, do you use it for your website? If you’re not sure, the answer is likely no. Almost all major web hosts manage DNS settings themselves, so it’s extremely unlikely that your web host would use Cloudflare without your knowledge.

If you use WP Engine for your hosting and use another company for your domain, however, you might be the exception. WP Engine uses Cloudflare and recommends its clients do the same (WP Engine’s own use of Cloudflare shouldn’t affect your site if you didn’t sign up yourself). In order to use Cloudflare with your site, you would have needed to create an account with them and enter your information there. It’s not something WP Engine would have done for you automatically.

If you’re unsure if your site uses Cloudflare, you can use the website to find out.

Were all Cloudflare sites affected?

If your website doesn’t use Cloudflare, your data is safe. However, if you do use Cloudflare, your data isn’t necessarily vulnerable. According to Cloudflare, only 1 in every 3 million requests was intercepted, meaning only a small portion of its data actually leaked. Cloudflare says that only 150 websites were affected, and they emailed customers to let them know whether or not their data was exposed. If you’re a Cloudflare customer, you should have received an email from them letting you know if your data is safe. It’s important to note that the checker website mentioned above does not tell you whether your data was exposed, only whether your site uses Cloudflare.

If my data was leaked, what should I do?

If your WordPress site uses Cloudflare, you’ll need to change your wp-config.php salts. This will sign out any logged-in users and reset browser cookies. If you have a WordPress-specific hosting package, contact your hosting provider and see if they will reset your salts for you. If you installed WordPress on your site manually, you’ll need to edit the wp-config.php file on your site and make changes to 8 lines of code. Check out this tutorial from Wordfence for details, or if the process confuses you, contact us and we can take care of the process for you.
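
The 8 lines are the define() statements for WordPress’s authentication keys and salts. The script below is an added example, not code from this post or from the tutorial it links to; it replaces all eight values in a wp-config.php with fresh random ones and refuses to write a half-rotated file. It assumes each define() sits on its own line, and the sample configuration in it is constructed.

```python
import re
import secrets
import sys

# The eight constants WordPress uses to sign cookies and nonces (the "8 lines").
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# No quote or backslash, so a value can never break out of the PHP string.
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_=+[]{}<>|;:,.?/~ ")

# Constructed sample input, not a real configuration file.
SAMPLE_CONFIG = "<?php\n" + "define( 'DB_NAME', 'wordpress' );\n" + "".join(
    "define( '%s', 'old-%s-value' );\n" % (k, k.lower()) for k in SALT_KEYS
) + "$table_prefix = 'wp_';\n"


def new_salt(length=64):
    """Return a random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace all eight define() lines; raise rather than rotate only some."""
    for key in SALT_KEYS:
        # Assumption: each define() sits on its own line, as in a stock file.
        pattern = re.compile(
            r"^[ \t]*define\(\s*['\"]" + key + r"['\"]\s*,[^\r\n]*", re.MULTILINE)
        line = "define( '%s', '%s' );" % (key, new_salt())
        # A function replacement keeps re from interpreting the salt's characters.
        config_text, count = pattern.subn(lambda m: line, config_text)
        if count != 1:
            raise ValueError("%s: expected 1 define(), found %d" % (key, count))
    return config_text


if __name__ == "__main__":
    path = sys.argv[1]  # path to wp-config.php
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    rotated = rotate_salts(original)  # raises before anything is written
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(rotated)
```

The script keeps no backup copy next to the original on purpose: a stray wp-config.php.bak inside the web root can be served as plain text, database password included.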

Is there anything else I should know about the leak?

Even if your website’s data is safe, there’s a chance that your password to a site that uses Cloudflare was leaked. Yelp and Uber are the biggest sites affected, in addition to social media site Reddit, gaming site Discord, blogging site Medium, and dating site OkCupid. If you use one or more of these sites, you should change your password. For a more complete list of affected sites, check this list on GitHub to see if sites you use are on it. WARNING: Some of the affected sites contain pornographic or otherwise objectionable material. The list contains links to the sites themselves, so don’t visit a link to a site you don’t trust.