CloudFlare WordPress Plugin Disaster Breaks WordPress Admin Functions – And CloudFlare Support Was Clueless!

This morning I couldn’t log in to this WordPress blog. It was the start of several hours of hell trying to diagnose the problem.
CloudFlare had a major security issue – and what they did to fix it was beyond logic!
I spent several hours trying to figure out what was wrong while having my morning coffee. I suspected a CloudFlare debacle right off the bat, since I had updated their plugin last night before going to bed.
Today two WordPress sites were not accepting my login credentials. I wondered if my server had been hacked, but after logging into WHM and going to the ModSecurity tools, I didn’t see any entries. Next I restored the previous day’s database dump and had the same problems. I’m saying to myself – WTF??
After setting Doc’s Place up for Google AMP I had experienced validation errors and had most of them corrected, but another plugin I use that was deactivated had been updated by its developer. The author of CleanTalk, an excellent anti-spam plugin, had emailed during the night with a fix. I needed to delete this plugin and reinstall a new version that had been pushed out during the night. Sounds easy enough, right? Not with my luck! Selecting that plugin, I clicked delete, and WordPress prompted me: “Do you want to delete ALL these plugins??” I thought I crapped my pants! 😆
I fired off a support question to CloudFlare and had problems logging into support; I got a CloudFlare message that the support site was offline. After trying a few more times I was able to log in and open a ticket. Still scratching my head trying to come up with an idea of what barfed, I decided to point my site back home, away from CloudFlare. After waiting a few minutes I was able to verify the domain was no longer pointing to CF and logged back in again. Same problem. Then I opened up my cPanel file manager and deleted CloudFlare’s WordPress plugin. THAT WAS IT!!
Meanwhile a CF support person responded to my support ticket: “Hi, Thanks for contacting cloudflare support. That seems a bit odd. Could you include the URLs you’re using when you get these errors, and would you be able to send us the error in a screenshot? xxxx @ CloudFlare support.”
Several replies went back and forth and it appeared this support agent didn’t have a clue. I mean, come on, the support site was running like a snail on a GoDaddy server, but they had no clue what was wrong?? After deleting the other site’s WordPress CloudFlare plugin, the site that was still pointing to CloudFlare was working fine too. So I’m sure it was their plugin causing the debacle, but support would not admit it!
So I’m sitting at my doctor’s office and decided to search Twitter to see what came up on my smartphone. Well, by-golly-geez, lookie what came up on the 1st search:
From the-orbit.net: Yesterday, after a major vulnerability was discovered in the Cloudflare plugin for WordPress, which could allow sites to be cross-site scripted (a method that might allow you to inject bad code into a site “from the side”), it seems as though they panicked and decided to encode *all* POST and GET data, which caused a major set of problems. People trying to edit posts found every non-alphanumeric character turned into an HTML entity (“:” instead of “:” for instance). Then those entities were being reencoded again (“:”).
Over and over and on and on, the posts were getting more and more corrupted. And that wasn’t the only thing that was busted — admins were being told they didn’t have permissions to access certain pages, because the links to those pages were having parts of themselves converted to HTML entities as well. End users could see the site, but admins were fully hamstrung.
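The failure mode described in the quote above, as an added illustration that is not code from the CloudFlare plugin or from the-orbit.net: entity-encoding every GET/POST value on the way in is not idempotent, so each save re-encodes the previous save's entities, and the `&` separators in admin links become `&amp;`, so WordPress stops finding the parameters it checks. Python's `html.escape` stands in for the plugin's (more aggressive) encoder; the sample post body and admin link are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample data (not from the original post): a post body containing
# a link, and an admin menu link with a two-parameter query string.
SAMPLE_POST_BODY = 'Read more: <a href="https://example.com/?a=1&b=2">here</a>'
SAMPLE_ADMIN_LINK = "/wp-admin/edit.php?post_type=page&orderby=title"


def blanket_input_encode(request_data: dict) -> dict:
    """Model of the faulty fix: HTML-entity-encode every GET/POST value on the
    way *in*. Not idempotent: the '&' that starts an entity produced on one
    request is itself encoded again on the next."""
    return {k: html.escape(v, quote=True) for k, v in request_data.items()}


def stored_after_saves(body: str, saves: int) -> str:
    """Post body as stored after `saves` edit/save round trips through the
    input filter: '&lt;' becomes '&amp;lt;', then '&amp;amp;lt;', and so on."""
    for _ in range(saves):
        body = blanket_input_encode({"content": body})["content"]
    return body


def query_params_seen_by_admin(link: str) -> dict:
    """Admin link after one pass through the input filter. '&' becomes '&amp;',
    so the second parameter's *name* is now 'amp;orderby' and the page handler
    no longer sees 'orderby' (or 'page', or a nonce): hence permission errors.
    Split by hand on '&' so the result does not depend on parse_qs defaults."""
    encoded = blanket_input_encode({"link": link})["link"]
    query = urlsplit(encoded).query
    return dict(pair.split("=", 1) for pair in query.split("&"))


def render_html_text(stored_raw: str) -> str:
    """Correct pattern: store input unchanged and escape exactly once, at
    output, for the context it is emitted into (here HTML text). Saving any
    number of times leaves the stored value alone, so the rendered result is
    stable and the XSS protection still holds."""
    return html.escape(stored_raw, quote=True)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"after {n} save(s): {stored_after_saves(SAMPLE_POST_BODY, n)}")
    print("admin sees params:", query_params_seen_by_admin(SAMPLE_ADMIN_LINK))
    print("escape-at-output:", render_html_text(SAMPLE_POST_BODY))
```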