Protecting WordPress Sites After the Cloudflare Fiasco

Cloudflare is a CDN (content delivery network) service that is being used by millions of websites all over the world. In addition to their speedy CDN services they also provide an extra layer of security to their customers. For example, they have features that can easily mitigate DDoS (distributed denial of services) attacks originating even from large botnets. But in the last few days they had an embarrassing security failure when their servers started revealing login details of various websites that were using Cloudflare services. They have resolved the problem on their end. You can read more about it on Cloudflare blog at

Cloudflare is working with technology giants and other large websites that use Cloudflare and they have taken care of all the problems. If you are still paranoid, you can change the login passwords for any site that uses Cloudflare services. This is not really necessary, but you can also take the following steps to make sure that your WordPress based websites are also protected:

1. Change wp-config.php Salts

The salts (64-character long random strings composed of letters, numerals and special characters) are used to generate the cookies that are used to store the information in your web browser when you login to WordPress. By changing these salts, you basically log everyone out and terminate all the sessions. Older login cookies if captured/stored by anyone, will no longer work. You can download the wp-config.php file using FTP, replace the salt values, save the file and upload it back to your web server. You can generate new salt keys by visiting

Secure WordPress After Cloudflare Bug

2. Change WordPress User Passwords

This is not only because of Cloudflare bug, but frequently changing your login passwords is always a good idea. You should change the login passwords after every few months if not every month. Every WordPress user knows how to change the password. Just open Users section, choose to Edit any of the users and then click on Generate Password button. The important thing is to use a very strong login password.

Secure WordPress After Cloudflare Bug

3. Add/Update Apache .htpasswd Protection

If your web hosting service provider hosts your sites on Apache webserver, then you can easily add one more layer of password protection using the .htpasswd file. All hosting providers implement it in their own way, but you have to basically create .htpasswd file to store the users and hashed passwords. It is a good idea to change your .htpasswd passwords and update this file. Some hosting providers allow this to be done using FTP while other require that you use their web interface to alter this file.

Conclusion: While the Cloudflare bug has been taken care of in a very professional manner, you can always change your login passwords to make sure that your accounts and websites stay secure like before.