My domain boyan.press has been redirected to cloudflare and using flexible (shared) SSL , (7 months ago…) but my domain still is “not secured” in web browser.
And I found a domain named “loveyoubanana.com” is having the exact home page, and is actually pointed to my original IP (since mine is using Cloudflare-provided IP now)
Has it occured to someone too? By the way, my website is built with WordPress.
Let’s start at the bottom, having a shared IP with someone else is common and nothing to worry about.
That site is loading all it’s content from your website, but it’s not pointing to Cloudflare. The DNS is outside Cloudflare as well.
Ideas to solve the issues:
make sure your server (especially if the IP is the one the rogue domain is pointing at) is responding only to your domain name, add referrer rules, basically apply basic security practices for domains nowadays. You could also change IP, but it’s not really necessary.
to fix the HTTP issue, you are loading the site via HTTP. Enable first the Always Use HTTPS toggle in the Crypto settings of the Cloudflare dashboard and make sure all links (all resources: CSS, JS, images, videos, etc.) load from the HTTPS version (you can do so by forcing HTTPS on all links or making them relative). Automatic HTTPS Rewrites from the Cloudflare dashboard could help, but it’s not a fix everything every time solution.
Thanks a lot, Matteo,
About the IP, I thought I own it, as it was assigned by vultr.com as vps service ( $5 a month.)…
And I did tried the “page rule” option in Cloudflare to force http to https, then I found the page became text-only, the frames and pictures were gone… it seemed using many external sources… I guess it was because I used templates offered by WordPress plug-ins… (I used Elementor to build the pages, which is a popular WP plug-in too.)
You have the usage of the IP, but no one can prevent someone else adding it to their DNS settings. It could also be that the previous user that was assigned that IP was the owner of that website, then cancelled the VPS and kept the DNS pointing to it. You were assigned that IP after them and, having forgotten the security aspect of the web server, can access you site from there too.
There is an option outside page rules, that doesn’t use a page rule for only this. In the Crypto settings as I mentioned.
I quote from before, not having resource links to HTTPS will make them fail to load…