Cloudflare checking connection despite not subscribed to service

Hi, we have a client raising a complaint that all their domains under the same cPanel hosting are now subject to a Cloudflare secure connection check when accessing the site for the first time. It has also impacted their web app, as the API received content from cloudfire.quest instead of the actual domain, rendering their app currently unusable.

What we couldn’t wrap our heads around with this issue is that we have never installed or enabled Cloudflare protection for this client’s hosting and domains; in fact, we have never enabled Cloudflare at the cPanel level for any of our clients.

How we have troubleshot this so far:

  1. We confirmed with the domain registrars that the domains for this client have not undergone any nameserver changes.
  2. We confirmed that the affected domains do not have any Cloudflare related DNS records set.
  3. The web app developer sent us a screenshot of a GET request from their API confirming that the request returned content from cloudfire.quest instead of their domain.
  4. We tested the domains on several browsers. On Chrome, a prompt requiring the user to click “Allow” for the domain to send notifications, with the message “need to review the security of your connection before proceeding”, appears for several seconds before it automatically redirects to the domain landing page. On Edge, the URL changes to .cloudfire.quest during the message, but there is no prompt to click “Allow”, and the redirection to the domain landing page happens automatically after a few seconds as well. On Firefox there is no message and the domain landing page loads as normal.

At this point, to the best of our knowledge, the only suspect left is the SSL certificate; these domains are using cPanel’s AutoSSL and the most recent renewal happened just a few days ago. While we are applying for a paid SSL to see if this is the main cause, we would like to ask around here to see if there are any other inputs that we may have missed.

Do let me know if more information is needed to assist on this issue. Thanks again.

So it is only affecting one single customer, but all of that single customer’s domains?

Can you share that screenshot you refer to, and all other relevant material?

With all other relevant material, I mean, … at least one or more domain name(s) / actual website addresses, where this is happening, would be necessary, if you expect any third parties to be able to dig (further) in to the situation.


Who is cloudfire.quest?


Thanks for the input.

As @aj14 pointed out, the problem is as bright as day, we just selectively overcomplicated the situation.

After realizing cloudfire.quest is a suspicious domain, we did a quick scan on the site and found it was indeed infected by a conditional redirect malware that impersonated Cloudflare. The sites were then redeployed and are now operational again.

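A defender-side check for the kind of conditional redirect found above, added here as an example and not code from the thread or from any of the tools mentioned: it scans an HTML body for meta-refresh and JavaScript redirects that point off the expected domain and for the fake "connection check" wording, and compares responses captured under different browser identities, since the injected page only appeared for some browsers. The hostname cloudfire.quest comes from the thread; the HTML samples and the domain example.com are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected "Cloudflare check" page (the kind described in the thread).
SAMPLE_INJECTED = """<html><head>
<meta http-equiv="refresh" content="3;url=https://example.cloudfire.quest/check">
</head><body>
<p>Checking the security of your connection before proceeding</p>
<script>setTimeout(function(){window.location.href="https://example.cloudfire.quest/check";},3000);</script>
</body></html>"""

# Constructed sample of a normal page: a same-site JS redirect and an ordinary link only.
SAMPLE_CLEAN = """<html><body><a href="https://example.com/about">About</a>
<script>window.location.href="/dashboard";</script></body></html>"""

REDIRECT_PATTERNS = [
    re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I),           # <meta refresh>
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),  # location = "..."
    re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']', re.I),                    # location.replace("...")
]
# Phrases typical of a browser-verification interstitial; a hit alone is not proof of infection.
CHECK_PHRASES = ("security of your connection", "checking your browser", "verify you are human")

def redirect_targets(html):
    """Return every redirect destination found in meta-refresh tags or JS location assignments."""
    targets = []
    for pat in REDIRECT_PATTERNS:
        targets.extend(m.group(1) for m in pat.finditer(html))
    return targets

def foreign_redirects(html, expected_domain):
    """Hosts of redirect targets that are neither the expected domain nor a subdomain of it."""
    found = set()
    for target in redirect_targets(html):
        host = urlparse(target).hostname
        if host is None:  # relative URL: stays on the same site
            continue
        if host != expected_domain and not host.endswith("." + expected_domain):
            found.add(host)
    return sorted(found)

def looks_like_fake_cf_check(html, expected_domain):
    """True when the page shows a 'connection check' message AND redirects off-site."""
    phrase_hit = any(p in html.lower() for p in CHECK_PHRASES)
    return phrase_hit and bool(foreign_redirects(html, expected_domain))

def triggering_variants(bodies_by_agent, expected_domain):
    """Given {label: html} captured with different User-Agent headers, return the labels that got the fake page."""
    return [label for label, body in bodies_by_agent.items() if looks_like_fake_cf_check(body, expected_domain)]
```

To reproduce the browser-dependent behaviour from step 4, fetch the same URL once per User-Agent string (and once with no cookies) and pass the bodies to triggering_variants.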

Wow, I didn’t know of such a thing being out there. Thank you.
