Our corporate website displays Cloudflare DDoS page

At the moment we do not have any domains added to our account. I attempted to add a domain
the other day (not our corporate domain), but decided to back out of the process and deleted the website from the account.

Today, I am getting reports of our corporate website displaying the Cloudflare DDoS pages when trying to be accessed by our customers. The domain is cbesoftware.co.uk and this has never been added to Cloudflare. Why would we be seeing these DDoS pages if our websites are not being protected by Cloudflare? At one point the web developers for our site attempted to use Cloudflare, but after having issues with getting it secured, went with another provider.

The websites are built in WordPress. Could this possibly the Cloudflare DDoS hack?



Indeed it is. It is time to nuke and pave, or whatever your incident response plan calls for.


Thanks for the quick response. Is there any way of confirming that the website has been hacked? Any files that may have been modified by the attack?

Looking at an article on bleeping computer, it says to check the theme files. What specifically should I look for?

When you say “nuke and pave”, what exactly are you suggesting? Rebuild the hosting server and restore from a backup?


Simply to say: Wipe and reinstall.

Try these:

You can check for the backup files, if they are intact-place it
Look for infected files
Are you using any nulled themes or plugins? If so, stop using them
You can use Virus Total or other for help
If not possible, locally (by downloading), check for infections through malwarebytes

“Nuke and pave” is a slang term.

“Nuke” refers to removing all content from the server, both files and database contents, as you can no longer trust its integrity.

“Pave” means to rebuild, from verfied clean backups if possible, or from scratch if not.

Thank you for the clarification on that.

We have since discovered that the page appears malicious. Testing it in a safe environment and clicking on the ‘Check System’ link did indeed download a ZIP file. The web developers are now going through restoring the site.


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.