What's going on in the world of Cloudflare?

My websites are not working as they should. is redirected to another spam site. When I change the DNS records to “only dns”, everything gets better. But when I set it to “proxied” again, it is directed to another website:

instead of my own sites. The IPv4 address looks correct as it should. What’s going on in the world of Cloudflare?

Likely your account has been compromised. Review the audit log to check for new rules and re-secure your account.

2 Likes

I changed my password and I activated two-factor security. After that I fixed the problem, but today the problem occurred again.

Check the Audit Log page, to figure out who/what is making the changes:

https://dash.cloudflare.com/?to=/:account/audit-log

Check the “Members” page, to see if you’re letting others access your account:

https://dash.cloudflare.com/?to=/:account/members

Check the “API Tokens” page, to see if there are any tokens you don’t use or otherwise know about:

https://dash.cloudflare.com/?to=/profile/api-tokens

3 Likes

I checked.
On the Members page, only my email is there.
On the Audit Log, there are 2 members changing something.
The first is me, the second is “Cloudflare”. I don't know whether this member CLOUDFLARE is a fake name or not.
On API tokens, there are API tokens for WordPress, but I think I created them for my WordPress websites. I created API tokens to integrate with the LiteSpeed Cache plugin.

If I delete the API tokens, will the problem be fixed?

I deleted all API tokens, and I checked that member “Cloudflare”. I think he is making those changes.

If you’re revoking API tokens that you either don’t use, or otherwise are unaware of, it will render them useless.

That would mean that any (illegitimate) person or system that previously (ab)used that token will no longer be able to do so.

You may, however, still need to clean up the acts that such an (illegitimate) person or system may have done, which is often done via Page Rules or Redirect Rules:

https://dash.cloudflare.com/?to=/:account/:zone/rules/redirect-rules

The one you see here seems to be Cloudflare’s Universal SSL that has obtained an SSL/TLS certificate for your website.

The timestamp from your image, being “2023-11-04T04:14:25+01:00” seems very consistent with a Google Trust Services (GTS) certificate that was issued, according to the certificate information, on “Nov 4 02:17:09 2023 GMT”.

crt.sh | 10991121359

You would likely see a certificate matching that time, if you go to the “Edge Certificates” page:

https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

However, it seems like another one has been issued yesterday, and right now, Cloudflare (primarily) uses two different certificates (issued through Google Trust Services (GTS) and Let’s Encrypt) for your website, with the records you have set to Proxied (:orange:):

Google Trust Services (GTS):

crt.sh | 11015623428

Let’s Encrypt (most likely backup certificate, on the Edge Certificates page):

crt.sh | 11018537167

Such certificate issuances that Cloudflare does on your behalf are showing up like in the screenshot you posted, with a couple of “Rec add” and “Rec del” actions, appearing as being made by the user “Cloudflare”, and would be nothing to worry about, assuming you can confirm that they are on your Edge Certificates page.

That said, -

If you, as you indicated above as a response to @sjr, have taken the proper steps to secure your account, and enabled 2FA authentication, as well as cleared any unknown API tokens, and account members from your account, (and cleared Page Rules / Redirect Rules and other things that may have been modified), I would go as far as to believe that everything should be all right now.
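The check described in the reply above (matching “Rec add” / “Rec del” entries made by the user “Cloudflare” against certificate issue times), as an added example that is not part of the original thread. The log field names, the 90-minute window and every sample row other than the two timestamps quoted above are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: how far a certificate's "issued on" time may sit from the audit
# entry. The pair quoted in the thread is about 57 minutes apart.
WINDOW = timedelta(minutes=90)
CERT_ACTIONS = {"Rec add", "Rec del"}  # action labels as quoted in the thread

def parse_cert_time(text):
    """Parse a certificate time such as 'Nov 4 02:17:09 2023 GMT' as UTC."""
    naive = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)

def triage(entries, cert_times):
    """Return (entry, verdict) pairs; only changes explained by a cert pass."""
    issued = [parse_cert_time(t) for t in cert_times]
    results = []
    for e in entries:
        when = datetime.fromisoformat(e["when"])  # keeps the +01:00 offset
        near_cert = any(abs(when - t) <= WINDOW for t in issued)
        if e["actor"] == "Cloudflare" and e["action"] in CERT_ACTIONS and near_cert:
            verdict = "expected: matches a certificate issuance"
        else:
            verdict = "review"
        results.append((e, verdict))
    return results

# Constructed sample data. Only the first log timestamp and the certificate
# time are values quoted in the thread; field names are assumptions.
SAMPLE_LOG = [
    {"when": "2023-11-04T04:14:25+01:00", "actor": "Cloudflare", "action": "Rec add"},
    {"when": "2023-11-04T04:14:31+01:00", "actor": "Cloudflare", "action": "Rec del"},
    {"when": "2023-11-04T11:40:02+01:00", "actor": "Cloudflare", "action": "Rec add"},
    {"when": "2023-11-04T04:20:00+01:00", "actor": "owner@example.com", "action": "Rule create"},
]
SAMPLE_CERTS = ["Nov 4 02:17:09 2023 GMT"]

if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_LOG, SAMPLE_CERTS):
        print(entry["when"], entry["actor"], entry["action"], "->", verdict)
```

An entry attributed to “Cloudflare” that has no certificate near it stays in the review list, which mirrors the condition above that the issuance can be confirmed on the Edge Certificates page.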
