Recently it has been revealed that over the past 5 months Cloudflare, a popular CDN provider, has had a data leak allowing potentially sensitive data to become accessible to other users, and more importantly search engines.
Cloudflare has worked to resolve the issue on their systems, and the large search engines have been working hard over the last few days to try and remove this data from their caches; however, there is a chance that some data that was stored on some Joomla! sites that also use Cloudflare services may have been compromised.
Although this is not related to a specific Joomla! security issue, we would like to explain to Joomla! users exactly what you can do to help secure your site if you use Cloudflare and might be affected by this attack.
Who is affected by this?
This issue is NOT directly related to or caused by Joomla! so it does NOT affect all Joomla! websites. [1]
The ONLY Joomla! sites that are affected by this issue are ones that use Cloudflare services (free or paid). If you know that you do not use Cloudflare services you can safely ignore this notice as this ONLY affects those sites where Cloudflare is used.
Cloudflare is offered by many web server/hosting companies via cPanel as a free Content Delivery Network (CDN), as well as those hosting companies using other, non-cPanel management. If you are not sure if your site is using Cloudflare we encourage you to contact your hosting company to determine if Cloudflare is in use on your Joomla! site.
If you do not use Cloudflare, following the steps here will NOT aid in the safety of your site in any way. It only applies to those who have used Cloudflare with a Joomla! site.
How it works
Cloudflare sits between your website server and the people who visit your site and provides two main functions: it protects websites by routing inbound web visitor traffic through Cloudflare’s own network, filtering out hack attacks in the process, and it offers a CDN and load balancing to help your website load faster.
What Happened
In the last 5 months (specifically between September 22nd, 2016 and February 18th, 2017), there was a bug in the Cloudflare software, which could potentially cause unencrypted private data, along with other 'junk' text, to be included along the bottom of the webpage.
What basically happened was that data for one site being ‘processed’ by Cloudflare may have been sent to a visitor viewing a completely different site that was also being ‘processed’ by Cloudflare. Additionally, that leaked content was found to have been indexed by search engines. Up to an estimated 3,438 websites were affected.
The worst data leakage occurred between the dates of February 13th and February 18th when one in every 3.3 million requests to Cloudflare’s servers was leaked.
If you want to read a technical write up on the incident we recommend reading the official Cloudflare breakdown at: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Am I likely to be affected?
Although Cloudflare has indicated that the percentage of its clients that were affected is relatively small (compared to their total number of clients), there is some potential that ANY website using Cloudflare could be affected. If your site uses Cloudflare we recommend that you assume that your site was affected and take proper steps to mitigate the issue.
Is it serious?
We’ll leave this in the words of the Google researcher who found this vulnerability.
The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I’ve informed cloudflare what I’m working on.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Although it is highly unlikely that enough data was leaked to be recoverable and usable, it is possible that some of it is, so we recommend taking extra caution and acting as though the worst has happened.
What to do if you use Cloudflare with Joomla!
Before you begin any changes with your Joomla! site you should first make a full backup of your site and store it in a safe place.
Step 1 - Invalidate Users Sessions / Reset Site Secret Key
In order to help secure your site, you should invalidate all session IDs and cookies.
In order to do this, the Joomla! Security Strike Team (JSST) suggests that all Joomla! users on Cloudflare change their site's secret key in the configuration.php file.
PLEASE NOTE: This will have the following additional effects which WILL impact your users:
- Your Joomla! cache entries will be invalidated
- Any pending password reset emails will be invalidated
- Any pending user activation emails will be invalidated.
If you are concerned about the email links being invalid, you can check for users who have pending activation status or a password reset requested in the Joomla! User component.
How do I reset my site secret key?
This is a manual process which requires the ability to edit a file on your Joomla! site (called configuration.php).
- Use an FTP program, cPanel (or other means) to access files on your server
- Go to the main root of your Joomla! site on the server
- Edit the file configuration.php (you may need to change the permissions of this file first to allow editing)
- Locate the line that begins:
public $secret =
- Change the text that appears in the single quotes to a string of random characters of equal length (be sure to keep it within the single quotes)
- Save the file back to your web server.
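The following shell script is an added example, not part of the Joomla! advisory or the Joomla! project's own tooling; it automates the manual edit described above for administrators who have shell access to the server. It assumes the standard Joomla! configuration.php layout, with the key on a line of the form public $secret = '...';. It reads the current secret, generates a random alphanumeric string of the same length from /dev/urandom, keeps a timestamped backup of the file, and rewrites only that one line. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Joomla! advisory): rotate the $secret value in a
# Joomla! configuration.php, keeping the same length, as Step 1 describes.

# Print the current value of $secret from a configuration.php file.
current_secret() {
  awk -F"'" '/^[[:space:]]*public \$secret = / { print $2; exit }' "$1"
}

# Print a random alphanumeric string of the requested length.
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Replace the secret in the given configuration.php with a new random one of
# equal length. A backup copy is kept beside the file; the new secret is printed.
rotate_secret() {
  cfg="$1"
  old=$(current_secret "$cfg")
  [ -n "$old" ] || { echo "no public \$secret line found in $cfg" >&2; return 1; }
  len=${#old}
  new=$(random_secret "$len")
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  tmp="$cfg.tmp.$$"
  # Only the quoted value on the $secret line is changed; every other line is
  # copied through unchanged. q holds the single-quote character for awk.
  awk -v q="'" -v new="$new" '
    /^[[:space:]]*public \$secret = / { sub(q "[^" q "]*" q, q new q) }
    { print }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  echo "$new"
}

# Usage: sh rotate_secret.sh /path/to/joomla/configuration.php
if [ $# -ge 1 ]; then
  rotate_secret "$1"
fi
```

Run it against the site's configuration.php after taking the full backup recommended above; the printed value is the new secret, and the .bak file lets you restore the old one if something goes wrong. Because the new value is purely alphanumeric, it is safe inside the PHP single-quoted string.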
That resolves the main security issue; however, we encourage you to also complete steps 2 and 3 below.
Step 2 - Reset Passwords
It’s unlikely that any passwords have been leaked; however, it’s safer to assume the worst. We recommend that you advise your site users to reset their passwords and require administrators to reset their passwords to ensure full data security.
Step 3 - Report this data breach
Cloudflare is considering this a “data leak”; however, depending on the terms of your organisation or website this might be considered a “data breach”. Although no private, user, personally-identifiable information was stolen, private data related to your site users may have been leaked to public systems. This data may or may not have the ability to lead to any nefarious actions (i.e. the data may not be complete or recognisable, but has the potential to be).
If you have PCI, HIPAA or other data breach reporting requirements you should consider getting advice to determine if you need to report this incident.
[1] This issue has the potential of affecting all websites, including all CMSs (Content Management Systems) and APIs, etc. If you manage any other web sites using Cloudflare we encourage you to research proper means for securing those sites as well.