CloudFlare plugin breaks WordPress repeatedly

Cloudflare is a reverse proxy service that protects hundreds of thousands of websites, The Orbit included, from attacks like DDoS, spam, brute force, and various other exploits. Without it, in the adversarial environment that the Internet happens to be for social justice oriented folks, we would be crushed under the weight of people desiring to silence us. So, they’re doing us a great service, and we are indebted to them.


Yesterday, after a major vulnerability was discovered in the Cloudflare plugin for WordPress, which could allow sites to be cross-site scripted (a method that might allow you to inject bad code into a site “from the side”), it seems as though they panicked and decided to encode *all* POST and GET data, which caused a major set of problems. People trying to edit posts found every non-alphanumeric character turned into an HTML entity (“:” instead of “:” for instance). Then those entities were being reencoded again (“:”).

Over and over and on and on, the posts were getting more and more corrupted. And that wasn’t the only thing that was busted — admins were being told they didn’t have permissions to access certain pages, because the links to those pages were having parts of themselves converted to HTML entities as well. End users could see the site, but admins were fully hamstrung. Greta was working on Steven Universe episode 8 and got stopped short, emailed me to find out what broke, and to my horror, the auto-updated plugin for Cloudflare was actually hampering my ability to do anything in the WordPress admin. I thought we were in serious trouble, but I tracked it back to the plugin which had just updated to version 1.3.21. I pulled out an older version from Sunday’s backups, 1.3.20, and the problem was resolved. Then I found out WHY they’d updated it, and apparently there are such hacks in the wild right now.

So. Rather than risk getting us hacked, when they quickly released 1.3.22 to fix how they broke half of WordPress, I let it install that version.

Overnight, they’ve since updated to 1.3.23 to fix how they send things back to Cloudflare to pre-detect spam. So they made a giant mess and they’re clawing back at it right now.

There’s a problem that several people are reporting presently, that they can’t post comments while not logged in by submitting their email addresses — because the email address never validates. Clearly this is because the Cloudflare plugin is trying to sanitize that variable as well, incorrectly. Other blogs are also having this issue, as seen here: ERROR: The email address isn’t correct. (4 posts) and here: ERROR: The email address isn’t correct. (3 posts). This problem isn’t just impacting The Orbit, but any WordPress site that uses Cloudflare.

But because of the terrible nature of what they’re fixing here, we kind of have to ride out this storm. I could try to implement my own bugfix for this, e.g. by removing email address validation, but that would have other negative impacts on the rest of the site.

For now, please log in to make comments. Sorry for the inconvenience. Hopefully they’ll fix this issue too, as soon as possible.

This is a disaster and it was entirely avoidable through proper QA of the plugin before it being released. The rapid fire nature of the plugin updates speaks to a sort of panic to address the initial vulnerability, which is laudable, but a lack of foresight as to what kind of impact specific changes might make to the rest of the service. Those of us who rely on the plugin should not be stuck choosing between being hacked, being entirely unprotected against DDoS and spam, or having people be able to comment.

UPDATE: they released an update which properly namespaces their variables and only sanitizes those variables, so things should finally be under control. This is why you don’t release plugin updates into production without testing.

Try again to comment, please, folks.

CloudFlare plugin breaks WordPress repeatedly

Working on front page featured images

The front page may be a bit spartan while I try to work out how to force it to use a specific size of thumbnail, and how to go back in time and force regeneration of that size of thumbnail across all images. Sincere apologies, mea culpa and all that.

construction photo

Update 12:32am CST
Aaaand, we’re clear! Front page is now pushing out the 512×240 images wherever it can be found.

Also, RSS feed icons should be on the top bar of every blog, next to the Search and Login icons.

Working on front page featured images

On the reported RSS issues

Since launch, there’ve been several reported issues with RSS, which I’ve scrambled to try to fix before they did too much damage. But, we keep getting new requests, because the theme apparently doesn’t do a very good job of keeping track of the links, so here’s what’s wrong presently and what I’m working on to fix it.

RSS logo

  • Individual author feeds polluted with whole-network posts – originally, we had installed a plugin that served the feed from /feed for the whole network, but it turns out that it was too greedy and it also grabbed every author’s /feed URL as well. Caching RSS feed sites like Feedburner and Feedly grabbed what was in those lists, and kept them. Unfortunately, there’s not much we can do about this but wait for those to expire.
  • As a side effect of this, the theme’s expectation that the front page blog list should be accessible at, and WordPress treating that like its own blog, means that feed is empty. The whole-network feed is actually at and it serves content from every blog. I will set up an .htaccess rule to seamlessly redirect the top level feed to the network-feed URL.
  • Once I’ve done the above point, I can change the link in the header on the front page to /feed/, thus making it more apparent that that’s the RSS feed as the CSS that provides correct iconography only auto-senses that specific URL.
  • An SEO plugin was installed to help with Facebook linking not grabbing appropriate featured images. That plugin expects all the authors’ feeds to be at /feed too. Fixing the previous point will fix the front page.
  • Some browsers don’t even care about the auto-sense URLs, so putting a prominent RSS feed icon in the top bar of every blog would be preferable. I’ll be doing that as soon as possible, as soon as other fires are quenched.

If anything else comes up, feel free to leave a comment or contact us via the contact form here.
Photo by thewritingzone

On the reported RSS issues

So THAT’S what I’ve been up to.

I’ve sorta receded into the background lately, but with good reason. I’ve been doing the technical heavy-lifting for these new digs. They ain’t perfect, but a coat of spackle and primer and they’ll be fine.

Let me know if and when the seams start to show, either here or via the “Tech Issues?” link on every page. I’m especially interested in feedback from folks who use screen readers, because while I can sprinkle tags around and follow best-practices guides, I’m not exactly living in that mode and would love to hear from those of you who do.

There will be growing pains. There will be last-second alterations. There will be missing media, and stylistic problems, and edge cases we haven’t anticipated. But we’ve put a lot of effort into keeping all of that to an absolute bare minimum, and we’ll fix just about anything you point out as soon as possible.

It may be a while before I’m back to blogging regularly, mind you. I’ve got a lot on my plate most of the time anyway, and building and improving this place has kept me pretty occupied of late.

Welcome to The Orbit!

(Those of you visiting now because Hemant posted not an hour before I took the password box down — yeah. Greta accidentally posted her farewell post at FtB early but took it down almost immediately, but that was enough to tip someone to tip Hemant off. And the kickstarter isn’t live yet, but will be as soon as the video is complete. The social media blitz is actually scheduled for tomorrow morning, and I took the password box down early so I could get a few Jetpack and Google integrations complete before the REAL launch. Thanks for the advertising, Hemant. Wish he would have waited for the full launch, but hey. How was he supposed to know?)

We’re fully launched! Kickstarter is live! Welcome one and all!

So THAT’S what I’ve been up to.