Interesting ... and thank you for taking the challenge!
Well here's my nonexpert summary of what we've learned so far.
Bobocat guessed that I might have forgotten to remove or rename the 'direct' subdomain which Cloudflare supplies by default ... and he was right. He simply handed the string 'direct.whereisthisdomainhosted.co.cc' to one of his villainous Linux tools, and received back an IP number belonging to Dreamhost.
Actually, I had noticed, and unfortunately ignored, a remark in Cloudflare's website which says that users can edit the name 'direct' to something else. Now I understand that the reason why people might want to do this is to make it unguessable.
Anyway, now I've removed the 'direct' subdomain altogether from the Cloudflare dashboard. This is OK because I can still maintain the site at Dreamhost by doing 'psftp email@example.com'.
Also, I don't have any mail or ftp entries at Cloudflare; the only subdomain in the zone file there is 'www'. Presumably this means I can't use the domain for email.
By the way, I did remember to remove quickstart.html. If I hadn't done that, then anyone who guessed that the site was hosted at Dreamhost could have confirmed it easily by pointing their browser at whereisthisdomainhosted.co.cc/quickstart.html
Well, if anyone is still interested, the challenge is still open: is the new hardened version of the site host-hidden (short of legal intervention such as DMCA takedown requests)?
There are some remarks in bobocat's reply which I don't understand. For example, "Any changes to subdomains should be available in the publicly available DNS tables" ... does this mean that it's already too late, and there will always be a lingering reference somewhere to the 'direct' subdomain? Could I have avoided this by not letting Cloudflare create a 'direct' subdomain in the first place?