Basic CF Mitigation

🛡️ Basic Anti-DDoS on Cloudflare (Free Plan)

Running a website and want to protect it from floods, bots, or denial-of-service attacks — without paying for premium tools? If you're using Cloudflare’s Free Plan, this guide walks you step-by-step through setting up basic anti-DDoS rules using free features only.

🌐 Step 1: Add Your Site to Cloudflare

If you haven’t already, sign up at https://dash.cloudflare.com, add your domain, and change your domain's nameservers to Cloudflare's (you’ll be guided through this).

🛡️ Step 2: Create a Basic WAF Firewall Rule

This rule blocks suspicious user agents, bots, and requests with known attack patterns. Here’s how to set it up:

  1. Log in to your Cloudflare dashboard
  2. Select your site → go to Security → WAF → Custom Rules
  3. Click Create firewall rule

Use this example:

URI Path contains "/wp-login.php" OR User Agent contains "python" OR Known Bots equals "not known"

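Action: Block or JS Challenge. The Known Bots condition matches every request that does not come from a bot Cloudflare has verified, which includes ordinary visitors' browsers. Because the conditions are joined with OR, choose JS Challenge rather than Block unless you remove that condition.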

📈 Step 3: Rate Limit Access to Key Pages

While Cloudflare's advanced rate limiting is paid, you can still slow down excessive hits to sensitive URLs using WAF logic. The rule below does not count requests; it challenges every request to the matching paths.

  1. Create another WAF rule for sensitive endpoints:

URI Path contains "/login" OR URI Path contains "/register"

Action: Managed Challenge — This slows down automated attacks without blocking real users.
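
The rules from Steps 2 and 3 can be dry-run offline before a Block action goes live. This is an added example, not part of the original guide or Cloudflare's own code; the Request class, the step2_narrowed variant and the sample requests are constructed for illustration, and "contains" is modelled as a case-sensitive substring match.

```python
# Added example: offline dry run of the Step 2 and Step 3 rules.
# Assumptions: "contains" is a case-sensitive substring test, and known_bot
# stands in for Cloudflare's Known Bots field (true only for verified bots).
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    path: str
    user_agent: str
    known_bot: bool

def step2_as_written(r: Request) -> bool:
    """The three Step 2 conditions joined by OR, exactly as listed."""
    return ("/wp-login.php" in r.path
            or "python" in r.user_agent
            or not r.known_bot)

def step2_narrowed(r: Request) -> bool:
    """Hypothetical variant: no Known Bots clause, case-folded User Agent."""
    return "/wp-login.php" in r.path or "python" in r.user_agent.lower()

def step3_rule(r: Request) -> bool:
    """Step 3: challenge requests to the login and register paths."""
    return "/login" in r.path or "/register" in r.path

BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
CRAWLER = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed sample requests, not real traffic.
SAMPLES = {
    "visitor_home":   Request("/", BROWSER, False),
    "visitor_login":  Request("/login", BROWSER, False),
    "wp_login_probe": Request("/wp-login.php", "curl/8.5.0", False),
    "py_requests":    Request("/", "python-requests/2.32.3", False),
    "py_urllib":      Request("/", "Python-urllib/3.12", False),
    "search_crawler": Request("/blog", CRAWLER, True),
}

def dry_run(rule) -> dict:
    """Map each sample name to True if the rule's action would fire on it."""
    return {name: rule(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for rule in (step2_as_written, step2_narrowed, step3_rule):
        hits = sorted(name for name, hit in dry_run(rule).items() if hit)
        print(f"{rule.__name__}: {hits}")
```

Running it shows the Step 2 rule as written firing on every sample except the verified crawler, ordinary visitors included, while the narrowed variant fires only on the wp-login probe and the two Python clients.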

🤖 Step 4: Turn On Bot Fight Mode

Cloudflare’s free Bot Fight Mode is designed to stop basic bots and scripts instantly.

  1. Go to Security → Bots
  2. Toggle Bot Fight Mode to ON

🧠 Extra Tips (Optional But Recommended)

  • Always use JS Challenge instead of Block when unsure — it filters bots but lets humans in.
  • Block or challenge access from countries you don’t serve using a “Country does not equal” condition.
  • Use IP Access Rules under the Tools tab to block known bad IPs or ranges.

✅ You’re Protected

With these free settings, your website is now protected from most Layer 7 (application-level) attacks like:

  • Fake bot traffic
  • Login/register brute force
  • Scraping scripts

Posted by Admin
