Ultra Web Hosting Docs

Security & Firewall

Cloudflare sits between your visitors and your server, filtering malicious traffic before it reaches your hosting account. Even the free plan includes DDoS protection, a web application firewall, bot management, and IP-based access controls.

DDoS Protection

Cloudflare automatically protects your site against Distributed Denial of Service (DDoS) attacks on all plans, including the free plan. DDoS attacks attempt to overwhelm your server with massive amounts of traffic, taking your site offline. Cloudflare absorbs this traffic across its global network and filters out the attack, allowing legitimate visitors through.

DDoS protection is always on and requires no configuration. Cloudflare detects and mitigates attacks in real time, typically within seconds.

Security Level

The Security Level setting controls how aggressively Cloudflare challenges visitors who are suspected of being malicious. Cloudflare assigns each visitor a threat score based on their IP reputation, and the Security Level determines the threshold at which visitors are challenged.

  1. In your Cloudflare dashboard, go to Security > Settings.
  2. Adjust the Security Level slider to your preferred setting.

I'm Under Attack Mode

If your website is actively being attacked and experiencing downtime or extreme slowness, enable I'm Under Attack mode. This displays a full-page JavaScript challenge to every visitor, which takes about 5 seconds to complete. Legitimate browsers pass the challenge automatically, while bots and attack scripts are blocked.

  1. In your Cloudflare dashboard, look for the Under Attack Mode toggle on the overview page (or go to Security > Settings).
  2. Toggle I'm Under Attack Mode on.

Warning: Only enable I'm Under Attack mode during an active attack. The challenge page adds a delay for all visitors and can interfere with APIs, cron jobs, and automated services that access your site. Turn it off once the attack subsides.

WAF (Web Application Firewall)

Cloudflare's WAF protects your website against common web vulnerabilities such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. Cloudflare provides free managed rulesets that are automatically applied to your domain.

The free plan includes basic managed rules. Pro and higher plans include more advanced rulesets and the ability to create custom WAF rules. For most shared hosting sites, the free managed rules provide solid baseline protection.

  1. In your Cloudflare dashboard, go to Security > WAF.
  2. Review the Managed Rules section to see which rulesets are active.
  3. You can toggle individual rule groups on or off if a rule is causing false positives.

Bot Fight Mode

Bot Fight Mode identifies and challenges automated bot traffic that attempts to access your site. This helps protect against credential stuffing, content scraping, spam form submissions, and other bot-driven attacks.

  1. In your Cloudflare dashboard, go to Security > Bots.
  2. Toggle Bot Fight Mode on.

Cloudflare uses machine learning and behavioral analysis to distinguish legitimate bots (like search engine crawlers) from malicious ones. Verified bots such as Googlebot are always allowed through.

Note: If you use third-party services that make automated requests to your site (monitoring services, API integrations, etc.), Bot Fight Mode may occasionally block them. Check the Security Events log if a legitimate service reports connection issues.

IP Access Rules

IP Access Rules let you block, allow, or challenge traffic from specific IP addresses, IP ranges, countries, or ASNs (Autonomous System Numbers). This gives you granular control over who can access your site.

  1. In your Cloudflare dashboard, go to Security > WAF > Tools.
  2. Under IP Access Rules, enter an IP address, range (e.g., 192.0.2.0/24), country code (e.g., CN), or ASN.
  3. Choose the action: Block, Allow, Managed Challenge, or JavaScript Challenge.
  4. Add an optional note to remind yourself why you created the rule.
  5. Click Add.

Common uses:

Rate Limiting

Rate Limiting lets you define rules that limit the number of requests a visitor can make to specific URLs within a time period. This is useful for protecting login pages and APIs against brute-force attacks.

For example, you can create a rule that blocks any IP address making more than 5 requests per minute to /wp-login.php, effectively stopping automated password-guessing attacks.

  1. In your Cloudflare dashboard, go to Security > WAF > Rate limiting rules.
  2. Click Create rule.
  3. Define the URL pattern, request threshold, time period, and action (block or challenge).
  4. Click Deploy.

Note: The free Cloudflare plan includes one rate limiting rule with limited requests. Pro and higher plans include more rate limiting capacity. Even a single rule protecting your login page can significantly reduce brute-force attempts.
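
Before deploying the /wp-login.php rule described above, you can check what it would catch by replaying your access log. The following is an added example, not part of the original documentation or of Cloudflare's tooling: it counts requests per IP in a sliding window, which approximates the rule rather than reproducing Cloudflare's own counting. It assumes Apache combined-format log lines whose first field is the real visitor IP; the function name and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Leading fields of an Apache combined log line: ip, timestamp, method, URL.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def flag_bruteforce(lines, path="/wp-login.php", limit=5, window=60):
    """Return {ip: peak count} for IPs that made more than `limit`
    requests to `path` within any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, _method, url = m.groups()
        if url.split("?", 1)[0] != path:
            continue              # ignore the query string when matching the path
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] >= timedelta(seconds=window):
            q.popleft()           # drop requests older than the window
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = (
    # 8 login POSTs in 35 seconds: exceeds 5 per minute.
    [f'203.0.113.50 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 512'
     for s in range(0, 40, 5)]
    # 3 login POSTs one minute apart: normal use.
    + [f'198.51.100.20 - - [12/Mar/2024:10:0{m}:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0'
       for m in range(3)]
    # Busy visitor on another URL: not covered by the rule.
    + [f'192.0.2.77 - - [12/Mar/2024:10:00:{s:02d} +0000] "GET /index.php HTTP/1.1" 200 900'
       for s in range(10)]
)

if __name__ == "__main__":
    for ip, peak in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} peaked at {peak} requests per minute to /wp-login.php")
```

If a trusted IP shows up in the result, raise the threshold or add an allow rule before deploying.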

Hotlink Protection

Hotlink protection prevents other websites from embedding your images and files directly, which would use your bandwidth. Cloudflare offers hotlink protection as an alternative to cPanel's built-in hotlink protection.

  1. In your Cloudflare dashboard, go to Scrape Shield.
  2. Toggle Hotlink Protection on.

When enabled, Cloudflare checks the Referer header on requests for images. If the request comes from a different domain, Cloudflare blocks it. Requests from search engines and your own domain are always allowed.

Real Visitor IPs and cPanel

When your site uses Cloudflare, all traffic passes through Cloudflare's servers before reaching your hosting account. This means your server logs and cPanel tools see Cloudflare's IP addresses instead of your actual visitors' IP addresses. This has several important implications:

Warning: Never block Cloudflare IP addresses in cPanel's IP Blocker. Doing so will make your site inaccessible to any visitors routed through that Cloudflare data center. If you need to block a specific visitor, use Cloudflare's IP Access Rules in the Cloudflare dashboard instead.

Monitoring Security Events

Cloudflare logs all security-related events, including blocked requests, challenges, and firewall rule matches. You can review these to understand what threats Cloudflare is protecting you from and to fine-tune your security settings.

  1. In your Cloudflare dashboard, go to Security > Events.
  2. Review the log of recent security events. You can filter by action (blocked, challenged, allowed), time range, country, IP, and more.
  3. Click on any event to see details including the visitor's IP address, country, user agent, the rule that triggered, and the action taken.

Tip: Check Security Events regularly, especially after enabling new rules. If you see legitimate traffic being blocked (for example, your own IP or a trusted service), add it to the IP Access Rules allow list. Security Events is also the fastest way to identify the source of an ongoing attack and create targeted block rules.