All users still getting Cloudflare challenge after reducing Security Level

Complete this information in order to ask your question.

Have you searched for an answer?

Please share your search results url:

When you tested your domain using the [Cloudflare Diagnostic Center](, what were the results?

Describe the issue you are having:
Cloudflare Security Level is set to Essentially Off, but all users are still getting a security challenge.

What error message or number are you receiving?

What steps have you taken to resolve the issue?

  1. Paused Cloudflare on website and it became unreachable for all users.

*What is the domain name?

Was the site working with SSL prior to adding it to Cloudflare?

What are the steps to reproduce the error:

  1. Just visit website and you will get a security challenge

Have you tried from another browser and/or incognito mode?
Yes and other PC’s

Please attach a screenshot of the error:


  1. Visit your website and perform the action that would normally result in a request being challenged…
  2. Wait a couple of minutes
  3. Go to Dashboard > Security > Events. If the request was in fact blocked by Cloudflare, you should find an event related to that challenge action. Depending on your site traffic, you may need to filter by IP address, User Agent, URI Path, etc. to find it. Check the “Service” that challenged it.
  4. If this was
    a) Bot Fight Mode, disable this feature.
    b) Super Block Fight Mode, create a WAF Custom Rule to Skip it for the specific situation, with relevant conditions such as the URI Path and the visitor’s IP, for example;
    c) WAF Managed Rule, you need to create a WAF Exception for that rule. See: Add a WAF exception in the dashboard · Cloudflare Web Application Firewall (WAF) docs
    d) WAF Custom Rule, you need to edit it accordingly.

Thanks for the pointers

I looked into the events and I could see that almost all traffic to the site was failing the OWASP score and thus getting a challenge. It was set to PL3. I’ve removed the OWASP check for now to see what happens and I can see that there are now very few UK challenges and those that are there seem to be genuine.

Not sure if I should turn OWASP back on at a lower PL level or if it’s better left off. I have kept the Managed Ruleset on?



This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.