Brute force attacks

My hosting company has required me to route my DNS through Cloudflare and set up a captcha to the front end of my site in order to prevent the server from being overloaded by brute force attacks to my site. The captcha is seriously affecting the number of visitors to my site, and it seems that Google is not able to access the site either. Is there another Cloudflare option that is not so obtrusive, that will prevent the server from being overloaded during a brute force attack?

Additionally, the captcha is supposed to be once-per-year, but I am getting it almost every time I access my site. In “Firewall Rules” I have “hostname equals”, then “Challenge (Captcha)”. In settings, the “Challenge Passage” is set to 1 year. Is there something I’m missing?

The domain I am referencing is

Thanks for any tips and advice.

For the Googlebot part, you can add to your firewall rule an exception to the Cloudflare “known bots” list. So:


If your ISP gives you a dynamic IP address, you’ll be facing a Captcha every time your IP address changes. Also, you may face more captchas if you use certain privacy/adblocker extensions on your browser.

To fine-tune your Firewall Rule, you need to study your origin server logs prior to your rule, when bots were attacking it. You could for instance conclude that most visitors come from a few countries, in which case you could Captcha only visitors from these countries.

Another approach, which I actually prefer, is to only let in without Captcha visitors from the countries where you expect most of your visitors should come from. So instead of your rule challenging every visitor to your host, you’d have something like this:

You could then further refine the rule by adding exceptions to certain paths, such as /ads.txt and /robots.txt, and other bots not in Cloudflare’s list.

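As an added example (not part of the reply above and not Cloudflare's own tooling), this script shows one way to study origin logs as the reply suggests: it counts failed logins and other traffic per country, then lists the requests that a "challenge unless the country is allowed" rule with the /ads.txt and /robots.txt exceptions would challenge. Assumptions: the log lines are constructed, each line carries a country code appended from an earlier GeoIP lookup, `/login` is a hypothetical login path, a 401 or 403 marks a failed login, and the known-bots exception is not modelled because it cannot be derived from origin logs.

```python
import re
from collections import Counter

# Constructed sample lines: combined log format plus a country code appended
# as the last field (assumed to come from an earlier GeoIP lookup).
# "AA" and "ZZ" are placeholder codes, "/login" is a hypothetical login path.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2021:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.25" AA
203.0.113.10 - - [01/Mar/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.25" AA
203.0.113.11 - - [01/Mar/2021:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0" ZZ
198.51.100.7 - - [01/Mar/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 8042 "-" "Mozilla/5.0" US
198.51.100.8 - - [01/Mar/2021:10:00:04 +0000] "GET /about HTTP/1.1" 200 4100 "-" "Mozilla/5.0" US
198.51.100.9 - - [01/Mar/2021:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0" CA
192.0.2.44 - - [01/Mar/2021:10:00:06 +0000] "GET /ads.txt HTTP/1.1" 200 90 "-" "Mozilla/5.0" ZZ
198.51.100.7 - - [01/Mar/2021:10:00:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" US
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" (\S+)$')

def parse(log):
    """Yield (ip, method, path, status, country) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip lines that do not match instead of failing
            ip, method, path, status, country = m.groups()
            yield ip, method, path.split("?")[0], int(status), country

def by_country(log, login_path="/login"):
    """Count failed login POSTs and all other requests per country."""
    failed, other = Counter(), Counter()
    for _, method, path, status, country in parse(log):
        # Assumption: the application answers a failed login with 401 or 403.
        if method == "POST" and path == login_path and status in (401, 403):
            failed[country] += 1
        else:
            other[country] += 1
    return failed, other

def challenged(log, allowed_countries, exempt_paths=("/ads.txt", "/robots.txt")):
    """Requests a 'challenge unless country is allowed' rule would challenge."""
    return [(ip, path, c) for ip, _, path, _, c in parse(log)
            if c not in allowed_countries and path not in exempt_paths]

if __name__ == "__main__":
    failed, other = by_country(SAMPLE_LOG)
    print("failed logins:", dict(failed), "other traffic:", dict(other))
    print("would be challenged:", challenged(SAMPLE_LOG, {"US", "CA"}))
```

If the challenged list contains requests that look like real visitors, widen the allowed country set or add path exceptions before deploying the rule.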

This was very helpful, thank you.
