Can Cloudflare help to block invalid traffic?

I got AdSense ads limit due to invalid traffic activity.

So I want to know that if I enable the I’m Under Attack Mode for my site, will Cloudflare block all the invalid traffic?

Or what thing I should do for blocking invalid traffic?

I feel very frustrated about this.

Under Attack mode will block most of what people don’t want, but it annoys visitors with the 5-second interstitial browser check.

What do you consider to be “Invalid Traffic”?

1 Like

Under Attack mode will block a small part of the mentioned invalid traffic!

I have the same issue.

I enabled Bot Fight and Under Attack plus the firewall rules that I already have before.

I didn’t pass the appeal.

Today I enabled again Wordfence to use there rate limiting tool.
But I didn’t find a tool that could show me which is the invalid traffic.

Is AdSense showing ads on your site?

Is there any other way to block all the invalid traffic?

I will list below what I am doing at the moment:

  • Using CF firewall rules block traffic with Threat Level above 5
  • on my platform ad codes are not served to specific countries (some dev required)
  • on my platform reCaptcha v3 is used to determine a threat score. I average threat score per browser fingerprint over the last seven days and if the score is less than or equal five then ad codes are not served (some dev required).

You would then need to have this in place for some time to see how traffic changes over a period before you could request a review (if your account is blocked). Obviously this may not work well if the country that you target with content is not deemed “valid” by Google.

1 Like

I am delivering AdSense ads, however my Ezoic account is paused.

Can yo please share the rule?

You can’t block all AdSense invalid traffic via cloudflare or any other service simply because invalid traffic can be generated in many ways, for example accidental clicks or many clicks from the same IPs that not generated conversions are considered invalid.

What you can do:

  1. Use cloudflare in normal mode (use under attack when you are under DDoS attack)
  2. Setup a Cloudflare Firewall Bypass Prevention in your .htaccess file
  3. Using firewall rules (I suggest to show captcha with threat level above 5)
  4. Change ads placement in order to prevent accidental clicks
  5. Don’t purchase low quality traffic

How to fix Ad Server Limit:

  1. remove all ad codes (except the header code)
  2. archive ad codes
  3. remove ads.txt
  4. wait until the notification will disappear (can take 1 or 2 weeks)
  5. now don’t rush, still wait for a couple of days
  6. in these 2 days check your analitycs…if you find pages with high CTR means are flagged by google
  7. now recreate ad codes, add the ads.txt file
  8. add codes in your website, but don’t place them on flagged urls for at least 2 weeks! (otherwise the notification will appear again and again until you will stop place ads on flagged urls)
1 Like

The rules is pretty simple - but it’s just one of the rules I use:

On a daily basis we can have anything between 20k to 50k blocked pages (including SQL injection attempts, undesirable bots, blocked ASN/IP addresses, blocked access to protected pages):

I have quite a few rules blocking undesirable bots (I have the rule listed in another topic in this community, although I constantly update the rule with new bots):

As I mentioned, using reCaptcha v3 in all pages you can have an idea of how is the traffic distribution from “suspicious” to “clean” on your website - note this might need to be over a month or more so you can have a baseline. This is not directly related to Google AdSense “invalid clicks” but if you see a very high level of “suspicious” traffic on reCaptcha v3, Google will see it too. Also remember most crawlers (indexing, SEO bots, etc) don’t trigger reCaptcha v3 as most don’t actually execute scripts.

When a page is blocked on my site Cloudflare serves a custom error page. I have Google reCaptcha v3 on that page too, with its own action name. What I’ve noticed is that compared to other “actions” on my site, “cferror” has a very high rate (96%) of suspicious traffic, compared to non-blocked traffic to other pages, meaning pages block by those rules are pretty up high in the suspicious range (for an idea, my main page “forums” has only a 0.63% of suspicious traffic after all filtering is done).


These rules plus the server-side code that averages reCaptcha score by browsers/block ads have helped reduce the Google AdSense clawback.

I hope this helps - more of lots of ideas than specifics as each website is different - audience, country, topic, technology stack all influence on how to deploy these ideas.


You enlighten me !! I am grateful!

I had setup Block threat score

I hope I don’t overwhelm you with questions.

These rules plus the server-side code that averages reCaptcha

Can you share how you include recaptcha?

Thanks for the list of bots! I replace mine with yours I hope this works.
By the way you have DomainStatsBot twice in the list.

Thanks again

Never mind I saw a solution but sounds complicated for me

If you just want to see what is the volume of suspicious traffic you can do it easily.

First register for a new reCaptcha account and create a v3 site on the dashboard.

Then add the following to the footer of all your pages. The code is explained in detail reCAPTCHA v3 | Google Developers under “Programmatically invoke the challenge”.

Copy the code from the documentation (do not type, to avoid errors). Make sure to replace the [[[REPLACE WITH YOUR SITE KEY]]] and [[[GROUP NAME]]] with your own (without the [[]]):

After a couple of days you will see the score in your reCaptcha dashboard.

If you want to separate score between page groups like “homepage”, “article”, “content” and even for Cloudflare Error pages, then you will need to make sure each different page group have their own [[[GROUP NAME]]].

Where it gets complicated is if you want to use the score. You can do things on the client side, for example submit buttons are disabled by default and enabled only if the reCaptcha is completed. Humans could change that using Dev Tools but a script usually wouldn’t.

Or you can go a bit further and fingerprint the browser and submit the score to the backend server so that you have records and take actions depending on scores. This would require development, database storage and support to implement - but small steps. Start with adding the reCaptcha code just to see what’s your overall suspicious traffic.

As I said, not one solution fits all, but lots of idea and people can get creative here.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.