CloudFlare can't stop attack on WordPress

Hi everyone.
We are facing a weird issue and wanted to share with the community.

Our website is under a mild DDoS attack. The attacker is using a method that makes them seem like a valid user/viewer of the website thus Cloudflare isn’t blocking the access.

The attacker is generating a high number of active users on the website, and since our server can’t process too many simultaneous connections it causes a high CPU load and an outage.

At first we tried to use the panic mode of Cloudflare to mitigate the attack but it didn’t work. So we turned off the CDN and used our own WAF, and with a couple of tweaks on the rate limit feature we stopped the attack.

However, whenever we turn on the CDN on Cloudflare our server goes down. Checking connections, we see that most of the connections are made by Cloudflare itself.

Now the only way to stop the attack is to rely only on our own WAF and miss out on Cloudflare’s CDN advantages.

I attached one hour of the attack on the website that our WAF blocked.

Do you have any suggestion for us?

Greetings,

I am sorry to hear you are experiencing an issue with Web traffic.

Moreover, I’ve used a few setups with Wordfence + Cloudflare and it worked perfectly fine.

Firstly, may I ask a few questions so we could try to troubleshoot and help you here:

  1. While using Wordfence and Cloudflare, did you configure your Wordfence settings to use “CF-Connecting-IP”?
  2. Are your domain name DNS records at the DNS tab of the Cloudflare dashboard proxied and set to :orange:? (A www, A domain.com, or maybe a CNAME type if using that kind of a setup)
  3. Is Cloudflare allowed to connect to your origin host/server?
  4. Have you implemented a way to Restore Original Visitor IP at your origin host/server?
  5. Did you configure some Security options and Firewall Rules at the Cloudflare dashboard for protection? (for example, country restriction, wp-login protection and Rate-Limit, Bot Fight Mode, Security Level, Browser Integrity Check, etc.)
  6. From what you stated above, it sounds to me like your origin host/server couldn’t handle so much web traffic. Are your PHP values tuned up a bit for WordPress?
  7. Regarding the cache, may I ask if you are using some caching plugin for WordPress at your origin host/server? (cache can help you with a lot of traffic, be it regular or suddenly spread at your website)
  8. Is Wordfence Firewall configured to “Enabled and protecting” mode or rather “Learning mode”?
  9. Did you configure Wordfence security, firewall & blocking options?
  10. May I ask which Cloudflare plan are you using for your own domain?

I have been using Cloudflare for a long time and on a lot of WordPress websites, even without using Wordfence, and I do believe it can stop a lot of “bad” and “unwanted things” in terms of traffic, at least from what I see per domain in my Firewall Events at the Cloudflare dashboard and in my monthly digest of blocked requests :wink:

Quick tip: Tune up your PHP values a bit:

memory_limit = 256M
max_execution_time = 300
max_input_time = 1000
max_input_vars = 5000 or 7000
post_max_size = 64M
upload_max_filesize = 32M

Nevertheless, you could try to install some caching plugin for webpage html cache like WP Super Cache:

In terms of how to properly setup Cloudflare security / Firewall Rules for better protection, kindly take a look at my below post as it includes very useful things and helpful information:

In case you are really under a DDoS, kindly provide us more feedback information and screenshots, and check the articles below:

Last but not least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage, as well as in terms of Security and Protection:

2 Likes

What is panic mode? Do you mean Under Attack mode?

I don’t see many reasons to do this unless CF Pricing for rate limit is the issue. What is your WAF doing that CF doesn’t?

This makes sense if you have rate limit or wordfence enabled without restoring visitors addresses.

1 Like
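Both replies point at the same failure mode: once the site is proxied, the origin's TCP peer is a Cloudflare edge, so an origin-side rate limiter or Wordfence keyed on the peer address counts every visitor against a handful of Cloudflare IPs and ends up blocking Cloudflare itself (the "most of the connections are made by Cloudflare" symptom). The added example below is not from the thread or from Cloudflare; it shows a rate-limit key function that restores the visitor address from CF-Connecting-IP, but only when the peer really is a Cloudflare address, since the header is trivially forged on a direct connection. The Cloudflare ranges are a small subset of the published list (https://www.cloudflare.com/ips/) at the time of writing and the request sample is constructed; a real deployment loads the full current list.

```python
import ipaddress
from collections import Counter

# Subset of Cloudflare's published proxy ranges at the time of writing
# (https://www.cloudflare.com/ips/). Production code must load the full,
# current list; this subset is only for illustration.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13")
]


def is_cloudflare_peer(remote_addr):
    """True if the TCP peer address belongs to a Cloudflare proxy range."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in net for net in CLOUDFLARE_RANGES)


def client_ip(remote_addr, headers):
    """Address to use for rate limiting and blocking.

    CF-Connecting-IP is trusted only when the connection actually came from
    Cloudflare; on a direct connection the header is attacker-controlled and
    is ignored, so the raw peer address is used instead.
    """
    if is_cloudflare_peer(remote_addr):
        raw = headers.get("CF-Connecting-IP", "").strip()
        if raw:
            try:
                return str(ipaddress.ip_address(raw))
            except ValueError:
                pass  # malformed header: fall back to the peer address
    return remote_addr


def request_counts(requests, restore_visitor_ip=True):
    """Count requests per rate-limit key.

    requests: iterable of (remote_addr, headers) pairs.
    With restore_visitor_ip=False the key is the raw peer address, which is
    the misconfiguration the thread describes.
    """
    counts = Counter()
    for remote_addr, headers in requests:
        key = client_ip(remote_addr, headers) if restore_visitor_ip else remote_addr
        counts[key] += 1
    return counts


def offenders(counts, threshold):
    """Keys whose request count exceeds the threshold, sorted for stable output."""
    return sorted(k for k, n in counts.items() if n > threshold)


# Constructed sample traffic (TEST-NET addresses for visitors):
#   - 203.0.113.5 sends six requests through one Cloudflare edge (the noisy client)
#   - 198.51.100.7 sends two requests through the same edge (a normal visitor)
#   - 192.0.2.9 connects directly to the origin and forges CF-Connecting-IP
EDGE = "173.245.48.10"
SAMPLE_REQUESTS = (
    [(EDGE, {"CF-Connecting-IP": "203.0.113.5"})] * 6
    + [(EDGE, {"CF-Connecting-IP": "198.51.100.7"})] * 2
    + [("192.0.2.9", {"CF-Connecting-IP": "198.51.100.7"})]
)
THRESHOLD = 3  # requests per key in the sample window


def compare_keying(requests=SAMPLE_REQUESTS, threshold=THRESHOLD):
    """Return (offenders with restored IPs, offenders keyed on raw peer)."""
    restored = offenders(request_counts(requests, True), threshold)
    raw = offenders(request_counts(requests, False), threshold)
    return restored, raw


if __name__ == "__main__":
    restored, raw = compare_keying()
    print("keyed on restored visitor IP ->", restored)   # the actual noisy client
    print("keyed on raw peer address    ->", raw)        # Cloudflare's own edge
```

Keyed on the restored address the limiter isolates the single noisy client and leaves the other visitor alone; keyed on the peer it blocks the Cloudflare edge that carries all proxied traffic, which is exactly what takes the site down when the orange cloud is switched back on. The forged header from the direct connection is attributed to 192.0.2.9, not to the visitor it names, which is why the Cloudflare-range check must come before the header is honoured (and why the origin should also only accept connections from Cloudflare, as question 3 in the reply above suggests).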
