Cloudflare Free not stopping DDOS

Hello All,

One of the shared hosts has been facing a DDOS attack for the last 20 days, added Cloudflare to all the websites hosted on that server and enabled it Under attack mode but the still server does not work.

To temporarily solve the issue we have added a static HTML page with under maintenance status but if we try to move back to WordPress none of the website works and the server also stops working.

We are getting around 1.57M Unique visitor
225.16M requests through Cloudflare

Is there any solution for it?

Thanks in Advance

The Cloudflare Free Plan is intended for testing purpose. Not for the business site or DDoS mitigation.

Where did you see this?

Protecting a WordPress website in a shared hosting context is not easy, but the key element is caching. You need to cache as much as possible of your non-personalized content.

Also, you should create a WAF Custom Rule that challenges any request that is not for one of your existing pages. This is only feasible in small websites.

Another WAF rule could also challenge any request that contains query strings with non-standard values.

You need to familiarize yourself with WAF firewall rules, its fields and actions, and study your website’s sitemap as well as what query strings you should expect, as well as the patterns of the current attack. Then craft rules accordingly.


That’s absolutely not the case.

  • We faced ERR_CONNECTION_TIMED_OUT when our site under heavy DDoS attack. As soon we upgraded to Pro, the problem fixed. I have no problem in paying for the Pro. I highly recommend it.

  • The Free plan offers routing to MRS (off-country). While Pro offers routing to local PoP. A site that is business critical shall consider the Pro. Just my opinion.

  • I strictly condemn the decision that motivate someone to use free plan, and abuse 500 GB to 1TB bandwidth every day.

That could be because the pro plan has different features which can mitigate DDoS in different ways. However Cloudflare offers unmetered DDoS on every plan level.

Cloudflare has no problem with it when sites are operating within their established ToS. Heck they give away advanced Enterprise services to any number of organizations through programs like Project Athena & Galileo.


Another datapoint from a founder:


Thanks all for the suggestion

@cbrandt thank you for details.

I have added a few of the WAF rules and blocked the query string links they were using to attack but they are using random links to attack e.g. domaindotcom/abc123, domaindotcom/bca132 and as we have lots of pages and it is a news website we are not able to block those specific requests.

Is there any suggestion on how to block those?

Thank You! :slight_smile:

1 Like

As I said in my first reply, protecting a WordPress website is not easy, especially in the context of shared hosting.

Even though you may have thousands of URLs, your Analytics software should help you select which are the 50 most visited. You can then create a rule that challenges any path that is not one of them. Surely this will create some friction with a relatively few legit visitors, as nobody likes to be stopped by a challenge, but your mindset should be that of one with a house on fire.

When incoming requests match...
Known-Bots OFF
URI Full does not contain ""
URI Path is not in "/path-1" "/path-2"... "/path-50"
Managed Challenge

The number 50 is an arbitrary value. You should include as many as they fit in a WAF rule, which is limited in size to about 4kb. Make sure to include some essential website paths in this rule, such as /robots.txt and, if applicable, ads.txt.

Also, this is a quite rough rule, and you can certainly make it better with a careful study of your sitemap. If your Permalink structure starts with /YYYY/MM/ than you can exclude paths containing this pattern. The same goes for category and tags.

You can learn other, more advanced techniques here:


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.