I am on the free plan and as on the free plan, I don’t have the WAF. But, I set up my nginx origin webserver to block a list of bad bots, threats and bad IP. Then, my origin webserver connect to Cloudflare only exclusively. But, Of course, my webserver only see that it is serving Cloudflare request only from cloudflare IP only.
My website is new, no human visitors at all yet and only one page Wordpress default Hello as home page. Then, I left the project for a month.
Cloudflare is serving these spammy bots!!! I check on CF analytics, request number is freakingly high within a 24 hours (like 20k+). I got a bill of bandwith egress is about 1GB last month from my hosting. Sure, 1GB is only couple cents. But the point is cloudflare is serving these bots, chewing bandwith egress on a simple 1 page wordpress default homepage.
Imagine if it is a full working website with images and many pages. I will be doomed.
So currently, I use CF firewall to allow only my personal IP to connect to the site so that it showed the event log that it tried to block and yes, it’s blocking bots (mostly from US) and some Europe and Brazil IP trying to hack wp-login.
TLDR: I set up my origin webserver to block threats, connect to Cloudflare IP exclusively, Cloudflare is serving the threats…
So, is this a tactic to force free users to purchase at least PRO??