So seriously, what’s going on with Cloudflare?
There is nothing wrong with Cloudflare, if we summarize and simplify the situation “you get what you pay for”.
A proper anti bot system is an extremely expensive field for which enterprises spend easily hundreds of thousands of dollars per month, and still can’t achieve a 100% hit ratio.
Cloudflare I believe has something similar for the enterprise customers, however, for the lower tier plans we have to rely on captcha challenges and deploying our own rules.
As for the VPN/Proxies issue, the fact is that you can’t accurately detect them with full precision, you have to take risks and guess who is really behind a vpn/proxy.
Absolutely nothing guarantees you that certain ip block that today is used for proxies wont be sold tomorrow to an ISP. There are services who claim to have a precise solution to detect proxies/vpn’s, from my experience, they leave many holes open and usually affect legit customers as well.
Cloudflare already receives lots of criticism from users due to “forcing” challenges such as the 5s or Captcha, making it more strict would only bring more people complaining about the service.
I hope that you understand that, no matter what you are told, no service will accurately block all these bots, they will sell their product with the fanciest words when in reality, the service is not as complex as they make it seem.
Specially not with a budget under $1000 per month, I have tried most if not all the WAF providers that are in the range of $20-500 and I always found myself coming back to Cloudflare because the differences between providers that are not enterprise are minimal.