CloudFlare 'Under Attack Mode' is enabled, website stats have dropped since September


We moved a client’s DNS to Cloudflare back in September from checking a previous notes. (I have recently joined the company).
I have since noticed a drop in organic website traffic when comparing the website to the previous year, which appears to happen once the DNS was moved to Cloudflare.

After reading a few articles online, people have mentioned they too experienced a reduction in website impressions, clicks, hits, etc when Cloudflare was running.
This article does show a response from an engineer of Cloudflare.

After checking our Cloudflare account, it does indicate the firewall blocking requests from outside of the UK. Rules are setup to block any traffic outside of the UK, so that makes sense.
Comparing Google Analytics stats from the last 6 months in comparison to the previous year, overall the site is down around 45% of Users.

My questions are:

  1. Would anyone recommend me disabling ‘Under Attack Mode’ which present the human verification when the user arrives to the site and monitor to see if website stats increase?
  2. Is it common for website stats to be effected, or has anyone noticed this in the past?

Many Thanks,


Under Attack Mode is not supposed to be used on a permanent basis, but only to mitigate an attack, i.e., a large series of automated requests that could put too much pressure on the origin server if UAM was not set.

So the question here is, are the reasons why you’ve enable UAM in the first place still present? Couldn’t they be mitigated with more permanent solutions, such as WAF/Firewall Rules?

Blocking visits from outside a country, though apparently a popular solution many site administrators adopt, may also impact your viewership. Many social networks depend on servers located in different countries to operate properly, and limiting access to only one country may make it impossible for users to share your content. So perhaps expanding the list of countries allowed to visit your sit, or creating exceptions for certain social networks, could help as well.



Thank you for your reply really appreciate it. UAM has been disabled on Wednesday and the load on the server been impacted which is great. Will see how stats are pulled through over time.

Thanks for explaining social networks also.


I’m Under Attack Mode shows an interstitial page to all visitors for ~5 seconds while Cloudflare checks their browser to ensure they are a real human. If Cloudflare is still not certain the visitor is human, the user will be required to solve a challenge. This usually just requires clicking a button once.

Naturally this is a barrier of entry and will result in some users navigating away. Therefore, as cbrandt already mentioned, I’m Under Attack Mode is not supposed to be permanently enabled. It is meant as a effective - but intrusive - way of reducing origin server load during DDoS attacks or disruptive web crawling by bots.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.