How do I block bad bot traffic to my phpbb forum?

Hi, is there a way to have this recaptcha thing show up to every user who tries to access my phpbb forum’s domain name? Can I do that as part of the free cloudflare service?

I’ve been trying to figure this out, Googling, I don’t know if it’s the WAF Firewall thing, if it’s IP Access Rules, if there is some kind of app I can install on my Cloudflare to do it. If this is a paid-only functionality?

Every time I try to move to a new web host, I get a warning that my forum uses too many server resources, yet I know I get no “real” traffic, it’s probably only a bunch of search bots and I guess spam bots going around crawling my forum or something like that. I blocked for new registrations on the forum, I need to find a way how to block all the bad spam bot traffic through some kind of recatcha thing.

Thanks for any advice!

By searching the forum here, it seems a solutions is to activate this mode:

“Under Attack Mode
Show visitors a JavaScript challenge when visiting your site.”

I didn’t think to use that before, because I thought it might be extreme. But this is the way, right? Now every single user will get a recaptcha challenge if they’re not already trusted traffic according to cloudflare system? This is what I was looking for?

Is there a way that all trusted traffic from real gmail/facebook/twitter etc users can just be let through this check without having to fill out the recaptcha? Is there some kind of network of trusted verified traffic on the cloudflare network?

You can create a Firewall Rule, or a few, that will Challenge (present a Captcha) to visitors depending on parameters you set. For instance you can create a rule that challenges visitors that don’t come from a few countries, excluding known good bots (Googlebot, Twitter etc) from it.

You should familiarize yourself with Firewall Rules, then ask specific questions as you try to create your rules. There’s no readily available set of rules that will solve every website’s problems. You need to create the rules you feel you site needs.

A simple Firewall Rule for that would be something like:

( eq "" and not then Challenge.

Such rule would present a Captcha to every visitor to the specified domain except for known bots such as Googlebot.

1 Like

Thanks a lot!

I try now to set
( eq “” and not
set to Captcha on everybody…

Is there a way to allow in without need to captcha all the “trusted” users according to cloudflare, by that I would think people with cookies showing reliable gmail/youtube/facebook/twitter or other trusted “real user” activity anywhere on the web previously, those types of users could maybe enter without needing to do the captcha? Is there a way to modify the rule to let those users in more easily than then captcha’ing every single time?

Or else they can do the captcha once and then a cookie shows them as already visited and not needing to re-do the captcha again in the future, right?

This topic was automatically closed after 30 days. New replies are no longer allowed.