We are using Plesk to host a WordPress website. The Plesk logs sometimes show around 100 GET requests from different IPs in one second, and now the website sometimes cannot be accessed and shows the Cloudflare Error 521 page.
The first time I open the website it shows the Cloudflare Error 521 page; after a refresh it is normal.
Now we have enabled rate limiting.
We have also purchased the Business plan for the bot logs:
DDoS L7 ruleset opening
This rule does not protect you.
For example, if the attacker has 20k bots
and each of the 20k single-socket connections sends 2 requests per second,
your rule doesn't work and 20k * 2 req = 40,000 requests hit the web server in 1 second.
It comes down to your web server or running code structure, for example how many requests it can respond to per second without destroying the server load.
My site is constantly attacked 24/7.
I think you should apply a different method; I am sharing the attack graphics below.
Despite the Cloudflare plan we are using, I'd say use multiple ways and the different types of features available to us in the Cloudflare dashboard.
Ensure your hostname(s) are proxied.
Lock down your host origin and allow only Cloudflare:
If I may add here a really good reference for further cases in terms of security and protection with Cloudflare, from my colleague:
This guide is for those users of Cloudflare who experience medium-high level complexity DDoS attacks.
Continue reading if you want to accomplish the following:
Becoming more familiar with the Cloudflare Dashboard and crafting custom firewall rules.
Understanding the standard behavior of DDoS attacks and deploying effective firewall rules.
Realizing how powerful and valuable Cloudflare Firewall Rules are.
I initially thought of making a more complex guide (I will). However, I realized that no…
This tutorial covers some of the steps you can try to take to protect yourself from a DDoS attack. There is a Cloudflare Support Article on this as well.
Sign up for Cloudflare - Cloudflare can provide a lot of helpful tools to help you overcome a DDoS attack, even on their free plan.
Make sure all your DNS records that can be are set to , anything that is will bypass most of what you set up.
Lock down your server to only accept connections from the Cloudflare IPs, this s…
Well, depending on the attack type (user-agents, crawlers, ASNs, etc.), there are a few I would recommend adding to your Firewall Rules, like the ones posted here:
Here's a list from the perishablepress.com 7G .htaccess firewall:
Good list, thanks. I have deployed that but removed python and demon (those seem to block some RSS feed readers, YMMV).
What I also have in place is this:
(http.user_agent contains “SemrushBot”) or (http.user_agent contains “AhrefsBot”) or (http.user_agent contains “DotBot”) or (http.user_agent contains “WhatCMS”) or (http.user_agent contains “Rogerbot”) or (http.user_agent contains “trendictionbot”) or (http.user_agent contains “BLEXBot”) or (http.user_agent contains “linkfluence”) or (http.us…
There's a list of ASNs belonging to hosting providers:
Therefore, some Firewall Tips are published here:
Using the search
Nevertheless, do not forget to properly set up caching for your website, which can help reduce the load and the work your server has to do for each request:
Make sure your site is fully secured (HTTPS) using Full (Strict) SSL mode:
Unencrypted & unverified connections
Imagine you open PayPal and suddenly get that warning.
Would you continue? Probably not. For decades, leaders in IT security have advocated that people upgrade their sites from unencrypted HTTP to secure HTTPS, and for a reason: everything you send via an HTTP connection is sent in plain text and can be intercepted at any point between you and the server.
Equally, you’d probably not proceed if you got such a warning, right?
That’s when th…
Make sure to protect your admin / login page using Cloudflare Zero Trust / Access:
Since you're using WordPress, I'd suggest my post here as it contains a lot of useful stuff:
That is a good question out there.
I would say it cannot be stated as a general rule of thumb, as some WordPress websites do not have to use POST or PUT (WP REST API, wp-json, plugins, etc.), while others have to, just as an example.
You could try to block TRACE and TRACK, for example.
Or, if you could, for example limit HEAD, GET and POST to some specific IPs, or some similar scenario where you protect your website from bad bots, possible attacks, etc. in terms of security measures. …
While blocking bots is appealing, we often find in the community that people run into issues while using Super Bot Fight Mode (SBFM). Below you can find a quick summary of the most common questions.
How to create a bypass rule for SBFM?
In short, you can't; however, there is one workaround that might work for some setups.
IP Access Rules can allow you to exclude an IP or set of IPs from being challenged by SBFM; however, this carries a few issues:
IPs can chan…
Last but not least, kindly see more by reading the Cloudflare articles, which contain a lot of helpful information for a better understanding and usage of the security and protection measures and tools available to us:
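Two of the measures in the reply above, locking the origin down so that it only accepts connections from Cloudflare's published IP ranges and blocking the crawler user-agents listed in the quoted firewall expression, can be checked against the origin's own access log before (and after) the rules go live. The following script is an added example for this thread and is not code from the original posts or from Cloudflare. It parses constructed combined-format log lines, reports any request that reached the origin from a non-Cloudflare address (a sign that the host firewall still lets attackers bypass the proxy), flags the bot user-agents and the TRACE/TRACK methods mentioned in the thread, and renders an nginx allow-list from the ranges. The Cloudflare prefixes embedded here are an illustrative subset only; the authoritative list must be fetched from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refreshed regularly.

```python
"""Offline check of origin access logs against Cloudflare-only and bad-bot rules.

Added example for the forum thread above, not code from the posts or from Cloudflare.
The log lines are constructed; the prefix list is an ASSUMED illustrative subset of
Cloudflare's published ranges and must be replaced by the current list from
https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
"""
import ipaddress
import re
from collections import Counter

# ASSUMPTION: illustrative subset of Cloudflare's IPv4 ranges; refresh from the URLs above.
CLOUDFLARE_PREFIXES = [
    ipaddress.ip_network(p) for p in (
        "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
        "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
        "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
    )
]

# User-agent substrings from the firewall expression quoted in the thread (case-insensitive).
BAD_BOT_UA = ("semrushbot", "ahrefsbot", "dotbot", "whatcms", "rogerbot",
              "trendictionbot", "blexbot", "linkfluence")

# Methods the thread suggests blocking outright at the edge or origin.
BLOCKED_METHODS = ("TRACE", "TRACK")

# Apache/nginx combined log: ip - - [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (203.0.113.0/24 is documentation space, i.e. not Cloudflare).
SAMPLE_LOG = [
    '172.68.10.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '162.158.4.9 - - [10/Oct/2023:13:55:38 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"',
    '104.20.1.2 - - [10/Oct/2023:13:55:39 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/8.0"',
]


def is_cloudflare(ip: str) -> bool:
    """True if the source address falls inside one of the configured Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_PREFIXES)


def is_bad_bot(user_agent: str) -> bool:
    """Substring match mirroring `http.user_agent contains "..."` in the quoted rule."""
    ua = user_agent.lower()
    return any(bot in ua for bot in BAD_BOT_UA)


def classify(line: str) -> dict:
    """Return the parsed fields plus a verdict, most severe finding first."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed", "line": line}
    fields = m.groupdict()
    try:
        from_cf = is_cloudflare(fields["ip"])
    except ValueError:
        return {"verdict": "unparsed", "line": line}
    if not from_cf:
        verdict = "direct-to-origin"   # proxy bypassed: host firewall is not locked down
    elif fields["method"] in BLOCKED_METHODS:
        verdict = "blocked-method"
    elif is_bad_bot(fields["ua"]):
        verdict = "bad-bot"
    else:
        verdict = "ok"
    fields["verdict"] = verdict
    return fields


def summarize(lines) -> dict:
    """Count verdicts over a log; a non-zero 'direct-to-origin' means the lockdown failed."""
    return dict(Counter(classify(line)["verdict"] for line in lines))


def render_nginx_allowlist() -> str:
    """Emit an nginx snippet that allows only the configured prefixes (put it in the server block)."""
    rules = [f"allow {net};" for net in CLOUDFLARE_PREFIXES]
    return "\n".join(rules + ["deny all;"])


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line)
        print(f'{r["verdict"]:17} {r.get("ip", ""):14} {r.get("method", "")} {r.get("path", "")}')
    print(summarize(SAMPLE_LOG))
    print(render_nginx_allowlist())
```

Run it against a real log by replacing `SAMPLE_LOG` with the lines of your access log; once the origin firewall is in place, the `direct-to-origin` count should stay at zero, and any remaining hits there point at a rule gap (a port left open, an IPv6 address outside the list, or a stale prefix list). The nginx snippet only restricts who may connect; restoring the visitor address for logging and rate limiting needs `real_ip_header CF-Connecting-IP` with `set_real_ip_from` for the same prefixes.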