Regardless of the Cloudflare plan you are using, I’d say use multiple ways and the different types of features available to us in the Cloudflare dashboard.
Ensure your hostname(s) are proxied at first.
Lock down and allow only Cloudflare at your host origin:
If I may add here, as a really good reference for further cases in terms of security and protection with Cloudflare, a guide from my colleague @jnperamo:
This guide is for those users of Cloudflare who experience medium-high level complexity DDoS attacks.
Continue reading if you want to accomplish the following:
Becoming more familiar with the Cloudflare Dashboard and crafting custom firewall rules.
Understanding the standard behavior of DDoS attacks and deploying effective firewall rules.
Realizing how powerful and valuable Cloudflare Firewall Rules are.
I initially thought of making a more complex guide (I will). However, I realized that no…
This tutorial is deprecated in favour of Get started · Cloudflare DDoS Protection docs
Related content:
Archive: This tutorial covers some of the steps you can try to take to protect yourself from a DDoS attack. There is a Cloudflare Support Article on this as well: https://support.cloudflare.com/hc/en-us/articles/200170196-I-am-under-DDoS-attack-what-do-I-do-
Sign up for Cloudflare - Cloudflare can provide a lot of helpful tools to help you overcome a DDoS…
Well, depending on the attack type (user-agents, crawlers, ASNs, etc.), there are a few I would recommend adding to your Firewall Rules, like the ones posted here:
Here’s a list from the perishablepress.com 7G .htaccess firewall:
(360Spider|acapbot|acoonbot|ahrefs|alexibot|asterias|attackbot|backdorbot|becomebot|binlar|blackwidow|blekkobot|blexbot|blowfish|bullseye|bunnys|butterfly|careerbot|casper|checkpriv|cheesebot|cherrypick|chinaclaw|choppy|clshttp|cmsworld|copernic|copyrightcheck|cosmos|crescent|cy_cho|datacha|demon|diavol|discobot|dittospyder|dotbot|dotnetdotcom|dumbot|emailcollector|emailsiphon|emailwolf|exabot|extract|eyenetie|feedfinder|flaming|…
Good list, thanks. I have deployed that but removed python and demon (those seem to block some RSS feedreaders, YMMV).
What I also have in place is this:
(http.user_agent contains “SemrushBot”) or (http.user_agent contains “AhrefsBot”) or (http.user_agent contains “DotBot”) or (http.user_agent contains “WhatCMS”) or (http.user_agent contains “Rogerbot”) or (http.user_agent contains “trendictionbot”) or (http.user_agent contains “BLEXBot”) or (http.user_agent contains “linkfluence”) or (http.us…
There’s a list of ASNs that belong to hosting providers:
Therefore, some Firewall Tips are published here:
Using the search:
Nevertheless, do not forget to properly set up the cache for your website, which can help with the load and the work your server has to do for each request:
Make sure your site is fully secured (HTTPS) using Full (Strict) SSL:
Unencrypted & unverified connections
Imagine you open Paypal and suddenly get that warning
[image]
Would you continue? Probably not. For decades, leaders in IT security have advocated that people upgrade their sites from unencrypted HTTP to secure HTTPS. And for a reason: everything you send via an HTTP connection is sent in plain text and can be intercepted at any point between you and the server.
Equally, you’d probably not proceed if you got such a warning, right?
[image]
That’s when th…
Make sure to protect your admin / login page using Cloudflare Zero Trust / Access:
https://www.tuonetti.fi/en/cloudflare-access-guide/
Since you’re using WordPress, I’d suggest my post here, as it contains a lot of useful stuff:
That is a good question out there.
I would say it cannot be stated as a general rule of thumb, as some WordPress websites do not have to use POST or PUT (WP REST API, wp-json, plugins, etc.), while others have to - just an example.
You could try to block TRACE & TRACK for example.
Or, if you could for example, limit HEAD, GET and POST for some specific IP or some similar scenario, where you protect your Website from bad bots, possible attacks, etc. in terms of security measurements. …
Regarding bots:
Introduction
While blocking bots is appealing, we often find in the community that people run into issues while using Super Bot Fight Mode (SBFM). Below you can find a quick summary of the most common questions.
How to create a bypass rule for SBFM?
In short, you can’t; however, there is one workaround that might work for some setups.
IP Access Rules can allow you to exclude an IP or set of IPs from being challenged by SBFM; however, this carries a few issues:
IPs can chan…
Last but not least, kindly see more by reading the Cloudflare articles, which contain a lot of helpful information for better understanding and usage in terms of security and protection measures and the tools available to us:
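As an added example (not code from this thread or from Cloudflare), the following Python script shows how the rules discussed above behave when replayed over an origin access log: the 7G-style user-agent token list (only a constructed subset of the tokens quoted above), the "python"/"demon" exceptions one reply made for RSS feed readers, blocking TRACE/TRACK, and a check that every request actually arrived through the proxy, which is how you verify that "allow only Cloudflare at your origin" really took effect. The proxy IP ranges, the log lines and the function names are all constructed for this example; Cloudflare publishes its real egress ranges, and you would load those instead of the RFC 5737 placeholders used here.

```python
import ipaddress
import re
from collections import Counter

# Constructed subset of the 7G-style user-agent tokens quoted in the thread; the full list is longer.
BAD_UA_TOKENS = [
    "360Spider", "ahrefs", "blexbot", "dotbot", "emailcollector",
    "SemrushBot", "python", "demon",
]

# Tokens one reply above removed because they matched legitimate RSS feed readers.
FEEDREADER_EXCEPTIONS = frozenset({"python", "demon"})


def build_ua_pattern(tokens, exclude=frozenset()):
    """Compile a case-insensitive alternation like the 7G rule, minus excluded tokens."""
    excluded = {e.lower() for e in exclude}
    kept = [re.escape(t) for t in tokens if t.lower() not in excluded]
    return re.compile("(" + "|".join(kept) + ")", re.IGNORECASE)


# Placeholder proxy allow-list (assumption for this example). Cloudflare publishes its real
# egress ranges; these RFC 5737 documentation prefixes stand in so the script runs offline.
PROXY_RANGES_PLACEHOLDER = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_from_proxy(ip, ranges=PROXY_RANGES_PLACEHOLDER):
    """True if the connecting IP belongs to one of the proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Combined-format access log line, as nginx and Apache write it by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify(line, pattern, ranges=PROXY_RANGES_PLACEHOLDER):
    """Label one log line by the first rule it trips, in the order the checks are applied."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    if not is_from_proxy(m["ip"], ranges):
        # Reached the origin without passing through the proxy: the origin lockdown is not in effect.
        return "direct-to-origin"
    if m["method"] in ("TRACE", "TRACK"):
        return "blocked-method"
    if pattern.search(m["ua"]):
        return "blocked-ua"
    return "allowed"


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
    '198.51.100.8 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /feed/ HTTP/1.1" 200 2048 "-" "python-feedparser/6.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /xmlrpc.php HTTP/1.1" 200 128 "-" "Mozilla/5.0 (compatible; DotBot/1.2)"',
]


def summarize(lines, exclude=FEEDREADER_EXCEPTIONS):
    """Count outcomes across a log with the feed-reader exceptions applied (or not)."""
    pattern = build_ua_pattern(BAD_UA_TOKENS, exclude)
    return dict(Counter(classify(line, pattern) for line in lines))


if __name__ == "__main__":
    print("with feed-reader exceptions:   ", summarize(SAMPLE_LOG))
    print("without feed-reader exceptions:", summarize(SAMPLE_LOG, exclude=frozenset()))
```

Running it with and without the exceptions shows the trade-off the reply was making: with "python" in the list the feed reader on line four is blocked, without it the request is allowed. The "direct-to-origin" line is the one to watch in your own logs after enabling the proxy; any request in that class means the origin is still reachable around Cloudflare and the host firewall lockdown is incomplete.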