I am looking for the security best practices for Cloudflare configurations and found just some, like DDoS best practices etc… We feel that there are a lot of security hardening parts missing, and so we want to set up security best practices for each feature included in our subscription.
Really appreciate your kind support.
Thank you for asking.
in our subscription
May I ask which Cloudflare plan are you using?
Kindly see more by reading Cloudflare articles, which contain a lot of helpful information for better understanding and usage, as well as in terms of Security and Protection:
This guide is for those users of Cloudflare who experience medium-high level complexity DDoS attacks.
Continue reading if you want to accomplish the following:
Becoming more familiar with the Cloudflare Dashboard and crafting custom firewall rules.
Understanding the standard behavior of DDoS attacks and deploying effective firewall rules.
Realizing how powerful and valuable Cloudflare Firewall Rules are.
I initially thought of making a more complex guide (I will). However, I realized that no…
This tutorial covers some of the steps you can try to take to protect yourself from a DDoS attack. There is a Cloudflare Support Article on this as well.
Sign up for Cloudflare - Cloudflare can provide a lot of helpful tools to help you overcome a DDoS attack, even on their free plan.
Make sure all your DNS records that can be are set to , anything that is will bypass most of what you set up.
Lock down your server to only accept connections from the Cloudflare IPs, this s…
Each website is different, meaning not all of these apply to each one, if so.
If using the Pro plan or higher, with a single click you can enable the Cloudflare WAF and configure the rules as needed, which provides really good protection.
There is also Bot Fight Mode, and other tools like IP Access Rules, etc.
Rate Limiting is also a good feature to try out.
Here are a few of my posts which include external resources such as some specific Firewall Rules to protect WordPress, tips, bad bots' user-agents, ASN lists, etc.
That is a good question out there.
I would say it cannot be stated as a general rule of thumb, as some WordPress websites do not have to use methods like POST or PUT (WP REST API, wp-json, plugins, etc.), while others have to - just an example.
You could try to block TRACE & TRACK for example.
Or, for example, you could limit HEAD, GET and POST to some specific IP, or some similar scenario where you protect your website from bad bots, possible attacks, etc. in terms of security measures. …
A few, like 1-10, or 100-500?
Are these maybe the crawlers or bots? Did you analyze your web traffic?
Are the naked domain and www DNS records proxied?
Bypassing, does this mean like coming directly to your server IP address?
Make sure to protect your admin / login page, if you have one.
Well, depending on the attack type, if user-agents, crawlers, etc., there are a few I would recommend adding to your Firewall Rules, like the ones posted here:
If you need to block requests…
We can lock down our web host and allow only Cloudflare to connect, and similar techniques:
We can use Cloudflare Access / Zero Trust (Teams):
Otherwise, you could use the search menu to find out more examples here at the Community.
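The two origin-side measures mentioned in the reply above (allow only Cloudflare's proxy ranges to reach the web host, and reject TRACE/TRACK outright), as an added example that is not part of the original thread. The network ranges are constructed placeholders from the RFC 5737/3849 documentation blocks, standing in for Cloudflare's published list; the function names are the example's own.

```python
import ipaddress

# Constructed placeholder ranges for this example. In practice load the
# current list published by Cloudflare (https://www.cloudflare.com/ips/)
# and refresh it periodically, since the real ranges change over time.
PROXY_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # RFC 5737 documentation block, stands in for a real prefix
    "203.0.113.0/24",    # RFC 5737 documentation block, stands in for a real prefix
    "2001:db8::/32",     # RFC 3849 documentation block, stands in for a real prefix
)]

# HTTP methods the reply suggests blocking regardless of source.
BLOCKED_METHODS = {"TRACE", "TRACK"}


def from_proxy(peer_ip: str) -> bool:
    """True if the TCP peer address is inside one of the proxy ranges.

    The check must use the connecting socket address, never a header such as
    X-Forwarded-For or CF-Connecting-IP: a client that bypasses the proxy and
    hits the origin IP directly can set those headers to anything.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in PROXY_RANGES)


def decide(peer_ip: str, method: str) -> str:
    """Return 'deny-origin' for traffic that bypassed the proxy,
    'deny-method' for TRACE/TRACK, otherwise 'allow'."""
    if not from_proxy(peer_ip):
        return "deny-origin"
    if method.upper() in BLOCKED_METHODS:
        return "deny-method"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: (peer address as seen by the origin, method)
    samples = [
        ("198.51.100.7", "GET"),    # arrives via the proxy range: allowed
        ("192.0.2.44", "GET"),      # direct hit on the origin IP: denied
        ("203.0.113.9", "TRACE"),   # via proxy but blocked method: denied
    ]
    for ip, method in samples:
        print(f"{ip:>14} {method:<6} -> {decide(ip, method)}")
```

Evaluating this against the origin's access log is a quick way to see how much traffic is reaching the server without passing through the proxy, which is the bypass the reply asks about.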
Thanks for the prompt response! We will look at your articles, and it would be really helpful for us. We subscribed to the Enterprise plan, and so we want to utilize all the security best practices to protect our web resources as much as we can.