Settings close to under attack mode

Website, Application, Performance Security
1

Hello
Site is on Wordpress
Its under ddos attack right now
When “Under atack mode” is active I have NO problems with server load, so its working fine.
But some features like crossposting to social and scheduled posts are not working.

I know from which country attack is going

If I disable “Under attack” mode and make rule (country equals to “attacking country” to block that country, i have problems with server load. Like its not blocking anything

Can i make something like Under attack mode ? ,But not so strict, that my scheduled posts and crossposting plugins could work properly (because when under attack mode is active I have errors in wp site health - REST api error, and site could not complete loopback request)

2

You should check and make the URLs list that you will need to use and create FireWall’s rules that bypass UAM with your IP.
For example, the post scheduling feature, it is possible that your server itself is blocked when trying to access the website through Cloudflare.

3

Shouldn’t be active all the time. Set it at least to Medium.

I’d suggest and sharing my useful post about WordPress security, if that’s a concern:

I am afraid you should look for better web hosting provider, or at least troubleshoot your theme and plugins:

Therefore, tune-up your PHP values a bit at your server/hosting provider/cPanel if you can:

memory_limit = 256M
max_execution_time = 300
max_input_time = 1000
max_input_vars = 5000 or 7000
post_max_size = 64M
upload_max_filesize = 32M

You should install some of the WordPress caching plugin for cache like WP Super Cache:

Make sure Cloudflare is proxied and set to :orange: for your website (both www and non-www).

Regarding performance, you can try out Cloudflare APO for WordPress for a month and see how it goes:

Some useful multiple stuff linked inline here:

In that case, I’d suggest you to whiltelist/allow your server IP by navigating to the Security → Tools → IP Access Rules. Add your origin host / server / web hosting IP address in the input field and select the action “allow” from the dropdown for your website.

Furthermore, are you using any of the WordPress security plugins which could restrict WP JSON or it’s API, so maybe some of your plugin(s) might not work as expected? :thinking:

Can you share a screenshot of this Firewall rule? :thinking:

6

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.