Terrible flooding - Panic can't make it stop

ask your host, they will know

It would be good if you posted the actual Firewall Rule. Challenge Captcha is better then JS Challenge here, and you may even elevate it to Block until the attack is controlled.

Add more to the list as you identify more IPs. Don’t worry about the list getting big, the performance impact should be negligible.

Ideally, you should get help from your host to only allow connections from Cloudflare servers. You can try adding something like this to your htaccess, to check for a CF header before allowing anyone in.

Also, make sure the WordPress block on .htaccess is at the bottom of the .htaccess file.

1 Like