How to Enable Cloudflare Under Attack Mode to Mitigate DDoS Attacks

Stop DDoS Attacks with Cloudflare Under Attack Mode

A Distributed Denial-of-Service (DDoS) attack floods your server or website with malicious traffic from thousands of compromised devices (botnets), overwhelming resources and causing downtime. For WordPress sites, this can:

  • Trigger false auto-scaling costs on cloud platforms.
  • Crash databases (MySQL/MariaDB).
  • Spike CPU/memory usage on your hosting server.

Why Cloudflare’s Under Attack Mode Matters

When your site is under DDoS attack, Cloudflare Under Attack Mode acts as a virtual shield:

Buy Time: Gives you breathing room to analyze logs, adjust firewall rules, or contact your hosting provider.

Challenge Suspicious Visitors: Forces requests to pass a JavaScript/CAPTCHA check before accessing your site.

Block Botnets: Filters out automated traffic while allowing legitimate users to access it.

Consequences of Ignoring DDoS Protection:

  • SEO Damage: Downtime = lost rankings.
  • Revenue Loss: E-commerce sites can lose $100k+ per hour.
  • Reputation Harm: Users lose trust in your brand.

Step-by-Step: Enable Under Attack Mode

1. Log In to Cloudflare

2. Navigate to “Security” Settings

  • In the left menu, click Security > Settings.

3. Toggle “Under Attack Mode”

  • Locate “Security Level” (usually set to “Medium” by default).
  • Change the dropdown to “I’m Under Attack”

You can enable “Under Attack Mode” from either the Overview tab or the Security section, as mentioned below.

4. Verify Activation

  • Visit your site. New visitors will see a 5-second “Checking your browser” page.
  • Legitimate users: Automatically redirected after verification.
  • Bots/Attackers: Blocked at the edge.

5. Post-Activation Steps

  • Monitor Analytics: Go to Security > Events to track blocked requests.
  • Adjust Firewall Rules: Combine with Cloudflare’s WAF or Rate Limiting for layered defense.
  • Disable When Safe: Once the attack subsides, revert to your original security level to reduce user friction.

Best Practices for Hosting Engineers

  • Preemptive Setup: Enable “Auto-Enable Under Attack Mode” in Cloudflare’s cloudflare.conf (for advanced users).
  • Log Analysis: Use grep/awk on server logs to identify attack patterns. e.g,
grep "POST /" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
  • Rate Limiting: Set thresholds in Cloudflare to block excessive requests per IP.
  • Origin Protection: Ensure your server’s IP is hidden via Cloudflare’s proxy (gray cloud = danger!).

When NOT to Use Under Attack Mode

  • Low-Traffic Sites: The CAPTCHA page may deter real users.
  • API Endpoints: Can break mobile apps/third-party integrations. Use Rate Limiting instead.
  • Sustained Attacks: For prolonged attacks, contact Cloudflare Support or upgrade to Enterprise plans.

Conclusion

Cloudflare’s Under Attack Mode is a lifesaver during DDoS crises, but it’s not a “set and forget” solution. Pair it with robust firewall rules, real-time monitoring, and server hardening (e.g., tuning nginx.conf worker processes) for comprehensive protection.

Previous Article

What Is WP-CLI? Why WordPress Users Should Learn This Command Line Tool

Next Article

How to Set Up a Subdomain on Any DNS Registrar

Write a Comment

Leave a Comment

Your email address will not be published. Required fields are marked *