Using Cloudflare to Stomp the Bots

TL;DR:

We’ve got a website security problem that I hope to stomp out for all of my existing customers in 2025. Cloudflare enables you to stop known bad-actor traffic at the domain level, before it even arrives at your website.
Chris Foley

Founder & head honcho over here at PXLPOD Web Strategy

Hi everybody. I wrote this as a support note for our existing Web Hosting and Support customers but decided to make it public facing as it contains actionable info that’s useful for people who aren’t currently hosting with us. Also, the article started to get pretty long pretty quickly and so I will send a shorter TL;DR version in the newsletter and y’all can skim what you want and read the parts that are interesting to you. Let’s kick those bots in the mouth. I for one am sick and tired of the hassle week after week. 

Cheers! 
Chris

What’s wrong? 

The problem is a huge uptick in bot-driven website attacks in 2024 that has only grown in scale in 2025. It’s digital siege warfare, and many of you have seen it in action as increased contact form spam. Others have seen it as massively skewed Google Analytics data, and some of you have had your sites slow down momentarily from DDoS attacks, where the bots try to pound the doors down.

So what’s all this about? What are these clowns after? Why are they hitting MY site — my business isn’t a huge global affair. Heck, I don’t even have eCommerce or stored credit cards for bots to come and steal…

Yeah, it’s not personal, and in most cases these bots have no idea who you are or what’s inside your site. Some of these attacks are designed to break in and steal stuff – but honestly, if a scam firm is trying to get updated credit card numbers they’ll focus on breaking into a credit card or department store database. They’ll go after Target, not us. What most of them want is to put as many machines onto their botnet as possible. I’m not going to get into that here, but you can learn more about it below if you’re interested. It’s fascinating and scary.

Botnet information here and here.

What are we going to do about this?

There are 2 major solutions to help out. I’ve already deployed one of these solutions on most of your sites. There’s a plugin called WPS Hide Login that moves the default WordPress login URL (/wp-login.php or /wp-admin/) to a different URL of your choosing that bots won’t detect and can’t find. This keeps the bots from attempting brute-force login attacks because the default login page they expect to find isn’t there.

This solution does not, however, prevent bots from filling out your contact forms multiple times in a row, or from requesting your pages over and over again in order to slow your site down and look for weaknesses.

All of these bot hits slow down your site and count against your allotted visitation and load volume, as well as absolutely murdering your ability to use metrics software to accurately measure the volume of good traffic you’re receiving at your site. In some cases these bots hit your site multiple times per second, probing for weaknesses they can exploit.

This is where Cloudflare comes in.

Sure, we’ve already got a bunch of medicine and other protections installed and running at the server level, and should the bots take your site down or infect it we can always have it back up and running within the hour, usually less – but the best way to prevent any form of Siege Warfare is to make sure the approaching army simply can’t find you.

Cloudflare enables you to stop known bad-actor traffic at the domain level, before it even arrives at your website. Cloudflare keeps their bad-actor database up to date and will automatically protect you from traffic coming from known-bad IP blocks. It’s sort of like being detained at the airport, and the bot traffic never arrives on your shores. 

2 Good Pricing Options to Start With

Free is good. 

Cloudflare has a free plan and this plan carries their basic protections as well as gives us 5 Custom WAF (Web Application Firewall) rules to play with for when we want/need to block specific regions. I’ll say more about that in a moment.

Cloudflare Pro

Cloudflare’s next level up, Pro, is $20/month and gives you some advanced bot protections as well as 20 Custom WAF rules. This is the plan I’m on.

I’m using a few of these Custom WAF rules to block regional traffic. I’ve got one rule blocking all traffic coming from the Russian Federation states. This one rule handled most of my bot-driven contact form attack spam. I found that most of my brute-force attack attempts were coming from Pakistan, so I blocked all traffic to my site coming from there. There are no really good reasons for me to be getting traffic from Pakistan, as I don’t do business there and don’t outsource any of our work there. Additionally, I was getting a lot of solicitation from Indian tech companies who want me to outsource to them. Since I’m not interested in doing that, and since I was getting 10+ such solicitations every day, I simply added a WAF rule blocking traffic from India. Web life is a lot easier and more peaceful these days than it’s been in the past few years!
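As an added example (not part of the original post, and not a Cloudflare tool): a small Python dry run of the three country-block rules described above against constructed log lines, so you can see what a rule would have stopped, and what legitimate traffic it would catch, before switching it on. The log format, sample lines and rule names are assumptions for illustration.

```python
"""Dry-run country-block WAF rules (like the author's) over access log lines.
Cloudflare's custom-rule expression for the same logic is
    (ip.src.country in {"RU" "PK" "IN"})   with action Block
Checking it against your own logs first shows what it would stop and what
legitimate traffic it would catch, before you enable it."""
import re
from collections import Counter

# Constructed sample lines (not real traffic): "<ip> <country> <method> <path>"
SAMPLE_LOG = """\
203.0.113.10 US GET /about/
198.51.100.7 RU POST /contact/
198.51.100.7 RU POST /contact/
192.0.2.44 PK POST /wp-login.php
192.0.2.44 PK POST /wp-login.php
203.0.113.55 IN POST /contact/
203.0.113.77 DE GET /wp-login.php
203.0.113.10 US POST /contact/
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<country>[A-Z]{2}) (?P<method>\S+) (?P<path>\S+)$")

# One entry per custom WAF rule: (assumed rule name, ISO 3166 country codes it blocks).
GEO_RULES = [("block-ru", {"RU"}), ("block-pk", {"PK"}), ("block-in", {"IN"})]

def parse_log(text):
    """Parse lines into dicts, skipping anything that does not match the format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def first_matching_rule(req, rules=GEO_RULES):
    """Name of the first rule blocking this request's country, else None.
    Cloudflare evaluates custom rules in order and a Block ends evaluation,
    so first match wins here too."""
    for name, countries in rules:
        if req["country"] in countries:
            return name
    return None

def dry_run(text, rules=GEO_RULES):
    """Count would-be blocks per rule and return the requests that get through."""
    hits, passed = Counter(), []
    for req in parse_log(text):
        name = first_matching_rule(req, rules)
        if name:
            hits[name] += 1
        else:
            passed.append(req)
    return hits, passed
```

Call `dry_run(SAMPLE_LOG)` to get the per-rule block counts and the requests that still get through; on the sample, the German hit on /wp-login.php passes, which is why hiding the login page is still worth doing alongside geo-blocking.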

Most people will be able to get away with the free plan for a while and will need to buy into a higher plan as traffic grows and needs increase. I’m also thinking that the bots are going to be getting smarter and smarter over time and more pervasive.

I’m already seeing people weaponizing ChatGPT apps, and attacks coming from OpenAI-hosted services. Not cool.

Need Help With This?

Interested? The PXLPOD team can handle this for you. Heck, you can probably do it all yourself if you wanted to; it’s really easy. Our estimate is about 2 hours per domain to get everything up and running and configured properly. That’s an average. Be warned: if you’re using an outsourced IT team they might try to convince you that this is a $3k project. We saw this happen to one of our clients. It’s NOT a 30+ hour project.

CLICK HERE TO GET US STARTED on this for you. 

NOTE: Those of you on one of our Support Plans don’t have to worry about this; we’ll be in touch in the next couple of weeks to get this handled for you, inclusive of your support retainer. Don’t worry about it. In fact, most of you are already on Cloudflare as we started with our Support Plan customers.

If you want to handle it on your own, here are a couple of support documents to check out.

If you’re on our Flywheel hosting you can use this.

If you’re on our WPEngine server you can use this.

We’re not Cloudflare affiliates or partners and we don’t get a commission, a toaster, or a gift fruit basket when you sign up. What we do get is an increased sense of security and peace of mind for your website and your business. (I think I should get a commission for crafting that last sentence. Personally.)

Thanks y’all, and thanks for reading. If you want to talk about this, just reach out and let me know. Contact Form here, or hit the 15-minute call Calendly thingy. 

Chris

Thanks for stopping by. You're the best. Srsly.