06 Sep 2025
You may often notice temporary traffic spikes on your website beyond normal levels, without any increase in orders or conversion rate.
This is often caused by malicious or unwanted bots that bombard your pages with dozens or even thousands of visits per minute.
These bots frequently generate excessive traffic, consume bandwidth, and drain server resources. In some cases, they can overload your server or dramatically increase your hosting and infrastructure costs.
One of the most effective ways to solve this issue is by using the Cloudflare Firewall (WAF).
Let’s walk through the step-by-step process of configuring it to prevent or limit uncontrolled access from bad bots and malicious crawlers.
Before you start, make sure you have created a Cloudflare account on the free plan.
Then add your website and follow the standard activation steps.
Step 1: Enable the Cloudflare Firewall
First, make sure the Firewall / WAF is active in your Cloudflare account.
Depending on your plan (Free, Pro, Business, or Enterprise), you will have different levels of access to advanced rules.
Even with the free plan, Cloudflare gives you more than enough tools for essential traffic filtering.
Step 2: Create firewall rules
Inside Cloudflare, you can create custom firewall rules to block attacks and suspicious traffic.
- Go to Security → Security Rules
- Click Create Rule
Set criteria such as:
- User Agent contains (for example: “bot”, “crawler” for suspicious or low-quality bots)
- Country (if you detect suspicious traffic from specific countries)
- Request Rate (for unusually high request volumes in a short period)
Under Action, choose one of the following:
- Block – completely blocks access
- JS Challenge – displays a JavaScript challenge that most bots fail
- Managed Challenge – lets Cloudflare choose which type of challenge to present for the request
Using Bot Fight Mode
Cloudflare also offers a very useful feature called Bot Fight Mode.
This feature is especially effective for:
a. Detecting and slowing down malicious bots
b. Reducing unnecessary traffic
Most importantly, Bot Fight Mode does not affect trusted bots such as Googlebot or Bingbot that are essential for SEO.
Use rate limiting to reduce attacks
If you notice in your logs that a specific bot is sending too many requests within a short time, you can activate rate limiting rules.
For example, if a visitor sends more than 30 requests per minute, you can trigger a CAPTCHA challenge or temporarily block access.
This helps protect not only against bad bots, but also against common DDoS-style attacks.
Monitor logs & analytics
Cloudflare provides detailed statistics and logs that show:
- Where traffic is coming from
- Which user agents generate the most requests
- Which countries generate abnormal traffic volumes
By analyzing this data, you can continuously refine and improve your firewall rules.
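As an added example (not part of the original article and not Cloudflare tooling), the script below scans hosting server access logs for clients that exceed the 30 requests per minute threshold mentioned above and lists the busiest user agents. It assumes the Combined Log Format; the sample lines, IP addresses and the `ExampleCrawler` user agent are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed format (Combined Log Format):
# ip - - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
THRESHOLD = 30  # requests per minute, the example limit used in the article

def parse(lines):
    """Yield (ip, minute, user_agent) per well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield m["ip"], ts.strftime("%Y-%m-%d %H:%M"), m["ua"]

def find_offenders(lines, threshold=THRESHOLD):
    """Return {(ip, minute): count} for clients with MORE than threshold hits."""
    per_minute = Counter((ip, minute) for ip, minute, _ua in parse(lines))
    return {key: n for key, n in per_minute.items() if n > threshold}

def top_user_agents(lines, n=3):
    """Return the n user agents that generated the most requests."""
    return Counter(ua for _ip, _minute, ua in parse(lines)).most_common(n)

def sample_log():
    """Constructed sample: one noisy client (45 hits in a minute), one normal visitor."""
    noisy = [f'203.0.113.7 - - [06/Sep/2025:10:15:{s:02d} +0000] '
             f'"GET /product/{s} HTTP/1.1" 200 512 "-" "ExampleCrawler/1.0"'
             for s in range(45)]
    normal = [f'198.51.100.20 - - [06/Sep/2025:10:15:{s:02d} +0000] '
              f'"GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
              for s in (3, 20, 41)]
    return noisy + normal + ["truncated line that does not parse"]

if __name__ == "__main__":
    log = sample_log()
    for (ip, minute), count in sorted(find_offenders(log).items()):
        print(f"{ip} sent {count} requests during {minute}")
    print(top_user_agents(log))
```

When the site is proxied through Cloudflare, origin logs record Cloudflare edge addresses unless the web server is configured to log the visitor IP from the `CF-Connecting-IP` header, so restore the real client IP before relying on per-IP counts.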
Best practices
- Do not block all bots with aggressive blanket rules, because some are essential for your website SEO
- Start with JS Challenge or Managed Challenge before using full blocking
- Review your settings regularly, because bots constantly evolve
- Always compare Cloudflare analytics with hosting server logs to verify the effectiveness of your rules
Why Cloudflare WAF is the best long-term solution for bad traffic
Cloudflare WAF is a powerful FREE security tool that can eliminate the useless traffic generated by bad bots.
With a few properly configured rules, you can improve website speed, protect your hosting server, reduce infrastructure costs, and most importantly deliver a smooth browsing experience for real users.
After years of investigation and optimization for clients suffering from high traffic abuse and hosting overload issues, our team has designed a complete Cloudflare bot protection framework with advanced custom rules specifically built to solve this problem permanently.
If you need help, explore our professional bot protection solution.