Automated bots account for a large share of all web traffic, and a meaningful slice of it is malicious: credential stuffing, content scraping, inventory hoarding, and vulnerability scanning. For most small and medium businesses, the fastest way to push back is Cloudflare's Web Application Firewall (WAF) combined with its bot management features. This guide walks through a practical baseline you can deploy in an afternoon.
Step 1: Proxy your traffic through Cloudflare
Bot protection only works on traffic that actually passes through Cloudflare's edge. In your DNS settings, make sure the records for your web app show the orange cloud (proxied) rather than the grey cloud (DNS only). Without this, requests reach your origin directly and bypass every rule you configure.
Step 2: Enable the managed WAF rulesets
Under Security → WAF → Managed rules, turn on the Cloudflare Managed Ruleset and the OWASP Core Ruleset. Start both in "log" mode for a few days so you can review what would have been blocked, then switch the high-confidence rules to "block". This avoids accidentally breaking legitimate API clients on day one.
Step 3: Turn on Bot Fight Mode or Super Bot Fight Mode
Bot Fight Mode (free) issues challenges to obviously automated requests. On paid plans, Super Bot Fight Mode lets you treat verified bots (search engines), likely automated traffic, and definitely automated traffic differently. Allow verified bots, challenge "likely automated", and block "definitely automated" on sensitive paths like login and checkout.
Step 4: Add rate limiting on authentication endpoints
Credential stuffing relies on volume. Create a rate limiting rule that caps requests to /login and /api/auth to a sane threshold per IP, for example 10 requests per minute. When the limit is exceeded, return a managed challenge rather than an outright block so real users mistyping a password are not locked out.
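As an added illustration (not part of this guide), the Python below builds the rate limiting rule from this step in the shape of Cloudflare's Rulesets API (phase http_ratelimit) and pairs it with a small local model of the per-IP counter so you can sanity-check the threshold against constructed traffic before deploying. The zone id is a placeholder, the accepted-period set and the ip.src plus cf.colo.id characteristics are assumptions taken from Cloudflare's documentation, and the sliding-window model is only an approximation of the edge counters, which are per data centre.

```python
import json
from collections import defaultdict, deque

# All values below are constructed for this example; the zone id is a placeholder.
ZONE_ID = "<your-zone-id>"
AUTH_PATHS = ["/login", "/api/auth"]
THRESHOLD = 10          # requests per period, per client IP
PERIOD_SECONDS = 60     # the guide's "10 requests per minute"
# Periods the rate limiting API accepts (assumption based on Cloudflare's documentation).
ALLOWED_PERIODS = {10, 60, 120, 300, 600, 3600}


def build_rate_limit_rule(paths=AUTH_PATHS, threshold=THRESHOLD, period=PERIOD_SECONDS):
    """Return the request body for
    PUT /zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint.
    Exceeding the threshold serves a managed challenge instead of a block,
    so a real user who mistypes a password is slowed down, not locked out."""
    if period not in ALLOWED_PERIODS:
        raise ValueError(f"period {period}s is not an accepted rate limiting period")
    path_set = " ".join(f'"{p}"' for p in paths)
    return {
        "rules": [
            {
                "description": "Throttle credential stuffing on authentication endpoints",
                "expression": f"(http.request.uri.path in {{{path_set}}})",
                "action": "managed_challenge",
                "ratelimit": {
                    # cf.colo.id alongside ip.src: counters are kept per data centre
                    "characteristics": ["ip.src", "cf.colo.id"],
                    "period": period,
                    "requests_per_period": threshold,
                    "mitigation_timeout": period,
                },
            }
        ]
    }


class PerIpWindow:
    """Simplified local model of the rule: a sliding window per IP on the
    matching paths. Use it to reason about the threshold, not as a replica
    of Cloudflare's (approximate, per data centre) counters."""

    def __init__(self, threshold=THRESHOLD, period=PERIOD_SECONDS, paths=AUTH_PATHS):
        self.threshold, self.period, self.paths = threshold, period, set(paths)
        self.hits = defaultdict(deque)

    def decide(self, ip, path, ts):
        if path not in self.paths:
            return "allow"            # rule expression does not match this request
        window = self.hits[ip]
        while window and ts - window[0] >= self.period:
            window.popleft()          # drop hits older than the period
        window.append(ts)
        return "managed_challenge" if len(window) > self.threshold else "allow"


def simulate(events, limiter=None):
    """events: iterable of (timestamp_seconds, ip, path).
    Returns {ip: {"allow": n, "managed_challenge": n}}."""
    limiter = limiter or PerIpWindow()
    outcome = defaultdict(lambda: {"allow": 0, "managed_challenge": 0})
    for ts, ip, path in events:
        outcome[ip][limiter.decide(ip, path, ts)] += 1
    return dict(outcome)


def constructed_traffic():
    """Constructed sample: one person retrying a mistyped password three times
    while browsing, and one credential-stuffing client sending 60 attempts in a minute."""
    human_logins = [(t * 5, "198.51.100.7", "/login") for t in range(3)]
    human_browsing = [(t * 10, "198.51.100.7", "/products") for t in range(6)]
    stuffing = [(t, "203.0.113.9", "/api/auth") for t in range(60)]
    return sorted(human_logins + human_browsing + stuffing)


if __name__ == "__main__":
    print(json.dumps(build_rate_limit_rule(), indent=2))
    for ip, counts in simulate(constructed_traffic()).items():
        print(ip, counts)
```

Running it prints the rule body you would PUT to the API and shows the human client never hitting the challenge while the stuffing client gets its first ten attempts through and the remaining fifty challenged; raise or lower THRESHOLD and re-run to see how much headroom a retrying user has.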
Step 5: Monitor and tune
Open the Security Analytics dashboard weekly. Look at which rules are firing, which paths attract the most automated traffic, and whether any legitimate clients are being challenged. Bot protection is never "set and forget" — attackers rotate IPs and user agents, so your rules should evolve with the traffic you actually see.
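The dashboard answers these questions interactively; if you export firewall events (for example through Logpush) you can answer the same three questions from a script. The following is an added example, not part of this guide: it runs over a constructed sample of newline-delimited JSON events. The field names (Action, Source, RuleID, ClientRequestPath, ClientRequestUserAgent) follow Cloudflare's firewall events dataset as an assumption, and the rule ids, action strings, IPs and the "AcmeShop" first-party user agents are invented for the sample.

```python
import json
from collections import Counter

# Constructed sample in the shape of Cloudflare's firewall events export.
# Field names are an assumption about that dataset; every value is invented.
# The last line is deliberately malformed to show the parser surviving it.
SAMPLE_EVENTS = """
{"Datetime":"2024-05-06T10:00:01Z","Action":"managed_challenge","Source":"ratelimit","RuleID":"rl-auth-throttle","ClientIP":"203.0.113.9","ClientRequestPath":"/api/auth","ClientRequestUserAgent":"python-requests/2.31"}
{"Datetime":"2024-05-06T10:00:02Z","Action":"managed_challenge","Source":"ratelimit","RuleID":"rl-auth-throttle","ClientIP":"203.0.113.9","ClientRequestPath":"/api/auth","ClientRequestUserAgent":"python-requests/2.31"}
{"Datetime":"2024-05-06T10:01:10Z","Action":"block","Source":"firewallmanaged","RuleID":"cf-managed-sqli","ClientIP":"198.51.100.44","ClientRequestPath":"/search","ClientRequestUserAgent":"Mozilla/5.0 (compatible; scanner)"}
{"Datetime":"2024-05-06T10:02:30Z","Action":"log","Source":"firewallmanaged","RuleID":"owasp-949110","ClientIP":"192.0.2.18","ClientRequestPath":"/api/orders","ClientRequestUserAgent":"AcmeShop-iOS/3.2"}
{"Datetime":"2024-05-06T10:03:00Z","Action":"managed_challenge","Source":"botfight","RuleID":"bot-likely-automated","ClientIP":"198.51.100.80","ClientRequestPath":"/login","ClientRequestUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"Datetime":"2024-05-06T10:03:05Z","Action":"managed_challenge","Source":"botfight","RuleID":"bot-likely-automated","ClientIP":"192.0.2.19","ClientRequestPath":"/checkout","ClientRequestUserAgent":"AcmeShop-iOS/3.2"}
{"Datetime":"2024-05-06T10:04:00Z","Action":"block","Source":"botfight","RuleID":"bot-definitely-automated","ClientIP":"203.0.113.50","ClientRequestPath":"/login","ClientRequestUserAgent":"curl/8.4"}
{"Datetime":"2024-05-06T10:05:00Z","Action":"allow","Source":"firewallcustom","RuleID":"allow-verified-bots","ClientIP":"192.0.2.200","ClientRequestPath":"/sitemap.xml","ClientRequestUserAgent":"Googlebot/2.1"}
{"Datetime":"2024-05-06T10:06:00Z","Action":"managed_challenge","Source":"ratelimit","RuleID":"rl-auth-throttle","ClientIP":"203.0.113.9","ClientRequestPath":"/login","ClientRequestUserAgent":"python-requests/2.31"}
this line is not json
"""

# Actions that actually interfered with a request (assumed action names).
MITIGATING = {"block", "managed_challenge", "challenge", "jschallenge"}
# User-agent prefixes of your own first-party clients (constructed for the sample).
KNOWN_GOOD_UA_PREFIXES = ("AcmeShop-iOS/", "AcmeShop-Android/")


def parse_events(text):
    """Parse newline-delimited JSON; return (events, skipped_line_count).
    One malformed line must not abort the whole weekly review."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped


def rule_hits(events):
    """Which rules are firing, and with what action."""
    return Counter((e.get("Source"), e.get("RuleID"), e.get("Action")) for e in events)


def mitigated_paths(events):
    """Which paths attract the most traffic that rules had to challenge or block."""
    return Counter(e["ClientRequestPath"] for e in events if e.get("Action") in MITIGATING)


def log_mode_preview(events):
    """Rules still in log mode: what they would have blocked once switched to block."""
    return Counter(e["RuleID"] for e in events if e.get("Action") == "log")


def suspected_false_positives(events, prefixes=KNOWN_GOOD_UA_PREFIXES):
    """Legitimate first-party clients that were challenged or blocked."""
    return [e for e in events
            if e.get("Action") in MITIGATING
            and e.get("ClientRequestUserAgent", "").startswith(prefixes)]


def weekly_report(text):
    events, skipped = parse_events(text)
    return {
        "events": len(events),
        "skipped_lines": skipped,
        "rule_hits": rule_hits(events).most_common(),
        "top_mitigated_paths": mitigated_paths(events).most_common(3),
        "log_mode_preview": log_mode_preview(events).most_common(),
        "suspected_false_positives": [
            (e["RuleID"], e["ClientRequestPath"], e["ClientRequestUserAgent"])
            for e in suspected_false_positives(events)
        ],
    }


if __name__ == "__main__":
    print(json.dumps(weekly_report(SAMPLE_EVENTS), indent=2))
```

On the sample, the report shows the rate limit firing most on the auth endpoints, /login as the path drawing the most mitigated traffic, one OWASP rule still in log mode that would have hit a first-party app request, and one first-party client challenged on /checkout, which is exactly the kind of finding that should lead you to adjust a rule or add an exception rather than leave it as is.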
With these five steps you have a defensible baseline. For higher-risk applications, layer in mTLS for internal APIs, Turnstile on public forms, and Cloudflare Access for admin panels.
Korur Security Team
