Cloudflare Rate Limiting: Step-by-Step Setup & Best Practices

If your website has ever been hit by a bot attack, brute force login attempts, or sudden traffic spikes that crashed your server, you know how disruptive unregulated traffic can be. Cloudflare Rate Limiting is one of the most effective tools to stop these threats before they even reach your origin server.

What Is Cloudflare Rate Limiting?

Cloudflare Rate Limiting is a security feature that caps the number of requests a single client can make to your site within a set time window. Clients are counted by characteristics you choose, most often the client IP address (on higher plans you can also count by an API key header, a cookie, or other request attributes). Because the rules run on Cloudflare’s global edge network, excess requests are blocked or challenged before they ever touch your origin server.

Free Cloudflare plans include 1 active rate limiting rule, while paid Pro, Business, and Enterprise plans offer more rules, advanced matching and counting options, and longer time windows. When more than one rule could match a request, Cloudflare evaluates rate limiting rules in the order they are listed, so keep your most specific rules (for example, the login rule) above broader ones.

Key Benefits of Using Cloudflare Rate Limiting

  • Mitigate application-layer (HTTP) floods and request spikes that look like ordinary traffic; network-layer volumetric attacks are absorbed by Cloudflare’s DDoS protection, not by these rules
  • Stop brute force login attempts on common endpoints like /wp-login.php, /xmlrpc.php or /api/login
  • Prevent public API abuse by capping unauthenticated request volumes
  • Reduce origin server load by filtering bad traffic at the edge
  • Customize rules for different site sections (login pages, APIs, public blogs)

How to Set Up Cloudflare Rate Limiting (Step-by-Step)

Follow these 7 steps to create your first working rate limiting rule:

Prerequisites

Before you start, make sure:

  • You have a Cloudflare account with your site added
  • Your domain’s nameservers are pointed to Cloudflare
  • You know which site sections you want to protect (e.g., login pages, API endpoints)

Step 1: Access Rate Limiting Settings

Log in to your Cloudflare dashboard, select the site you want to protect, then open the WAF section under Security and choose Rate limiting rules (the exact menu path has moved between dashboard versions, so search for “Rate limiting rules” if you don’t see it in the sidebar).

Step 2: Create a New Rate Limiting Rule

Click the Create rule button in the top right corner. Give your rule a clear name (e.g., “WordPress Brute Force Protection” or “Public API Rate Limit”) so you can identify it later.

Step 3: Define Matching Conditions

Specify which traffic the rule applies to. You can match by:

  • Request path (http.request.uri.path, e.g. contains /wp-login.php or starts_with /api/)
  • Request method (http.request.method – use POST for login forms so that simply loading the page is not counted)
  • Visitor IP, country, or ASN (ip.src, ip.geoip.country, ip.geoip.asnum)
  • Hostname (http.host), when you only want to cover one subdomain
  • Response status code (optional, and not available on every plan: the counting expression can use http.response.code, e.g. to count only the 401s from failed logins or 404-heavy probing from bots)

For a brute force rule, you might match POST requests to URLs containing /wp-login.php, which in the expression editor is (http.request.uri.path contains "/wp-login.php" and http.request.method eq "POST").

Step 4: Set Rate Limit Threshold

Define how many requests are allowed per time window, and how long the action stays in force once the threshold is hit (the mitigation timeout; the available windows and timeouts depend on your plan). For example: 5 requests per 1 minute for login pages, or 100 requests per 1 hour for public API endpoints. If a single client exceeds this threshold, the enforcement action you set in Step 5 triggers and keeps applying for the mitigation timeout. Remember that the counter is per client (by default, per IP address), so a threshold of 5 per minute does not cap total traffic to the endpoint, only traffic from each source.

Step 5: Choose Enforcement Action

Select what happens when a visitor exceeds the rate limit:

  • Log: Records the match without enforcing it, ideal for testing to avoid false positives (only offered on Enterprise plans)
  • Managed Challenge (or Interactive/JS Challenge): Presents a challenge that a real browser can pass and most automated clients cannot; a client that solves it is let through
  • Block: Returns a 429 Too Many Requests response, or a custom response with a 4xx status code and a body of your choosing

For a browser-based login form, Managed Challenge is the least disruptive effective option. For APIs and other non-browser clients, use Block: a script or mobile app cannot solve a challenge page, so a challenge on an API endpoint is just a block with a confusing HTML body.

Step 6: Configure Advanced Settings (Optional)

Adjust optional settings to fine-tune your rule:

  • Allowlist trusted IPs (your office, known partners) by excluding them in the rule expression, e.g. and not ip.src in {203.0.113.0/24} (an illustrative documentation range), or with a custom rule that uses the Skip action to bypass rate limiting for those sources
  • Order your rules: Cloudflare evaluates rate limiting rules from the top of the list down, so move the most specific rule above broader ones
  • Scope the rule to one subdomain with http.host eq "app.example.com" in the expression if you host several

Step 7: Test and Activate

Test before you enforce. On Enterprise plans, start new rules with the Log action; on other plans, start with Managed Challenge (which real users can pass) rather than Block, or deploy with a generous threshold and tighten it. Check Security Events and the rate limiting analytics after 24-48 hours to confirm the rule is catching the traffic you expect and not legitimate users, then switch to your desired action and threshold. It also helps to trip the rule yourself from a test IP, for example by sending a handful of POSTs to the login URL with curl and confirming that the 429 or challenge appears exactly at the threshold.
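The seven steps above create one rule through the dashboard. The same rules can be created through Cloudflare's Rulesets API, which is how you would keep them in version control and apply them to several zones. The script below is an added example, not Cloudflare's code and not part of the original guide: it builds the login rule and an unauthenticated-API rule, sanity-checks them, and PUTs them to the zone's http_ratelimit phase when CF_ZONE_ID and CF_API_TOKEN are set, otherwise printing the payload. The endpoint, field and action names are Cloudflare's; the paths, thresholds, environment variable names and the 203.0.113.0/24 allowlist are assumptions, and which periods and counting characteristics your zone accepts depends on its plan.

```python
"""Create the two rate limiting rules from the steps above via the API.

Added example, not Cloudflare's own code.  The endpoint (the http_ratelimit
phase entry point), the field names and the action names follow Cloudflare's
Rulesets API; thresholds, paths and the 203.0.113.0/24 allowlist range are
this example's assumptions.
"""
import json
import os
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# "log" is only accepted on Enterprise zones.
ACTIONS = {"block", "managed_challenge", "js_challenge", "challenge", "log"}
PER_IP = ["cf.colo.id", "ip.src"]  # count per client IP at each edge location


def rate_limit_rule(description, expression, requests, period, action="block",
                    timeout=600, characteristics=None, allowlist=()):
    """Build one rule object for the http_ratelimit phase.

    characteristics: what each counter is keyed on.  Per-IP works on every
    plan; keying on a header such as http.request.headers["x-api-key"] is,
    as this example assumes, an Advanced Rate Limiting (Enterprise) feature.
    allowlist: CIDRs excluded from the rule so you cannot lock yourself out.
    """
    if allowlist:
        expression = f"({expression}) and not ip.src in {{{' '.join(allowlist)}}}"
    rule = {
        "description": description,
        "expression": expression,
        "action": action,
        "enabled": True,
        "ratelimit": {
            "characteristics": list(characteristics or PER_IP),
            "period": period,                 # window length in seconds
            "requests_per_period": requests,  # threshold within that window
        },
    }
    if action == "block":
        # Assumption: the mitigation timeout applies to Block only; challenge
        # actions lift the limit as soon as the client passes the challenge.
        rule["ratelimit"]["mitigation_timeout"] = timeout
        rule["action_parameters"] = {"response": {
            "status_code": 429,
            "content_type": "application/json",
            "content": json.dumps({"error": "rate limited, slow down"}),
        }}
    return rule


def validate(rule):
    """Return a list of problems; an empty list means the rule looks sane."""
    problems = []
    rl = rule.get("ratelimit", {})
    if rule.get("action") not in ACTIONS:
        problems.append(f"unknown action {rule.get('action')!r}")
    if not rule.get("expression", "").strip():
        problems.append("empty expression")
    if rl.get("period", 0) <= 0 or rl.get("requests_per_period", 0) <= 0:
        problems.append("period and requests_per_period must be positive")
    if not rl.get("characteristics"):
        problems.append("at least one counting characteristic is required")
    return problems


def login_and_api_rules():
    """The two rules this guide walks through (paths are assumptions)."""
    login = rate_limit_rule(
        "WordPress brute force protection",
        '(http.request.uri.path in {"/wp-login.php" "/xmlrpc.php"} '
        'and http.request.method eq "POST")',
        requests=5, period=60, action="block", timeout=600,
        allowlist=["203.0.113.0/24"],  # assumed office range
    )
    api = rate_limit_rule(
        "Public API rate limit (unauthenticated)",
        '(http.request.uri.path starts_with "/api/" '
        'and not any(http.request.headers.names[*] == "authorization"))',
        requests=100, period=3600, action="block", timeout=600,
    )
    return [login, api]


def deploy(zone_id, token, rules):
    """Replace the zone's rate limiting rules with `rules` (PUT replaces all)."""
    body = json.dumps({"rules": rules}).encode()
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint",
        data=body, method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = login_and_api_rules()
    for r in rules:
        for p in validate(r):
            sys.exit(f"{r['description']}: {p}")
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone and token:
        print(json.dumps(deploy(zone, token, rules), indent=2))
    else:  # dry run: show the payload the dashboard would have created
        print(json.dumps({"rules": rules}, indent=2))
```

Two things to keep in mind when you run it for real: the PUT to the phase entry point replaces every rate limiting rule in the zone, so include all the rules you want to keep, and the API token needs zone-level WAF edit permission. Run it without the environment variables first and review the printed payload against what you configured in the dashboard.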

Best Practices for Cloudflare Rate Limiting

  • Never skip the testing stage for new rules – false positives can lock out real users; use the Log action where your plan offers it, otherwise start with Managed Challenge
  • Set separate rules for different site sections (login pages need stricter limits than public blogs)
  • Exclude your own IP address in the rule expression before testing so you don’t lock yourself out
  • Review rate limiting analytics weekly to adjust thresholds based on traffic patterns
  • Start from Cloudflare’s rate limiting rule templates for common cases such as login brute force, and for credential stuffing pair rate limiting with the WAF’s leaked credentials detection rather than relying on per-IP thresholds alone

Common Cloudflare Rate Limiting Mistakes to Avoid

  • Using a single rule for all traffic – a limit that works for public pages will break login functionality
  • Setting thresholds too low – power users or legitimate automated tools (like site scrapers with permission) may get blocked
  • Forgetting to monitor rule performance – you might be blocking real customers without realizing it
  • Relying on one long window with a generous count (e.g., 100 attempts per hour for a login page) – an attacker can burst through dozens of attempts in seconds before the counter trips; use a short window with a tight count for logins, and keep in mind that any per-IP limit is blind to an attack spread across many source addresses
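To make the threshold choice in Step 4 and the long-window mistake above concrete, here is an added simulation that is not part of the original article and not Cloudflare's code. It replays three constructed traffic traces through a sliding-window counter of the kind Cloudflare has described for its edge rate limiter (previous window's count scaled by its remaining overlap, plus the current window's count). The traces, the documentation-range IP addresses, the two policies and the mitigation-timeout handling are assumptions; real edge behaviour is per data center and may differ in detail.

```python
"""Replay constructed request traces through a sliding-window rate limiter.

Added example, not Cloudflare's code.  The counter estimates the trailing
`period` seconds as (previous window's count x its remaining overlap) +
(current window's count), the approximation Cloudflare has described for
its edge rate limiter.  Per-IP keying, the mitigation timeout handling and
the traces below are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    limit: int    # requests_per_period
    period: int   # window length in seconds
    timeout: int  # mitigation timeout: how long a tripped client stays blocked


@dataclass
class Result:
    allowed: int = 0
    blocked: int = 0
    first_block: Optional[float] = None  # time of the first blocked request


class SlidingWindowLimiter:
    def __init__(self, policy: Policy):
        self.p = policy
        self.counts: Dict[Tuple[str, int], int] = {}  # (client, window) -> hits
        self.blocked_until: Dict[str, float] = {}     # client -> mitigation end

    def estimate(self, client: str, t: float) -> Tuple[float, int]:
        """Approximate requests by `client` in the trailing `period` seconds."""
        w = int(t // self.p.period)
        elapsed = t - w * self.p.period
        prev = self.counts.get((client, w - 1), 0)
        cur = self.counts.get((client, w), 0)
        return prev * (self.p.period - elapsed) / self.p.period + cur, w

    def request(self, client: str, t: float) -> bool:
        """True if the request is allowed, False if it is rate limited."""
        if t < self.blocked_until.get(client, -1.0):
            return False  # still inside the mitigation timeout
        est, w = self.estimate(client, t)
        if est + 1 > self.p.limit:
            self.blocked_until[client] = t + self.p.timeout
            return False  # assumption: blocked requests do not add to the count
        self.counts[(client, w)] = self.counts.get((client, w), 0) + 1
        return True


def simulate(policy: Policy, events: List[Tuple[float, str]]) -> Result:
    """Run a (time, client) trace through a fresh limiter and tally the outcome."""
    limiter, res = SlidingWindowLimiter(policy), Result()
    for t, client in sorted(events):
        if limiter.request(client, t):
            res.allowed += 1
        else:
            res.blocked += 1
            if res.first_block is None:
                res.first_block = t
    return res


# Constructed traces (not real traffic); addresses are documentation ranges.
LOGIN_BURST = [(0.5 * i, "198.51.100.7") for i in range(60)]      # 60 POSTs in 30 s
LOW_AND_SLOW = [(15.0 * i, "198.51.100.7") for i in range(240)]   # one every 15 s for an hour
DISTRIBUTED = [(15.0 * i, f"203.0.113.{i}") for i in range(240)]  # same pace, 240 source IPs

STRICT_LOGIN = Policy(limit=5, period=60, timeout=600)      # the guide's login example
LOOSE_HOURLY = Policy(limit=100, period=3600, timeout=600)  # the "one long window" mistake


def compare() -> Dict[str, Dict[str, Result]]:
    """Outcome of every trace under both policies, keyed by trace then policy."""
    traces = {"burst": LOGIN_BURST, "low_and_slow": LOW_AND_SLOW,
              "distributed": DISTRIBUTED}
    policies = {"5/min": STRICT_LOGIN, "100/hour": LOOSE_HOURLY}
    return {tn: {pn: simulate(p, tr) for pn, p in policies.items()}
            for tn, tr in traces.items()}


if __name__ == "__main__":
    for trace, outcomes in compare().items():
        for policy, r in outcomes.items():
            print(f"{trace:<13}{policy:<10}allowed={r.allowed:<4}"
                  f"blocked={r.blocked:<4}first_block={r.first_block}")
```

Reading the output: the 5-per-minute policy stops the burst after five attempts (first block at 2.5 s) but never trips on four attempts per minute, while the 100-per-hour policy lets the whole burst through and only catches the slow attacker after 100 tries. Neither policy touches the distributed trace, because every source stays under its own counter; that is the limit of per-IP thresholds and the reason to pair them with credential checks and bot controls rather than treating rate limiting as a complete credential-stuffing defence.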

Frequently Asked Questions

Is Cloudflare Rate Limiting free?
The free Cloudflare plan includes 1 active rate limiting rule. Paid Pro, Business, and Enterprise plans offer more rules, advanced matching, and higher request limits.
Will rate limiting block legitimate users?
It can if thresholds are set too low. Always start with log-only mode, review analytics, and adjust thresholds to match your actual traffic patterns.
Can I rate limit API traffic with Cloudflare?
Yes, create rules matching your API endpoints (e.g., /api/*) with stricter limits for unauthenticated requests, and higher limits for requests with valid API keys.
What happens when a user exceeds the rate limit?
With the Block action, they receive a 429 Too Many Requests response for the mitigation timeout you configured. You can customize the block response, or choose a challenge action so that a real user can prove they are human and continue.

Conclusion

Cloudflare Rate Limiting is a low-effort, high-impact way to protect your site from malicious traffic without complex server-side configuration. Because it runs at the edge, your origin server stays protected even during large-scale attacks.

Start with a simple rule for your login page today, and adjust thresholds as you learn more about your traffic patterns. Small tweaks to your rate limiting setup can save you hours of downtime and debugging down the line.

Ready to secure your site? Log in to your Cloudflare dashboard and set up your first rate limiting rule in minutes. Have questions about custom configurations? Drop them in the comments below!
