If Cloudflare didn’t automatically catch a credential stuffing or brute-force attack until someone manually enabled “Under Attack Mode,” that tells us a few important things — and it means the current setup can be tuned for faster, smarter protection.
This article breaks down what Under Attack Mode really does, why Cloudflare may not have reacted automatically, and outlines three essential steps to make your configuration more proactive in stopping these threats before they escalate.
What “Under Attack Mode” Actually Does
When activated, Cloudflare’s Under Attack Mode:
- Applies JavaScript challenges to every visitor
- Displays a 5-second interstitial screen to filter bots
- Temporarily increases inspection levels and filtering
This is useful in emergencies — but it’s a blunt-force approach. It can frustrate real users and slow down legitimate traffic, making it more of a reactive safety switch than a scalable defense.
Why Doesn’t Cloudflare Detect These Attacks Automatically?
By default, Cloudflare relies on:
- Known bad IP reputation
- Basic bot heuristics
- WAF (Web Application Firewall) rules, if configured
- Rate limiting, if manually set
Credential stuffing attacks can sneak past default protections if they:
- Come from IPs with no known history
- Use browser automation with realistic headers
- Keep requests under detection thresholds (e.g., 1000+ req/min/IP)
These subtle tactics allow attackers to mimic normal user behavior and avoid triggering automated defenses.
How to Make Cloudflare Respond Faster Next Time
To stay ahead of brute-force and credential stuffing attacks, consider implementing the following proactive defenses:
1. Enable Rate Limiting on Login Endpoints
Create a rule like:
If POST requests to /login or /api/auth exceed 10 per minute per IP, then block or challenge.
Steps:
- Go to Cloudflare Dashboard → Security → WAF → Rate Limiting Rules
- Set:
- URL:
/login*(or your actual endpoint) - Method: POST
- Threshold: e.g., 10 requests per minute
- Action: Block, Challenge, or JS Challenge
- URL:
Pro Tip: Be careful not to set the threshold too low; it might block legitimate login attempts during high-traffic periods.
2. Turn on Cloudflare Bot Management / Super Bot Fight Mode
- Under Security → Bots, you can enable Super Bot Fight Mode (on Pro plans).
- It classifies requests as verified bots, automated, or likely human.
- Set it to “Definitely Automated = Challenge or Block”.
This works better than generic WAF when bots are using browser automation tools.
3. Add Custom WAF Rules for Known Abuse Patterns
Go beyond rate limiting with WAF expressions that detect login abuse.
Example Rule:
(http.request.uri.path contains "/login") and (cf.threat_score > 20) and (ip.src ne known_good_ip)
Other filters to consider:
- Country-based blocks if your platform is region-specific
- Known headless user agents
- IPs with high Cloudflare threat scores
Bonus: Automate “Under Attack Mode” With API or Logs
Manually flipping Under Attack Mode is reactive. Instead:
- Use Cloudflare’s API to toggle the mode based on thresholds
- Use Logpush or a SIEM (Security Information and Event Management) tools like Datadog, wazuh, or ELK to detect login surges and auto-trigger protection rules
With the right automation in place, you can build an early-warning system that reacts within seconds, before your users even notice.
Final Thoughts
Under Attack Mode should be a last resort, not your first line of defense. With the right rate limiting, bot management, and WAF rules, Cloudflare can become an intelligent, proactive shield against credential-based attacks.
Don’t wait to be reactive. Tune your Cloudflare setup now, because attackers won’t wait for you to hit the switch.