Protect Your Website with Cloudflare: Complete Step-by-Step Setup Guide

Tweet

In today's digital landscape, website security and performance are more critical than ever. Cyber attacks, DDoS attempts, and malicious bots can severely impact your business operations and customer trust. That's why we're excited to share this comprehensive guide on setting up Cloudflare protection for your website.

Cloudflare offers enterprise-grade security features including Web Application Firewall (WAF), DDoS protection, and advanced bot management. In this guide, we'll walk you through the entire process of setting up Cloudflare protection, with a special focus on implementing targeted security rules for sensitive pages like login and registration forms.

What You'll Learn

• How to add and verify your domain in Cloudflare
• Setting up DNS configuration
• Enabling Web Application Firewall (WAF) rules
• Creating custom security rules for specific URIs
• Best practices for ongoing security management

Step 1: Creating Your Cloudflare Account and Adding Your Domain

1.1 Sign Up for Cloudflare

1. Visit cloudflare.com and click "Sign Up"
2. Enter your email address and create a strong password
3. Verify your email address through the confirmation link

1.2 Add Your Website

1. Once logged in, click "Add Site" from the dashboard
2. Enter your domain name (e.g., yourwebsite.com)
3. Click "Add Site" to continue
4. Cloudflare will scan your existing DNS records (this may take a few moments)

1.3 Choose Your Plan

Select the plan that best fits your needs:

• Free Plan: Basic DDoS protection and CDN (recommended)
• Pro Plan: Advanced security features and analytics
• Business Plan: Enhanced WAF rules and priority support
• Enterprise Plan: Custom security rules and dedicated support

For most businesses, the Pro Plan offers an excellent balance of features and cost.

Step 2: DNS Configuration and Domain Verification

2.1 Review DNS Records

1. Cloudflare will display all discovered DNS records
2. Review each record to ensure accuracy:
   • A Records: Point to your server's IP address
   • CNAME Records: For subdomains and services
   • MX Records: For email routing
   • TXT Records: For domain verification and SPF records
3. Make any necessary corrections by clicking the "Edit" button next to each record
4. Ensure the Proxy Status is enabled (orange cloud icon) for records you want protected

2.2 Update Nameservers

1. Cloudflare will provide you with two nameservers (e.g., nina.ns.cloudflare.com and walt.ns.cloudflare.com)
2. Log into your domain registrar's control panel
3. Navigate to the DNS or Nameserver settings
4. Replace your current nameservers with the Cloudflare nameservers
5. Save the changes

Note: Nameserver propagation can take up to 24 hours, though it's usually much faster.

2.3 Verify Domain Ownership

1. Return to your Cloudflare dashboard
2. Click "Check nameservers" to verify the change
3. Once verified, you'll see a "Great! Your site is now active on Cloudflare" message

Step 3: Enabling Web Application Firewall (WAF) Protection

3.1 Access WAF Settings

1. From your Cloudflare dashboard, select your domain
2. Navigate to Security → WAF
3. You'll see several tabs: Managed Rules, Rate Limiting, Custom Rules, and Tools

3.2 Enable Managed Rules

1. Click on the "Managed Rules" tab
2. Toggle "Enable" for the "Cloudflare Managed Ruleset"
3. Choose your sensitivity level:
   • Low: Minimal false positives, basic protection
   • Medium: Balanced protection (recommended)
   • High: Maximum protection, may require fine-tuning
4. Enable "Cloudflare OWASP Core Ruleset" for additional protection against OWASP Top 10 vulnerabilities

3.3 Configure Rule Actions

For each managed ruleset, you can configure actions:

• Block: Stop malicious requests
• Managed Challenge: Present an interactive challenge
• JS Challenge: Use JavaScript-based verification
• Log: Record events without blocking

Step 4: Creating Custom Security Rules for Specific Pages

This is where we'll implement targeted protection for sensitive areas like login, registration, and password reset pages.

4.1 Access Custom Rules

1. Go to Security → WAF → Custom Rules
2. Click "Create Custom Rule"

4.2 Create a Rule for Authentication Pages

Rule Name: Enhanced Protection for Auth Pages

Expression Builder:

(http.request.uri.path contains "/login" or http.request.uri.path contains "/register" or http.request.uri.path contains "/forgot-password" or http.request.uri.path contains "/reset-password")

Action: Managed Challenge or JS Challenge

4.3 Detailed Rule Configuration

1. Rule Name: Enter a descriptive name for easy identification
2. Field: Select URI Path
3. Operator: Choose contains
4. Value: Enter the specific path (e.g., /login)

To create a rule covering multiple paths:

1. Use the "Or" condition between different URI paths
2. Add each sensitive endpoint:
   • /login
   • /register
   • /signup
   • /forgot-password
   • /reset-password
   • /admin
   • /wp-admin (for WordPress sites)

4.4 Advanced Rule Configuration

For more sophisticated protection, you can combine multiple conditions:

(http.request.uri.path contains "/login" or http.request.uri.path contains "/register") and (cf.threat_score gt 10)

This rule triggers enhanced protection for auth pages only when the visitor has a threat score above 10.

4.5 Choose Your Challenge Type

Managed Challenge (Recommended):

• Adaptive challenge based on visitor behavior
• Better user experience
• Effective against bots and automated attacks

JS Challenge:

• Requires JavaScript execution
• Good for blocking simple bots
• May impact users with JavaScript disabled

4.6 Save and Deploy

1. Review your rule configuration
2. Click "Deploy" to activate the rule
3. The rule will be active within a few minutes globally

Step 5: Rate Limiting Configuration

5.1 Set Up Rate Limiting for Login Pages

1. Navigate to Security → WAF → Rate Limiting
2. Click "Create Rate Limiting Rule"
3. Configure the rule:

Rule Name: Login Attempt Limiting

Request Matching:

(http.request.uri.path eq "/login") and (http.request.method eq "POST")

Rate Limit Configuration:

• Requests: 5 requests
• Period: 60 seconds
• Action: Block for 1 hour

This prevents brute force attacks by limiting login attempts to 5 per minute per IP.

Step 6: Testing and Verification

6.1 Test Your Security Rules

1. Visit your protected pages (e.g., /login, /register)
2. Verify that challenges appear as expected
3. Test from different IP addresses and user agents
4. Use incognito/private browsing mode for accurate testing

6.2 Monitor Security Events

1. Go to Security → Events to view security activity
2. Review blocked requests and challenges issued
3. Look for patterns that might indicate attacks or false positives

6.3 Fine-tune Rules if Necessary

If you notice legitimate users being blocked:

1. Review the security events log
2. Identify common patterns in blocked requests
3. Create exception rules for legitimate traffic
4. Adjust challenge sensitivity if needed

Step 7: Additional Security Enhancements

7.1 Enable Bot Fight Mode

1. Navigate to Security → Bots
2. Enable "Bot Fight Mode" for additional bot protection
3. Consider upgrading to "Super Bot Fight Mode" for advanced features

7.2 Configure Security Level

1. Go to Security → Settings
2. Set your Security Level:
   • Essentially Off: Minimal protection
   • Low: Basic threat detection
   • Medium: Balanced protection (recommended)
   • High: Aggressive protection
   • I'm Under Attack: Emergency mode

7.3 Enable Browser Integrity Check

1. In Security → Settings
2. Toggle on "Browser Integrity Check"
3. This blocks requests from known malicious browsers and bots

Best Practices and Recommendations

Monitor Regularly

• Check your security dashboard weekly
• Review security events for new threat patterns
• Adjust rules based on observed attack trends

Keep Rules Updated

• Review and update custom rules quarterly
• Remove obsolete rules to maintain performance
• Test rules thoroughly before deploying to production

Create Exceptions When Needed

• Whitelist trusted IP addresses (office, data centers)
• Create bypass rules for legitimate automated tools
• Document all exceptions for security audits

Performance Considerations

• Too many complex rules can impact page load times
• Use specific URI matching instead of broad patterns
• Consider rule ordering for optimal performance

Troubleshooting Common Issues

Issue: Legitimate Users Being Blocked

Solution:

1. Review security events to identify the blocking rule
2. Create an exception rule for legitimate traffic patterns
3. Consider lowering the security sensitivity

Issue: Rules Not Triggering

Solution:

1. Verify the URI path syntax matches your website structure
2. Test rules using Cloudflare's rule expression editor
3. Check that the rule is deployed and active

Issue: False Positives

Solution:

1. Implement allowlist rules for known good traffic
2. Use "Log" action initially to test rule effectiveness
3. Gradually increase rule strictness based on observed patterns

Conclusion

Implementing Cloudflare protection with targeted WAF rules significantly enhances your website's security posture. By focusing enhanced protection on sensitive pages like login and registration forms, you can effectively block malicious attempts while maintaining a smooth experience for legitimate users.

The configuration we've outlined provides a robust foundation for website security. Remember that security is an ongoing process – regularly review your rules, monitor security events, and adjust your configuration as threats evolve.

Need Help?

Our support team is available 24/7 to assist with any questions about implementing these security measures. Don't hesitate to reach out if you need assistance with your Cloudflare configuration or have questions about protecting your specific use case.

Have questions about implementing these security measures? Contact our support team!