How do I use Rate Limiting to protect against brute-force attacks?

Brute-force attacks are a common means of attempting to compromise accounts by trying many password combinations rapidly. Because they require attempting to log in much more rapidly than a human user to be effective, they can be blocked by Rate Limiting rules.

To create a rule to protect against these attacks, navigate to Traffic > Create a Rate Limiting Rule, then configure the rule as follows:

This rule applies to a login path only. You'll need to modify the URL to match your specific site.

In addition, the rule only triggers on POST requests that result in a 401 (Unauthorized) or 403 (Forbidden) response. While it is fairly common for login failures to match this pattern, not all sites do. You can confirm your site's behaviour by attempting a login with incorrect credentials and reviewing the response status in your browser's developer tools.

Lastly, the rule requires 5 requests in 30 seconds to trigger, which is more rapid than any human user is likely to send requests. As such, it is unlikely to lock out a legitimate user who has simply mistyped their credentials.

You can adjust the block period as you wish.
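To make the rule's behaviour concrete, here is an added example (not Cloudflare's own code) that implements the same logic in Python: only POST requests to the login path that the origin answers with 401 or 403 are counted, 5 such responses from one client within a 30-second sliding window trigger a block, and subsequent requests from that client are answered with 429 until the block period expires. The login path `/login`, the 10-minute block period and the client IP addresses are assumptions chosen for the example; adjust the path and block period to match your site, as the steps above say.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed values for this example; the article says to set the URL to your
# site's login path and to pick the block period you want.
LOGIN_PATH = "/login"
COUNTED_STATUSES = {401, 403}   # failed-login responses, as in the rule
THRESHOLD = 5                   # requests ...
WINDOW_SECONDS = 30             # ... within this many seconds trigger a block
BLOCK_SECONDS = 600             # assumed block period (10 minutes)


@dataclass
class LoginRateLimiter:
    """Per-client counter of failed logins with a sliding window and block list."""
    threshold: int = THRESHOLD
    window: float = WINDOW_SECONDS
    block_period: float = BLOCK_SECONDS
    path: str = LOGIN_PATH
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, client, now):
        """True while a block is in force for this client; expired blocks are dropped."""
        until = self._blocked_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[client]
            return False
        return True

    def record_response(self, client, method, path, status, now):
        """Count a failed login attempt. Returns True if this one triggered a block.

        Only POST requests to the login path answered 401/403 are counted, so a
        successful login, a GET of the login page or a 500 never add to the tally.
        """
        if method != "POST" or path != self.path or status not in COUNTED_STATUSES:
            return False
        timestamps = self._failures[client]
        timestamps.append(now)
        # Drop failures that fell out of the sliding window.
        while timestamps and now - timestamps[0] >= self.window:
            timestamps.popleft()
        if len(timestamps) >= self.threshold:
            self._blocked_until[client] = now + self.block_period
            timestamps.clear()
            return True
        return False


def simulate(events, limiter=None):
    """Run constructed (time, client, method, path, origin_status) events through
    the limiter. Returns the status each client actually receives: 429 when the
    request is blocked before reaching the origin, otherwise the origin's status."""
    limiter = limiter or LoginRateLimiter()
    results = []
    for now, client, method, path, origin_status in events:
        if limiter.is_blocked(client, now):
            results.append(429)
            continue
        # Request reaches the origin; the response is then counted if it matches.
        limiter.record_response(client, method, path, origin_status, now)
        results.append(origin_status)
    return results


# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "POST", "/login", 401),   # rapid failures from one client
    (1, "198.51.100.7", "POST", "/login", 401),
    (2, "198.51.100.7", "POST", "/login", 401),
    (3, "198.51.100.7", "POST", "/login", 401),
    (4, "198.51.100.7", "POST", "/login", 401),   # 5th failure in 30 s: block set
    (5, "198.51.100.7", "POST", "/login", 401),   # now answered 429 by the limiter
    (10, "203.0.113.5", "POST", "/login", 401),   # other client, one typo: allowed
    (11, "203.0.113.5", "POST", "/login", 200),   # success is never counted
    (604, "198.51.100.7", "GET", "/login", 200),  # block period over: allowed again
]

if __name__ == "__main__":
    for event, status in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={event[0]:>3}s {event[1]:<13} {event[2]:<4} {event[3]} -> {status}")
```

The sliding window matters for the "human who mistyped" case: four failures followed by a fifth more than 30 seconds later do not trigger the block, because the oldest attempts have already aged out of the window.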
