A brute-force attack is a common attempt to log in to an account by rapidly trying many password combinations, compromising security. Because these attacks send requests far faster than a human being can, they can be blocked by Cloudflare's Rate Limiting rules.
Rate Limiting is an add-on service (available on all user plans) that, when enabled, appears in the Firewall app of the Cloudflare dashboard. For subscription information, visit Cloudflare Pricing.
Create a Custom Rule
Rate Limiting features a one-click Protect Your Login tool that creates a rule to block a client for 15 minutes when it sends more than 5 POST requests within 5 minutes. This is sufficient to block most brute-force attempts.
To protect against brute-force attacks:
1. In the Cloudflare dashboard, select the website to protect.
2. Click the Firewall tab.
3. Ensure your account is enabled for Rate Limiting.
4. Click Create a custom rule and enter the following details (see image below):
a. A rule name (for example, Brute-force Attack Mitigation)
b. A matching URL (the rule should apply only to the actual login path; for example, www.example.com/login)
c. The number of attempts
d. The timeout period
e. The amount of time to block requests for
Note: For steps 4d and 4e, Enterprise Cloudflare users can enter additional values manually.
5. Click Deploy.
In the example above, the rule requires 2 requests in 1 second to trigger, which is faster than any human user can send requests. As such, it is unlikely to lock out a legitimate user who has simply mistyped their credentials.
How is this rule triggered?
This rule only triggers on POST requests that result in a 401 (Unauthorized) or 403 (Forbidden) response. While login failures often match this pattern, not all sites return these two common responses on a failed login.
You can verify the response by logging in with incorrect credentials and reviewing the result in your browser's developer tools.
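To make the rule's matching and blocking behaviour concrete, here is an added example (not Cloudflare's code) that replays a constructed request log through a sliding-window model of the rule described above: only POSTs to the login path that received a 401 or 403 count, more than 5 of them within 300 seconds blocks that client IP for 900 seconds, and requests for other paths or a successful login are ignored. The log lines, the IPs (from the 203.0.113.0/24 documentation range) and the "block the offending request itself" simplification are assumptions for the example.

```python
from collections import defaultdict, deque
# Constructed request log (made up for this example): "<seconds> <client_ip> <method> <path> <status>".
SAMPLE_LOG = """\
0   203.0.113.5 POST /login 401
10  203.0.113.5 POST /login 401
20  203.0.113.5 POST /login 401
30  203.0.113.5 POST /login 401
40  203.0.113.5 POST /login 401
50  203.0.113.5 POST /login 401
60  203.0.113.5 GET  /login 200
100 203.0.113.9 POST /login 401
110 203.0.113.9 POST /login 200
120 203.0.113.9 POST /login 403
960 203.0.113.5 POST /login 401
"""

class LoginRateLimit:
    """Sliding-window model of the rule: POSTs to `path` answered 401/403 are counted per
    client IP; more than `attempts` of them inside `window` seconds blocks the IP for `block_for` seconds."""
    def __init__(self, path, attempts, window, block_for):
        self.path, self.attempts = path, attempts
        self.window, self.block_for = window, block_for
        self.hits = defaultdict(deque)   # ip -> timestamps of counted failed logins
        self.blocked_until = {}          # ip -> time at which the block expires

    def decide(self, ts, ip, method, path, status):
        if ts < self.blocked_until.get(ip, -1.0):
            return "block"               # still inside the block period
        if method != "POST" or path != self.path or status not in (401, 403):
            return "allow"               # not a failed login attempt, so not counted
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # drop hits that fell out of the window
        if len(q) > self.attempts:
            # Simplification: the edge only learns the status after the origin has
            # answered, so in practice the block starts with the next request.
            self.blocked_until[ip] = ts + self.block_for
            q.clear()
            return "block"
        return "allow"

def evaluate(log_text=SAMPLE_LOG, rule=None):
    """Replay log lines through the rule; return [(ts, ip, decision), ...]."""
    rule = rule or LoginRateLimit("/login", attempts=5, window=300, block_for=900)
    out = []
    for line in log_text.splitlines():
        ts, ip, method, path, status = line.split()
        out.append((float(ts), ip, rule.decide(float(ts), ip, method, path, int(status))))
    return out
```

Running `evaluate()` blocks the sixth failed login from 203.0.113.5 and its follow-up GET, while the three attempts from 203.0.113.9 and the later request after the block expires are allowed.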