How do I use Rate Limiting to protect against brute-force attacks?

Brute-force attacks are a common means of attempting to compromise accounts by trying many password combinations rapidly. Because they require attempting to log in much more rapidly than a human user to be effective, they can be blocked by Rate Limiting rules.

Cloudflare provides a Protect Your Login tool that will create a rule that blocks clients for 15 minutes if they send more than 5 POST requests in 5 minutes. This is sufficient to block most brute-force attempts.

If you wish to select your own thresholds and timeout periods, you can create a rule manually: navigate to the Firewall tab > Create a Rate Limiting Rule. Then configure the rule, noting the following:

This rule applies to a login path only. You'll need to modify the URL to match your specific site.

In addition, the rule only triggers on POST requests that result in a 401 (Unauthorized) or 403 (Forbidden) response. While it is fairly common for login failures to match this pattern, not all sites will. You can confirm by attempting a login with incorrect credentials and reviewing the response in your browser's developer tools.

Lastly, the rule requires 5 requests in 30 seconds to trigger, which is more rapid than any human user is likely to send requests. As such, it is unlikely to lock out any legitimate user who has simply mistyped their credentials.

You can adjust the block period as you wish.
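To make the rule's three conditions concrete (POST to the login path, a 401 or 403 response, and 5 such requests within 30 seconds), here is an added Python simulation of that matching and counting logic. It is not Cloudflare's code and does not use the Cloudflare API; it replays a small constructed request log through a per-client sliding window. The login path `/login` and the 15-minute block period are assumptions (the page says the path must be changed to match your site and the block period can be adjusted).

```python
from collections import defaultdict, deque

LOGIN_PATH = "/login"      # assumed; replace with your site's actual login URL
THRESHOLD = 5              # matching requests needed to trigger (from the article)
WINDOW_SECONDS = 30        # counting window (from the article)
BLOCK_SECONDS = 15 * 60    # assumed block period; adjust to taste


class LoginRateLimiter:
    """Counts failed login POSTs per client and blocks once the threshold is hit."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS,
                 block=BLOCK_SECONDS, path=LOGIN_PATH):
        self.threshold = threshold
        self.window = window
        self.block = block
        self.path = path
        self.hits = defaultdict(deque)   # client -> timestamps of counted failures
        self.blocked_until = {}          # client -> time the block expires

    def is_blocked(self, client, now):
        until = self.blocked_until.get(client)
        if until is None:
            return False
        if now >= until:                 # block has expired, clear it
            del self.blocked_until[client]
            return False
        return True

    def matches(self, method, path, status):
        # The rule only counts POSTs to the login path that were rejected.
        return method == "POST" and path == self.path and status in (401, 403)

    def handle(self, client, method, path, status, now):
        """Return 'blocked', 'triggered', 'counted' or 'allowed' for one request.

        'triggered' means this request was served but pushed the client over the
        threshold, so the client's subsequent requests are blocked.
        """
        if self.is_blocked(client, now):
            return "blocked"
        if not self.matches(method, path, status):
            return "allowed"
        q = self.hits[client]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[client] = now + self.block
            q.clear()
            return "triggered"
        return "counted"


def replay(limiter, events):
    """events: iterable of (client, method, path, status, timestamp)."""
    return [limiter.handle(*e) for e in events]


def demo():
    """Constructed sample log: one client hammering /login, one ordinary user."""
    limiter = LoginRateLimiter()
    events = [
        ("10.0.0.1", "POST", "/login", 401, 0),
        ("10.0.0.1", "POST", "/login", 401, 5),
        ("10.0.0.1", "POST", "/login", 401, 10),
        ("10.0.0.1", "POST", "/login", 401, 15),
        ("10.0.0.1", "POST", "/login", 401, 20),   # 5th failure in 30 s -> triggers
        ("10.0.0.1", "POST", "/login", 401, 25),   # now blocked
        ("10.0.0.2", "GET",  "/login", 200, 3),    # page load, not counted
        ("10.0.0.2", "POST", "/login", 401, 8),    # one typo, counted only
        ("10.0.0.2", "POST", "/login", 200, 30),   # success, not counted
    ]
    return replay(limiter, events)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` shows the attacker client being blocked after its fifth failed POST while the second client, with a single mistyped password, is never blocked. Because only failed responses are counted, a user who logs in successfully on the second try never accumulates more than one hit.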
