
When and How to Use Cloudflare Under Attack Mode for WordPress Sites

Learn when to enable Cloudflare Under Attack mode, how it protects your WordPress site during DDoS attacks, and how to automate activation during emergencies.

David Kim

Cloudflare's Under Attack mode is your emergency shield when your WordPress site faces aggressive attacks. When enabled, every visitor must complete a JavaScript challenge before accessing your site, filtering out bots and basic attack traffic. Knowing when to use this powerful feature and how to activate it quickly can save your site during an attack.

What Under Attack Mode Does

Under Attack mode presents an interstitial page to all visitors showing the message "Checking your browser before accessing" followed by your domain. Visitors see a brief loading screen while their browser executes JavaScript to prove it is a real browser rather than a bot or script.

This challenge blocks most automated attacks because basic bots and DDoS scripts cannot execute JavaScript. The challenge typically completes in under five seconds for legitimate visitors with modern browsers, but stops thousands of malicious requests per second.

When to Enable Under Attack Mode

Under Attack mode should not be your default setting because it adds friction for legitimate visitors. Enable it when your site is experiencing an active DDoS attack with high traffic volumes, brute force attacks that overwhelm normal rate limiting, bot attacks that bypass standard security measures, or application-layer attacks targeting specific WordPress endpoints.

The key indicator is that your normal security measures are not keeping up. If your server is struggling despite your WordPress firewall blocking attacks, Under Attack mode provides the additional protection needed.

Impact on User Experience

Legitimate visitors experience a 3-5 second delay on their first visit while the challenge completes. After passing, they receive a cookie and can browse normally for the session. However, there are some considerations.

Some users with JavaScript disabled will be blocked. Older browsers may fail the challenge. Screen readers and accessibility tools may have issues. API requests and webhooks will fail the challenge. Search engine crawlers may be delayed.

For these reasons, only enable Under Attack mode when genuinely under attack, and disable it as soon as the attack subsides.

Enabling Under Attack Mode via WP Folder Shield

WP Folder Shield integrates with Cloudflare's API to control Under Attack mode directly from your WordPress dashboard. Instead of logging into Cloudflare during an attack, you can enable protection with one click from wherever you manage your site.

The plugin also provides the option for automatic activation. If the WordPress firewall detects attack patterns exceeding configurable thresholds, it can automatically enable Under Attack mode without waiting for manual intervention.

Automatic Activation Triggers

Configure automatic Under Attack mode activation based on specific threat conditions. Reasonable triggers include more than 100 blocked requests per minute, more than 50 failed login attempts per minute, server response time exceeding 5 seconds, or PHP worker processes at capacity.

WP Folder Shield monitors these metrics and can trigger Cloudflare protection automatically when thresholds are exceeded. This provides protection even when you are not actively monitoring your site.

Disabling Under Attack Mode

Do not forget to disable Under Attack mode once the attack ends. Leaving it enabled permanently hurts user experience and may affect SEO as search crawlers struggle with the challenge pages.

WP Folder Shield can automatically disable Under Attack mode after a configurable quiet period with no attacks. Alternatively, set a maximum duration after which the mode automatically disables, reminding you to assess whether protection is still needed.
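The trigger and auto-disable logic described in the last two sections, sketched as an added example; this is not WP Folder Shield's code. The class and field names are hypothetical, and the quiet period and maximum duration are assumed values. The thresholds are the ones listed above. The level change goes through Cloudflare's zone `security_level` setting.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

API = "https://api.cloudflare.com/client/v4/zones/{zone}/settings/security_level"
QUIET_PERIOD = 15 * 60    # assumed: seconds without a trigger before disabling
MAX_DURATION = 4 * 3600   # assumed: hard cap on one activation, in seconds

@dataclass
class Sample:             # one minute of metrics (hypothetical field names)
    blocked_per_min: int
    failed_logins_per_min: int
    response_seconds: float
    php_workers_busy: int
    php_workers_max: int

    def is_attack(self) -> bool:
        # Thresholds are the "reasonable triggers" listed in the article.
        return (self.blocked_per_min > 100 or self.failed_logins_per_min > 50
                or self.response_seconds > 5.0
                or self.php_workers_busy >= self.php_workers_max)

@dataclass
class Controller:
    normal_level: str = "medium"          # level restored after the attack
    active_since: Optional[float] = None  # None while Under Attack mode is off
    last_attack: float = 0.0

    def decide(self, now: float, s: Sample) -> Optional[str]:
        """Return the security level to set, or None if nothing changes."""
        if s.is_attack():
            self.last_attack = now
        if self.active_since is None:
            if not s.is_attack():
                return None
            self.active_since = now
            return "under_attack"
        quiet = now - self.last_attack >= QUIET_PERIOD
        expired = now - self.active_since >= MAX_DURATION
        if quiet or expired:  # if still attacked, the next sample re-enables
            self.active_since = None
            return self.normal_level
        return None

def build_request(zone_id: str, token: str, level: str) -> urllib.request.Request:
    """Build (not send) the Cloudflare zone-setting call that changes the level."""
    req = urllib.request.Request(API.format(zone=zone_id), method="PATCH",
                                 data=json.dumps({"value": level}).encode())
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req
```

Pass the returned request to `urllib.request.urlopen` to apply the change. Use an API token limited to editing settings on that one zone, since the credential is stored on the web server it protects.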

Alternative Security Levels

Under Attack mode is the most aggressive setting, but Cloudflare offers intermediate options through its Security Level setting. Essentially Off provides no challenge to any visitors. Low challenges only the most threatening visitors. Medium challenges more visitors based on threat score. High challenges all suspicious visitors. I'm Under Attack challenges all visitors.

For chronic low-level attacks, High security level may provide sufficient protection without the user experience impact of full Under Attack mode. WP Folder Shield allows you to control security levels from WordPress without accessing the Cloudflare dashboard.

Handling False Positives

Some legitimate visitors may be incorrectly challenged or blocked. To minimize false positives, whitelist known good IP ranges like your office or VPN. Create page rules to bypass challenges for specific URLs like APIs. Monitor Cloudflare analytics for challenged visitors to identify legitimate traffic being blocked. Communicate with users through alternative channels if they report access issues during an attack.

Combining with WordPress Security

Under Attack mode works best as part of layered security. Cloudflare handles the volumetric attack at the edge while your WordPress security plugin handles application-specific threats. During an attack, the WordPress firewall continues blocking malicious requests that pass the JavaScript challenge, providing defense in depth.

Conclusion

Cloudflare's Under Attack mode is an essential tool for surviving DDoS attacks and aggressive bot assaults. Knowing when to activate it, how to automate activation, and when to disable it helps you balance security with user experience.

WP Folder Shield puts Under Attack mode control at your fingertips with one-click activation and optional automatic triggers. Combined with the plugin's comprehensive WordPress security, you get complete protection from network-level attacks to application-layer threats.
