Website protection
Your company website is exposed to the internet 24/7. Every day it faces automated scans looking for vulnerabilities, bots trying to scrape content or brute-force logins, and occasionally targeted attacks. Most small company websites have zero protection beyond whatever the hosting provider offers — which is usually nothing.
Cloudflare sits between your website and the internet. All traffic flows through their network first, where threats get filtered before reaching your server. The remarkable part: the free tier includes protection that would cost thousands to implement yourself.
Setup takes about 30 minutes. You change your DNS nameservers, configure a few settings, and your site is protected.
What you get out of the box (free tier)
When you put your site behind Cloudflare, you immediately get:
DDoS mitigation
Traffic floods that would overwhelm your server get absorbed by Cloudflare's network. They handle attacks measured in terabits per second — your 1Gbps server link doesn't matter because the attack never reaches it. This protection is unmetered. No bandwidth limits, no extra charges during an attack.
SSL/TLS certificates
Free SSL certificate for your domain. Visitors see the padlock icon, traffic is encrypted. Cloudflare handles certificate issuance and renewal automatically. You can enforce HTTPS across your entire site with one toggle.
Web Application Firewall (WAF)
Basic protection against common web attacks:
- SQL injection attempts
- Cross-site scripting (XSS)
- Known vulnerability exploits
The free tier includes managed rulesets that Cloudflare updates as new threats emerge. You also get 5 custom firewall rules for your specific needs.
Bot protection
Bot Fight Mode challenges automated traffic. Scrapers, credential stuffing bots, and vulnerability scanners get blocked or challenged. Legitimate visitors and search engine crawlers pass through.
CDN and caching
Your static content (images, CSS, JavaScript) gets cached on Cloudflare's edge servers worldwide. A visitor in Singapore doesn't wait for your server in Frankfurt — they get cached content from a nearby Cloudflare location. Faster load times, less load on your server.
Security headers
Cloudflare can add security headers automatically:
- HSTS (force HTTPS)
- X-Content-Type-Options
- X-Frame-Options
These protect against common browser-based attacks without changing your application code.
Analytics and visibility
See who's visiting your site, where they're from, what threats are being blocked. The free dashboard shows traffic patterns, security events, and performance metrics.
Free tier vs paid: what's the real difference?
| Feature | Free | Pro ($20/mo) | Business ($200/mo) |
|---|---|---|---|
| DDoS mitigation | Unmetered | Unmetered | Unmetered |
| SSL certificates | Shared | Dedicated | Dedicated + custom |
| WAF managed rules | Basic | More rules | Full ruleset |
| Custom firewall rules | 5 | 20 | 100 |
| Rate limiting | — | 1 rule | 10 rules |
| Bot detection | Basic | Better | Advanced |
| Image optimization | — | ✓ | ✓ |
| Page rules | 3 | 20 | 50 |
| Support | Community | Priority | |
| Cache Analytics | Basic | Detailed | Advanced |
| API shield | — | — | ✓ |
For most small company websites, free is enough. Upgrade when you need:
- Rate limiting (brute force protection for logins)
- More custom firewall rules
- Better bot detection
- Email support
Setting up Cloudflare
Step 1: Add your site
- Create account at cloudflare.com
- Click "Add a Site"
- Enter your domain
- Select Free plan
Cloudflare scans your current DNS records automatically.
Step 2: Review DNS records
Cloudflare imports your existing DNS records. For each record, you choose:
Proxied (orange cloud) — Traffic goes through Cloudflare, gets protection and caching.
DNS only (gray cloud) — Just DNS resolution, no Cloudflare features.
Proxy these:
- Main website (A/AAAA records for @ and www)
- Web applications
- APIs that benefit from protection
Don't proxy:
- Email (MX records) — Cloudflare doesn't handle email
- SSH access — Use Cloudflare Access instead, or keep DNS-only
- Services requiring direct IP connection
Step 3: Change nameservers
Cloudflare provides two nameservers. Go to your domain registrar and replace your current nameservers with Cloudflare's.
| Registrar | Location |
|---|---|
| GoDaddy | My Products → DNS → Nameservers |
| Namecheap | Domain List → Manage → Nameservers |
| Google Domains | DNS → Custom nameservers |
| Cloudflare Registrar | Already set |
Propagation takes minutes to 48 hours (usually under 2 hours).
Step 4: Configure SSL
In SSL/TLS settings, choose encryption mode:
Off — No encryption. Don't use this.
Flexible — HTTPS from visitor to Cloudflare, HTTP from Cloudflare to your server. Use only if your server can't do HTTPS.
Full — HTTPS everywhere, but Cloudflare doesn't verify your server's certificate.
Full (Strict) — HTTPS everywhere with certificate verification. Use this. If your server has Let's Encrypt or any valid certificate, this is the right choice.
Step 5: Enable security features
Security → Settings:
- Security Level: Medium (challenges suspicious IPs)
- Challenge Passage: 30 minutes
- Browser Integrity Check: On
Security → Bots:
- Bot Fight Mode: On
SSL/TLS → Edge Certificates:
- Always Use HTTPS: On
- Automatic HTTPS Rewrites: On
- Minimum TLS Version: TLS 1.2
Recommended firewall rules
You get 5 custom rules on the free tier. Use them wisely:
Rule 1: Protect admin areas
(http.request.uri.path contains "/admin" or
http.request.uri.path contains "/wp-admin" or
http.request.uri.path contains "/login")
→ Action: Managed Challenge
Adds a CAPTCHA for admin access. Blocks automated attacks on login pages.
Rule 2: Block known bad actors (optional)
(ip.geoip.country in {"XX" "YY"})
→ Action: Block
Only if you genuinely have no users from certain countries. Be careful — this blocks real people too.
Rule 3: Challenge suspicious requests
(cf.threat_score gt 10)
→ Action: Managed Challenge
Cloudflare assigns threat scores to IPs. Challenge visitors from IPs with bad reputation.
Rule 4: Block empty user agents
(http.user_agent eq "")
→ Action: Block
Legitimate browsers always send user agent strings. Empty ones are usually bots.
Rule 5: Emergency slot
Keep one rule empty for emergencies. If you're under attack from specific IPs or patterns, you can respond immediately.
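Before committing one of the five free-tier slots to a rule, it is worth checking how the expression actually behaves against a handful of representative requests. The script below is an added example written for this page, not Cloudflare's rule engine: a small evaluator for the subset of the expression language used above (`and`/`or`, parentheses, `eq`, `contains`, `gt`, `in`). The requests it builds are constructed samples, and `"XX"`/`"YY"` are the page's placeholder country codes.

```python
import re

# Operators needed by the rules above (Cloudflare's language has many more).
OPERATORS = {
    "eq": lambda a, b: a == b,
    "contains": lambda a, b: b in a,
    "gt": lambda a, b: a > b,
    "in": lambda a, b: a in b,
}
# Token kinds: quoted string, bracket, integer, identifier; any stray character is
# kept as its own token so the parser rejects it instead of silently skipping it.
TOKEN_RE = re.compile(r'"[^"]*"|[(){}]|\d+|[A-Za-z_][\w.]*|\S')

def literal(tok):
    return tok[1:-1] if tok.startswith('"') else int(tok)

class Parser:
    def __init__(self, expr):
        self.toks, self.i = TOKEN_RE.findall(expr), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse_expr(self, ops=("or", "and")):
        # ops[0] is the loosest-binding operator; 'and' binds tighter than 'or'.
        if not ops:
            return self.parse_primary()
        node = self.parse_expr(ops[1:])
        while self.peek() == ops[0]:
            self.take()
            node = (ops[0], node, self.parse_expr(ops[1:]))
        return node

    def parse_primary(self):
        if self.peek() == "(":
            self.take("(")
            node = self.parse_expr()
            self.take(")")
            return node
        field, op = self.take(), self.take()
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator {op!r}")
        return ("cmp", op, field, self.parse_value())

    def parse_value(self):
        tok = self.take()
        if tok != "{":                      # set literal such as {"XX" "YY"}
            return literal(tok)
        items = []
        while self.peek() != "}":
            items.append(literal(self.take()))
        self.take("}")
        return frozenset(items)

def parse(expr):
    p = Parser(expr)
    node = p.parse_expr()
    if p.peek() is not None:
        raise ValueError(f"unexpected trailing token {p.peek()!r}")
    return node

def evaluate(node, request):
    """request is a plain dict keyed by Cloudflare field name (constructed sample)."""
    if node[0] == "or":
        return evaluate(node[1], request) or evaluate(node[2], request)
    if node[0] == "and":
        return evaluate(node[1], request) and evaluate(node[2], request)
    _, op, field, value = node
    return OPERATORS[op](request[field], value)

# The rules from this section in evaluation order; the first match decides.
# "XX"/"YY" are the page's placeholder country codes, not real ones.
RULES = [
    ("Protect admin areas", '(http.request.uri.path contains "/admin" or '
     'http.request.uri.path contains "/wp-admin" or '
     'http.request.uri.path contains "/login")', "Managed Challenge"),
    ("Block known bad actors", '(ip.geoip.country in {"XX" "YY"})', "Block"),
    ("Challenge suspicious requests", "(cf.threat_score gt 10)", "Managed Challenge"),
    ("Block empty user agents", '(http.user_agent eq "")', "Block"),
]

def decide(request, rules=RULES):
    """Return (rule name, action) for the first matching rule, or (None, 'Allow')."""
    for name, expr, action in rules:
        if evaluate(parse(expr), request):
            return name, action
    return None, "Allow"

def sample(path, ua="Mozilla/5.0", country="DE", score=0):
    """Constructed sample request carrying the four fields the rules read."""
    return {"http.request.uri.path": path, "http.user_agent": ua,
            "ip.geoip.country": country, "cf.threat_score": score}
```

Running `decide(sample("/wp-admin/"))` returns the Managed Challenge and `decide(sample("/", ua=""))` returns Block, as intended. `decide(sample("/wp-login.php"))` returns Allow, because `contains "/login"` requires the leading slash and WordPress's login page is `wp-login.php`; testing rules against a few real paths like this is how such gaps are caught before they reach production.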
What happens during an attack
If your site gets attacked:
Automatic response: Cloudflare detects attack patterns and starts filtering automatically. Most attacks are stopped without you doing anything.
Manual response (severe attacks):
- Log into Cloudflare dashboard
- Go to Security → Settings
- Enable "I'm Under Attack Mode"
This adds a JavaScript challenge to all visitors. Takes 5 seconds for humans, blocks most bots.
Monitoring: Security → Events shows all blocked requests, attack sources, and patterns.
Beyond security: performance benefits
Cloudflare isn't just security. The CDN significantly improves performance:
Global edge network: Content served from 300+ locations worldwide. Visitors get data from nearby servers instead of your origin.
Automatic caching: Static files cached at the edge. Your server handles fewer requests.
Compression: Brotli and gzip compression for text content, automatically.
HTTP/2 and HTTP/3: Modern protocols enabled by default, even if your origin server only supports HTTP/1.1.
Minification: Automatic JavaScript, CSS, and HTML minification (can be enabled).
Typical improvement: 30-50% faster page loads, 50-70% reduction in server bandwidth.
Protecting your origin server
Cloudflare only protects traffic that goes through it. If attackers find your server's real IP, they can attack directly.
How origin IPs leak
- Old DNS records (before Cloudflare)
- Email headers (your MX records might point to the same server)
- Subdomains not proxied through Cloudflare
- Historical DNS databases (SecurityTrails, etc.)
- Application exposing IP in headers or error pages
How to protect
Firewall your server: Only accept web traffic from Cloudflare IPs. Block everything else on ports 80/443.
```bash
# iptables example - allow only Cloudflare on the web ports (80 and 443), drop everything else.
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
  iptables -A INPUT -p tcp -m multiport --dports 80,443 -s "$ip" -j ACCEPT
done
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
# Same for IPv6 if your server has an AAAA record
for ip in $(curl -s https://www.cloudflare.com/ips-v6); do
  ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -s "$ip" -j ACCEPT
done
ip6tables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
```
Change IP after enabling Cloudflare: If your IP was exposed before Cloudflare, request a new IP from your hosting provider.
Use separate IP for email: Don't host email on the same IP as your website. Use a dedicated email service.
Verify header security: Make sure your application doesn't expose the origin IP in responses.
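A quick way to assess the leak vectors above from the outside is to compare what public DNS answers for each hostname against Cloudflare's published IP ranges (anything outside them is reachable directly), and to scan origin responses for the address itself. The script below is an added example written for this page, not a Cloudflare tool. The DNS answers, the error response and the 203.0.113.x origin addresses are constructed sample data, and the three CIDR blocks are a small sample of Cloudflare's published ranges; in use, fetch the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 rather than hardcoding them.

```python
import ipaddress
import re

# A few of Cloudflare's published ranges. The live lists at
# https://www.cloudflare.com/ips-v4 and /ips-v6 are authoritative; fetch them in practice.
SAMPLE_CLOUDFLARE_RANGES = ["173.245.48.0/20", "104.16.0.0/13", "2606:4700::/32"]

# Constructed sample: what public DNS answers for each hostname (what `dig +short`
# shows an outsider). 203.0.113.0/24 is the documentation range standing in for the origin.
SAMPLE_RESOLUTION = {
    "example.com": ["104.16.132.229"],        # proxied: answer is a Cloudflare edge address
    "www.example.com": ["104.16.133.229"],
    "api.example.com": ["203.0.113.10"],      # DNS-only: answer is the origin itself
    "staging.example.com": ["203.0.113.10"],  # forgotten subdomain on the same origin
    "mail.example.com": ["203.0.113.25"],     # MX host, intentionally DNS-only
}

# Constructed sample of an error response that passed through the proxy from the origin.
SAMPLE_RESPONSE_HEADERS = {"Server": "nginx", "X-Backend-Server": "203.0.113.10"}
SAMPLE_RESPONSE_BODY = "<h1>502 Bad Gateway</h1><p>upstream 203.0.113.10:8080 timed out</p>"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def load_networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_cloudflare(addr, networks):
    """True if addr falls inside one of the given Cloudflare ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def find_exposed_hosts(resolution, networks, expected_direct=frozenset()):
    """Map hostname -> addresses that are not Cloudflare's, i.e. hosts an outsider can
    reach directly. Hosts in expected_direct (such as the mail host) are skipped."""
    exposed = {}
    for host, addrs in resolution.items():
        if host in expected_direct:
            continue
        direct = [a for a in addrs if not is_cloudflare(a, networks)]
        if direct:
            exposed[host] = direct
    return exposed

def origin_ips_from(resolution, networks):
    """Every non-Cloudflare address seen in DNS: these are the origin candidates."""
    return {a for addrs in resolution.values() for a in addrs if not is_cloudflare(a, networks)}

def find_ip_leaks(headers, body, origin_ips):
    """List (location, address) pairs where a known origin address appears in a
    response header or body, e.g. a backend header or a verbose error page."""
    leaks = []
    for name, value in headers.items():
        leaks += [(f"header {name}", ip) for ip in IPV4_RE.findall(value) if ip in origin_ips]
    leaks += [("body", ip) for ip in IPV4_RE.findall(body) if ip in origin_ips]
    return leaks

if __name__ == "__main__":
    nets = load_networks(SAMPLE_CLOUDFLARE_RANGES)
    print("exposed:", find_exposed_hosts(SAMPLE_RESOLUTION, nets, {"mail.example.com"}))
    print("leaks:", find_ip_leaks(SAMPLE_RESPONSE_HEADERS, SAMPLE_RESPONSE_BODY,
                                  origin_ips_from(SAMPLE_RESOLUTION, nets)))
```

In practice, replace `SAMPLE_RESOLUTION` with `dig +short` answers for every name in your zone (forgotten subdomains included) and run `find_ip_leaks` over error pages as well as normal responses, since 5xx pages and debug output are where backend addresses most often show up. Any host outside `expected_direct` that resolves to a non-Cloudflare address is a candidate for proxying, and the address it reveals is the one your server firewall has to protect.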
Comparing website protection services
CDN + Security (like Cloudflare)
| Service | Free tier | Paid from | Best for |
|---|---|---|---|
| Cloudflare | Yes | $20/mo | Best free tier, most features |
| Fastly | Limited | ~$50/mo | Dynamic content, developers |
| AWS CloudFront + Shield | Basic Shield free | Pay per use + $3000/mo | AWS infrastructure |
| Akamai | No | Enterprise pricing | Large enterprises |
| Bunny CDN | No | $0.01/GB | Budget CDN |
WordPress-specific
| Service | Free tier | Paid from | Includes |
|---|---|---|---|
| Sucuri | No | $199/year | WAF + malware cleanup |
| Wordfence | Yes (plugin) | $119/year | WAF + scanning |
| Jetpack | Limited | $10/mo | CDN + basic security |
Self-hosted alternatives
| Solution | Cost | What it does |
|---|---|---|
| ModSecurity | Free | WAF rules for Apache/Nginx |
| Fail2ban | Free | IP blocking for repeated failures |
| CrowdSec | Free | Collaborative threat detection |
Recommendation: Start with Cloudflare free. It's the best value. Add specialized tools only if you have specific needs Cloudflare doesn't cover.
Cloudflare alternatives
Cloudflare is the default recommendation, but it's not the only option. Here's when to consider something else.
When you're already on a cloud provider
If most of your infrastructure lives on AWS, GCP, or Azure, their native protection tools integrate more tightly than Cloudflare and may already be partially covered by your spend.
AWS CloudFront + AWS WAF + AWS Shield
- CloudFront is the CDN; WAF adds rules-based filtering; Shield Standard is included free with all AWS accounts
- Shield Advanced ($3,000/month) adds dedicated DDoS response and cost protection — only makes sense for high-risk targets
- Best for: teams already running on AWS who want everything in one billing account
- Weakness: no free WAF tier (WAF costs ~$5/rule/month + traffic)
Azure Front Door
- Microsoft's combined CDN, WAF, and global load balancer
- Includes bot protection and DDoS mitigation
- Best for: companies on Microsoft 365 + Azure wanting a unified security boundary
- Weakness: more complex to configure than Cloudflare; pricing harder to predict
Google Cloud Armor
- WAF and DDoS protection for apps on GCP, integrated with Cloud Load Balancing
- Adaptive protection uses ML to detect and block attacks automatically
- Best for: teams deploying on GCP with Google-managed infrastructure
- Weakness: only protects traffic routed through GCP load balancers
When you need more control over WAF rules
Fastly — developer-friendly CDN and edge platform with a fully programmable WAF (powered by Signal Sciences). Popular with engineering teams that want to write custom logic at the edge. Free trial, then usage-based pricing. Good fit for APIs and dynamic applications.
Imperva (formerly Incapsula) — dedicated WAF and DDoS protection with strong compliance tooling (PCI DSS, GDPR). More expensive than Cloudflare but offers more granular rule control and SLA guarantees. Aimed at companies with compliance requirements.
When you run WordPress or another CMS
Sucuri — website security platform purpose-built for CMS sites. Includes a WAF, malware scanning, and malware cleanup service (you pay them to clean up if you get infected). $199+/year. Worth it if you've already been attacked or handle sensitive content on WordPress.
Wordfence — WordPress plugin with a built-in WAF, login protection, and malware scanner. Free version is functional. $119/year for real-time threat intelligence. Doesn't require changing your DNS or nameservers. Good for: teams that want protection without routing traffic through an external provider.
When you want self-hosted control
CrowdSec — open source, collaborative threat detection. Shares blocked IP data across all CrowdSec users (crowdsourced blocklist). Runs as an agent on your server and integrates with nginx, Apache, Traefik, and others. Free and actively maintained. Good complement to Cloudflare, not a replacement.
ModSecurity + OWASP Core Rule Set — the classic self-hosted WAF for Apache and nginx. Free, battle-tested, highly configurable. Requires meaningful time to tune — out-of-the-box rules generate false positives. Good for teams with a sysadmin who knows what they're doing.
Fail2ban — scans log files and bans IPs after repeated failed attempts (brute force, credential stuffing). Lightweight and effective for login attacks. Not a WAF — doesn't inspect HTTP payloads.
Quick comparison
| Option | Best for | Free tier | Effort |
|---|---|---|---|
| Cloudflare | Everyone as a starting point | Yes | Low |
| AWS CloudFront + WAF | AWS-native teams | Partial | Medium |
| Azure Front Door | Azure/Microsoft shops | No | Medium |
| Google Cloud Armor | GCP deployments | No | Medium |
| Fastly | API-heavy apps, developer teams | Trial | Medium |
| Imperva | Compliance-driven orgs | No | Medium |
| Sucuri | WordPress, post-incident | No | Low |
| Wordfence | WordPress, no DNS change | Yes | Low |
| CrowdSec | Self-hosted servers | Yes | Medium |
| ModSecurity | Full WAF control on own servers | Yes | High |
Common mistakes
Mistake 1: Leaving origin IP exposed
Your server is directly accessible on its public IP. Attackers bypass Cloudflare entirely.
Fix: Firewall to accept only Cloudflare IPs on web ports.
Mistake 2: Wrong SSL mode
Using Flexible when your server supports HTTPS. Traffic between Cloudflare and your origin is unencrypted.
Fix: Use Full (Strict) with a valid certificate on your server.
Mistake 3: Not proxying all subdomains
Main site is protected, but api.example.com or staging.example.com are DNS-only.
Fix: Proxy all public-facing subdomains. Keep DNS-only only for services that truly need it.
Mistake 4: Caching private content
Cloudflare caches a logged-in user's dashboard, serves it to other visitors.
Fix: Set Cache-Control headers properly. Use page rules to bypass cache for authenticated areas.
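The check below covers both the headers listed under "Security headers" earlier on this page and this caching mistake: it audits one response for HSTS, X-Content-Type-Options and X-Frame-Options, and flags a response from an authenticated area that a shared cache such as Cloudflare's is allowed to store. It is an added example, not Cloudflare's or any project's code. The three sample responses are constructed, and the 180-day HSTS threshold is an example policy, not a Cloudflare default.

```python
import re

# Constructed sample responses. In practice feed this the headers your site returns
# (for example from `curl -sI https://example.com/`), one dict per response.
SAMPLE_PUBLIC_PAGE = {
    "Content-Type": "text/html",
    "Cache-Control": "public, max-age=3600",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}
SAMPLE_DASHBOARD_BAD = {   # a logged-in page that a shared cache is allowed to store
    "Content-Type": "text/html",
    "Cache-Control": "public, max-age=600",
    "Set-Cookie": "session=abc123; HttpOnly; Secure",
    "Strict-Transport-Security": "max-age=3600",
}
SAMPLE_DASHBOARD_GOOD = dict(SAMPLE_PUBLIC_PAGE, **{
    "Cache-Control": "private, no-store",
    "Set-Cookie": "session=abc123; HttpOnly; Secure",
})

MIN_HSTS_SECONDS = 180 * 24 * 3600   # example policy threshold, not a Cloudflare default

def lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def parse_cache_control(value):
    """'Public, Max-Age=60' -> {'public': None, 'max-age': '60'} (names lower-cased)."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, val = part.partition("=")
            directives[name] = val or None
    return directives

def audit_security_headers(headers):
    """Findings for the three headers Cloudflare can add; an empty list means all are sound."""
    h = lower_keys(headers)
    findings = []
    hsts = h.get("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif not max_age or int(max_age.group(1)) < MIN_HSTS_SECONDS:
        findings.append("Strict-Transport-Security max-age shorter than 180 days")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings

def shared_cacheable(headers):
    """True if a shared cache (a CDN) may store the response: neither private nor
    no-store, and a positive freshness lifetime (s-maxage takes precedence over max-age)."""
    cc = parse_cache_control(lower_keys(headers).get("cache-control", ""))
    if "private" in cc or "no-store" in cc:
        return False
    lifetime = cc.get("s-maxage") or cc.get("max-age")
    return lifetime is not None and lifetime.isdigit() and int(lifetime) > 0

def audit_caching(headers, authenticated=False):
    """A response for an authenticated area (flagged by the caller, or carrying
    Set-Cookie) must not be storable by shared caches."""
    if (authenticated or "set-cookie" in lower_keys(headers)) and shared_cacheable(headers):
        return ["authenticated response is storable by shared caches; "
                "send Cache-Control: private, no-store or bypass cache for this path"]
    return []

def audit_response(headers, authenticated=False):
    return audit_security_headers(headers) + audit_caching(headers, authenticated)
```

Point it at the headers your site actually returns, for a public page and for a dashboard page fetched with a valid session, and fix anything it reports either at the origin or through Cloudflare's settings and page rules.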
Mistake 5: Breaking legitimate bots
Bot protection blocks your API clients or monitoring services.
Fix: Create firewall rules to allow specific IPs or user agents. Or use DNS-only for API endpoints.
Workshop: protect your website
Block 30-45 minutes.
Part 1: Setup (15 minutes)
- Sign up at cloudflare.com
- Add your domain
- Review DNS records (enable proxy for web traffic)
- Change nameservers at registrar
Deliverable: Domain added, nameservers changed
Part 2: Security configuration (10 minutes)
- SSL/TLS → Set to Full (Strict)
- SSL/TLS → Edge Certificates → Always Use HTTPS: On
- Security → Bot Fight Mode: On
- Security → Settings → Security Level: Medium
Deliverable: Core security settings configured
Part 3: Firewall rules (10 minutes)
- Create rule to challenge admin area access
- Create rule to block empty user agents
- Save remaining slots for emergencies
Deliverable: Custom protection for your specific site
Part 4: Origin protection (10 minutes)
- Check if your origin IP is discoverable (use SecurityTrails)
- Configure server firewall if possible
- Document origin IP protection status
Deliverable: Origin exposure assessed and documented
Workshop checklist
- Cloudflare account created
- Domain added and active
- SSL set to Full (Strict)
- Always Use HTTPS enabled
- Bot Fight Mode on
- At least one firewall rule created
- Origin IP protection assessed
- Know how to enable "Under Attack Mode"
Self-check: is your site protected?
Basic setup
- Site is on Cloudflare
- Nameservers point to Cloudflare
- Status shows "Active"
- Main site is proxied (orange cloud)
Security configuration
- SSL mode is Full or Full (Strict)
- Always Use HTTPS is enabled
- Bot Fight Mode is on
- At least one custom firewall rule
Origin protection
- Server firewall limits web access to Cloudflare IPs (or documented why not)
- Origin IP is not easily discoverable
- Email uses separate IP/service
Monitoring
- Can access Cloudflare dashboard
- Know where "Under Attack Mode" is
- Someone reviews security events periodically
Check off at least 10 of 13 items before moving on.
Talking to leadership
"I set up website protection using Cloudflare. Our site now has DDoS protection, a web application firewall, automatic SSL, and bot blocking — all for free. Page loads are faster because of global CDN caching. Setup took 30 minutes. If we're ever attacked, I can enable emergency protection mode in two clicks."
Short version: "Our website is now protected from attacks and loads faster. Free, 30 minutes."
What's next
You've completed the Quick Wins module. Your company now has:
- Password management and MFA
- Centralized user directory with SSO
- SaaS inventory and access management
- Patch management and vulnerability scanning
- Email security (SPF, DKIM, DMARC)
- Phishing awareness training
- Data backup strategy
- Website protection
These fundamentals protect against the most common attacks. Next module: Security in Development — integrating security into your CI/CD pipelines and code.