
In simple terms, rate limiting is a security and traffic management strategy that puts a cap on how often a single client can repeat an action within a specific time frame.
The Cloudflare Free rate limiting rule works remarkably well for simple, high-impact tasks:
- It is excellent at stopping bots trying thousands of passwords against /login or /wp-login.php. Because humans don’t log in 10 times in 10 seconds, this rule is safe and effective.
- If you have a search feature that triggers heavy database queries, a rule on /search* prevents a single bot from overloading your database with hundreds of requests.
- It stops simple “volume” scrapers that try to download your entire site’s content as fast as possible.
However, the Free rate limiting rule struggles as soon as an attacker gets “creative”.
The “Slow and Steady” Strategy
The Free plan counts requests in a fixed 10-second window, so a bot can evade it by calculating the maximum “safe” speed and never exceeding it.
The Logic: If your rule is “5 requests per 10 seconds”, the bot is programmed to send one request every 11 seconds, so no two of its requests ever land in the same window. (It could even go faster, up to 5 per window; one every 11 seconds is simply the most conservative pace.)
The Result: The counter resets every 10 seconds, so as far as Cloudflare is concerned, that bot is only ever making “1 request”. It can crawl your entire site over a few hours without ever triggering the rule.
IP Rotation
Since the Free tier can only count by IP address, it cannot tell that 100 different IPs are actually one attacker.
The Logic: An attacker uses a “Proxy Rotation” service. Instead of one computer sending 100 requests, they use 100 different “zombie” computers (or residential proxies) to send 1 request each.
The Result: Each individual IP stays well below your limit, but your server still receives 100 hits. The bot remains invisible.
The “Collateral Damage” Strategy
Creative attackers know that most people protect their “obvious” endpoints such as the login page. Instead, they hit the “public” parts of your site that nobody thought to rate limit.
They might hit a page that requires a heavy database lookup, or they repeatedly request large files.
Why would they bother? Attackers want to:
- Force your database to work at 100% capacity and crash your server.
- Slow down your website for everyone else.
- Fill up your logs with “noise” so that real attacks are harder to spot.
Recommendations
These are some recommendations you might want to take into consideration:
- Convert your site into a static website and host it on Cloudflare Pages for free. With no database, there is nothing for a query flood to crash. Cloudflare Pages distributes your files across hundreds of data centers. It is arguably the most secure way to host a website for free because the “attack surface” is almost zero.
- Create a Cache Everything rule for your static assets and pages, so that when a bot hits your homepage, Cloudflare serves the cached HTML and your database is never touched. Take care to exclude personalized or logged-in pages (for example, bypass the cache when a session cookie is present), otherwise the cache can serve one visitor’s page to another.
- Use a rate limiter at the application level, counting over longer windows and by keys the Free rule cannot use (such as the account being logged into, or a session), to reduce the chances of a “slow and steady” or IP-rotation attack succeeding.
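To make the “slow and steady” and IP-rotation patterns above concrete, and to show what the application-level limiter in the last recommendation actually buys you, here is an added example. It is not code from the original post or from Cloudflare. It simulates a fixed-window counter keyed by IP, which is how the Free-plan rule is described above, next to a sliding-window counter of the kind you would run in your own application. The limits (200 per hour per IP, 10 attempts per 5 minutes per account), the IP addresses and the account name are constructed for the simulation and are not Cloudflare settings. It also shows one weakness the post does not mention, a burst straddling a window boundary, which the same sliding window catches.

```python
from collections import defaultdict, deque


class FixedWindowLimiter:
    """Free-plan style counter: requests are counted per (key, window number)
    and the count resets at every window boundary."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.counts = defaultdict(int)

    def allow(self, key, now):
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


class SlidingWindowLimiter:
    """Application-level counter: keeps the timestamps of the last
    `window_seconds` of requests per key, so there is no reset boundary
    for a bot to time its requests against."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.history = defaultdict(deque)

    def allow(self, key, now):
        q = self.history[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)  # blocked requests still count; retrying does not reset the window
        return len(q) <= self.limit


def slow_and_steady(limiter, key="203.0.113.7", interval=11, duration=3600):
    """One constructed IP sends one request every `interval` s for `duration` s
    (the evasion pace from the post). Returns how many requests were blocked."""
    blocked = 0
    t = 0
    while t < duration:
        if not limiter.allow(key, t):
            blocked += 1
        t += interval
    return blocked


def rotating_ips(limiter, key_fn, n_ips=100, account="alice"):
    """`n_ips` constructed source addresses each try the same account once,
    spread over 10 seconds. `key_fn(ip, account)` decides what the limiter counts by."""
    blocked = 0
    for i in range(n_ips):
        ip = f"198.51.100.{i}"  # constructed TEST-NET-2 addresses
        if not limiter.allow(key_fn(ip, account), now=i * 0.1):
            blocked += 1
    return blocked


def boundary_burst(limiter, key="203.0.113.9"):
    """Ten requests in two seconds straddling the t=10 boundary of a 10 s window."""
    times = [9.0 + 0.2 * i for i in range(5)] + [10.0 + 0.2 * i for i in range(5)]
    return sum(1 for t in times if not limiter.allow(key, t))


def demo():
    """Run every pattern against both limiter styles; returns {pattern: blocked}."""
    return {
        "slow_and_steady / fixed 5 per 10s by IP":
            slow_and_steady(FixedWindowLimiter(5, 10)),
        "slow_and_steady / sliding 200 per hour by IP":
            slow_and_steady(SlidingWindowLimiter(200, 3600)),
        "ip_rotation / fixed 5 per 10s by IP":
            rotating_ips(FixedWindowLimiter(5, 10), lambda ip, acct: ip),
        "ip_rotation / sliding 10 per 5 min by account":
            rotating_ips(SlidingWindowLimiter(10, 300), lambda ip, acct: acct),
        "boundary_burst / fixed 5 per 10s by IP":
            boundary_burst(FixedWindowLimiter(5, 10)),
        "boundary_burst / sliding 5 per 10s by IP":
            boundary_burst(SlidingWindowLimiter(5, 10)),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked} blocked")
```

The fixed-window, per-IP limiter blocks nothing in any of the three scenarios: the slow bot never shares a window with itself, each rotating IP is seen only once, and the boundary burst splits neatly across two windows. The sliding window over an hour catches the slow crawl after its 200th request, and counting by target account instead of source IP turns 100 “invisible” attempts into 90 blocked ones. Keeping a deque of timestamps is the simplest way to show the idea; in production you would typically use a token bucket or a shared store such as Redis with key expiry, but the lesson is the same: the window length and the key you count by matter more than the data structure.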