Key Takeaways
- Turning Under Attack Mode on forces a five-second browser check to block Layer 7 DDoS attacks, but it is a temporary fix that should never be left on permanently.
- Forcing real visitors to wait damages your conversion rates, and keeping the challenge screen active for days can cause crawl anomalies in Google Search Console.
- Instead of manually toggling Under Attack Mode, using the Cloudways Cloudflare Enterprise Add-on provides intelligent bot management and WAF rules that filter bad traffic silently.
Dealing with a traffic spike is usually straightforward until your server completely locks up. You log into your dashboard, see the CPU pinned at 100%, and notice a constant stream of 502 or 521 “Origin Down” errors. That is when you realize those visitors aren’t real. You are dealing with a botnet flood.
When an active Layer 7 attack hits, standard firewall rules fail. Unless your server is backed by something like the Cloudflare Enterprise Add-on, your origin server will quickly get overwhelmed by fake requests and crash.
That is exactly why Cloudflare Under Attack Mode exists. It acts as a manual emergency brake. By forcing every visitor to pass a background security check before they ever reach your server, it filters out malicious bots and keeps your site online.
In this guide, we will look at what Under Attack Mode is, how to use it during an active threat, and how the Cloudflare Enterprise Add-on from Cloudways provides an automated solution to this problem.
What is Cloudflare Under Attack Mode?
Cloudflare Under Attack Mode (often called IUAM) is a manual security setting that applies a maximum defense posture across your entire domain.
Under normal conditions, a website runs on a Low or Medium security level. These standard settings rely on IP reputation and basic firewall rules to filter out bad traffic. But when a targeted Layer 7 DDoS attack hits, those basic filters fail to catch the flood of malicious requests.
Activating Under Attack Mode immediately overrides those standard settings.
The technical objective of this mode is strictly about protecting your origin server’s resources.
Layer 7 attacks are specifically designed to exhaust your server’s CPU and RAM. The bots flood your site with thousands of HTTP and HTTPS requests, forcing your server to process heavy tasks until it eventually crashes.
Under Attack Mode prevents this resource exhaustion by completely changing how traffic is handled. Instead of letting requests flow through to your server, the Cloudflare Edge network intercepts every single connection.
It forces a mandatory verification check before anything is allowed to reach your origin. Cloudflare’s global network absorbs the massive computational hit, effectively blocking the botnet at the edge while keeping your actual server online for verified traffic.
How the “Cloudflare Checking Your Browser” Challenge Works
When you enable Under Attack Mode, the immediate result is highly visible. Every visitor trying to access your site hits an interstitial page displaying a “Checking your browser before accessing…” message.
The Managed Challenge
That 5-second waiting screen is not just a simple delay. Behind the scenes, Cloudflare is running a Managed Challenge. The edge network sends a complex, JavaScript-based computational task directly to the visitor’s browser.
A standard web browser like Chrome, Firefox, or Safari processes this math problem in the background and sends the correct answer back automatically.
A headless bot or a basic DDoS script usually fails here.
These malicious scripts are built to fire off HTTP requests as fast as possible to overwhelm your server, but they typically lack the actual JavaScript engine required to solve the computational puzzle.
Verification Requirements
Because this defense relies on browser capabilities, a visitor needs specific settings turned on to successfully bypass the wall:
- JavaScript enabled: Without it, the browser simply cannot execute the math challenge, and the user remains stuck on the checking screen.
- Cookies enabled: Once a user passes the test, Cloudflare drops a clearance cookie (specifically, the cf_clearance cookie) in their browser. This proves they are a verified human and lets them navigate the rest of your site without seeing the 5-second delay on every single page load.
Global vs. Selective Activation
Flipping the master Under Attack Mode switch in your security dashboard applies this challenge globally to your entire domain. That is necessary during a massive, unpredictable crisis.
However, you don’t always have to lock down the entire site. If a botnet is specifically hammering your database-heavy endpoints, you can apply this exact same Managed Challenge selectively.
Using Cloudflare WAF Custom Rules, you can trigger the browser check only on vulnerable URLs like your /login page, /xmlrpc.php, or a search bar, leaving your main public content completely frictionless for regular visitors.
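A selective rule of this kind, as an added example (not code from this article, Cloudways or Cloudflare): it builds the custom-rule expression and rule body for the endpoint types named above and dry-runs it locally. The `/search` path and the helper names are assumptions; `managed_challenge` and `http.request.uri.path` are Cloudflare's own action and field names.

```python
import json

# Endpoints the article names as typical targets; "/search" stands in for
# "a search bar" and is an assumption about the site's URL layout.
CHALLENGED_PATHS = ["/login", "/xmlrpc.php", "/search"]


def quote(value: str) -> str:
    """Quote a string literal for the Cloudflare rules language."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_expression(paths):
    """OR together exact-path matches; everything else stays unchallenged."""
    if not paths:
        raise ValueError("refusing to build an empty expression")
    return " or ".join(f"(http.request.uri.path eq {quote(p)})" for p in paths)


def build_rule(paths):
    """Rule body for the zone's http_request_firewall_custom phase."""
    return {
        "description": "Managed Challenge on expensive endpoints only",
        "expression": build_expression(paths),
        "action": "managed_challenge",
        "enabled": True,
    }


def would_challenge(url_path: str, paths=CHALLENGED_PATHS) -> bool:
    """Local dry run of the rule: eq compares the path only, not the query."""
    return url_path.split("?", 1)[0] in paths


if __name__ == "__main__":
    print(json.dumps(build_rule(CHALLENGED_PATHS), indent=2))
    for p in ["/", "/blog/post-1", "/login", "/xmlrpc.php", "/search?q=x", "/login/"]:
        print(f"{p:15} challenged={would_challenge(p)}")
```

The dry run shows one thing the paragraph does not: `eq` is an exact match, so `/login/` with a trailing slash is not covered unless it is listed too.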
When to Use (and When to Disable) Under Attack Mode
Deciding when to turn on this feature comes down to looking at your server health rather than just your traffic volume.
A successful marketing campaign might bring a huge wave of visitors, and your server should handle that normally. But if you already have rate limiting active and your CPU is still maxing out while visitors get 502 or 521 errors, your standard defenses are clearly overwhelmed.
That specific point of hardware failure is when you need to enable the mode.
The Trade-offs: UX and SEO
The reason you don’t leave this running all year is the friction it creates. You are essentially trading user experience for server stability, and doing so for too long causes real problems.
- User Friction: Forcing every visitor to sit through a five-second loading screen is terrible for UX. People hate waiting. Instead of staring at a browser check, a massive chunk of your audience will simply close the tab and leave. The result is a sudden spike in bounce rates and a huge hit to your conversions.
- Search Engine Visibility: Cloudflare officially allowlists known crawlers like Googlebot to bypass the JavaScript challenge. But in reality, leaving the wall up for weeks usually breaks things. Search engines struggle to access your site consistently. Before long, Google Search Console will flood with “crawl anomalies,” and your organic search rankings will start dropping.
Think of this setting strictly as a temporary bandage. Watch your server analytics while the attack plays out. Once that malicious request volume finally drops and your CPU usage recovers, open your dashboard and turn the feature off.
Lowering the security level back to Medium instantly kills the delay, allowing real users to browse your site normally.
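One way to turn the enable and disable criteria above into a repeatable decision, as an added example rather than anything Cloudflare or Cloudways ships: it switches to `under_attack` only when CPU and 502/521 rates stay high together, and back to `medium` once both recover. The thresholds, sample data and function names are assumptions; the request targets the zone `security_level` setting and is built but not sent.

```python
import json
import urllib.request
from dataclasses import dataclass

API = "https://api.cloudflare.com/client/v4"
ORIGIN_ERRORS = {502, 521}          # status codes the article treats as the signal
# Thresholds are assumptions for illustration; tune them per server.
CPU_HIGH, CPU_OK = 95.0, 60.0       # origin CPU percent
ERR_HIGH, ERR_OK = 0.20, 0.01       # share of responses that are 502/521
SUSTAIN = 3                         # consecutive one-minute samples required

@dataclass
class Sample:
    cpu: float
    statuses: list                  # HTTP status codes served in that minute

    def err_rate(self) -> float:
        bad = sum(s in ORIGIN_ERRORS for s in self.statuses)
        return bad / len(self.statuses) if self.statuses else 0.0

def decide(current, history):
    """Return 'under_attack' or 'medium'; hysteresis keeps it from flapping."""
    recent = history[-SUSTAIN:]
    if len(recent) < SUSTAIN:
        return current
    if all(s.cpu >= CPU_HIGH and s.err_rate() >= ERR_HIGH for s in recent):
        return "under_attack"
    if all(s.cpu <= CPU_OK and s.err_rate() <= ERR_OK for s in recent):
        return "medium"
    return current

def build_request(zone_id, token, level):
    """PATCH for the zone's security_level setting; built here, never sent."""
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/security_level",
        data=json.dumps({"value": level}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )

# Constructed samples: a flood, a recovery, and a busy but healthy campaign.
FLOOD = [Sample(99.0, [200, 502, 521, 502])] * SUSTAIN
CALM = [Sample(35.0, [200] * 100)] * SUSTAIN
BUSY = [Sample(97.0, [200] * 100)] * SUSTAIN

if __name__ == "__main__":
    print(decide("medium", FLOOD), decide("under_attack", CALM), decide("medium", BUSY))
```

The `BUSY` case is the marketing-campaign scenario: high CPU with no 502/521 responses leaves the level unchanged.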
How to Enable Cloudflare Under Attack Mode
Let’s look at how to actually turn this on. For this quick walkthrough, we are going to use the standard Cloudflare Free tier dashboard, as the manual toggle is built right into the baseline settings.
Here is exactly how you lock the site down:
- Log into your Cloudflare dashboard and click on the domain you need to protect.

- Look at the left-hand sidebar menu. Click on Security, and then click on Settings.

- Scroll down until you find the Security level section. You will see a note stating that Cloudflare’s security is now fully automated and set to ‘always protected’ by default.
- Right below that message, under Configurations, look for I’m under attack mode: disabled. Click the pencil icon next to it.

- A side panel will slide out from the right. Flip the toggle to turn the mode on, and hit the Apply button at the bottom of that panel.
The change kicks in immediately across the network.

From that second forward, every single visitor will hit the five-second verification screen before reaching your server.
But here is the catch with this free, manual toggle: you have to actually be at your keyboard to trigger it. If a botnet hits at 3 AM, your server is going down while you sleep. And once you do wake up and turn it on, your real users pay the price with a terrible browsing experience.
That brings us to the real problem: how do you stop these attacks automatically without punishing your actual customers?
This is exactly where the Cloudways Cloudflare Enterprise Add-on comes in.
Automating DDoS and Bot Mitigation with Cloudways
Relying on a free Cloudflare account means you either have to build your own complex firewall rules from scratch, or rely entirely on that manual emergency switch. Cloudways fixes this by baking enterprise-grade, automated security directly into your hosting dashboard.
How you access this depends on your server architecture:
- Cloudways Flexible Plans: You can easily activate these features across your domains by enabling the Cloudflare Enterprise Add-on.
- Cloudways Autonomous: The entire Cloudflare Enterprise security suite—including the Under Attack Mode toggle—is natively built-in and available for free on all plans.
Instead of forcing you to act as a full-time security engineer, Cloudways pre-configures the exact defenses your server needs. Here is what runs in the background to stop attacks before you ever need to hit the panic button:
- Enterprise Web Application Firewall (WAF): This isn’t the basic free firewall. The Enterprise WAF uses live threat intelligence and machine learning from Cloudflare’s global network to identify and block emerging zero-day vulnerabilities. It neutralizes malicious payloads at the edge, long before they reach your server’s local firewall.

- Automated Rate Limiting: This is your primary shield against Layer 7 HTTP floods. The system monitors incoming traffic in 60-second windows. If a single IP address fires off more than 200 requests within a minute, Cloudflare automatically slaps that IP with a managed challenge. It resets every minute and actively excludes verified bots and cached content, ensuring real traffic flows smoothly.
- Browser Integrity Check: Malicious scripts and botnets often use fake or missing HTTP headers. This feature actively scans the headers of incoming requests and blocks or challenges anything using a non-standard or missing user agent.
- AI Crawler Blocking: If you don’t want artificial intelligence companies scraping your website to train their Large Language Models (LLMs), this automated toggle shuts them down at the edge.
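The rate-limiting behaviour in the list above, modelled as an added example (not Cloudways or Cloudflare code): a 60-second counter per IP with a 200-request limit that skips verified bots and cached responses. The tuple layout, the epoch-aligned fixed windows and the sample traffic (documentation-range IPs) are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 60      # seconds, per the article
LIMIT = 200      # requests per IP per window, per the article


def challenged_ips(requests):
    """Return {ip: [window_start, ...]} for windows where an IP exceeded LIMIT.

    Each request is (epoch_seconds, ip, cache_status, verified_bot).
    Cached responses and verified bots are not counted, as the article says.
    Fixed windows aligned to the epoch are an assumption of this sketch.
    """
    counts = defaultdict(int)
    for ts, ip, cache_status, verified_bot in requests:
        if verified_bot or cache_status == "HIT":
            continue
        counts[(ip, ts - ts % WINDOW)] += 1
    flagged = defaultdict(list)
    for (ip, start), n in sorted(counts.items()):
        if n > LIMIT:
            flagged[ip].append(start)
    return dict(flagged)


def constructed_traffic():
    """Constructed sample: flooder, crawler, cache-heavy reader, borderline IP."""
    t0 = (1_700_000_000 // WINDOW) * WINDOW   # align to a window boundary
    reqs = []
    # 300 uncached requests from one IP inside the first minute ...
    reqs += [(t0 + i % 60, "203.0.113.7", "MISS", False) for i in range(300)]
    # ... then 50 in the next minute: the counter has reset.
    reqs += [(t0 + 60 + i, "203.0.113.7", "MISS", False) for i in range(50)]
    # A verified crawler at 400 requests per minute is excluded from counting.
    reqs += [(t0 + i % 60, "198.51.100.9", "MISS", True) for i in range(400)]
    # A reader pulling 500 cached assets plus 20 dynamic pages stays under.
    reqs += [(t0 + i % 60, "192.0.2.44", "HIT", False) for i in range(500)]
    reqs += [(t0 + i, "192.0.2.44", "DYNAMIC", False) for i in range(20)]
    # Exactly 200 is not "more than 200".
    reqs += [(t0 + i % 60, "192.0.2.80", "MISS", False) for i in range(200)]
    return t0, reqs


if __name__ == "__main__":
    t0, reqs = constructed_traffic()
    print(challenged_ips(reqs))
```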

A Built-in Last Resort
Even with all these automated defenses, extreme situations happen. That is why the add-on includes the Under Attack Mode toggle right inside the Cloudways panel.

If a massive, unpredictable botnet slips through, you can lock down the site directly from your hosting dashboard without needing to log into a separate Cloudflare account.
By layering the Enterprise WAF and strict rate limiting, the add-on filters out the junk traffic quietly. Your server stays online, and your real customers never have to stare at a five-second loading screen.
Wrapping Up!
Cloudflare Under Attack Mode is a manual emergency setting built to protect your server from Layer 7 DDoS attacks. In this guide, we covered how the browser verification process works, exactly when you need to enable it, and why leaving it on for too long will damage both your user experience and search rankings.
While the free manual toggle works when you are actively monitoring an incident, it is not a sustainable long-term defense. That is where the Cloudways Cloudflare Enterprise Add-on helps.
It replaces the need for a manual switch by running an enterprise-grade WAF, rate limiting, and bot management quietly in the background. It filters out malicious traffic automatically, keeping your server stable without interrupting the browsing experience for your actual visitors.
Q. What does Cloudflare under attack mode do?
A. It acts as a manual emergency shield that forces every single visitor to pass a background browser check. This filters out automated botnets before they can reach your server and crash your hardware.
Q. What are some examples of “attack mode” scenarios?
A. You use this mode when a botnet spams heavy, database-driven endpoints, like hammering your /login page or flooding a checkout form, causing your server CPU to lock up at 100%.
Q. Did Cloudflare get attacked?
A. Yes, constantly. Because Cloudflare sits in front of millions of websites, its edge network regularly absorbs and mitigates record-breaking global DDoS attacks so the individual origin servers don’t have to.
Q. How do I stop Cloudflare from blocking me?
A. If you are a visitor, make sure your browser has JavaScript and cookies enabled, and try pausing strict ad-blockers. If you are the site owner and real users are getting blocked, lower your Cloudflare Security Level back to “Medium.”
Abdul Rehman