In addition to Cloudflare’s firewall rules, their rate limiting can also be effective at increasing your web store’s security. Note that Cloudflare rate limiting is not free, but it is very affordable if it is used on a limited, targeted basis.
For example, if you wish to use rate limiting, we might recommend it for the URL that processes web store payments, i.e. *.mywebstore.com/checkout/onepage/place_order*.
You can enable Google reCAPTCHA on your payment pages by going to System > Features > B2C (Public) and toggling Enable Captcha at Checkout. reCAPTCHA is excellent, but not infallible.
Create a Custom Rate Limiting Rule
To get started, navigate to the Firewall section in your Cloudflare dashboard, then Tools, and finally click Create a custom rule.
Configure the Rate Limiting Rule
- Give your rule a name. This should be memorable in case you need to modify this rule in the future.
- Select both HTTP and HTTPS (secure vs. non-secure) traffic to be on the safe side, although no traffic to this URL will go over HTTP in the web store.
- Copy-paste *.mywebstore.com/checkout/onepage/place_order*, but replace mywebstore.com with your own domain name. The asterisks (*) allow this rule to apply regardless of the subdomain, e.g. www.mywebstore.com or shop.mywebstore.com, as well as any parameters that might be appended to the URL string, e.g. shop.mywebstore.com/checkout/onepage/place_order/?code=323.
- Next, determine when the rule should go into effect. In our example, it will trigger when there are more than 3 requests in one minute from a single IP address to *.mywebstore.com/checkout/onepage/place_order*.
- Finally, block the IP for a certain period of time. You can block the IP for either one minute or one hour. We recommend an hour.
- Save your changes and deploy the rate limiting rule.
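To make the rule's behaviour concrete before you deploy it, here is an added example that models the semantics described in the steps above: a wildcard URL pattern, a threshold of more than 3 matching requests per IP within a 60-second window, and a one-hour block once the threshold is exceeded. This is a small local simulation written for this page, not Cloudflare's own implementation or API; the class and function names, the timestamps, and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed model of the rule described above (assumption: not Cloudflare's code).
THRESHOLD = 3          # the rule triggers on MORE than 3 requests ...
WINDOW_SECONDS = 60    # ... within one minute ...
BLOCK_SECONDS = 3600   # ... and then blocks the IP for one hour


def pattern_to_regex(pattern):
    """Translate a URL pattern with '*' wildcards into an anchored regex.

    Each '*' matches any run of characters, so the pattern
    '*.mywebstore.com/checkout/onepage/place_order*' matches any subdomain
    and any path suffix or query string appended after place_order.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


class RateLimitRule:
    """Sliding-window per-IP rate limit with a fixed block duration."""

    def __init__(self, url_pattern, threshold=THRESHOLD,
                 window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.regex = pattern_to_regex(url_pattern)
        self.threshold = threshold
        self.window = window
        self.block = block
        self.hits = defaultdict(deque)  # ip -> timestamps of matching requests
        self.blocked_until = {}         # ip -> time at which the block expires

    def matches(self, url):
        """True if the request URL (host + path + query) matches the pattern."""
        return bool(self.regex.match(url))

    def check(self, ip, url, now):
        """Evaluate one request at time `now` (seconds).

        Returns 'allow' for requests the rule does not act on,
        'block' for the request that first exceeds the threshold, and
        'blocked' for requests arriving while the IP is still blocked.
        """
        if not self.matches(url):
            return "allow"          # rule only covers the checkout URL
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"    # block still in force
            del self.blocked_until[ip]
        q = self.hits[ip]
        q.append(now)
        # drop timestamps that have fallen out of the one-minute window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[ip] = now + self.block
            q.clear()
            return "block"
        return "allow"


def simulate(rule, requests):
    """Run a list of (ip, url, timestamp) tuples through the rule in order."""
    return [rule.check(ip, url, t) for ip, url, t in requests]


if __name__ == "__main__":
    rule = RateLimitRule("*.mywebstore.com/checkout/onepage/place_order*")
    url = "www.mywebstore.com/checkout/onepage/place_order"
    # constructed sample: four quick requests from one IP, then one more
    reqs = [("203.0.113.5", url, t) for t in (0, 10, 20, 30, 31)]
    print(simulate(rule, reqs))
```

Two properties of the model are worth checking against your own rule: the fourth request inside a minute is the one that is blocked (the threshold is "more than 3", not "3"), and a pattern that begins with *. requires the literal dot, so a request to the bare apex mywebstore.com/checkout/onepage/place_order would not match. If your store is served from the apex domain as well, verify the rule against that URL too.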
Verifying the Rule
If you visit the URL more than three times in your browser in less than a minute, you should trigger the rule.
Additionally, you can monitor which IPs are being rate limited in the activity log.