Introduction

Cloudflare Under Attack Mode is meant to slow down abusive traffic, but it can also create friction for real users if it stays enabled too broadly or is layered on top of other aggressive protections. The site may remain online while visitors get stuck on interstitial challenges, failed sessions, or repeated access problems. The safest fix is to narrow where the protection applies instead of turning off security everywhere.

Symptoms

  • Real visitors get challenge pages before reaching the site
  • Login, checkout, or API-related flows fail more often after enabling Under Attack Mode
  • Some regions, devices, or networks are challenged more heavily than others
  • The issue began during a traffic spike, bot event, or emergency security response
  • Support requests increase even though the origin itself is healthy

Common Causes

  • Under Attack Mode is enabled zone-wide when only a few paths actually need extra protection
  • Other Cloudflare security controls stack on top of the challenge and block normal sessions
  • Critical app paths rely on request patterns that do not tolerate interstitial challenges well
  • Bot management, rate limits, or WAF rules are already strict enough without extra challenge layers
  • The site stayed in emergency mode after the original attack subsided

Step-by-Step Fix

  1. Confirm which paths and user flows are actually breaking, such as login, checkout, dashboards, or mobile sessions.
  2. Check Cloudflare analytics and security events to see whether the current attack still justifies broad Under Attack Mode.
  3. Narrow protection to the paths or traffic patterns that need it instead of keeping the whole zone under the same challenge level.
  4. Review overlapping WAF, bot, and rate-limit rules so legitimate visitors are not being hit by multiple controls at once.
  5. Exclude trusted networks, verified bots, or known application endpoints only where necessary and only as tightly as possible.
  6. Retest from affected devices and networks to confirm the target user flows now work while hostile traffic is still slowed or filtered.
  7. If pressure remains high, replace blanket mode with more specific rate limiting or firewall rules that match the abusive pattern better.
  8. Monitor challenge solves, abandonment, and blocked-request trends after the change so you can see whether protection is balanced properly.
  9. Document when emergency settings should be rolled back so temporary defense changes do not become long-term usability problems.
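As an added example that is not part of the original article, the script below runs the triage from steps 1, 4 and 8 over constructed Cloudflare firewall-event records: it counts challenges landing on critical application paths and finds requests that several controls acted on at once. The field names mirror the Logpush firewall-events dataset but are an assumption here, and the sample events are constructed.

```python
# Added example (not from the original article). Field names such as RayID,
# ClientRequestPath, Action and Source are assumed to match Cloudflare's
# firewall-events log format; the sample records below are constructed.
import json
from collections import Counter, defaultdict

# Constructed sample: newline-delimited JSON, one event per line. Ray a1 was
# challenged by the security level and then blocked by a rate limit.
SAMPLE_EVENTS = """\
{"RayID":"a1","ClientRequestPath":"/login","Action":"managedchallenge","Source":"securitylevel"}
{"RayID":"a1","ClientRequestPath":"/login","Action":"block","Source":"ratelimit"}
{"RayID":"a2","ClientRequestPath":"/login","Action":"managedchallenge","Source":"securitylevel"}
{"RayID":"a3","ClientRequestPath":"/checkout","Action":"managedchallenge","Source":"securitylevel"}
{"RayID":"a4","ClientRequestPath":"/api/orders","Action":"managedchallenge","Source":"securitylevel"}
{"RayID":"a5","ClientRequestPath":"/wp-login.php","Action":"block","Source":"waf"}
{"RayID":"a6","ClientRequestPath":"/blog","Action":"log","Source":"firewallrules"}
"""

# Application flows that must keep working, and the actions that interpose a challenge page.
CRITICAL_PREFIXES = ("/login", "/checkout", "/api/")
CHALLENGE_ACTIONS = {"challenge", "jschallenge", "managedchallenge"}

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt log line should not abort the whole triage
    return events

def challenged_critical_paths(events):
    """Challenge count per critical path: which user flows are being interrupted (steps 1 and 8)."""
    counts = Counter()
    for ev in events:
        path = ev.get("ClientRequestPath", "")
        if ev.get("Action") in CHALLENGE_ACTIONS and path.startswith(CRITICAL_PREFIXES):
            counts[path] += 1
    return dict(counts)

def stacked_controls(events):
    """Requests (by RayID) on which more than one control acted: overlapping rules (step 4)."""
    sources_by_ray = defaultdict(set)
    for ev in events:
        sources_by_ray[ev.get("RayID")].add(ev.get("Source"))
    return {ray: sorted(srcs) for ray, srcs in sources_by_ray.items() if len(srcs) > 1}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("challenged critical paths:", challenged_critical_paths(evs))
    print("stacked controls:", stacked_controls(evs))
```

Paths that show up in the first report are candidates for a narrower security level, and rays in the second report show where a WAF or rate-limit rule is already doing the work the blanket challenge duplicates.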