Bulk Redirects limit massively increased on self‑serve plans.
Free now supports 10,000 redirect items across lists (was ~20 before). This is in Cloudflare’s 2025 rules limits changelog. [developers...dflare.com]
DNS record quotas on Free depend on when the zone was created:
200 records per zone for domains added on/after Sep 1, 2024; 1,000 for older zones. Also confirms DNSSEC and CNAME flattening availability by plan. [developers...dflare.com]
WAF Custom Rules on Free are still available and capped at 5 per zone; no regex on Free/Pro. (Doc updated Sep 22, 2025.) [developers...dflare.com]
Rate Limiting stays unmetered (no per‑request fees) on Free/Pro/Biz, with plan‑based quotas for number of rules (historically: Free 1, Pro 2, Biz 5). The unmetered model is official; keep rule‑count expectations conservative. [blog.cloudflare.com]
Bot controls:
Bot Fight Mode (BFM) remains Free but not customizable or skippable via WAF; Super Bot Fight Mode (SBFM) requires Pro/Business. (Docs updated Sep 26, 2025.) [developers...dflare.com], [developers...dflare.com]
Zero Trust – Gateway & Access (Free): shows 10 user limit, up to 3 locations, 24‑hour log retention on the current product page. (Great add‑on if you want to include outbound filtering or ZTNA in your offer.) [cloudflare.com]
SSL/TLS features (TLS 1.3, HSTS, Always HTTPS, Automatic HTTPS Rewrites, Authenticated Origin Pull, Universal SSL) remain available as previously described. [developers...dflare.com], [cloudflare.com]
Scope: One public website (zone) on Cloudflare Free with traffic proxied (orange cloud).
Goal: Foundational app, DNS, and transport security aligned to best practices.
Path: Website → SSL/TLS
Universal SSL: ON (free HTTPS certs). [cloudflare.com]
TLS 1.3: ON; Minimum TLS version set appropriately (e.g., 1.2). [developers...dflare.com]
Always Use HTTPS & Automatic HTTPS Rewrites: ON (eliminate mixed content). [developers...dflare.com]
HSTS: enable with staged rollout (includeSubDomains + preload optional). [developers...dflare.com]
Authenticated Origin Pull: ON if origin supports client certs (stop direct‑to‑origin bypass). [developers...dflare.com]
Path: Website → DNS
DNSSEC: ON (prevents DNS spoofing/hijacking). [developers...dflare.com]
Anycast DNS + CNAME Flattening enabled by platform (performance + reliability). [developers...dflare.com], [cloudflare.com]
Record hygiene: audit MX/TXT/SPF/DMARC; respect Free plan quota (200 records for zones created ≥ 2024‑09‑01, 1,000 if older). [developers...dflare.com]
Path: Website → Security → WAF
Free Managed Ruleset: ON (cloud‑managed protections for high‑severity vulns). [developers...dflare.com]
Custom WAF Rules (Free allows 5):
Protect admin/login paths (e.g., /wp-login.php, /xmlrpc.php, /admin) with Managed Challenge.
Block obvious scraper UAs (python-requests, curl, non‑verified “bot” strings).
Skip for verified good bots (search engines, uptime monitors) where safe.
Geo/ASN gate for admin endpoints.
(Free: no regex; order matters; test via Security Events.) [developers...dflare.com], [developers...dflare.com]
Path: Website → Security → Bots
Bot Fight Mode: ON (free, domain‑wide; basic known bot challenges).
Note: Cannot be fine‑tuned or bypassed via WAF. If it impacts APIs or integrations, disable and rely on WAF + rate limiting; SBFM is a paid (Pro/Business) upgrade. [developers...dflare.com], [developers...dflare.com]
Path: Website → Security → WAF → Rate limiting rules
Create one rule (Free plan allowance) for high‑risk endpoints (/login, /api/*): per‑IP thresholds with Managed Challenge or Block.
Follow Cloudflare best practices: choose stable characteristics (per‑IP), set realistic thresholds (consider HTTP/2 burstiness), and exclude verified bots if necessary. [developers...dflare.com], [developers...dflare.com]
Unmetered: no per‑request fees on self‑serve plans; keep expectations at Free: ~1 rule (per 2022 announcement). [blog.cloudflare.com]
Path: Website → Rules → Bulk Redirects / Cache Rules
Bulk Redirects: up to 10,000 entries on Free (excellent for SEO hygiene, canonicalization, or country‑specific redirects). [developers...dflare.com]
Sensible cache rules and page rules (if used) for static content, admin bypass, and edge redirects. [cloudflare.com]
Path: Website → Security → Events / Security Analytics
Review Security Events & Security Analytics after go‑live; tune rules to reduce false positives and tighten gaps. (Monthly in care plan.) [developers...dflare.com]
Path: Zero Trust → Gateway / Access
Gateway (SWG): outbound DNS/HTTP category filtering for up to 10 users, 3 locations, 24‑hour logs—great for small teams. [cloudflare.com]
Access (ZTNA): protect one internal app with IdP SSO policies (clientless/browser SSH or mTLS optional). [cloudflare.com]
Where: Security → WAF → Custom rules → Create rule
Tip: Use Managed Challenge first; promote to Block once confident. Validate in Security Events. [developers...dflare.com]
1) Protect WordPress admin & login
Plain Text
(http.request.uri.path contains "/wp-login.php"
or http.request.uri.path contains "/xmlrpc.php"
or (http.request.uri.path starts_with "/wp-admin/"
and not http.request.uri.path contains "/admin-ajax.php"))
and not cf.client.bot
``
Show more lines
Action: Managed Challenge [developers...dflare.com]
2) Block obvious scrapers
Plain Text
(http.user_agent contains "python-requests"
or http.user_agent contains "curl"
or (http.user_agent contains "bot" and not cf.client.bot))
Show more lines
Action: Block [developers...dflare.com]
3) Allow verified good bots (skip selected features)
Plain Text
cf.client.bot and cf.verified_bot_category in {"Search Engine Crawler","Monitoring & Analytics"}
``
Show more lines
Action: Skip (choose feature(s) to skip) [developers...dflare.com]
4) Geo gate admin (example)
Plain Text
(http.request.uri.path starts_with "/admin") and (ip.geoip.country ne "IN")
Show more lines
Action: Managed Challenge [developers...dflare.com]
5) Rate limit login (Free → 1 rule)
Match: http.request.uri.path starts_with "/wp-login.php"
Counting: IP; Threshold: e.g., 20 requests / 60s; Mitigation: Managed Challenge; Timeout: 120s. [developers...dflare.com], [developers...dflare.com]
Super Bot Fight Mode (granular controls, analytics) → Pro/Business. [youtube.com]
Cloudflare Managed Ruleset & OWASP CRS (beyond Free ruleset) → Pro/Business+. [developers...dflare.com]
Advanced Rate Limiting (counting by headers/body, NAT support, request body fields) → Enterprise. [github.com]
Email Security (Area 1) → separate paid SKU (not Free). [comparitech.com]
If you share the domain(s), CMS/tech stack, and whether you want Zero Trust included, I can draft a branded proposal (deliverables, timelines, SLAs, and pricing tiers) and a one‑pager you can send to customers.
If you prefer, I can also log into your Cloudflare tenant and apply the exact configuration above (documenting each setting with screenshots).