Cloudflare provides several free security features that protect your website from attacks, bots, and spam.
Set your security level
- Log in to https://dash.cloudflare.com and select your domain.
- Go to Security → Settings.
- Set Security Level to Medium. This challenges suspicious visitors (known bad IPs) with a browser check before allowing access.
Enable Bot Fight Mode
- Go to Security → Bots.
- Enable Bot Fight Mode. This blocks automated bot traffic from reaching your server.
Enable "I'm Under Attack" mode (for active attacks only)
If your website is under a DDoS attack and is slow or unreachable, you can enable maximum protection temporarily:
- Go to Security → Settings.
- Set Security Level to I'm Under Attack.
- Every visitor will see a 5-second browser challenge before accessing your site.
- Remember to set the security level back to Medium once the attack is over.
Block specific countries or IP addresses
- Go to Security → WAF → Tools.
- Under IP Access Rules, enter the IP address or country you want to block.
- Select Block from the action dropdown and click Add.
Enable HTTPS-only (HSTS)
- Go to SSL/TLS → Edge Certificates.
- Scroll to HTTP Strict Transport Security (HSTS) and click Enable HSTS.
- Set Max Age Header to 6 months and enable Include Subdomains.
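Warning: Only enable HSTS if your site is fully running on HTTPS, including every subdomain when Include Subdomains is on. It is very difficult to reverse once enabled, because browsers that have already visited the site remember the policy and refuse plain HTTP until the Max Age expires.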
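After enabling HSTS, the policy your site actually sends can be checked from the Strict-Transport-Security response header. The following is an added example, not part of the original article and not Cloudflare code; it assumes "6 months" is sent as 180 days (15552000 seconds), and the sample headers are constructed for illustration.

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # assumption: "6 months" is sent as 180 days (15552000 s)

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1)."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # the value may be a quoted-string
        if name in directives:           # each directive may appear only once
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not a non-negative integer")
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def check_hsts(headers, min_age=SIX_MONTHS):
    """Return findings for one HTTPS response's (name, value) headers; empty = OK."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        policy = parse_hsts(values[0])   # browsers process only the first such field
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains is not set")
    return findings

# Constructed sample responses (not captured from a real site)
SAMPLES = {
    "good": [("Strict-Transport-Security", "max-age=15552000; includeSubDomains")],
    "short": [("strict-transport-security", 'max-age="3600"')],
    "off": [("Server", "cloudflare")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, check_hsts(headers) or "OK")
```

Feed it the headers of an HTTPS response from your own site; browsers ignore HSTS headers received over plain HTTP.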