Bots are still getting through site

bots are still getting through site even with I’m under attack mode on

Then maybe they are real people. Why don’t you check and see what Cloudflare has to say about it in your dashboard?


there isn’t supposed to be more than 74 ppl registered. rn there is 171

I can tell if there are bots or not from if they have an ava/profile picture

I don’t think there’s any need to put the whole domain under attack mode

If spam is your problem then you need to make some extra challenge at this address

Put the captcha inside that form

how? use plugin ReCaptcha Integration for WordPress – WordPress plugin |

Additionally, on Cloudflare - you can add a Firewall Rule with JS Challenge or a Page Rule with “I’m Under Attack” mode for the registration page.

example for path for page rule: **


you can add a Firewall Rule with JS Challenge

how can I do that?

Under WAF

what does WAF stand for?

Web Application Firewall, under the Security tab.


To really reduce spam your protection must be layered - there is no single magical act.
If someone breaks the first layer of protection, he is greeted by the second, then the third, and so on.

Smart spam know how to solve the captcha and also supports JS
so don’t just rely on those two.

You can simply add in your form
a field that requires… the user who wants to register
that he must write your domain address in a certain field
and then of course you need to check that entry when someone presses the register button and then either passes or doesn’t pass

It’s kind of like asking him 5 + 5 =? only more complex

You can have some picture of an animal in the form
and ask what is in the picture and that the user, among other things, must enter the name of the animal…

Be sure to do something listed here


don’t have the money for premium

You don’t need premium hosting, or any paid service. ReCaptcha is a free service that you can use with a free WordPress plugin. Cloudflare’s “I’m under attack” mode is also free, and so is the Page Rules feature that allows you to enable Under Attack mode only on login/registration pages.