Cloudflare WAF Redesign & Cache Recovery for a High-Traffic News Site

The job-submission form was taking 15,005 requests in 24 hours, all with crafted /wa.me/ WhatsApp paths appended. The spam used 7 distinct WhatsApp numbers that impersonated real local companies, supermarkets, a dairy brand, a transport company.

The Under Attack Mode response had backfired. In 24 hours it fired 752,707 times, challenged 680,904 legitimate readers (a 90.5% bypass rate), produced 63,222 abandoned sessions, and hard-blocked zero attackers. Googlebot mobile crawl dropped 38% under the verified-bot throttling, and Meta and WhatsApp link-preview bots were getting challenged, which broke shared-article previews. The Vivo ISP, Brazil's #1 carrier and 21% of the site's traffic, was the main victim: 37,162 challenges and 22,980 abandoned.

The cache side was just as broken. Memcached had been off since a prior Duplicator Pro restore. WordPress Popular Posts was writing directly to MySQL twice per pageview. JNews was persisting its query cache with no expiry (the 0-byte transient pattern). HTML cache hit rate at Cloudflare was only 3.4%, because a duplicate cache rule with a 7-day TTL was being overridden by a bypass_by_default rule. And the Cloudflare API token was broken (missing Zone:Read scope), which silently killed every LiteSpeed cache purge.

A few rule-level bugs were wasting resources. One firewall rule had a logic bug, an impossible AND condition on two ASN values, which gave it an 88% bypass rate across 206,822 wasted events. The global rate limit (40 req/10s) was firing on normal page loads because a single article triggers 30 to 60 sub-requests. xmlrpc.php was taking 61 brute-force hits a day, 38 of them POSTs. A legacy Joomla /component/mailto/ endpoint, still reachable, was taking 7,500 GETs and 1,273 POSTs of email-injection attempts.

The sister site had its own problems. Active web-shell scanning from a Korea-based IP was probing for idx_<timestamp>.php filenames that matched attack dates. Credential-harvesting probes hit .env, .aws/credentials, and .git/config from Netherlands, Singapore, and US IPs. Its Cloudflare SSL mode had been set to Flexible (unencrypted origin) since 2020. Barkrowler was consuming 10.9% of its traffic, 3,294 requests a day, with zero SEO value. And a malicious .htaccess with shell-allowlist patterns was sitting in a staging subdirectory.

I started by pulling 8 days of Cloudflare analytics, 50+ JSON files, to baseline attack versus legitimate traffic. I traced the server crashes back to a combination of things: a Memcached restart, WPP's direct DB writes, a Jetpack autoloader rebuild, and a cache-exclusion rule. Before I touched anything, I took a full database backup (201 MB gzipped), a settings snapshot, and a theme-mods backup.

The performance fixes went in first. I re-enabled Memcached object cache with wp litespeed-option set object 1. I added a WPP_CACHE_VIEWS define to wp-config.php so WPP batches its writes every 2 minutes instead of hammering MySQL. I cleared the slide-tag cache exclusion, disabled the duplicate /noticias/ rule that was overriding the 7-day TTL, and replaced the broken API token with a scoped one (Zone:Read + Cache Purge). To keep Cloudflare in sync, I deployed a small mu-plugin, cf-auto-purge-on-save.php, that purges on every post save.

The JNews cache needed its own diagnosis. I queried ModuleQuery::do_query directly inside Memcached, which surfaced the missing-expiry pattern. I disabled the JNews query cache and enabled flush-on-publish, so editor changes actually show up on the homepage.

Then IUAM came out. I designed 7 new WAF rules to replace it: a verified-bot bypass with anti-spoof guards, a scanner/crawler UA block covering 30+ patterns (nmap, masscan, zgrab, nikto, wpscan, sqlmap, acunetix, nuclei and more), a sensitive-endpoint block for wa.me paths, xmlrpc, and the Joomla legacy endpoint, admin and API protection, a threat-score challenge, a non-browser UA challenge, and a cloud/hosting ASN challenge. I added two rate-limit rules: RL1 on admin and login, RL2 site-wide at 500/60s with static assets excluded. I also fixed the logic-bug rule and killed the overly broad Vivo ASN rule.

Rollout went in three phases: immediate blocks first, then bot bypass and rate-limit fixes, then the IUAM revert and cache-rule cleanup. On the recommendations side, I suggested Turnstile CAPTCHA on the form with a wa.me content filter and editorial review enforcement, Zero Trust on /wp-admin and /wp-login via Cloudflare Access, and for the sister site, an SSL upgrade to Let's Encrypt plus switching from Flexible to Full (Strict).