Cloudflare Under Attack Mode Not Working — And You’ve Already Waited 24 Hours

You enabled Under Attack Mode.

You tested from another browser.

You tried mobile data.

You even used an online browser testing tool.

But Cloudflare Under Attack Mode is not working — and nothing changed.

No interstitial challenge page.
No “Checking your browser before accessing…” screen.
No visible increase in protection.

When Cloudflare Under Attack Mode is not working, most people assume:

  • It needs more time to propagate
  • Caching is interfering
  • The attack is too advanced
  • Cloudflare has a bug

But the real cause is usually much simpler — and much more fundamental.

Before we reveal it, let’s understand what Under Attack Mode actually does.


What Is Cloudflare Under Attack Mode?

Cloudflare’s official documentation describes Under Attack Mode as a security level that adds a JavaScript challenge page before visitors access your site.

Cloudflare’s official documentation has the full explanation.

When enabled, Cloudflare:

  • Filters malicious HTTP requests
  • Blocks automated bot floods
  • Challenges suspicious visitors
  • Protects against Layer 7 attacks

It works at the Cloudflare edge network, meaning traffic flows like this:

Visitor → Cloudflare → Your Server

If Cloudflare Under Attack Mode is not working, something is interrupting that path.


Why Cloudflare Under Attack Mode Not Working Is Usually Not a Firewall Problem

When Cloudflare Under Attack Mode is not working, site owners typically check:

  • WAF rules
  • Security Level settings
  • Bot Fight Mode
  • Rate limiting rules
  • Browser cache

None of these fix the problem in most cases.

Because the issue isn’t about how strict your firewall is.

It’s about whether Cloudflare is even in the traffic path.

And that’s controlled by DNS.


The Real Reason Cloudflare Under Attack Mode Is Not Working

If Cloudflare Under Attack Mode is not working, your DNS is likely set to DNS Only (grey cloud) instead of Proxied (orange cloud).

Inside the Cloudflare DNS dashboard, every record has a proxy status:

🟠 Orange Cloud → Proxied (Protected)
⚪ Grey Cloud → DNS Only (Not Protected)

If your main domain is grey clouded, traffic goes directly to your hosting server.

That means:

  • Under Attack Mode does nothing
  • WAF rules do nothing
  • Bot Fight Mode does nothing
  • Rate limiting does nothing

Because Cloudflare never sees the request.

This is the most common reason Cloudflare Under Attack Mode is not working.


How DNS Proxying Controls All Cloudflare Protection

Cloudflare is a reverse proxy.

When proxying is enabled:

User → Cloudflare edge → Your origin server

When proxying is disabled:

User → Your origin server

If traffic bypasses Cloudflare, your security configuration is irrelevant.

This is why a non-working Under Attack Mode is almost always a DNS configuration issue.

You can verify proxying status inside:

Cloudflare Dashboard → DNS


How to Fix Cloudflare Under Attack Mode Not Working

Step 1: Turn the Cloud Orange
  1. Go to Cloudflare Dashboard
  2. Click DNS
  3. Find your main records:
    • A record for @
    • CNAME for www
  4. Click the grey cloud icon
  5. Ensure it turns orange

That’s it.

Now Cloudflare sits in front of your server.


Step 2: Confirm Traffic Is Going Through Cloudflare

After enabling proxy:

Open your site and check response headers.

Look for:

  • cf-ray
  • server: cloudflare
  • cf-cache-status

If you see these headers, traffic is properly routed.

If not, Cloudflare Under Attack Mode is still not working because traffic is bypassing Cloudflare.


Why This Misconfiguration Is Dangerous

If Cloudflare Under Attack Mode is not working due to DNS not being proxied:

  • Your origin IP is exposed
  • Attackers can hit your server directly
  • You are not benefiting from DDoS mitigation
  • Your WAF rules are ineffective

This is especially dangerous for WordPress sites.

For example:

  • /wp-login.php brute force attempts
  • /xmlrpc.php attacks
  • POST floods to forms
  • REST API abuse

If DNS is not proxied, attackers hit your server directly.


Locking Down Your Origin (Critical Security Step)

Even after fixing Under Attack Mode, you must protect your origin server.

Cloudflare publishes the list of its IP ranges.

If you are on VPS or dedicated hosting, allow only Cloudflare IP ranges on ports:

  • 80
  • 443

Block all other traffic.

This ensures attackers cannot bypass Cloudflare even if they know your origin IP.
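
One way to turn the published list into origin firewall rules, as an added example that is not from the original article. It assumes ufw as the host firewall (the article does not name one); SAMPLE_LIST is a constructed excerpt, and parse_cidrs and ufw_commands are hypothetical helper names.

```python
import ipaddress

# Constructed excerpt standing in for the list Cloudflare publishes. In practice
# feed the function the full current list and regenerate when it changes.
SAMPLE_LIST = """\
# constructed excerpt, not the full list
104.16.0.0/13
172.64.0.0/13

2606:4700::/32
"""


def parse_cidrs(text):
    """Validate every non-comment line as a network; raise on anything malformed."""
    networks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid CIDR") from exc
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would re-open the origin to everyone.
            raise ValueError(f"line {lineno}: {entry!r} matches every address")
        networks.append(net)
    if not networks:
        # A failed download must not turn into "deny everything, allow nothing".
        raise ValueError("empty allowlist: refusing to emit rules")
    return networks


def ufw_commands(text, ports=(80, 443)):
    """Emit ufw commands: allow the listed networks on the web ports, then deny the rest."""
    port_list = ",".join(str(p) for p in ports)
    cmds = [f"ufw allow proto tcp from {net} to any port {port_list}"
            for net in parse_cidrs(text)]
    # ufw evaluates rules in order, so the deny goes last. An existing broad rule
    # such as "allow 80/tcp" has to be deleted first or it will still match.
    cmds.append(f"ufw deny proto tcp from any to any port {port_list}")
    return cmds


if __name__ == "__main__":
    print("\n".join(ufw_commands(SAMPLE_LIST)))
```

Review the printed commands before running them on the server, and keep SSH access covered by its own rule.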



Common Variations of the Problem

When Cloudflare Under Attack Mode is not working, it may also be due to:

1. Only WWW Is Proxied

www.example.com → orange
example.com → grey

Attackers hit the root domain directly.

2. Subdomains Not Proxied
  • api.example.com
  • dev.example.com
  • staging.example.com

All grey.

Each one exposes your origin.

3. Temporary Debugging Left DNS Grey

Developers sometimes disable proxy to fix SSL or caching issues — and forget to turn it back on.
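
The checks from Step 2 and from the variations above can be scripted for every hostname in a zone. This is an added example, not code from the original article: the range list is a constructed excerpt of Cloudflare's published ranges, the records and headers are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt of Cloudflare's published ranges, for this example only.
# For a real audit, load the full current list that Cloudflare publishes.
RANGES_EXCERPT = ["104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15", "2606:4700::/32"]

# Constructed sample: hostname -> addresses its A/AAAA records resolve to.
# 203.0.113.10 (documentation range) stands in for the origin server.
SAMPLE_RECORDS = {
    "www.example.com": ["104.16.10.20", "2606:4700::6810:a14"],
    "example.com": ["203.0.113.10"],
    "api.example.com": ["203.0.113.10"],
    "staging.example.com": ["172.64.5.6", "203.0.113.10"],
}

# Constructed sample of response headers as a header dump would show them.
SAMPLE_HEADERS = "HTTP/2 200\nServer: cloudflare\nCF-RAY: 0000000000000000-YYZ\ncf-cache-status: DYNAMIC\n"


def proxy_status(addresses, networks):
    """Classify one hostname from the addresses it resolves to."""
    if not addresses:
        return "unresolved"
    inside = [any(ipaddress.ip_address(a) in n for n in networks) for a in addresses]
    if all(inside):
        return "proxied"
    # "mixed" means at least one record still points straight at the origin.
    return "mixed" if any(inside) else "dns-only"


def audit(records, cidrs):
    """Return {hostname: status}; anything but 'proxied' reaches the origin directly."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    return {host: proxy_status(addrs, networks) for host, addrs in records.items()}


def has_cloudflare_headers(raw):
    """True when the headers include cf-ray and 'server: cloudflare' (case-insensitive)."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return "cf-ray" in headers and headers.get("server") == "cloudflare"


if __name__ == "__main__":
    for host, status in audit(SAMPLE_RECORDS, RANGES_EXCERPT).items():
        print(f"{host:22} {status}")
    print("cloudflare headers:", has_cloudflare_headers(SAMPLE_HEADERS))
```

A header check only covers the hostname that was requested, so run the address audit across every record in the zone, not just www.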


How to Properly Test If Cloudflare Under Attack Mode Is Working

After fixing DNS:

  1. Enable Under Attack Mode
  2. Open site in incognito
  3. Test from mobile data
  4. Check Security → Events inside Cloudflare

Cloudflare Security Events will show:

  • Managed Challenge
  • JS Challenge
  • Block
  • Allow

This is more reliable than visually checking for the interstitial page.


Final Security Checklist

If Cloudflare Under Attack Mode was not working, confirm the following:

✅ DNS records are orange cloud
✅ Headers show cf-ray
✅ Under Attack Mode challenge appears
✅ Origin locked to Cloudflare IP ranges
✅ No exposed grey-cloud subdomains
✅ WAF managed rules enabled

Once DNS is proxied, Cloudflare Under Attack Mode works exactly as intended.


Conclusion

If Cloudflare Under Attack Mode is not working, the problem is rarely propagation, caching, or firewall configuration.

It is almost always DNS not being proxied.

That small cloud icon determines whether your site is protected — or completely exposed.

Security does not start at the firewall.

It starts at DNS.
