Bandwidth Limit Exceeded? How I Used Cloudflare to Block 356,787 Malicious Requests

Bandwidth Limit Exceeded became a serious issue on one of my client’s USA-based news websites. The website focuses on worldwide news content and also accepts guest post publishing. At first, we thought the traffic increase was a good sign. But after checking the server and website analytics, I noticed something unusual.

The hosting bandwidth was being consumed very quickly. We even added 5 GB extra bandwidth, but after a few days, the same issue happened again. The website again showed a bandwidth limit exceeded warning.

At that point, I started investigating the issue.

Bandwidth Limit Exceeded: What I Noticed

During the investigation, I started checking the website traffic and server usage more closely. At first, the website looked healthy because it receives visitors from many countries. Since it is a worldwide news website, high traffic was expected.

But after checking analytics and request logs more deeply, I noticed unusual patterns.

Some countries generated a very large number of requests during the investigation period:

• • Bulgaria: 118,094 requests
  • Vietnam: 111,761 requests
  • China: 102,331 requests
  • USA: 42,120 requests

The USA traffic was expected because the client mainly targets readers and guest post buyers from the USA and other international markets.

However, the request numbers from some countries looked suspicious because the activity was much higher than expected. I also noticed many requests repeatedly targeting media paths such as:

• • /images/
  • /thumbs/
  • /files/

Another thing that caught my attention was the cache percentage. The Cloudflare cache ratio was only around 4%, which meant many requests were directly reaching the hosting server.

At that point, I started thinking that the problem was not only regular website visitors. There was likely a combination of scraper bots, spam traffic, and unnecessary crawler activity consuming resources.

Bandwidth Limit Exceeded: Creating a Fresh Cloudflare Free Account

To solve the problem, I created a fresh Cloudflare Free account and connected the client’s website.

I wanted a setup that could:

• Reduce bad bot traffic
• Protect website bandwidth
• Keep Google indexing safe
• Avoid affecting real users
• Improve caching

I did not want to use aggressive settings because the website depends on search traffic and guest post visibility.

Bandwidth Limit Exceeded: The Rules I Applied

After some testing, I applied multiple Cloudflare settings and custom rules.

Bot Fight Mode Enabled

I enabled Bot Fight Mode to stop common automated bots and suspicious traffic.

Browser Integrity Check Enabled

I enabled Browser Integrity Check to identify suspicious browser headers and requests.

Email Address Obfuscation Enabled

I enabled Email Address Obfuscation to reduce email scraping.

Hotlink Protection Enabled

Hotlink Protection was enabled because some websites can directly use images from another website. This can consume bandwidth without bringing real visitors.

Custom Rule: Challenge Non-Verified Bots

I created a custom rule:

• Condition:
  not cf.client.bot
• Action:
  Managed Challenge

This helps challenge unknown bots while allowing verified bots.

Custom Rule: Protect Media Paths

I created another rule for media folders:

• /images/
• /thumbs/
• /files/

Action:

• Managed Challenge

This helped reduce suspicious requests to media files.

Custom Cache Rule

I created a cache rule for media files:

• Cache eligibility enabled
• Edge TTL: 30 days
• Browser TTL: Respect existing headers

This helped serve images directly from Cloudflare instead of the hosting server.

AI Crawler Controls

I blocked several AI crawlers and unnecessary traffic sources.

Blocked examples:

• GPTBot
• Meta-ExternalAgent
• ByteSpider
• Amazonbot

Allowed:

• Googlebot
• BingBot

Bandwidth Limit Exceeded: What I Did Not Do

I avoided some actions intentionally.

I did not block Googlebot because search indexing is important.

I did not block BingBot because its bandwidth usage was small.

I did not use aggressive rate limiting because the website serves worldwide users.

I also avoided using Under Attack Mode permanently because it can affect real users.

Bandwidth Limit Exceeded: Results After One Month

After keeping the setup active for one month, I checked Cloudflare analytics.

The result surprised me.

Cloudflare blocked or challenged 356,787 malicious requests within one month.

The website also became more stable.

I noticed:

• Better protection against unwanted traffic
• Reduced pressure on the hosting server
• Better control over suspicious requests
• Improved website security
• Lower chances of bandwidth problems

I also started seeing Cloudflare handling many requests before they reached the hosting server.

For more information about Cloudflare security and CDN services, visit Cloudflare.

Conclusion

Bandwidth Limit Exceeded may look like a simple hosting issue, but sometimes the real problem can be hidden bot traffic, scrapers, and unnecessary requests.

In my case, using a fresh Cloudflare Free setup with smart rules and caching made a big difference. Instead of blocking everything, I focused on balancing security and user experience.

If you are facing similar issues on your website and need help with WordPress security, bot protection, malware cleanup, or performance optimization, you can hire me and I will help protect and optimize your website.