Good website protection requires a layered approach. We described the main settings in the "DDoS Protection Setup" article. Implement additional protective measures to minimize the website vulnerability.
Change your IP
An attacker can get your real IP using DNS History and attack it directly. Get a new IP and put it in the Original IP field in the Control panel. Don't mention/publish the IP anywhere else.
Check your DNS records
If you have subdomains or other records that point to the real IP, change them to another IP.
Check your HTML code
Ensure that your HTML code doesn't have references to your real IP.
Set IP access policy
Limit access to your server for all but our subnets and some trusted IPs. We mention ways to set the limits in the "Origin Access Restrictions" article.
Configure your mail service
Configure a separate email server. If you are running your mail server on the same server as your website, an attacker can find your origin server IP.
Restore users' IP addresses
Configure the X-Forwarded-For HTTP header to restore real visitors' IP addresses. Otherwise, you will see requests only from our subnets.
Reduce server load
By default, we protect only IPv4 addresses, so if your website is also available via IPv6 we recommend removing the A record for IPv6 address from your DNS settings or adding protection for it. The IPv6 protection can be added by request. For details, reach us via chat or email to email@example.com.