As website owners, we want to make our sites as accessible as possible to the right people. Unfortunately, there’s an inverse trade-off between strict security measures and the possibility of blocking real visitors. For example, I’d recently written a post on rate-limiting on Cloudflare, where we stop spammers from hammering our server with costly requests. But if a regular visitor were to accidentally trigger a rate-limiting rule, they would be locked out.
Fortunately, I’ve started using the “JS Challenge” tool to block visitors now. And it’s working great!
JS Challenge instead of Blocks
For a long time, I used to outright block requests to certain URLs. For example, I disable any access to PHP files from an outside server. Similarly, I used to block all “JSON” requests because I didn’t want any bots accessing details on my WordPress installation.
The problem with blocking JSON requests is that it prevents me from updating my WordPress posts! So every time I wanted to change something, I’d have to log into the Cloudflare firewall and disable the JSON rule, and then remember to re-enable it after I’m done. The same problem goes for disabling access to PHP files. Almost all WordPress admin work requires you to access PHP files.
That’s when I figured out that the “JS Challenge” system is much easier.
What is a JS Challenge?
When you enable a JS Challenge on Cloudflare instead of blocking, your visitor will see the following page for a few minutes:

For a real visitor, it’s not a big deal. After all, they’re not just viewing a page, but submitting a comment, or doing some serious work, which is why they need access to protected URLs in the first place. Bots should have no business accessing these pages either.
This page presents an expensive JS challenge when someone visits this page – humans and bots alike. And bots don’t have time for this – if they’re even capable of solving JavaScript, to begin with. For all the time I’ve tested this service, I haven’t seen even a single bot solve the Cloudflare JS Challenge. And the few human visitors that see it, are more than happy to wait a few seconds. Particularly if that human visitor is me!
How Effective is the JS Challenge?
Here’s a screenshot of my firewall rules that I set up for accessing PHP files that require a JS Challenge:

As you can see, the firewall has issued a challenge 523 times, and not one of them has been solved. So this means that all bots were blocked.
Further down, you can see that 97 challenges were issued for PHP file requests, and only one challenge was solved – and that was me. I’ve configured it so that my verification lasts for two hours. I’m usually done working on my site by then, so it’s fine. Though you can change this interval to be even longer if you want.
JS Challenges are Better than Captchas
One of the security measures that really annoys me is CAPTCHAS. They’re becoming so difficult to solve, that I often get them wrong, or break a sweat worrying about every little square that might or might not contain an image. To make matters worse, Cloudflare CAPTCHAS require you to solve two screens one after the other! It’s all a bit much.
While CAPTCHAS are a sure-shot way of stopping bots in their tracks, they’re incredibly annoying for human users. So I’m very happy to have found a JS Challenge solution that’s still fantastic for bots but barely registers on the annoyance factor for human visitors. The best of both worlds!

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
Leave a Reply