Skip to main content

Understanding MODX Cloud's Web Application Firewall (WAF)

  • Updated

If you've seen a security screen when trying to access a MODX Cloud site, this article explains why that happens and what you can do about it. These measures protect sites from malicious traffic while allowing legitimate visitors through.

What is the WAF?

MODX Cloud uses a server-side Web Application Firewall (WAF) to protect your site from malicious traffic. It automatically filters out harmful bots, scrapers, vulnerability scanners, and other automated threats before they reach your site—with no configuration required from you.

For customers who want additional protection and greater control, Cloud Edge is available as an optional upgrade. Cloud Edge (powered by Cloudflare Enterprise) is managed directly by the MODX Cloud team and provides enhanced WAF capabilities, a content delivery network, and the option to run Cloud Edge in front of the server-side WAF—or to replace it entirely for sites that need more sophisticated, fine-grained control.

[INTERNAL LINK: Adding and Managing Cloud Edge in MODX Cloud]

Why we use a WAF

Modern web traffic includes a large volume of automated activity. According to recent industry research:

  • More than half of all internet traffic now comes from non-human sources—automated traffic accounted for 51% of all web traffic in 2024.[1]
  • Bad bots alone make up 37% of all internet traffic, up from 32% the previous year—marking the sixth consecutive year of growth.[1]
  • Account takeover attacks increased by 40% in 2024.[1]
  • 21% of bot attacks use residential proxies provided by ISPs, allowing bad actors to blend in with genuine user traffic.[2]
  • Non-AI bots generated approximately half of requests to HTML pages in 2025, running 7% above human traffic at times.[3]

Before we deployed the WAF, this kind of traffic caused frequent problems: server slowdowns, outages, increased error rates (502/504 errors), and reduced performance for legitimate visitors. The WAF addresses all of these.

How detection has become harder

Bots have become more sophisticated at evading detection. Common tactics include faking browser identities, using residential IP addresses, routing through VPNs, and adapting behaviour to mimic human patterns. These same techniques are also used by privacy-focused legitimate users, which creates challenges for detection systems.

What visitors might encounter

The majority of visitors—including legitimate users and search engine crawlers—pass through the WAF without any notice.

Browser verification screen

Some visitors may briefly see a verification screen before being redirected to the page they requested. This is a lightweight automated check that typically completes within a couple of seconds, though older browsers and slower mobile connections may take slightly longer.

What visitors see (text is below):

An image of a screen that says: Verifying Your Browser - We're performing a brief security check before loading [site]. This helps protect the site from automated traffic and malicious activity. You'll be redirected to the requested page shortly.

Verifying Your Browser

We're performing a brief security check before loading [site]. This helps protect the site from automated traffic and malicious activity. You'll be redirected to the requested page shortly.

No action is required. If you're not redirected after several seconds, try refreshing the page. If the problem persists, contact MODX Cloud support.

Security verification required (blocked access)

In some cases, a visitor may see a block screen. This happens when the IP address assigned to them has a history of malicious activity—most commonly when using a VPN service, a mobile network, or after a provider has reassigned an IP address previously used by someone else.

What visitors see (text is below)

An image of a screen that displays the following message (complete text follows the image): Security Verification Required...

Security Verification Required

example.com is hosted on a service that includes protection from malicious traffic and automated attacks.

Unfortunately, the IP address you've been assigned was previously used for malicious activity. This can happen when using VPN services, mobile networks, and sometimes when your provider issues you a new IP address.

You haven't done anything wrong. Just email support@modxcloud.com with your IP address or a screenshot of this page, and we'll resolve this right away.

When reported to us, we review each case and can restore access quickly—typically within minutes.

Common questions

Why would a VPN user be blocked?

VPN and proxy services share IP addresses among many users. When an IP address is shared between legitimate and malicious users, our systems may flag it based on its history. If you're blocked while using a VPN, try switching to a different exit node or temporarily disabling it. If you're still blocked, contact support.

What about SEO, site audit, and monitoring tools?

Tools like Screaming Frog, SEMrush, Ahrefs, and uptime monitors can trigger the WAF if they make requests too quickly, create many concurrent connections, or exhibit behaviour that resembles vulnerability scanning.

We've allowlisted many common tools and services, and we can often add others. If you use these tools regularly, we recommend contacting us before running scans to avoid interruptions. See our dedicated guides:

Will this affect my site's SEO?

No. Search engine crawlers from Google, Bing, and other legitimate services pass through the WAF without issues.

What if something critical to my site is blocked?

Contact MODX Cloud support immediately. We can review the situation, allowlist IP addresses where appropriate, and adjust settings for your site's needs.

For site owners

What to tell your visitors

If a visitor contacts you about being blocked or seeing a verification screen:

  • Let them know MODX Cloud includes protection against malicious and automated traffic
  • Explain that this affects only a small number of legitimate users
  • Ask them to email support@modxcloud.com with their IP address or a screenshot of the block screen
  • We can typically resolve it within minutes

Results since deployment

Since launching the enhanced WAF:

  • Traffic has decreased significantly, particularly bot and scraper traffic
  • 502/504 errors have dropped significantly
  • Platform stability and site performance have improved for legitimate visitors

False positives have been rare since launch. When reported, we review each case and can restore access within minutes.

References

[1] Imperva, "2025 Bad Bot Report: The Rapid Rise of Bots and the Unseen Risk for Business," accessed January 22, 2026. https://www.imperva.com/resources/resource-library/reports/2025-bad-bot-report/

[2] Imperva, "2025 Imperva Bad Bot Report: How AI is Supercharging the Bot Threat," April 15, 2025. https://www.imperva.com/blog/2025-imperva-bad-bot-report-how-ai-is-supercharging-the-bot-threat/

[3] David Belson, "Cloudflare 2024 Year in Review," Cloudflare Blog, December 9, 2024. https://blog.cloudflare.com/radar-2024-year-in-review/

Related articles