How to prevent bot attacks and DDoS threats using Cloudflare?

1.

I recommend enabling proxying for A and CNAME DNS records.

2.

I recommend hiding the origin server's real IP address and blocking direct connections to it, allowing incoming traffic only from Cloudflare's IP ranges.
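
As an added illustration of this step (example code, not part of the original post or of any Cloudflare tool), the snippet below shows the two origin-side checks that go together: rendering an nftables allowlist so only Cloudflare ranges can reach ports 80/443, and trusting the CF-Connecting-IP header only when the TCP peer really is Cloudflare. The IP ranges embedded here are a constructed sample; the live list is published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and should be refreshed from there.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample of Cloudflare proxy ranges for this example only.
# In production, load the current list from https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 and regenerate the firewall rules.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2400:cb00::/32")
]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr falls inside one of the known Cloudflare proxy ranges."""
    ip = ipaddress.ip_address(addr)
    # Comparing an IPv4 address against an IPv6 network is simply False, so
    # mixed-version lists are safe here.
    return any(ip in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the visitor IP the origin should log and rate-limit, or None to reject.

    CF-Connecting-IP is only meaningful when the connection came through
    Cloudflare; from any other peer the header can be forged to dodge IP-based
    controls, so direct connections are rejected outright.
    """
    if not is_cloudflare_ip(peer_addr):
        return None  # direct hit on the origin, bypassing the proxy
    forwarded = {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip")
    if forwarded is None:
        return None  # proxied traffic always carries the header; treat absence as suspect
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        return None  # malformed value: do not let it reach logs or rate-limit keys


def nft_allowlist(ports=(80, 443)) -> str:
    """Render an nftables fragment that accepts HTTP(S) only from Cloudflare ranges."""
    v4 = ", ".join(str(n) for n in CLOUDFLARE_RANGES if n.version == 4)
    v6 = ", ".join(str(n) for n in CLOUDFLARE_RANGES if n.version == 6)
    port_set = ", ".join(str(p) for p in ports)
    return (
        "table inet cf_only {\n"
        f"  set cf_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}\n"
        f"  set cf_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        f"    tcp dport {{ {port_set} }} ip saddr @cf_v4 accept\n"
        f"    tcp dport {{ {port_set} }} ip6 saddr @cf_v6 accept\n"
        f"    tcp dport {{ {port_set} }} drop\n"
        "  }\n"
        "}\n"
    )
```

The rendered fragment can be loaded with `nft -f`; the `client_ip` check belongs in the web server or application layer behind it.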

3.

In the «Security» → «Overview» section in Cloudflare, I recommend temporarily enabling «I’m Under Attack Mode».
This will add JavaScript challenges for all new visitors.

4.

In the «Security» → «WAF» → «Rate Limiting» section, I recommend creating a rule that limits the number of requests per minute from a single IP or subnet.
For example: «If a single IP sends more than 100 requests within 1 minute, block it or issue a CAPTCHA challenge».

5.

In the «WAF» → «Managed Rulesets» section, I recommend enabling the OWASP Core ruleset.

6.

I recommend creating custom rules to filter traffic based on several criteria: IP address, geolocation, User-Agent, HTTP method, URI path, etc.
For example:
6.1) Block or issue a CAPTCHA for all requests from countries where your company does not operate.
6.2) Block requests with certain suspicious User-Agent strings.
6.3) Restrict access to the administrative URLs of the online store to a list of allowed IPs.

7.

I recommend enabling «Bot Fight Mode» (in the «Bots» section).

8.

Cloudflare has an additional «Bot Management» feature on the Pro, Business, and Enterprise plans.

8.1.

When the «Bot Management» feature is available, Cloudflare analyzes user behavior, headers, browser data, etc., to distinguish real browsers from bots.

8.2.

Based on reports (Bot Analytics), I recommend creating custom rules: for example, if Bot Score < 30, issue a «JS Challenge» or «Block».