Foundgrove
← All posts

SEO · 8 min read

Cloudflare and SEO: What Helps, What Blocks Googlebot

Summary

Cloudflare speeds your site up and can quietly challenge Googlebot at the same time. Here is the settings-by-setting keep, kill, or audit list.

By Hyder Shah, Founder & CEO · Published July 13, 2026 · Updated July 13, 2026

Cloudflare sits in front of a huge share of US service-business websites. It usually got installed once, by a developer who has since moved on, and nobody has opened the dashboard since. It is free, it is fast, and nobody audits it.

That is fine right up until the day a security toggle starts serving a challenge page to Googlebot. From your browser the site looks perfect. In Search Console, impressions fall off a cliff and nobody can explain why.

Here is the settings-by-setting verdict, plus the check that tells you what Googlebot is actually receiving at the edge.

Does Cloudflare help or hurt your SEO?

Cloudflare helps by default and hurts only when someone flips a security toggle without understanding it. Out of the box you get edge caching, TLS and modern transport protocols, which cut server response time for users and for crawlers. Nothing about that is a ranking risk.

Speed matters, but keep it in proportion. Google states plainly that Core Web Vitals are used by its ranking systems, while also saying there is no single signal for page experience and that Search will still show the most relevant content even when page experience is sub-par. The current thresholds are an LCP of 2.5 seconds or less, an INP of 200ms or less and a CLS of 0.1 or less, measured at the 75th percentile of real page loads.

So a CDN nudges a supporting signal. What it can do is far more violent in the other direction: a misconfigured edge does not lower your rankings, it removes your pages from the index entirely. The upside is measured in milliseconds. The downside is measured in lost pages.

Which Cloudflare settings should stay on, and which should go?

Six settings account for essentially all of Cloudflare's SEO impact. Three are safe to leave alone forever, three deserve a decision.

SettingWhere it livesVerdictWhy
Caching and Tiered CacheCachingKeep onLower time to first byte for users and crawlers. No crawler downside.
TLS, Brotli, HTTP/3SSL/TLS and NetworkKeep onTransport-level only. Nothing here for a crawler to trip over.
Bot Fight ModeSecurity, bot trafficTurn offCannot be skipped with WAF rules, and forces JavaScript Detections on.
Super Bot Fight ModeSecurity, bot trafficAuditRuns on the Ruleset Engine, so you can write Skip rules for crawlers.
Rocket LoaderSpeed, optimizationTurn offDefers all of your JavaScript until after render.
Under Attack modeZone overviewEmergency onlyServes a JavaScript interstitial to every visitor, crawlers included.

Verdict: keep Cloudflare, kill Bot Fight Mode and Rocket Loader. The CDN and TLS layers earn their place. Those two toggles are where service-business sites lose indexation, and neither one is buying a plumbing company or a law firm meaningful protection. If you want the whole edge reviewed alongside your crawl and index data, that is exactly what a technical SEO audit is for.

Is Bot Fight Mode challenging Googlebot right now?

Possibly, and you cannot fix it with a rule. Cloudflare's own documentation says Bot Fight Mode cannot be customized, adjusted, or reconfigured via WAF custom rules, because it does not run on the Ruleset Engine. Skip, Bypass and Allow actions have no effect on it. You cannot allowlist your way out. You can only turn it off.

What it does when it fires is issue computationally expensive challenges that force the client to run CPU-intensive calculations. Cloudflare also notes it may challenge API or mobile app traffic. It automatically enables JavaScript Detections, which cannot be disabled while Bot Fight Mode is on.

Cloudflare maintains a Verified bots list, and search engine crawlers such as Googlebot and Bingbot are on it. Verified bots have historically been excluded from default bot configurations. That is a good safety net, but it is a safety net, not a guarantee: verification depends on the bot identifying itself honestly through Web Bot Auth, a published IP list with a stable user agent, or reverse DNS. If the request does not resolve cleanly, it is not verified.

For a service business with a brochure site and a contact form, Bot Fight Mode protects almost nothing and puts your crawl budget in a coin flip. Turn it off. If you genuinely have a scraping problem, use Super Bot Fight Mode instead, because it runs on the Ruleset Engine and does support Skip rules.

How do you check whether your WAF is serving a challenge page to a crawler?

Four checks, none of which involve your own browser. That is the whole trap here: a challenge page is invisible from a normal browser session, because your browser passes the challenge in under a second and you never see it.

  • Search Console URL Inspection, live test. Run the live test, then open the rendered HTML and screenshot. If you see a challenge interstitial or a block page instead of your content, the edge is stopping Google.
  • Search Console Crawl stats. Filter by response. A wall of non-200 responses where you used to see 200s is the fingerprint of an edge rule, not a CMS problem.
  • Cloudflare Security Events. Cloudflare labels challenged requests in the Service field, so filter for Bot Fight Mode and look for source IPs that reverse-resolve to googlebot.com.
  • Reverse-DNS the IPs you find. Google's method is a reverse DNS lookup that must resolve to googlebot.com, google.com or googleusercontent.com, then a forward lookup back to the same IP.

The last check is the one people skip. Faking a Googlebot user agent with curl from your laptop proves nothing, because Cloudflare does not verify crawlers by user-agent string. Google publishes the verification method and the IP ranges as JSON files. Match the IPs in your security events against those, and you know for certain whether a real Google crawler got challenged.

This is the same order of operations we use in any technical SEO audit for a service business: confirm what the crawler receives before touching content.

Does Rocket Loader break anything Google needs to see?

It can, and the reason is right in Cloudflare's description. Rocket Loader works by deferring the loading of all of your JavaScript until after rendering. All of it, inline and external, rewritten and re-ordered by the edge.

Cloudflare is candid about the cost: Rocket Loader uses non-standard tags that fail strict HTML validation, and its own docs tell you that if you see JavaScript or jQuery issues, disable Rocket Loader and retest. It also breaks Content Security Policy headers unless you update them.

The SEO risk is not theoretical. If any part of your page depends on JavaScript to appear, main content, internal links, structured data injected client-side, then rewriting how and when that JavaScript runs is a rendering change you did not test. The fix is boring: turn Rocket Loader off and solve speed at the source instead, with proper script loading and a build that ships less JavaScript. Our Core Web Vitals guide covers what that looks like when you do it properly.

One exception: if you are on an old WordPress build that no plugin can save, Rocket Loader can be a genuine crutch. Keep it only if you have verified the rendered HTML in Search Console still contains your content and your links.

What does 'Under Attack' mode do to your rankings?

It serves an interstitial page to every visitor and requires JavaScript to pass it. Cloudflare describes Under Attack mode as one of the last resorts when a zone is under attack, and states it will temporarily pause access to your site and impact your analytics. The Checking your browser interstitial decides whether to block or allow within five seconds.

Five seconds of interstitial, on every request, sitting between the crawler and your content. If it stays on for days, you are not showing Google a slow site. You are showing Google a site with no content on it.

Use it during an actual attack, then turn it off the moment the attack ends. If you need standing protection on one part of the site, apply it selectively with a configuration rule scoped to a path such as /admin, which Cloudflare documents, rather than putting the whole zone behind an interstitial.

Should you let Cloudflare block AI crawlers?

This is now a decision with a deadline, and most site owners have not noticed it. Cloudflare's docs state that on September 15, 2026 it will set updated defaults for new domains: bots classified as Training or Agent will be blocked on pages that display ads, while Search stays allowed. Customers can opt out of the new defaults before that date.

The part that should make you sit up is the next sentence in the same doc: mixed-purpose crawlers that combine Search and Training will be blocked by all configurations that block AI training, including the legacy Block AI bots option. Cloudflare separates bot behavior into Search, Agent and Training presets, each with block on all pages, block on ad pages, or allow.

Our stance is straightforward. If your business depends on being found, do not block Search or Agent crawlers. Those are the surfaces answering your customers' questions today, and an AI assistant that cannot fetch your page cannot cite your page. Blocking Training is a defensible business decision, but understand you may take mixed-purpose crawlers down with it. Read the presets, choose deliberately, and write the decision down somewhere your next developer will find it. That is the same argument we make for treating GEO as part of the core SEO program rather than a separate line item.

Whatever you choose, choose it. A default you never looked at is not a strategy.

What should you do this week?

Log in, check six toggles, run one live test in Search Console. That is a thirty-minute job and it is the highest-leverage half hour available to most service-business sites, because it protects everything else you spend money on. Content and links are worthless on a page a crawler cannot reach.

If you would rather not touch the dashboard yourself, our technical SEO service covers exactly this: the edge configuration, the crawl and render path, and the fixes ranked by what is actually costing you indexed pages. Get my free audit and we will tell you what Googlebot is seeing through your CDN right now.

Where does this fit in your stack?

If you're running a US service business, the playbook in this post pairs with our full services lineup and applies cleanly across our supported industries and US locations. If you want help implementing it, book a free strategy call — we'll review your current setup and prioritize the next three moves.

For the deeper engagement details, see our SEO service. New to the terminology here? Our SEO & marketing glossary defines every acronym in this post.

What are the most common questions about this topic?

Common questions readers send us about this topic.

Does Cloudflare improve Core Web Vitals?

It can improve time to first byte and load time by serving cached assets from an edge location near the user, which supports LCP. It does not fix a bloated page. Google's thresholds are an LCP of 2.5 seconds or less, an INP of 200ms or less and a CLS of 0.1 or less, measured at the 75th percentile of real page loads. A CDN helps with the first of those and does almost nothing for the other two.

Can Cloudflare's firewall block Googlebot?

Yes. A WAF custom rule, an IP access rule, a country block or a rate limit can all challenge or block a crawler, and the challenge page is invisible from a normal browser. Cloudflare maintains a Verified bots list that has historically been excluded from default bot configurations, which covers Googlebot in most setups, but a rule you wrote yourself can still catch it. Check Security Events for challenged requests from Google IP ranges.

Is Bot Fight Mode safe to leave on?

We would not leave it on. Cloudflare's docs say Bot Fight Mode cannot be customized or reconfigured via WAF custom rules, and that Skip, Bypass and Allow actions have no effect because it does not run on the Ruleset Engine. It issues computationally expensive challenges and may challenge API or mobile traffic. If you need bot protection with exceptions, Super Bot Fight Mode runs on the Ruleset Engine and supports Skip rules.

How do I test what Googlebot sees through Cloudflare?

Use Search Console URL Inspection, run a live test, and look at the rendered HTML and the screenshot. If a challenge or block page appears instead of your content, the edge is stopping Google. Then cross-check Crawl stats for a rise in non-200 responses, and Cloudflare Security Events for challenged requests. Spoofing a Googlebot user agent with curl proves nothing, because Cloudflare verifies crawlers by IP and reverse DNS, not by user-agent string.

Should I turn off Rocket Loader for SEO?

In most cases yes. Cloudflare says Rocket Loader defers the loading of all of your JavaScript until after rendering, and that it uses non-standard tags which fail strict HTML validation. Any page that depends on JavaScript for its main content, internal links or client-side structured data is now rendering in a way you have not tested. Fix speed at the source instead: ship less JavaScript and load what remains correctly.

Does a CDN change my server response time for Googlebot?

Yes, for cached responses. Googlebot crawls from Google's own infrastructure, and an edge cache hit returns from the nearest Cloudflare data center instead of your origin server, which cuts time to first byte. Uncached HTML still hits your origin, so a slow database or an overloaded host is still slow. A CDN in front of a slow origin gives you a fast cache and a slow site.

Should I block GPTBot and other AI crawlers at the edge?

Not if you want to be found. Cloudflare now splits AI bots into Search, Agent and Training behaviours with separate block settings. Blocking Search or Agent crawlers means AI assistants cannot fetch your pages, and a page that cannot be fetched cannot be cited. Blocking Training is a defensible business call, but Cloudflare's docs note that mixed-purpose crawlers doing both Search and Training get blocked by every AI-training block setting.

About the author

Hyder Shah

Founder & CEO, Foundgrove

Hyder Shah is the founder of Foundgrove, an SEO and GEO agency for US service businesses. See our editorial policy for how these guides are researched and reviewed.

Related reading

Other tactical pieces from the Foundgrove blog.

Want help applying this to your business?

Book a free 30-minute call. We'll review your current acquisition stack and show you the three highest-leverage moves for your industry and state. Or read how our SEO service works.

Free SEO & AI visibility auditGet my free audit