Back to Playbook
infrastructure

Cloudflare Recovery Guide

Hardening your edge network, DNS, and domain registry to prevent catastrophic infrastructure takeover.

Why Cloudflare Security is Non-Negotiable

Cloudflare is often the 'front door' for your digital presence. It manages your DNS, your domain registration, and your SSL certificates. A compromise of a Cloudflare account isn't just about data loss; it's about infrastructure hijacking. An attacker with access to your Cloudflare account can redirect your traffic, intercept sensitive data via Man-in-the-Middle (MITM) attacks, and effectively "disappear" your entire online existence in minutes.

1. Hardening Your Account

Mandatory Hardware MFA

Given the criticality of DNS, you should never use SMS or even a basic TOTP app for Cloudflare if you can avoid it. Cloudflare has robust support for FIDO2 Security Keys (YubiKey, Google Titan). Strategy: Require a physical security key for every login. This eliminates the risk of phishing, which is the primary vector for infrastructure attacks.

Action: Go to your Cloudflare Profile and enable Security Keys.

Domain Locking & Registry Security

If you use Cloudflare as your domain registrar, you must enable Domain Locking. This prevents unauthorized "transfers" where an attacker tries to move your domain to another registrar they control. For enterprise-level security, Cloudflare offers "Custom Registry Locking," which requires multiple human-verified approvals for any change to the domain's status.

API Token Scoping (Least Privilege)

Many developers use Cloudflare API keys to automate DNS or SSL management. A common mistake is using a "Global API Key" which has total control over the account. The Rule: Use Scoped API Tokens. If a script only needs to update one DNS record, create a token that only has permission for that specific record. If that token is leaked, the attacker cannot take over the entire account.

2. Recovery Preparation

Offline Recovery Codes

Cloudflare provides a set of recovery codes. These are your only backup if your hardware key is lost or fails. The Strategy: Treat these as a physical asset. Print them and store them in a fireproof safe. Do not store them on your computer or in a cloud-synced notes app.

Verified Recovery Email

Ensure the email address associated with your Cloudflare account is even more secure than the Cloudflare account itself. Ideally, this should be a hardware-secured account on a provider like Proton or a hardened Gmail account.

3. Monitoring for Anomalies

Security is a process of constant vigilance.

  • Enable Audit Logs: Cloudflare tracks every change made to your account. Periodically review these logs for any unrecognized IP addresses or modifications.
  • Login Alerts: Ensure you receive immediate email notifications for every login attempt, successful or otherwise.

For more information on the underlying principles, see our articles on MFA Fundamentals and Password Security.

Why This Matters

The Importance of MFA

Multi-Factor Authentication (MFA) is your strongest defense against account takeover. Even if a physical or digital attacker obtains your password, MFA provides a critical second layer of defense that is much harder to bypass. Learn more about MFA best practices.

Unique, Strong Passwords

Never reuse passwords across different services. If one service is breached, every other account using that same password becomes vulnerable to "credential stuffing" attacks. Every online service should have its own unique, long, and complex password managed by a reputable password manager. Learn why unique passwords are critical.

Need Help?

These guides are community-sourced. If you find an error or a platform has updated its interface, please let us know.