DEV Community

Boris Kl

Lighthouse Gave My Site 100/100. The Site Was Down.

Yesterday I ran PageSpeed Insights on a site I manage. Performance: 100/100. Green circle, confetti, the works.

One problem: the screenshot in the report showed a Cloudflare block page — "Sorry, you have been blocked."

Lighthouse didn't measure my site. It measured the error page my WAF served to Google's crawler. And error pages are, of course, blazing fast.

How this happens

If you put Cloudflare in front of a site and turn the security dial up (Bot Fight Mode, aggressive WAF rules, country blocks), you'll eventually block more than bots:

  • PageSpeed Insights / Lighthouse — measures a block page, reports nonsense
  • Uptime monitors — see HTTP 403 with a 200-ish body, or vice versa, and lie to you either way
  • Google's crawler itself — and that one quietly costs you rankings

The nasty part is the silence. Nothing looks broken from your own browser, because you're whitelisted by your own cookies, IP reputation, or login session. The tools just start telling you fairy tales.

The five-minute audit

  1. Open Cloudflare → Security → Events. Filter the last 7 days. Look at what's actually being challenged or blocked — you'll usually find a legit service in there within a minute.
  2. Check the user agents: Chrome-Lighthouse, GoogleOther, Googlebot, your uptime checker. If they show up here, that traffic never reached your site.
  3. Verify bots properly: Cloudflare has a "Verified Bots" category — allow it instead of hand-maintaining user-agent allowlists (user agents are trivially faked; verified-bot checks aren't).
  4. Re-run your measurement and look at the rendered screenshot, not just the score. The screenshot is the only part of a Lighthouse report that can't lie to you.

Rules I now follow

  • Never trust a perfect score. 100/100 on a real WordPress/commerce site is a smell, not an achievement. Real sites have real images and real JavaScript.
  • Check the screenshot first, score second.
  • After every WAF change, re-test from outside: different network, curl with a Googlebot UA, or just PageSpeed Insights — and read the Events log after.
  • Monitoring that runs behind your own allowlist isn't monitoring. It's a mirror.
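
An added example, not from the original post, of the outside-in re-test described in the rules above: fetch the page with several user agents and judge the response by its body, not only its status code. The script name, the `MARKER` argument (a string you know appears only on your real page) and the two extra block-page phrases are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Usage: ./waf-check.sh URL MARKER
# MARKER: a string that appears only on the real page (hypothetical parameter).

# Block-page wording: the first phrase is quoted in the post; the other two are
# assumed titles of Cloudflare block/challenge pages. Adjust for your WAF.
BLOCK_RE='you have been blocked|attention required|just a moment'

# classify CODE BODY_FILE MARKER -> prints a verdict, returns 0 only for "ok"
classify() {
  code=$1; body=$2; marker=$3
  # Body first: a block page is a block page whatever status code carries it.
  if grep -qiE "$BLOCK_RE" "$body"; then echo "blocked"; return 1; fi
  case $code in
    2??) ;;
    *) echo "http-$code"; return 1 ;;
  esac
  # A fast 2xx without the expected content is still not your site.
  if ! grep -qF -- "$marker" "$body"; then echo "marker-missing"; return 1; fi
  echo "ok"
}

# probe URL USER_AGENT MARKER -> fetches once, prints "USER_AGENT verdict"
probe() {
  rc=0
  tmp=$(mktemp)
  http=$(curl -sS -o "$tmp" -w '%{http_code}' -A "$2" --max-time 15 "$1") || http=000
  verdict=$(classify "$http" "$tmp" "$3") || rc=1
  rm -f "$tmp"
  printf '%-18s %s\n' "$2" "$verdict"
  return $rc
}

# Runs only when called with arguments, so the functions can be sourced and tested.
if [ "$#" -ge 2 ]; then
  failed=0
  # Short UA tokens named in the post, not the full strings the real tools send.
  for ua in "Mozilla/5.0" "Chrome-Lighthouse" "GoogleOther" "Googlebot"; do
    probe "$1" "$ua" "$2" || failed=1
  done
  exit "$failed"
fi
```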

Cloudflare is still the best free thing that ever happened to small sites — I run my own production behind it and it has eaten real attack waves for breakfast. But a security layer you configured and never audited is just a random traffic filter with good branding.

Five minutes in the Events log. That's the whole tip.
