Recomended config cloudflare to prevent DDos Attacks?

if you are under huge attack turn on "im under attack mode", for firewall rules block/captcha vps providers like ovh,digitalocean, liteserver, aws, china, russia, germany, us etc that prevent L7 attacks if your on free plan elsewise cloudflare handles most L3/4 attacks (theres a tab for it in the firewall)
use a vps in most cases to host your site cus theres panel login links/mail headers that leaks backend server
you could set only cf ips could access ur site using some htaccess code (turn on ip geo location in the network tab in dashboard)
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]