Need advice on if VPN or something needed for security purposes

Like SE56 mentioned, CF is great at blocking security threats. Just disable caching on your Plex subdomain (as well as Rocket Loader and Browser Integrity Check).

If you don’t wanna use CF, you can step up your game and set up a reverse proxy and implement a WAF (Web Application Firewall) and CSP (Content Security Policy).