The Traffic Rate Limiting feature is a part of the Traffic Watch module. It helps you to put a stop to bots and visitors that abuse your website and your hosting resources.
Traffic rate limiting is where you restrict the number of requests a single visitor can make against your site, within a certain period of time.
Important: Use this feature with care. You could block legitimate visitors who load too many pages in quick succession on your site.
There are 2 important factors in Rate Limiting your WordPress site:
- How many requests are allowed in the time period.
- How long a time period will you count the number of requests.
The options available are as follows:
- Max Request Limit
This is the maximum number of requests that are allowed within the given request time limit.
Any visitor that exceeds this number of requests in the given time period will register an offense against their IP address.
Enough offenses will result in a ban of the IP address.
Important: Use a larger maximum request limit to reduce the risk of blocking legitimate visitors.
- Request Limit Time Interval
This is the time period within which to monitor for multiple requests that exceed the max request limit.
Interval is measured in seconds.
Important: Use a smaller interval to reduce the risk of blocking legitimate visitors.
How does the Traffic Rate Limiting feature work?
Let’s take the example where you limit to 10 requests within 60 seconds:
When a visitor loads a page on your site, attempts a login, or posts a comment, this will start a counter in the rate limiting system.
If they make another request, perhaps browse to another blog post, they’ll add 1 more request to that counter. If they continue to load pages and they reach 11 requests within a 60 seconds, they’ll trigger Shield’s defenses and an offense will be recorded against their IP address. This is best seen in the audit trail:
If they make a further request, still within the same 60 seconds, the offense limit will be incremented, again:
As always with Shield, when the number of offenses marked against an IP address reaches your threshold, the IP address will be blocked entirely from accessing the site.
So, with rate limiting activated, any visitors/bots that continue to send too many requests to your site, will be blacklisted.
Audit trail will show this (e.g. offense limit is 6):
Note: You can review your site traffic with the Traffic Watch Viewer.
There are a few things to bear in mind when you’re rate limiting your traffic.
- Ensure your visitor IP address source is correct
If Shield can’t detect the correct visitor IP address, this will cause lots of trouble, even before you try to limit traffic. You can’t properly rate limit traffic unless you’re sure Shield has the correct IP address for each visitor. Go to General Settings => IP Source and ensure that the visitor IP address source is correct.
- Rate limiting the WordPress API
If your WordPress site uses the WP REST API extensively, consider excluding the API from your Traffic Logging (and your rate limiting). Or, if you’re confident with how it works and what sort of API usage you expect or want to allow, Shield’s Rate Limiting feature will be highly effective in throttling REST API access.
- Start by being generous
If you’re unsure of how your traffic really looks, set your rate limiting options more generously than you might at-first think. To do this, you would set your ‘Max Request Limit’ higher and your ‘Time Interval’ lower. Doing both or either of these will reduce the chances that legitimate visitors don’t get blocked.
- Don’t forget about AJAX
AJAX requests, particularly in the WordPress admin areas can be quite frequent. Some plugin use AJAX on the frontend also, so your visitors might more requests to your site than you realise.
To learn more about Traffic Rate Limiting feature, read our blog article here.