100% Free & Open Source

Network Rate Limiter

Progressive, time-aware rate limiting for WordPress. Stop brute force attacks, API abuse, and bot traffic while allowing legitimate users and search engines.

[Screenshot: admin interface preview]

Protection

What this plugin stops

Brute Force Login Attacks
Stops attackers from trying unlimited password combinations at high speed against your WordPress login.
XML-RPC Abuse
Prevents spam bots and attackers from overwhelming your XML-RPC interface with malicious requests.
REST API Flooding
Protects your WordPress REST API from being hammered by automated scripts causing performance issues.
Server Resource Exhaustion
Prevents rapid-fire requests from consuming all server resources and causing downtime or degraded performance.

Features

Enterprise-grade protection, completely free

Built with production environments in mind, featuring sophisticated rate limiting algorithms and intelligent bot detection.

Smart Request Monitoring

Automatically protects wp-login.php, xmlrpc.php, admin-ajax.php, and wp-json/* endpoints

Progressive Enforcement

First violations get short blocks (2 min), repeat offenses get exponentially longer blocks (up to 60 min)

Intelligent Exemptions

Automatically allows legitimate Google/Bing crawlers, verified by reverse DNS plus a confirming forward DNS lookup rather than by user agent alone

Time-Aware Limits

Enforces stricter limits during busy daytime hours, relaxes them at night

Multisite Support

Network-wide defaults with per-site overrides for WordPress Multisite installations

Redis/Memcached Support

Production-ready: request counters are incremented atomically in Redis or Memcached, so concurrent PHP workers on a high-traffic site cannot race each other and undercount

Technical Overview

Sophisticated two-bucket counting system

Sliding Window Algorithm

Uses two overlapping 1-minute buckets (current and previous) to approximate a sliding window. This prevents the "reset spike" problem where attackers could send bursts of requests right after a fixed window resets.

Progressive Penalties

  • First offense: 2-minute block
  • Second offense: 4-minute block (2 × 2¹)
  • Third offense: 8-minute block (2 × 2²)
  • Continues doubling up to maximum of 60 minutes
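The two-bucket sliding window and the progressive penalty schedule described above, as an added worked model in Python (this is not the plugin's PHP code; the weighting of the previous bucket by the unelapsed fraction of the current minute is the standard approximation and is assumed here, as are the sample client addresses). It also contrasts the sliding estimate with a naive fixed window to show the "reset spike" the page warns about:

```python
from collections import defaultdict

WINDOW = 60        # seconds per counting bucket (the page's 1-minute buckets)
BASE_BLOCK = 120   # first offense: 2 minutes
MAX_BLOCK = 3600   # blocks double per repeat offense, capped at 60 minutes

def block_seconds(offense_number):
    """Progressive penalty from the page: 2 min x 2^(n-1), capped at 60 min."""
    return min(BASE_BLOCK * 2 ** (offense_number - 1), MAX_BLOCK)

class SlidingWindowLimiter:
    """Two-bucket sliding-window approximation with progressive blocks.

    Counts live under (client, bucket_index) keys; in production these would be
    INCR'd atomically in Redis/Memcached with a TTL of 2*WINDOW. Here they are
    plain dicts so the example runs offline (assumption for this example).
    """
    def __init__(self, limit):
        self.limit = limit                    # allowed requests per window
        self.counts = defaultdict(int)        # (client, bucket_index) -> hits
        self.offenses = defaultdict(int)      # client -> number of blocks issued
        self.blocked_until = {}               # client -> time the block expires

    def estimated_count(self, client, now):
        """Weight the previous bucket by how much of the current minute is left."""
        idx = int(now // WINDOW)
        remaining = 1.0 - (now % WINDOW) / WINDOW
        return self.counts[(client, idx - 1)] * remaining + self.counts[(client, idx)]

    def check(self, client, now):
        """Return True if the request is allowed, False if limited or blocked."""
        if now < self.blocked_until.get(client, 0):
            return False
        if self.estimated_count(client, now) >= self.limit:
            self.offenses[client] += 1
            self.blocked_until[client] = now + block_seconds(self.offenses[client])
            return False
        self.counts[(client, int(now // WINDOW))] += 1
        return True

def fixed_window_allowed(counts, client, now, limit):
    """Naive fixed-window counter, shown only to expose the reset spike."""
    key = (client, int(now // WINDOW))
    if counts[key] >= limit:
        return False
    counts[key] += 1
    return True

def reset_spike_demo(limit=10):
    """Burst of `limit` requests at t=59s, then another burst one second later."""
    ip = "203.0.113.7"                         # constructed sample client
    timeline = [59.0] * limit + [60.0] * limit
    fixed = defaultdict(int)
    fixed_ok = sum(fixed_window_allowed(fixed, ip, t, limit) for t in timeline)
    sliding = SlidingWindowLimiter(limit)
    sliding_ok = sum(sliding.check(ip, t) for t in timeline)
    return fixed_ok, sliding_ok                # fixed lets 20 through, sliding 10

def progressive_demo(limit=10):
    """Repeat offender: burst, wait out the block, burst again; record block lengths."""
    ip = "198.51.100.23"                       # constructed sample client
    lim = SlidingWindowLimiter(limit)
    durations, t = [], 0.0
    for _ in range(6):
        for _ in range(limit + 1):             # one request past the limit triggers a block
            lim.check(ip, t)
        durations.append(lim.blocked_until[ip] - t)
        t = lim.blocked_until[ip] + 2 * WINDOW  # block over and both buckets aged out
    return durations                           # [120, 240, 480, 960, 1920, 3600]

if __name__ == "__main__":
    print(reset_spike_demo(), progressive_demo())
```

The fixed window admits twice the limit in two seconds because the counter resets at the minute boundary; the two-bucket estimate still sees the full previous-minute burst at t=60 and issues the first 2-minute block. Note that blocked requests are not counted toward the buckets here, so a client that keeps hammering during a block is not re-penalised until the block expires and it exceeds the limit again.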

Verified Bot Checking

A request is exempted only if all three checks pass: the user agent contains a known bot identifier, the reverse DNS (PTR) name of the client IP ends with an expected domain (e.g., .googlebot.com), and a forward lookup of that name resolves back to the same IP. The forward lookup matters because anyone who controls the reverse zone for their own address space can publish a PTR record that looks like a Google hostname; only Google's own forward zone will map that name back to the real crawler address. Verification results are cached for 7 days so the two lookups are not repeated on every request.
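The three-step bot verification with a 7-day result cache, as an added Python model that is not the plugin's own code. DNS is replaced by an offline fake resolver with constructed sample records so the example runs without network access; the user-agent tokens and the rDNS suffixes (beyond the page's .googlebot.com) are assumptions for this example, and a real implementation would use socket.gethostbyaddr and socket.gethostbyname_ex (or PHP's gethostbyaddr/gethostbynamel) in place of the fake:

```python
CACHE_TTL = 7 * 24 * 3600   # the page: verification results are cached for 7 days

# Assumed mapping from a user-agent token to the rDNS suffixes that vouch for it.
# The page names .googlebot.com; the other entries are assumptions for this example.
BOT_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

class FakeResolver:
    """Offline stand-in for PTR and A lookups; all records are constructed samples."""
    def __init__(self, ptr, forward):
        self.ptr, self.forward = ptr, forward
        self.lookups = 0                      # counts DNS queries to show the cache working

    def reverse(self, ip):
        self.lookups += 1
        return self.ptr.get(ip)

    def forward_addrs(self, host):
        self.lookups += 1
        return self.forward.get(host, [])

def verify_ip(ip, resolver, cache, now):
    """Return the verified rDNS suffix for ip, or None; memoised for CACHE_TTL.

    Keyed by IP only: the DNS facts about an address do not depend on which
    user agent a given request claims, so the cheap UA check stays per-request.
    """
    entry = cache.get(ip)
    if entry is not None and now - entry[1] < CACHE_TTL:
        return entry[0]
    verified = None
    host = resolver.reverse(ip)               # step 2: PTR lookup
    if host:
        host = host.lower().rstrip(".")
        for suffixes in BOT_DOMAINS.values():
            match = next((s for s in suffixes if host.endswith(s)), None)
            # step 3: the name must resolve forward to the very same address
            if match and ip in resolver.forward_addrs(host):
                verified = match
                break
    cache[ip] = (verified, now)
    return verified

def is_verified_bot(ip, user_agent, resolver, cache, now):
    """Exempt only when UA token, rDNS suffix and forward lookup all agree."""
    ua = user_agent.lower()
    token = next((t for t in BOT_DOMAINS if t in ua), None)   # step 1: UA claim
    if token is None:
        return False                          # no bot claim, so no DNS work at all
    suffix = verify_ip(ip, resolver, cache, now)
    return suffix is not None and suffix in BOT_DOMAINS[token]

# Constructed sample records (not real DNS data).
RESOLVER = FakeResolver(
    ptr={
        "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # genuine crawler shape
        "203.0.113.9": "crawl-66-249-66-1.googlebot.com",   # attacker-controlled PTR copying Google's name
        "198.51.100.4": "scanner.example.net",               # bot UA, unrelated rDNS
    },
    forward={"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]},
)
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    cache = {}
    t = 1_700_000_000
    genuine = is_verified_bot("66.249.66.1", UA, RESOLVER, cache, t)
    spoofed_ptr = is_verified_bot("203.0.113.9", UA, RESOLVER, cache, t)
    wrong_ptr = is_verified_bot("198.51.100.4", UA, RESOLVER, cache, t)
    before = RESOLVER.lookups
    is_verified_bot("66.249.66.1", UA, RESOLVER, cache, t + 3600)   # an hour later: cache hit
    served_from_cache = RESOLVER.lookups == before
    return genuine, spoofed_ptr, wrong_ptr, served_from_cache     # (True, False, False, True)

if __name__ == "__main__":
    print(demo())
```

The second sample address is the case the forward lookup exists for: its PTR record is a convincing Google hostname, but that hostname resolves to 66.249.66.1, not to 203.0.113.9, so it is rate limited like any other client. A negative result is cached for the same 7 days as a positive one, which keeps a flood of fake-Googlebot requests from turning into a flood of DNS queries.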

Installation

Easy setup as a must-use plugin

  1. Download from GitHub

     Clone or download the repository from github.com/fuzzywalrus/wordpress-rate-limiter

  2. Place in mu-plugins directory

     Copy the plugin file to wp-content/mu-plugins/netrl.php

  3. Configure settings

     Access Settings → Rate Limiter in WordPress admin to configure thresholds, allowlists, and monitoring

Requirements

What you need

Minimum Requirements

  • WordPress 5.8+
  • PHP 7.4+

Recommended

  • Redis or Memcached
  • Persistent object cache

Ready to protect your WordPress site?

Join developers using Network Rate Limiter to stop attacks and keep their sites secure.