Network Rate Limiter

Progressive, time-aware rate limiting for WordPress. Stop brute force attacks, API abuse, and bot traffic.

Installation

From GitHub

  1. Download the latest release from GitHub
  2. Upload to wp-content/plugins/
  3. Activate through the WordPress admin

Note: This plugin is completely free and open source. No license key required.

How It Works

Network Rate Limiter uses a progressive enforcement strategy that gets stricter as request patterns become more suspicious.

Progressive Enforcement Levels

Level 1: Monitor

Normal traffic patterns. No restrictions applied, just monitoring.

Level 2: Warning

Slightly elevated request rate. Headers added to responses warning of rate limit proximity.

Level 3: Throttle

High request rate detected. Responses delayed progressively (1-3 seconds).

Level 4: Block

Abuse threshold exceeded. Requests blocked with 429 status code for 15 minutes.

Time-Aware Protection

The plugin tracks request patterns over multiple time windows to identify both rapid bursts and sustained attacks:

  • 1-minute window: Catches rapid-fire attacks
  • 5-minute window: Identifies sustained abuse
  • 15-minute window: Detects low-and-slow attacks

Configuration

Access settings at Settings → Rate Limiter

Request Thresholds

Warning Threshold: Requests per minute before warning (default: 60)
Throttle Threshold: Requests per minute before throttling (default: 120)
Block Threshold: Requests per minute before blocking (default: 240)
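The progressive levels, the three time windows and the default thresholds above, worked through as an added Python example that is not the plugin's own code: a per-IP sliding-window counter that returns the enforcement level, the throttle delay and the window that triggered it. The fractions applied to the 5- and 15-minute windows are an assumption made here, since the page only states per-minute thresholds.

```python
from collections import deque

# Plugin defaults quoted on this page: per-minute thresholds and a 15-minute block.
THRESHOLDS = {"warning": 60, "throttle": 120, "block": 240}
BLOCK_SECONDS = 15 * 60
LEVELS = ["monitor", "warning", "throttle", "block"]
# window name -> (length in seconds, fraction of the per-minute threshold that counts
# as sustained abuse over that window). The fractions are an assumption made here so
# that the longer windows can catch rates the 1-minute window alone lets through.
WINDOWS = {"1-minute": (60, 1.0), "5-minute": (300, 0.75), "15-minute": (900, 0.5)}


class ProgressiveLimiter:
    """Per-IP sliding-window counter evaluated over all three windows."""

    def __init__(self, thresholds=THRESHOLDS, windows=WINDOWS):
        self.thresholds, self.windows = thresholds, windows
        self.hits = {}      # ip -> deque of request timestamps in seconds
        self.blocked = {}   # ip -> time at which the current block expires

    def decide(self, ip, now):
        """Record one request at `now`; return (level, delay_seconds, window)."""
        if now < self.blocked.get(ip, 0):
            return "block", 0.0, None       # still blocked; the hit is not counted
        self.blocked.pop(ip, None)
        q = self.hits.setdefault(ip, deque())
        q.append(now)
        longest = max(seconds for seconds, _ in self.windows.values())
        while q[0] <= now - longest:
            q.popleft()                     # forget hits older than the longest window
        level, delay, window = "monitor", 0.0, None
        for name, (seconds, factor) in self.windows.items():
            count = sum(1 for t in q if t > now - seconds)
            scale = seconds / 60 * factor   # per-minute threshold -> this window
            for candidate in ("block", "throttle", "warning"):
                limit = self.thresholds[candidate] * scale
                if count < limit:
                    continue
                if LEVELS.index(candidate) > LEVELS.index(level):
                    level, window = candidate, name
                    if candidate == "throttle":
                        # 1 s at the throttle threshold, rising to 3 s at the block threshold
                        span = self.thresholds["block"] * scale - limit
                        delay = 1.0 + 2.0 * min(1.0, (count - limit) / span)
                break                       # candidates are ordered most severe first
        if level == "block":
            self.blocked[ip] = now + BLOCK_SECONDS
            delay = 0.0
        return level, delay, window
```

A burst of five requests per second walks through warning, throttle and block on the 1-minute window, while a steady 40 requests per minute stays under every per-minute threshold and is only caught by the 15-minute window.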

Protected Endpoints

Choose which parts of your site to protect:

  • Login (wp-login.php): Recommended - prevents brute force
  • Admin (wp-admin): Protects dashboard access
  • REST API: Prevents API abuse
  • XML-RPC: Blocks XML-RPC attacks
  • All requests: Site-wide protection

Whitelist/Blacklist

IP Whitelist: IPs that bypass all rate limiting
IP Blacklist: IPs that are permanently blocked
Tip: Add your own IP to the whitelist during testing

Multisite Support

Network Rate Limiter fully supports WordPress Multisite with network-wide and per-site configuration options.

Network Activation

When network-activated, you can configure:

  • Network-wide defaults: Applied to all sites
  • Per-site overrides: Individual sites can customize thresholds
  • Shared blacklist: Block IPs across the entire network
  • Centralized monitoring: View stats for all sites

Performance Note: Multisite uses a shared request tracking table for better performance across the network.

Verified Bot Detection

The plugin automatically allows verified bots from major search engines and services to bypass rate limiting.

Verified Bot List

Search Engines:
  • Googlebot
  • Bingbot
  • DuckDuckBot
Services:
  • Pingdom
  • UptimeRobot
  • New Relic

Security: The plugin verifies bot claims by reverse DNS lookup to prevent spoofing.

Monitoring

Monitor rate limiting activity in real-time through the WordPress admin dashboard.

Dashboard Widget

View at a glance:

  • Active blocks and throttles
  • Top offending IPs
  • Request volume trends
  • Protection level distribution

Activity Log

Access at Settings → Rate Limiter → Activity

View detailed logs of all rate limiting events including timestamps, IPs, enforcement actions, and request details.

Troubleshooting

Locked out of admin?

If you accidentally lock yourself out, you can disable the plugin via FTP:

  1. Connect to your site via FTP
  2. Navigate to wp-content/plugins/
  3. Rename the wordpress-rate-limiter folder
  4. Access your admin and adjust settings
  5. Rename the folder back to re-enable

False positives?

  • Add legitimate user/bot IPs to whitelist
  • Increase thresholds if traffic patterns require it
  • Disable protection for specific endpoints
  • Review activity log to identify patterns

Performance concerns?

  • Plugin uses efficient database queries with proper indexing
  • Old tracking data is automatically purged after 30 days
  • Consider object caching for high-traffic sites
  • Protect only critical endpoints to reduce overhead

Need Help?

Found a bug or have a feature request? Open an issue on GitHub.