Rate limit wordpress

When I log in, Cloudflare is very different. I want to put a rate limit on the website so that only so many queries can be made, and if it is exceeded, it will be blocked and put on a permanent block list in Cloudflare. I don't know if that can be done. I am on the free Cloudflare plan.

No Cloudflare automated protections do permanent IP address blocks to be on the safe side. To permanently block someone you need to add their IP address to the WAF yourself.

We automate for our application by using scripting on our back end to detect/count what we determine is unwanted behaviour reaching the origins and then use the Cloudflare API to update a list which in turn is used in a WAF challenge rule.


@sjr In my case, I am not a tech guy, but I want to include some rules to protect against large amounts of queries being sent to the server and avoid issues. For example, if some IP is making a lot of queries to the website, automatically stop or block it and then include that IP in the block list. I am open to seeing how I can do that.

What we do…

Our 403/404 pages log every IP address that causes the error.

If the request is clearly from a scanning bot (/wp-, .env, /admin, and other scanned pages), then it is blocked immediately.
Also, if there are more than 10 403/404s in an hour, then the IP also goes on the blocklist.

On the triggering hit, the IP address is put in a queue to use this Cloudflare API endpoint to update the list…

(Queueing is necessary due to this being an asynchronous command)

IP addresses in the list are removed after a week.

The list is used in a WAF rule (`ip.src in $list_name`) to challenge rather than block. A little safer in case a real human triggers it somehow, but we’ve never had a successful challenge answer against this list.

IPs are removed from the list after 7 days.

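The detection, queueing and expiry steps described in the post above, sketched in Python as an added example (it is not sjr's code and not part of the thread). The class, function and constant names are assumptions, and `push` stands in for whatever client calls the Cloudflare list-update endpoint, which the thread does not show.

```python
from collections import defaultdict, deque

SCANNER_MARKERS = ("/wp-", ".env", "/admin")  # probes named in the post; tune per site
ERROR_LIMIT = 10              # more than 10 403/404s ...
WINDOW = 3600                 # ... in one hour (seconds)
LIST_TTL = 7 * 24 * 3600      # entries leave the list after 7 days

class Blocklist:
    def __init__(self):
        self.errors = defaultdict(deque)  # ip -> times of recent 403/404s
        self.listed = {}                  # ip -> time it went on the list
        self.queue = deque()              # pending (action, ip) list updates

    def record(self, ip, path, status, now):
        """Feed one origin response; return why the IP was listed, else None."""
        if status not in (403, 404) or ip in self.listed:
            return None
        hits = self.errors[ip]
        hits.append(now)
        while hits[0] <= now - WINDOW:    # drop errors older than the window
            hits.popleft()
        if any(m in path for m in SCANNER_MARKERS):
            reason = "scanner-path"
        elif len(hits) > ERROR_LIMIT:
            reason = "error-rate"
        else:
            return None
        self.listed[ip] = now
        self.queue.append(("add", ip))
        del self.errors[ip]
        return reason

    def expire(self, now):
        """Queue removal of every IP that has been listed for 7 days."""
        old = [ip for ip, t in self.listed.items() if now - t >= LIST_TTL]
        for ip in old:
            del self.listed[ip]
            self.queue.append(("remove", ip))
        return old

    def drain(self, push):
        """Send queued updates one at a time; a failed push stays queued."""
        sent = 0
        while self.queue:
            push(*self.queue[0])          # push is your own API client (assumed)
            self.queue.popleft()
            sent += 1
        return sent

# Constructed sample events: (ip, path, status, seconds since start)
SAMPLE = [("203.0.113.9", "/.env", 404, 0), ("198.51.100.7", "/about", 200, 5)]
SAMPLE += [("198.51.100.7", f"/missing-{i}", 404, 10 + i) for i in range(11)]
```

On a WordPress origin, narrow the `/wp-` marker: legitimate assets live under paths such as `/wp-content/`, so a single broken link there would otherwise list a real visitor.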

@sjr Do you use a free account or a paid one?

The most complex version is running on an enterprise account, but I have a simpler version protecting my free accounts. Main difference is you can only have 1 list (although still 10,000 items) instead of 10 lists per account, and fewer WAF rules so you have to be a little clever in combining rules.

The lists are buried in the dashboard; go to Manage Account, Configurations to find them.

@sjr Well, if you take pity on me and can share that information to help me, I would appreciate it. =)
