Rate limiting on wordpress - does not work

Hello everyone,

I have problems configuring rate-limiting for wordpress.
I’ve already tried several configurations, also found some topics on this forum but none of them resolve the matter.

I have a wordpress website and I would like to rate-limit the login page.
To do this I use the ‘protect my login’ option with the URL: " */wp-login.php"

However, this does not work and gives 0 activity.
I have also tried adding my domain (www.website.nl/wp-login.php) both with and without www or https. I have tried adding * before and * after but I keep getting 0 on this.

Should I use a different page compared to wp-login? I have also tried wp-admin with same results.
Question: How to rate limit your wp-login page in wordpress

I don’t use rate limiting on the wp-login.php page because it is not that useful in my opinion.

What I do is block the wp-login.php from everyone except me by whitelisting my IP.

If you are interested then add this to your firewall rules and set it to block:

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin" and not http.request.uri.path contains "/wp-admin/admin-ajax.php")

What this rule does is block access to the wp-login.php page and also the whole wp-admin panel, but not the admin-ajax.php under /wp-admin, because it is used by plugins etc. for functions.

Then whitelist your IP in the “Tools” section in Firewall.

And rate limiting is used for DDoS attacks; you can read about this here: Configuring Cloudflare Rate Limiting – Cloudflare Help Center


Hi user8383,

Would this not also block out users from their accounts?
As this is an e-commerce store, people also log in to their accounts to find previous orders etc.
Simply blocking it would therefore not work, if I am not mistaken?

I have already blocked the page from several countries, but therefore I thought activating rate limiting would help.

Well, blocking countries does help a bit but is not bulletproof.
You should definitely block China, North Korea, Unknown states, other entities or organizations, Tor, and Syria (I’m not racist or anything, simply China can’t be monetized with AdSense and most of the attacks including DDoS come from China. Tor can also be blocked since nobody would buy from an ecommerce with Tor.)

(ip.geoip.country in {"T1" "XX" "CN" "KP" "SY"})

Then if you are running an ecommerce, the best thing you can do with no cost is to use the WP security plugin WordFence, or NinjaFirewall for advanced users. Remember to use only 1 security plugin.
Also make sure that Bot Fight Mode is activated and use the security level “High”.

And yes, this rule does block everyone except the whitelisted IPs in your CF account; I thought you had a blog.

The problem with rate limiting is that it costs money, and if you don’t pay attention you can get a really high bill. Anyway, sure, you can use rate limiting to limit the requests on /wp-login.php, but it doesn’t solve the problem.

For WordFence, check this tutorial from Scott.

I really hope I helped you in some way, let me know!
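An added example, not from this thread and not Cloudflare's own code: a small Python model of the two firewall expressions quoted in the replies above (the wp-login/wp-admin block with its admin-ajax.php exception, and the country block), combined with the IP allowlist from Firewall > Tools as the replies describe it. The sample IPs, the allowlisted address and the `decide` precedence are constructed assumptions so the edge cases can be checked offline; Cloudflare evaluates its own rules language at the edge.

```python
# Added example: model of the thread's Cloudflare firewall logic, not real Cloudflare code.
from dataclasses import dataclass

# Constructed placeholder for "my IP" from the reply (documentation range 203.0.113.0/24).
ALLOWLIST = {"203.0.113.10"}
# Country codes from the thread's rule: T1 = Tor, XX = unknown, then CN, KP, SY.
BLOCKED_COUNTRIES = {"T1", "XX", "CN", "KP", "SY"}


@dataclass
class Request:
    path: str      # stands in for http.request.uri.path
    ip: str        # stands in for ip.src
    country: str   # stands in for ip.geoip.country


def wp_admin_rule(path: str) -> bool:
    """Mirror of: (path contains "/wp-login.php") or
    (path contains "/wp-admin" and not path contains "/wp-admin/admin-ajax.php").
    True means the rule matches and the request would be blocked."""
    return "/wp-login.php" in path or (
        "/wp-admin" in path and "/wp-admin/admin-ajax.php" not in path
    )


def country_rule(country: str) -> bool:
    """Mirror of: ip.geoip.country in {"T1" "XX" "CN" "KP" "SY"}."""
    return country in BLOCKED_COUNTRIES


def decide(req: Request) -> str:
    """Return "allow" or "block". Assumption (as the reply describes it): an IP
    allowlisted under Tools is exempt, so the owner is not locked out by the block."""
    if req.ip in ALLOWLIST:
        return "allow"
    if wp_admin_rule(req.path) or country_rule(req.country):
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.5 is a non-allowlisted visitor.
    for r in (
        Request("/wp-login.php", "198.51.100.5", "NL"),
        Request("/wp-admin/admin-ajax.php", "198.51.100.5", "NL"),
        Request("/wp-login.php", "203.0.113.10", "NL"),
        Request("/shop/", "198.51.100.5", "T1"),
    ):
        print(f"{r.country} {r.ip} {r.path}: {decide(r)}")
```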
