• Is there a reason to have a maximum of 500 requests in the firewall setting? I have a problem on one website where people sometimes get blocked (with the standard 120 requests/min). I don’t know if 500 would be better, so I disabled rate limiting for this site. There is a plugin which loads a bigger size of small images, so I think this could be the reason. Wordfence for example uses settings like 480/960/1920/unlimited, but Vigilant has 500 max.

    Are these the same requests you see in the developer settings of your browser? Many sites have hundreds of requests on load, so what would be a good overall setting?

Viewing 1 replies (of 1 total)
  • Plugin Author Fernando Tellado (@fernandot)

    Hi again @pdjp 🙂

    Very good question, again, and the Wordfence comparison is exactly the root of the confusion, so let me clear that up.

    The numbers aren’t comparable. Vigilant’s rate limit counts only PHP requests that load WordPress (pages, admin-ajax.php, REST API, wp-login.php) from a single IP. It does not count the static assets you see in your browser’s Network tab (CSS, JS, fonts, images), because your web server delivers those without booting WordPress. A page that shows 80 requests in the browser usually counts as just 1–2 against the rate limit. Wordfence’s 480/960/1920 count differently (and segment humans vs crawlers vs 404s), so matching the raw number is misleading. Their “unlimited” is really “rate limiting off”.

    Why you’re getting blocked at 120/min: that almost always means a plugin is loading content through PHP on the fly, via admin-ajax.php or the REST API. If your image plugin pipes each thumbnail through PHP instead of serving a direct URL, one page load can rack up dozens of PHP hits. That’s the first thing to check.

    About the 500 max: it isn’t an arbitrary cap, it’s a deliberate ceiling. 500 PHP requests per minute from a single IP is a lot. Normal human traffic never reaches it; whatever does is usually a bot, which is exactly what the rate limit is meant to catch.

    So instead of disabling rate limiting (which leaves you with no protection at all), I’d suggest:

    • See whether that image plugin can serve images as direct URLs / static files instead of through PHP. That fixes the cause.
    • If it can’t, raise the limit to 240–480 rather than turning it off. That still protects you while giving the plugin room.
    • If it’s only you or a known service hitting the cap, whitelist that IP in the firewall settings (logged-in admins are already exempt automatically).

    Good overall values: 120/min is fine for most sites; WooCommerce / membership / AJAX-heavy sites are comfortable at 240–480.

    One thing your question made clear: the setting doesn’t explain any of this in the UI. I’ll add a short description to that field in the next release so it’s obvious what counts as a request. Thanks for the feedback 😉
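To check the reply's first suggestion (is a plugin piping content through PHP on the fly?), here is an added example that is not part of this thread or of the Vigilant plugin: it parses constructed access-log lines, counts only WordPress-booting requests per IP per minute the way the reply describes (static assets are skipped), and lists the IPs that would exceed a given limit, honouring a whitelist. The `STATIC_EXT` set, the log format and the limit logic are my assumptions, not the plugin's implementation.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache/nginx "combined" format (documentation
# IPs, not real traffic). 203.0.113.7 loads one page with its static assets plus
# an admin-ajax and a REST call; 198.51.100.9 repeatedly POSTs to wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/themes/t/style.css HTTP/1.1" 200 811
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 3042
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-json/wp/v2/posts?per_page=3 HTTP/1.1" 200 4100
198.51.100.9 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2000
198.51.100.9 - - [10/Jun/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2000
198.51.100.9 - - [10/Jun/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2000
198.51.100.9 - - [10/Jun/2024:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2000
"""

# ip, timestamp truncated to the minute, method, path
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d+/\w+/\d+:\d+:\d+):\d+ [^\]]+\] "(\S+) (\S+) [^"]*"')
# Extensions the web server delivers directly, without booting WordPress (assumed list).
STATIC_EXT = {"css", "js", "png", "jpg", "jpeg", "gif", "svg", "webp", "woff", "woff2", "ico", "map"}

def boots_wordpress(path: str) -> bool:
    """True if the request goes through PHP/WordPress, i.e. what the limiter counts."""
    path = path.split("?", 1)[0]                      # drop the query string
    last = path.rsplit("/", 1)[-1]                    # final path segment
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    return ext not in STATIC_EXT

def php_hits_per_minute(log_text: str) -> Counter:
    """Count WordPress-booting requests per (ip, minute); static assets are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip malformed lines
        ip, minute, _method, path = m.groups()
        if boots_wordpress(path):
            counts[(ip, minute)] += 1
    return counts

def over_limit(counts: Counter, limit: int, whitelist=()) -> list:
    """(ip, minute, hits) for non-whitelisted IPs that exceed the per-minute limit."""
    return sorted((ip, minute, n) for (ip, minute), n in counts.items()
                  if n > limit and ip not in whitelist)

if __name__ == "__main__":
    counts = php_hits_per_minute(SAMPLE_LOG)
    for (ip, minute), n in sorted(counts.items()):
        print(f"{ip} {minute}: {n} PHP requests")
    print("would be blocked at 2/min:", over_limit(counts, 2))
```

Run it against a real log with the site's actual limit (120 or 240) to see whether a single page view from one visitor produces dozens of admin-ajax.php or REST hits, which is the symptom the reply describes.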
