• Resolved consultant1027

    (@consultant1027)


    For the first time in 10 years I had an attack on my WordPress site, which is pretty PHP script intensive, mainly because it runs on the Divi Framework. The IP wasn’t on any of the blocklists I load on my ConfigServer firewall. I was surprised Wordfence didn’t block it due to abnormally high page requests. Come to find out, by default the Rate Limiting feature settings are set to UNLIMITED!

    I realize these settings could potentially block legit scrapers. I also realize other than the IP addresses for well known scrapers like Google, attackers could spoof their user agent to look like a scraping bot instead of a user.

    The sites I run are for small businesses so they might have at most 10 or 15 visitors on them at a time. Can anyone recommend settings for the Rate Limiting feature that will prevent these Application Layer Denial of Service attacks on WordPress without prematurely blocking legit scraping traffic?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @consultant1027, thanks for getting in touch.

    We do install with some settings that are designed to unintrusively integrate Wordfence into a customer’s site. Adding strict limitations here out of the box without taking into account the site’s size/popularity, whether IP detection is working properly etc. might result in blocks that a customer doesn’t know the reason for and in some cases the administrator themselves being locked out.

    I’m more than happy to suggest some Rate Limiting settings I use. I personally prefer increasing Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule? to days or even months, stopping problematic IPs from retrying too often.

    I usually set these values to start with and adjust if needed [Rate Limiting Screenshot]:

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking with crawlers because any good search engine understands what has happened if it is mistakenly blocked and your site isn’t penalized because of it.

    With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30 minute (or longer) lockout time period. Sometimes loosening this to higher numbers can be helpful for sites that have a high number of user sign-ins like a forum or WooCommerce store.

    Remember there is no hard and fast, one size fits all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules even stricter. If you see visitors, like search engine crawlers getting blocked too often, you might want to loosen them up a little.

    I hope that helps you out!
    Peter.
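
The following is an added example, not Wordfence's code and not part of the reply above: a small Python model of the rate-limiting rules listed there, replayed over constructed log lines. It assumes a simplified log format (IP, ISO timestamp, request line, status, user agent), classifies crawlers with a crude user-agent substring check (which, as the original post notes, is spoofable), counts every log line as one page view, and models both "Throttle" and "Block" as denying the request for the lockout period while recording which action was applied. The thresholds and the 30-minute lockout are the values from the reply; the IPs, user agents and traffic pattern are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-minute thresholds from the reply above, kept per client IP over a
# sliding 60-second window.
LIMITS = {
    "any_requests": 240,   # "If anyone's requests exceed"
    "crawler_views": 120,  # "If a crawler's page views exceed"
    "crawler_404s": 60,    # "If a crawler's pages not found (404s) exceed"
    "human_views": 120,    # "If a human's page views exceed"
    "human_404s": 60,      # "If a human's pages not found (404s) exceed"
}
BLOCK_SECONDS = 30 * 60    # "How long is an IP address blocked when it breaks a rule"

# Simplified log format (constructed for this example, not a real server log):
#   <ip> [<ISO timestamp>] "<method> <path>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict; raise on malformed input."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"ip": m["ip"], "ts": datetime.fromisoformat(m["ts"]),
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def is_crawler(user_agent):
    """Crude UA heuristic (assumption). A UA string can be spoofed, so this only
    chooses which threshold set applies; it is not a trust decision."""
    ua = user_agent.lower()
    return any(marker in ua for marker in ("bot", "crawler", "spider"))


class RateLimiter:
    """Sliding-window hit counter per (ip, rule) with a lockout period.
    action is "throttle" or "block"; both deny requests for block_seconds in
    this model, the returned label records which action the rule applied."""

    def __init__(self, limits=LIMITS, block_seconds=BLOCK_SECONDS,
                 action="throttle", window_seconds=60):
        self.limits = dict(limits)
        self.block = timedelta(seconds=block_seconds)
        self.window = window_seconds
        self.action = action
        self.counters = defaultdict(deque)  # (ip, rule) -> timestamps in window
        self.locked_until = {}              # ip -> datetime
        self.events = []                    # (ts, ip, rule, count) when a rule trips

    def _count(self, key, ts):
        """Record one hit and return the number of hits in the last window."""
        hits = self.counters[key]
        hits.append(ts)
        while hits and (ts - hits[0]).total_seconds() >= self.window:
            hits.popleft()
        return len(hits)

    def handle(self, ip, ts, crawler, status):
        """Return "allowed", or the action applied to a locked-out client."""
        denied = "blocked" if self.action == "block" else "throttled"
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return denied
        kind = "crawler" if crawler else "human"
        checks = [("any_requests", self._count((ip, "any_requests"), ts)),
                  (f"{kind}_views", self._count((ip, f"{kind}_views"), ts))]
        if status == 404:
            checks.append((f"{kind}_404s", self._count((ip, f"{kind}_404s"), ts)))
        for rule, count in checks:
            if count > self.limits[rule]:  # "exceed" means strictly more than the limit
                self.locked_until[ip] = ts + self.block
                self.events.append((ts, ip, rule, count))
                return denied
        return "allowed"


def build_sample_log():
    """Constructed traffic: a browser-like client bursting 130 page views in under
    a minute, a crawler requesting 70 missing pages in under a minute, and the
    browser client returning 31 minutes later (after the lockout has expired)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    human_ua = "Mozilla/5.0 (X11; Linux x86_64)"
    bot_ua = "ExampleBot/1.0 (+https://example.invalid)"
    lines = []
    for i in range(130):
        ts = base + timedelta(milliseconds=450 * i)
        lines.append(f'203.0.113.5 [{ts.isoformat()}] "GET /page/{i}" 200 "{human_ua}"')
    for i in range(70):
        ts = base + timedelta(milliseconds=800 * i)
        lines.append(f'198.51.100.7 [{ts.isoformat()}] "GET /old/{i}" 404 "{bot_ua}"')
    later = base + timedelta(minutes=31)
    lines.append(f'203.0.113.5 [{later.isoformat()}] "GET /" 200 "{human_ua}"')
    return lines


def run(lines, action="throttle"):
    """Replay log lines in time order; return the limiter and per-IP verdict counts."""
    limiter = RateLimiter(action=action)
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        verdict = limiter.handle(r["ip"], r["ts"], is_crawler(r["ua"]), r["status"])
        summary[r["ip"]][verdict] += 1
    return limiter, {ip: dict(v) for ip, v in summary.items()}


if __name__ == "__main__":
    limiter, summary = run(build_sample_log())
    for ts, ip, rule, count in limiter.events:
        print(f"{ts.isoformat()} {ip} tripped {rule} ({count} in the last minute)")
    print(summary)
```

Replaying the constructed traffic, the browser-like client trips the human page-view rule on its 121st request and the crawler trips the crawler 404 rule on its 61st; each is denied for the rest of its burst, and the browser client's request 31 minutes later is allowed again because the 30-minute lockout has lapsed. Lengthening the lockout, as the reply suggests, changes only that last outcome, which is a useful way to check a candidate setting against your own access logs before turning it on.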

    Hi, I have an issue where, no matter what settings I use for blocking, sometimes the block is for just 10 minutes when all is set to block for 2 months, or one month when the block is to do with rate limiting.

    Am I missing a setting somewhere?

    Thanks
