Rate limiting
Rate limiting is a strategy to constrain how often an action can be repeated within a certain timeframe. The implementation of rate limiting can help to prevent some forms of malicious bot activity and to reduce strain on web servers.
For both WordPress and Node.js environments on the VIP Platform, rate limiting is in place at the edge to prevent some crawlers (e.g. Screaming Frog) from causing potential performance issues. This rate limit is global and is not customizable. Customers can prevent crawlers from exceeding the rate limit by reducing the crawl rate to 10 requests per second or less.
XML-RPC rate limiting
Rate limiting is in place at the edge to protect the XML-RPC endpoint (/xmlrpc.php) for all WordPress sites. If requests from an IP address to a site's XML-RPC endpoint exceed the threshold of 10 requests per 30 seconds, a one-hour block timeout will be enforced for that IP address.
Background log processing that triggers the blocking action can add a slight delay before the block is enforced.
This rate limit is global and not customizable per application.
Login rate limiting
Rate limiting is in place for requests that are made to a WordPress site's login endpoint (/wp-login.php). The login rate limiting thresholds (e.g. 5 failed attempts within 5 minutes) help to protect against brute-force and automated login attempts.
The underlying code in VIP MU plugins that protects the login endpoint tracks the rate of incoming requests for either:
- An IP address
- A username
- Or an IP address + username combination
If a user receives the warning message "You have exceeded the login limit. Please wait a few minutes and try again." after they attempt to log in to a site, a lockout is in place. The user will be unable to log in to the site until either the lockout time has expired or the lockout has been cleared.
Clear a lockout for a locked out user
Prerequisite
VIP-CLI is installed and has been updated to the most current version.
When a login rate limit threshold has been exceeded, a lockout value is set in the vip_login_limit cache group for either the IP address, username, or IP address + username combination that exceeded the limit.
The lockout value is stored in one of three possible key formats:
- locked_<IP_ADDRESS_OF_USER> (e.g. locked_1.2.3.4)
- locked_<USERNAME> (e.g. locked_exampleuser)
- locked_<IP_ADDRESS_OF_USER>|<USERNAME> (e.g. locked_1.2.3.4|exampleuser)
To clear the lockout:
1. Collect the username and IP address of the locked out user. A user can retrieve their IP address by visiting WordPress.com's "whatismyip".
2. Structure the three possible key formats based on the user's supplied username and IP address.
3. Retrieve the lockout value from one of the three possible key formats in the vip_login_limit cache group. Use VIP-CLI to run the WP-CLI command wp cache get <key> vip_login_limit, where <key> is replaced with a key format with the user's information.
If the WP-CLI command returns an error, the lockout value is not stored in that key. Run the WP-CLI command for a different key format until the command returns a value of 1, which confirms that the lockout value has been found.
$ vip @example-app.production -- wp cache get locked_exampleuser vip_login_limit
===================================
+ command: wp cache get locked_exampleuser vip_login_limit
===================================
✔ Are you sure you want to run this command on PRODUCTION for site example-app? (y/N) · true
1
4. Clear the lockout value from the vip_login_limit cache group. Use VIP-CLI to run the WP-CLI command wp cache delete <key> vip_login_limit, where <key> is replaced with the key storing the lockout value confirmed in Step 3.
$ vip @example-app.production -- wp cache delete locked_exampleuser vip_login_limit
===================================
+ command: wp cache delete locked_exampleuser vip_login_limit
===================================
✔ Are you sure you want to run this command on PRODUCTION for site example-app? (y/N) · true
Success: Object deleted.
Multisite
To clear a lockout for a user locked out of a network site on a multisite environment, the WP-CLI commands must target that specific site. Use the --url parameter to target the site by domain (e.g. --url=example.com). If a network site is not targeted by the WP-CLI command, the command will be run against the main site, typically ID 1.
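The lookup-and-clear procedure above, including the multisite --url case, as an added shell script. This script is not part of the VIP documentation or of VIP-CLI; it only wraps the wp cache get and wp cache delete commands shown above and tries the three documented key formats in order. It assumes that VIP-CLI is installed and logged in, that the value 1 is the last line of standard output when a key is present (the VIP-CLI banner lines precede it), and that wp cache get exits non-zero when the key is absent. The VIP_RUNNER variable is this script's own device (not a VIP-CLI feature): it names the command used to run VIP-CLI, defaults to vip, and can be pointed at a stand-in so the key selection logic can be exercised without a VIP account. On a production environment VIP-CLI will still ask for the confirmation shown in the transcripts above.

```shell
#!/bin/sh
# Added example, not VIP documentation or VIP-CLI code: find and clear a
# login-rate-limit lockout by trying the three documented key formats in the
# vip_login_limit cache group.
#
# Assumptions (see the lead-in): VIP-CLI is installed and logged in; "1" is the
# last stdout line when a key is set; an absent key makes `wp cache get` exit
# non-zero. VIP_RUNNER is this script's own knob for the VIP-CLI command name.
VIP_RUNNER="${VIP_RUNNER:-vip}"

# run_wp <app.env> <site-url-or-empty> <wp args...>
# Runs one WP-CLI command through VIP-CLI, adding --url= for a multisite
# network site so the command does not silently hit the main site.
run_wp() {
    app_env="$1"; shift
    site_url="$1"; shift
    if [ -n "$site_url" ]; then
        "$VIP_RUNNER" "@${app_env}" -- wp "$@" --url="$site_url"
    else
        "$VIP_RUNNER" "@${app_env}" -- wp "$@"
    fi
}

# find_lockout_key <app.env> <username> <ip> [site-url]
# Prints the key that holds the lockout value (1) and returns 0; returns 1
# when none of the three key formats is set.
find_lockout_key() {
    app_env="$1"; user="$2"; ip="$3"; site_url="${4:-}"
    # The three documented formats, quoted so a username containing a space
    # is still passed as a single key.
    for key in "locked_${ip}" "locked_${user}" "locked_${ip}|${user}"; do
        value="$(run_wp "$app_env" "$site_url" cache get "$key" vip_login_limit 2>/dev/null | tail -n 1)"
        if [ "$value" = "1" ]; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# clear_lockout <app.env> <username> <ip> [site-url]
# Deletes the lockout key if one is found. Returns 0 on deletion, 1 when no
# lockout exists for that user/IP, 2 when the delete command failed.
clear_lockout() {
    app_env="$1"; user="$2"; ip="$3"; site_url="${4:-}"
    key="$(find_lockout_key "$app_env" "$user" "$ip" "$site_url")" || {
        echo "No lockout found for user '${user}' from ${ip}." >&2
        return 1
    }
    if run_wp "$app_env" "$site_url" cache delete "$key" vip_login_limit >/dev/null; then
        echo "Cleared lockout key ${key}."
        return 0
    fi
    echo "Failed to delete ${key}." >&2
    return 2
}

# Usage: sh clear-lockout.sh <app.env> <username> <ip> [site-url]
# e.g.   sh clear-lockout.sh example-app.production exampleuser 1.2.3.4 example.com
if [ "$#" -ge 3 ]; then
    clear_lockout "$@"
fi
```

The script stops at the first key that returns 1, so it deletes exactly the key that Step 3 of the manual procedure would have identified; if a user is locked out under more than one format, run it again until it reports no lockout.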
Note
Frequent user lockouts can occur if a site is behind a reverse proxy that is not correctly configured to send the original IP address of the end user in an HTTP header.
Modify the number of failed login attempts that are allowed
Use the VIP MU plugin filters wpcom_vip_ip_login_threshold and wpcom_vip_ip_username_login_threshold to modify the number of failed login attempts that are allowed.
The custom code that uses these filters should be added to a file located within /client-mu-plugins.
For IP address
Modify the number of failed login attempts allowed for an IP address with the wpcom_vip_ip_login_threshold filter. In this code example, the threshold limit for failed login attempts is set to 10:
add_filter( 'wpcom_vip_ip_login_threshold', function() {
return 10;
} );
IP address + username combination
Modify the number of failed login attempts to allow for an IP address + username combination with the wpcom_vip_ip_username_login_threshold filter. In this code example, the threshold limit is set to 1 for the number of failed login attempts by the usernames exampleuserone and exampleusertwo:
add_filter( 'wpcom_vip_ip_username_login_threshold', function( $threshold, $ip, $username ) {
if ( 'exampleuserone' === $username || 'exampleusertwo' === $username ) {
$threshold = 1;
}
return $threshold;
}, 10, 3 );
Last updated: June 19, 2025