Rate limiting

Rate limiting is a strategy to constrain how often an action can be repeated within a certain timeframe. The implementation of rate limiting can help to prevent some forms of malicious bot activity and to reduce strain on web servers.

For both WordPress and Node.js environments on the VIP Platform, rate limiting is in place at the edge to prevent some crawlers (e.g. Screaming Frog) from causing potential performance issues. This rate limit is global and is not customizable. Customers can prevent crawlers from exceeding the rate limit by reducing the crawl rate to 10 requests per second or less.

XML-RPC rate limiting

Rate limiting is in place at the edge to protect the XML-RPC (/xmlrpc.php) endpoint for all WordPress sites. If requests from an IP address to a site’s XML-RPC exceed the threshold of 10 requests per 30 seconds, a one-hour block timeout will be enforced for that IP address.

Background log processing that triggers the blocking action can add a slight delay before the block is enforced.

This rate limit is global and not customizable per application.
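
The following added example, which is not VIP Platform code, replays access-log entries against the XML-RPC threshold described above to show which client IPs would be blocked and for how long. The log line format, the sliding-window counting, and immediate enforcement of the block are assumptions; the page does not describe how the edge counts requests, and it notes that enforcement can lag slightly.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds stated on this page for /xmlrpc.php.
LIMIT = 10                      # requests allowed per window
WINDOW = timedelta(seconds=30)
BLOCK = timedelta(hours=1)

def parse(line):
    """Constructed log format (assumption): '<ISO-8601 time> <client IP> <path>'."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def find_blocks(lines, limit=LIMIT, window=WINDOW, block=BLOCK):
    """Return [(ip, block_start, block_end)] for clients that exceed the limit."""
    recent = defaultdict(deque)  # ip -> request times still inside the window
    blocked_until = {}
    blocks = []
    for ts, ip, path in sorted(map(parse, lines)):
        if path.split("?", 1)[0] != "/xmlrpc.php":
            continue             # only the XML-RPC endpoint is counted here
        if ts < blocked_until.get(ip, datetime.min):
            continue             # block still active: request is not counted
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()          # drop requests older than the window
        if len(q) > limit:       # exceeding the threshold: 11th request in 30 s
            blocked_until[ip] = ts + block
            blocks.append((ip, ts, ts + block))
            q.clear()
    return blocks

def sample_log():
    """Constructed sample: a bursty client, a slow client, and an unrelated path."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    def fmt(offset, ip, path):
        return f"{(t0 + offset).isoformat()} {ip} {path}"
    lines = [fmt(timedelta(seconds=2 * i), "203.0.113.7", "/xmlrpc.php") for i in range(11)]
    lines += [fmt(timedelta(seconds=5 * i), "198.51.100.4", "/xmlrpc.php") for i in range(11)]
    lines += [fmt(timedelta(seconds=i), "192.0.2.9", "/wp-login.php") for i in range(20)]
    lines.append(fmt(timedelta(minutes=10), "203.0.113.7", "/xmlrpc.php"))  # during block
    return lines

if __name__ == "__main__":
    for ip, start, end in find_blocks(sample_log()):
        print(f"{ip} would be blocked from {start} until {end}")
```

In the constructed sample only 203.0.113.7 is blocked: it sends 11 requests in 20 seconds, while 198.51.100.4 sends the same number of requests spaced 5 seconds apart and never has more than 6 inside any 30-second window.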

Login rate limiting

Rate limiting is in place for requests that are made to a WordPress site’s login endpoint (/wp-login.php). The login rate limiting thresholds (e.g. 5 failed attempts within 5 minutes) help to protect against brute-force and automated login attempts.

The underlying code in VIP MU plugins that protects the login endpoint tracks the rate of incoming requests for either:

  • An IP address
  • A username
  • Or an IP address + username combination

The allowed number of failed login attempts can be modified in custom application code.

Last updated: August 20, 2025

Relevant to

  • Node.js
  • WordPress