We’re introducing a Traffic Rate Limiting feature into ShieldPRO for WordPress. It’ll help mitigate larger attacks, and put a stop to traffic abuse, by preventing excessive, overloading requests from any visitor.
In this article we’ll explain what the rate the limiting feature is and how it works, and why this is an important security tool in your WordPress site defenses.
What Is Shield’s Traffic Rate Limiting?
Simply put, rate limiting is where you restrict the number of requests a single visitor can make against your site, within a certain period of time.
There are 2 important factors in Rate Limiting your WordPress site:
- How many requests are allowed in the time period.
- How long a time period will you count the number of requests.
Let’s take the example where you limit to 10 requests within 60 seconds.
When a visitor loads a page on your site, attempts a login, or posts a comment, this will start a counter in the rate limiting system.
If they make another request, perhaps browse to another blog post, they’ll add 1 more request to that counter. If they continue to load pages and they reach 11 requests within a 60 seconds, they’ll trigger Shield’s defenses and an offense will be recorded against their IP address.
If they make a further request, still within the same 60 seconds, the offense limit will be incremented, again.
As always with Shield, when the number of offenses marked against an IP address reaches your threshold, the IP address will be blocked entirely from accessing the site.
With rate limiting activated, any visitors/bots that continue to send too many requests to your site, will be blacklisted.
Note: Visitors that exceed your rate limit don’t get blocked immediately. They will only incur an offense against the site. Too many offenses, and then the IP will be blocked.
Why Is Rate Limiting Good For WordPress Security
There are 2 primary approaches to security:
ShieldPRO tackles both of these, but focuses mainly on prevention.
We strongly believe that the earlier you catch a potential issue, a bad-actor, or an intrusion, the better off you’ll be.
It’s far, far easier to prevent a catastrophe, than to recover from one (if you can even recover!). Prevention is much more cost-effective with respect of your time, resources (money), and reputation.
Shield’s Traffic Rate Limiting for WordPress is all about prevention.
How Does Rate Limiting Prevent Security Breaches?
ShieldPRO uses these signals to determine whether a visitor is actually a bot that should be neutralised.
The sooner we can identify these bad bots, the sooner we can block access.
It’s hard to state that a visitor is a bot when it triggers just one of these signals, and even harder to say that it’s malicious.
But if the same bot triggers multiple signals, multiple times, then you probably don’t want to allow further access to your site.
Of course, there may be scenarios where we can’t make this statement, and that’s okay, turning on all of these signals just isn’t appropriate in those cases. But for the vast majority of WordPress sites, these signals play a critical role in identifying malicious bots, or bots that don’t have any redeeming quality, and so don’t need access to your site.
The same can be said about Traffic Rate Limiting.
MOST visitors to your site will be human beings, and human beings don’t usually browse your site more than a page or 2 every few seconds.
Again, there will be websites that are the exception to this generalised statement, and for them, rate limiting will need to be more carefully applied.
But if you have bots throwing 10s/100s of requests at your site within a short period of time, you can be sure they’re not up to anything good.
Better to simply block them as early on as possible. In this way you prevent them from probing your WordPress installation any more than they should.
Any attacks they want to throw at your site thereafter, based off of their analysis will be completely useless.
Does Rate Limiting Affect Search Engine Crawlers?
Shield has been filtering out Search Engine traffic for all the major search engines for a long time now. They won’t even register on the site traffic logging system in the first place.
It is this filtering of legitimate search engine traffic that allows Shield to use the “Fake Search Engine Crawler” signal, too. Since we can test which crawlers are genuine, then we can spot bad bots when they say they’re from Google, but they’re actually not.
Does Rate Limiting Monitor All Traffic?
ShieldPRO’s Rate Limiting feature uses the Traffic Logging system as its foundation. This system lets you carefully exclude traffic you don’t want to log (or limit). The only traffic that the Rate Limiter will monitor, is the of traffic that gets picked-up by the Traffic Logging system.
Does Rate Limiting Use More Resources?
The Traffic Logging feature uses a separate database table to record all requests that you’ve set it to monitor.
This of course has a cost – 1x SQL database insert per request. This is practically nothing, and to ensure there’s no slowdown as a result of the query, we execute it at the end of a page request (i.e. when PHP is shutting down) so it will go unnoticed.
The rate limiting feature will, again on PHP shutdown, assess how many requests in the database for this IP within the time frame. It’s an extra query per request, but again, it’s very small.
Also, separately, we keep the traffic log table well trimmed, so lookups are as fast as they can be.
Is There Anything I Should Be Aware Of?
There are a few things to bear in mind when you’re rate limiting your traffic.
#1 Ensure Your Visitor IP Address Source Is Correct
If Shield can’t detect the correct visitor IP address, this will cause lots of trouble, even before you try to limit traffic.
You can’t properly rate limit traffic unless you’re sure Shield has the correct IP address for each visitor. Go to General Settings > IP Source and ensure that the visitor IP address source is correct.
#2 Rate Limiting the WordPress API
If your WordPress site uses the WP REST API extensively, consider excluding the API from your Traffic Logging (and your rate limiting).
Or, if you’re confident with how it works and what sort of API usage you expect or want to allow, Shield’s Rate Limiting feature will be highly effective in throttling REST API access.
#3 Start By Being Generous
If you’re unsure of how your traffic really looks, set your rate limiting options more generously than you might at-first think.
To do this, you would set your ‘Max Request Limit’ higher and your ‘Time Interval’ lower. Doing both or either of these will reduce the chances that legitimate visitors don’t get blocked.
#4 Don’t Forget About AJAX
AJAX requests, particularly in the WordPress admin areas can be quite frequent. Some plugin use AJAX on the frontend also, so your visitors might more requests to your site than you realise. This goes back to #3 – be more generous at the start and dial it back slowly.
How Can You Get Rate Limiting For WordPress?
This security feature will be released with Shield Security PRO around mid-late March 2020. It’s undergoing final testing and quality control, but we’ll release it as soon as it’s ready.
Comments or Suggestions?
As always, we welcome your suggestions and feedback about this feature, and any other ShieldPRO feature. Please leave your comments below and we’ll get right back to you!