Rate Limiting
Rate Limiting is now configured as a Page Protection Rule action. This allows you to apply rate limiting to specific URI patterns (e.g., /api/*, /wp-login.php) rather than your entire site.
What is Rate Limiting?
Rate limiting restricts the number of HTTP requests a single IP address can make to your site. When a user exceeds the limit, they receive an error response and must wait before making more requests.
Why Use Rate Limiting?
- Prevent DDoS attacks by limiting request floods
- Stop brute force attacks on login pages
- Reduce server load from aggressive scrapers
- Ensure fair usage among all visitors
- Protect API endpoints from abuse
How to Configure Rate Limiting
Rate limiting is configured in the Access Control tab under Page Protection Rules:
- Click Add Rule
- Enable the rule
- Set a Rule Name (e.g., "API Rate Limit")
- Set URI Pattern (e.g., /api/*,/wp-login.php)
- Choose Action: Rate Limiting
- Set Requests Per Minute (RPM)
- Optionally enable Allow Global Whitelist to Bypass
Requests Per Minute (RPM)
What it is: Maximum number of requests allowed per IP address per minute for this URI pattern.
Plan Limits:
- Free Plan: Up to 10,000 RPM per rule (5 rules max)
- Advanced Plan: Up to 10,000 RPM per rule (30 rules max)
- Enterprise Plan: Unlimited RPM and rules
Recommended values:
- Normal pages: 60-120 RPM
- API endpoints: 30-60 RPM
- Login pages: 10-30 RPM (brute-force protection)
- High-traffic pages: 300-1000 RPM
- Strict protection: 5-20 RPM
Example: Setting 60 means each IP can make 60 requests per minute to this URI. The 61st request will be blocked with HTTP 429 (Too Many Requests).
Response Action
Rate limiting always returns HTTP 429 ("Too Many Requests") when the limit is exceeded. This is the standard response code for rate limiting and cannot be customized.
Whitelist Bypass
What it is: Allow IPs in your global whitelist to bypass rate limiting for this rule.
When to enable (default):
- Your own IP addresses need unlimited access
- Trusted partners or services
- Monitoring tools that check your site frequently
When to disable:
- You want rate limiting to apply to everyone
- Testing rate limiting with your own IP
How Rate Limiting Works
- Request arrives from IP address 203.0.113.45
- Counter checks how many requests this IP made in the last minute
- Under limit: Request is allowed, counter increments
- Over limit: Request is blocked with error response
- Counter resets after one minute
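As an added example (not Atomic Edge's own code), the Python model below walks through the per-IP, per-rule counter described above and reproduces the expectation in Testing Rate Limiting (first 60 requests allowed, 61 onward blocked). It assumes a fixed one-minute window that resets when it expires, first-match rule ordering, and shell-style `*` patterns; the IPs and paths are constructed samples.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    patterns: list            # URI patterns, e.g. ["/api/*", "/wp-login.php"]
    rpm: int                  # Requests Per Minute allowed per IP for this rule
    whitelist_bypass: bool = True

@dataclass
class RateLimiter:
    rules: list                                   # evaluated in order, first match wins
    whitelist: set = field(default_factory=set)   # global whitelist IPs
    window_seconds: int = 60
    counters: dict = field(default_factory=dict)  # (rule name, ip) -> (window start, count)

    def match_rule(self, path):
        # Assumption: patterns use shell-style globbing, so "/api/*" covers subpaths
        for rule in self.rules:
            if any(fnmatch.fnmatchcase(path, p) for p in rule.patterns):
                return rule
        return None

    def handle(self, ip, path, now):
        """Return the status the edge would answer: 200 (allowed) or 429 (blocked)."""
        rule = self.match_rule(path)
        if rule is None:
            return 200                            # no rule covers this URI
        if rule.whitelist_bypass and ip in self.whitelist:
            return 200                            # trusted IP bypasses this rule
        key = (rule.name, ip)
        start, count = self.counters.get(key, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0                 # window expired: counter resets
        if count >= rule.rpm:
            self.counters[key] = (start, count)
            return 429                            # over limit: blocked
        self.counters[key] = (start, count + 1)   # under limit: counter increments
        return 200

def burst(limiter, ip, path, n, start=0.0):
    """Fire n requests 0.1 s apart from one IP; return (allowed, blocked) counts."""
    codes = [limiter.handle(ip, path, start + i * 0.1) for i in range(n)]
    return codes.count(200), codes.count(429)
```

Because the first matching rule wins, a broad pattern such as /api/* listed before /api/public/* would capture the public paths too, which is why more specific patterns belong first.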
Example Scenarios
Scenario 1: Protect API Endpoints
Rule Name: API Rate Limit
URI Pattern: /api/*
Action: Rate Limiting
Requests Per Minute: 60
Whitelist Bypass: Enabled
Most API clients will never hit this limit. Aggressive scrapers will be blocked with HTTP 429.
Scenario 2: Brute-Force Protection
Rule Name: Login Protection
URI Pattern: /wp-login.php
Action: Rate Limiting
Requests Per Minute: 10
Whitelist Bypass: Enabled
Very strict limit on login attempts (on average, one attempt every 6 seconds), but your own IP can still access freely.
Scenario 3: Multiple Endpoints
Rule 1: /api/public/* - 120 RPM
Rule 2: /api/internal/* - 30 RPM
Rule 3: /wp-login.php - 10 RPM
Different rate limits for different endpoints based on sensitivity and expected usage.
Best Practices
- Start with 60 requests/minute – suitable for most sites
- Monitor your logs – check if legitimate users are being rate limited
- Enable whitelist bypass – so you’re never locked out
- Use 429 response code – it’s the standard for rate limiting
- Adjust based on traffic – increase limit for high-traffic sites
- Test your limits – verify they work as expected
Calculating the Right Limit
Consider your typical user behavior:
Average page load:
- HTML page: 1 request
- CSS files: 2-3 requests
- JavaScript files: 3-5 requests
- Images: 10-20 requests
- Total: ~20-30 requests per page
Typical browsing:
- User views 2-3 pages per minute
- Total: ~60-90 requests per minute
Recommendation: Set limit to 2-3x your typical usage to avoid false positives.
Troubleshooting
Legitimate users are being rate limited
- Increase the Requests Per Minute limit
- Check if users are behind shared IPs (corporate networks, VPNs)
- Enable whitelist bypass for known IPs
Rate limiting not working
- Verify rate limiting is enabled
- Check that Requests Per Minute is set
- Ensure DNS is properly configured so requests reach the edge
- Test with a tool like curl in a loop
Site is slow after enabling rate limiting
- Rate limiting itself is very lightweight
- Slowness is likely from other factors
- Check your server resources and backend performance
Combining with Other Page Protection Actions
Page Protection Rules support multiple actions:
- IP Restriction: Block/allow based on IP addresses (403, 404, 451, 503, or CAPTCHA)
- Rate Limiting: Limit requests per minute (429 response)
- Geographic Access Control: Coming soon
You can create multiple rules with different actions for different URI patterns.
Testing Rate Limiting
To test if rate limiting is working:
# Make 70 requests quickly (assuming 60/min limit)
for i in {1..70}; do
  curl -I https://yoursite.com
done
You should see:
- First 60 requests: HTTP 200 OK
- Requests 61-70: HTTP 429 Too Many Requests
Important: Test from an IP that’s NOT in your whitelist.
Frequently Asked Questions
What is rate limiting and why do I need it?
Protecting against brute-force and DDoS attacks
Rate limiting restricts the number of requests a single IP can make per minute. It protects against brute-force attacks (password guessing), credential stuffing, DDoS attacks, aggressive scrapers, and API abuse. When exceeded, users receive HTTP 429 Too Many Requests.
How do I configure rate limiting in Page Protection Rules?
Setting up rate limits for specific URLs
Create a Page Protection Rule with action ‘Rate Limiting’. Set the URI pattern (e.g., /wp-login.php), requests per minute (1-10,000), and optionally enable ‘Allow Global Whitelist to Bypass’. Save the rule. Requests exceeding the limit return HTTP 429.
What's a good rate limit to start with?
Recommended initial rate limiting values
Start with 60 requests per minute for general pages. For login pages, use 10-20 requests/minute. For APIs, use 30-100 depending on expected usage. A typical page load generates 20-30 requests (HTML, CSS, JS, images), so 60/min allows 2-3 page views per minute.
How do I calculate the right rate limit for my site?
Determining appropriate request thresholds
Consider typical user behavior: one page load = ~20-30 requests, normal browsing = 2-3 pages/minute = ~60-90 requests. Set your limit to 2-3x typical usage to avoid false positives. Monitor logs after enabling and adjust as needed.
Will rate limiting affect my site's performance?
Performance impact of rate limiting
Rate limiting is lightweight and adds minimal overhead (~1-5ms per request). It’s processed at the edge before reaching your server, actually reducing load during attacks. Any slowness after enabling is likely from other factors.
What does 'Allow Global Whitelist to Bypass' mean?
Exempting trusted IPs from rate limits
When enabled, IPs in your global whitelist (configured in Access Control) bypass the rate limit entirely. This ensures you, your team, and trusted services like monitoring tools are never rate limited, even during testing or high-activity periods.
Why are legitimate users being rate limited?
Troubleshooting false positive rate limits
Common causes: limit set too low, users behind shared IPs (corporate networks, VPNs), or aggressive caching services. Solutions: increase the limit, enable whitelist bypass for known IPs, or create separate rules for different URI patterns.
How do I test if rate limiting is working?
Verifying rate limit configuration
From a non-whitelisted IP, use curl in a loop: ‘for i in {1..70}; do curl -I https://yoursite.com; done’. With a 60/min limit, requests 1-60 should return 200 OK, and 61-70 should return 429 Too Many Requests.
Can I have different rate limits for different pages?
Path-specific rate limiting configuration
Yes! Create multiple Page Protection Rules with different URI patterns and rate limits. For example: /wp-login.php at 10/min, /wp-admin/* at 60/min, /api/* at 100/min. Rules are evaluated in order, so more specific patterns should come first.
What's the maximum rate limit I can set?
Rate limit thresholds by plan tier
Free and Advanced plans support 1-10,000 requests per minute. Enterprise plans have customizable limits. If you need higher limits for legitimate high-traffic scenarios, contact Atomic Edge support to discuss your requirements.
