• Resolved qpinfo22

    (@qpinfo22)


    Hi, we get excessive server load through admin-ajax.php. It is loaded with every website. Obviously, someone is attacking us. Is it possible to block it somehow with Wordfence? Thank you

    Request URL: (website)/wp-admin/admin-ajax.php
    Request Method: POST
    Status Code: 200 OK
    Remote Address: 185.25.185.71:443
    Referrer Policy: strict-origin-when-cross-origin


    • This topic was modified 2 years, 3 months ago by qpinfo22.
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @qpinfo22, thanks for reaching out!

    The admin-ajax.php file routes all AJAX requests on WordPress, so it’ll be heavily used to load content on an active website with plenty of visitors, so “excessive” activity might be more subjective based on the kind of traffic you’re expecting. Without further information on quantity of hits or knowledge of your site’s visitors, I think it’d be worth looking at your Rate Limiting Settings.

    You can adjust Rate Limiting to be stricter if you wish. I personally prefer increasing Wordfence > All Options > Brute Force > Amount of time a user is locked out and Wordfence > All Options > Rate Limiting > How long is an IP address blocked when it breaks a rule? to days or even months, stopping problematic IPs from retrying after a few minutes if you’re noticing a lot of activity.

    I usually set these values to start with and adjust if needed:

    • If anyone’s requests exceed – 240 per minute
    • If a crawler’s page views exceed – 120 per minute
    • If a crawler’s pages not found (404s) exceed – 60 per minute
    • If a human’s page views exceed – 120 per minute
    • If a human’s pages not found (404s) exceed – 60 per minute
    • How long is an IP address blocked when it breaks a rule – 30 minutes

    I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking with crawlers because any good search engine understands what has happened if it is mistakenly blocked and your site isn’t penalized because of it.

    I hope that helps you out!
    Peter.
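
To put a number on the "quantity of hits" the reply asks about, the following added example (not part of the original thread and not Wordfence code) counts admin-ajax.php requests per client IP per minute in a web server access log and lists the buckets above the 240-per-minute starting value quoted in the reply. It assumes a Combined Log Format log; the function names and sample log lines are constructed for illustration, and because it counts only admin-ajax.php requests it gives a lower bound on each IP's total request rate.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format (assumed): client IP, [timestamp], "METHOD path protocol"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"


def ajax_hits_per_minute(lines):
    """Count admin-ajax.php requests per (client IP, minute) bucket."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != AJAX_PATH:
            continue  # malformed line, or a request for a different URL
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        counts[(m.group("ip"), ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts


def over_limit(counts, per_minute=240):
    """Return (ip, minute, hits) for buckets above the limit, busiest first."""
    hits = [(ip, minute, n) for (ip, minute), n in counts.items() if n > per_minute]
    return sorted(hits, key=lambda h: -h[2])


def sample_log():
    """Constructed sample: one noisy client, one ordinary visitor, one bad line."""
    noisy = [
        f'203.0.113.9 - - [10/Jan/2024:12:00:{i % 60:02d} +0000] '
        '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "-"'
        for i in range(300)
    ]
    normal = [
        f'198.51.100.7 - - [10/Jan/2024:12:00:{i:02d} +0000] '
        '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "-"'
        for i in range(0, 60, 5)
    ]
    other = ['198.51.100.7 - - [10/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"']
    return noisy + normal + other + ["garbage line"]


if __name__ == "__main__":
    for ip, minute, n in over_limit(ajax_hits_per_minute(sample_log())):
        print(f"{ip} {minute} {n} admin-ajax.php requests")
```

Run against a real log by passing an open file object to `ajax_hits_per_minute`; IPs that never appear in the output are below the threshold, which points to ordinary site traffic rather than a single abusive client.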

The topic ‘admin-ajax.php’ is closed to new replies.