Rate Limiting with Caching Plugins

  • Resolved Ironos

    (@irongenetics96)


    10 months ago

    Hi everyone,

    I’ve been running some tests to better understand how Wordfence’s Rate Limiting feature works when combined with WP Fastest Cache , and I’d like to share my findings along with a few open questions I’m hoping the community or support team can help answer. 🔍 Test Setup:

    • WordPress on shared hosting
    • WP Fastest Cache enabled
    • Wordfence Firewall set to “Extended Protection” (Optimized Mode enabled)
    • Rate Limiting active (e.g., 60 requests per minute)

    ✅ Observations:

    1. With WP Fastest Cache disabled:
      • Wordfence logs every request (e.g., repeated visits to /example) in the Live Traffic view.
      • Rate Limiting works as expected, even on repeated page hits.
    3. With WP Fastest Cache enabled

      Only the first visit is logged in Live Traffic.
      Wordfence’s Rate Limiting does not apply to further visits

    ❓ Open Questions:

    • Are there any workarounds to enforce rate limiting or logging, even with a caching plugin like WP Fastest Cache (e.g. cookie, query string, or path-based exclusions)?
    • Would this behave differently with WP Rocket, which (as I understand it) serves cached pages via PHP instead of .htaccess?
    • Is it advisable to combine Wordfence with Cloudflare (Free or Pro) for bot protection and rate limiting on fully cached/static pages?
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    10 months ago

    Hi @irongenetics96, thanks for your questions.

    There are some limitations to cached pages being served before a block can fire. Most page caches will serve a request using previously-cached HTML files without even running PHP. As an endpoint firewall, Wordfence wouldn’t see the page hit if a cached page is available, as PHP has to run for the plugin to also start. This wouldn’t necessarily be mitigated by another caching product unless it served the cache via PHP, but those can be slower.

    It must be said that Wordfence is designed for defense in depth, by giving you a layered approach to security with its range of features. Many customers choose to compliment the WordPress-specific features we offer with extra protection from products like network firewalls (such as Cloudflare etc.) Having a mix of layers to limit page hits and other attacks will compliment file scans, plugin checks, and login security measures amongst other things.

    Thanks,
    Peter.

Viewing 1 replies (of 1 total)

The topic ‘Rate Limiting with Caching Plugins’ is closed to new replies.