Title: Rate Limiting
Last modified: August 9, 2017

---

# Rate Limiting

 *  Resolved [11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/)
 * (@11whyohwhy15)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/)
 * Hi,
 * I’m just setting up the rate limiting for wordfence but I’m a little confused
   over the human settings in your help file. You say:
 * ‘If a human’s page views exceed
 * If we detect a visitor is human, then this limit will apply. In general we
   recommend you keep this high, especially if you are using AJAX on your website.
   240 per minute is a healthy setting unless you have many static pages with no
   AJAX and are sure that the normal traffic pattern that humans generate on your
   site is much lower’
 * What human can view 240 pages a minute? I’m thinking 5 pages a minute would
   be more realistic as a block choice?
 * I’ve set the other human parameters to:
 * If a human’s pages not found (404s) exceed: 15 per minute (block)
 * If 404s for known vulnerable URLs exceed: 5 per minute (block)
 * Hopefully you can make me understand this as I’m new to this.
 * Thanks

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [bluebearmedia](https://wordpress.org/support/users/bluebearmedia/)
 * (@bluebearmedia)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9398519)
 * WF support can chime in here, but I assume the settings are based on the fact
   that determining the difference between bot and human page views is not absolute
   and there is much overlap between the distinction.
 *  Thread Starter [11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/)
 * (@11whyohwhy15)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9398663)
 * Ahhh.. I’ve just been reading up on bots and that they account for at least 56%
   of people’s internet traffic… There’s me thinking my page views are really good
   and Google Analytics were a bit crap 🙁 Bummer hey!!
 * Thanks for that…
 *  [Caleb](https://wordpress.org/support/users/crudhunter/)
 * (@crudhunter)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9399082)
 * [@11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/), as the page
   info you pasted in indicated, what the correct number is depends highly on your
   page content, type of theme, smarts of your widgets, and other factors like Ajax.
 * For example, if you are using smart widgets, where some might show dependent
   content based on the visitor (like based on country), then to bust page caches,
   they frequently use Ajax (call-backs to the server) to call in the localized
   pieces.
 * So if you load a page, but that page has 4 widgets each doing just one
   Ajax call, then what looks to the visitor as a single page is really 5 calls
   to the server. Not counting the other dynamic things that could be going on.
 * So it is not that a human user can read 240 pages, or would even click that fast
   if just browsing through. It is that each single click depending on your site
   design could be multiplied up several times.
 * Hence, YOU, the site owner, are the only one that can determine what the right
   number is for your site. I think the default is merely set so high that it is
   unlikely to suddenly block off half the page content because access limits block
   it off in the middle of a page, and generate support calls for THAT reason. 🙂
 * On determining which accesses are truly human or not. Hard to do reliably.
   That depends on how “dumb” the robots are created (most are pretty stupid). A really
   well designed robot/crawler can appear VERY human in how they access the site.
 * Heck, forum spammer bots like xRumer and its cousins for blog spamming have
   “long term” planning in them to appear human.
 * Register on a site one day.. Then
   post a few automated but completely bogus “replies” over a couple of days to
   appear like a “real, active forum member”. THEN START spamming like crazy after
   gaining forum cred and the site allowing links. 🙂
 * It’s all in the programming.
 * But most robots are simplistic. They miss out on sending certain headers, so 
   are clearly not from a real browser.. Don’t load CSS/JS or other things, and 
   so despite their agent-strings claiming to be a human browser, they are obviously
   not.
 * There are a ton of things that COULD be used for an estimated guess on what is
   human or not. None are 100%.
 * Not even Google Analytics is 100%, because any real human visitor arriving with
   such tracker blockers as Ghostery will prevent the Google Analytics JS scripts
   from loading up. So these users can browse as normal, read every interesting page
   on your site, and Google Analytics would be none the wiser. 🙂 Google depends
   on their Javascript loading up in that person’s browser.
 *  Thread Starter [11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/)
 * (@11whyohwhy15)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9399246)
 * Hey Caleb,
 * That’s such great detailed info !!
 * Thanks so much for taking the time to explain this. It is much appreciated.
 * 🙂
 *  [mountainguy2](https://wordpress.org/support/users/mountainguy2/)
 * (@mountainguy2)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9404399)
 * 11why, yeah, cut your raw server traffic metrics in half for a rough idea of “real
   human” traffic. If you’re exploring monetization and want real numbers, install
   something like Adsense and use it for your metrics, that way you get the strict
   Google filtering of what they consider “real” traffic.
 * As for the Wordfence “Rate Limiting Rules” I’ve found them to be incredibly confusing
   and quite a time trap. I finally gave up and set everything to “Block It” with
   fairly strict parameters and a 48 hour block duration.
 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9408760)
 * [@11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/) I wouldn’t
   use “Block” for human traffic rate limiting, instead I recommend using “throttle”
   which means that their site access will be temporarily blocked until they reduce
   their request frequency to below the limit you have set.
 * As mentioned in this
   thread “240 pages a minute” might be different CSS/JS or ajax requests, depending
   on how your theme/plugins were developed.
 * Thanks.
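
The request multiplication from Caleb's reply and the throttle/block distinction from the reply above, modeled as an added example (not code from this thread or from Wordfence). The class and function names, the sliding-window counting and the sample IP are assumptions made for illustration; Wordfence's own counting may differ.

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds; every limit in the thread is "per minute"

class RateLimiter:
    """Sliding-window limiter (illustrative model, not Wordfence's code)."""
    def __init__(self, limit, action, block_seconds=0):
        self.limit = limit
        self.action = action              # "throttle" or "block"
        self.block_seconds = block_seconds
        self.hits = defaultdict(deque)    # ip -> timestamps inside the window
        self.blocked_until = {}           # ip -> time at which a block expires

    def allow(self, ip, now):
        if self.blocked_until.get(ip, 0) > now:
            return False                  # still serving out a block
        q = self.hits[ip]
        while q and q[0] <= now - WINDOW:
            q.popleft()                   # forget requests older than a minute
        q.append(now)                     # refused requests still count as traffic
        if len(q) > self.limit:
            if self.action == "block":
                self.blocked_until[ip] = now + self.block_seconds
            return False                  # throttle: refused only while over limit
        return True

def browse(limiter, clicks, seconds_between_clicks, ajax_per_page=4,
           ip="203.0.113.7"):            # constructed sample address
    """Count refused requests while one visitor clicks through pages.
    Each click is 1 page load plus ajax_per_page widget calls (5 in total
    for the 4-widget page described in the thread)."""
    refused = 0
    for i in range(clicks):
        now = i * seconds_between_clicks
        for _ in range(1 + ajax_per_page):
            if not limiter.allow(ip, now):
                refused += 1
    return refused

def allowed_after_burst(action, wait_seconds, limit=5, burst=10,
                        ip="203.0.113.7"):
    """Send a burst at t=0, then report whether one later request gets through.
    The block duration is 5 days, as in the thread starter's final settings."""
    limiter = RateLimiter(limit, action, block_seconds=5 * 24 * 3600)
    for _ in range(burst):
        limiter.allow(ip, 0)
    return limiter.allow(ip, wait_seconds)

if __name__ == "__main__":
    print("5/min, 3 clicks:", browse(RateLimiter(5, "block", 300), 3, 20))
    print("240/min, 3 clicks:", browse(RateLimiter(240, "block", 300), 3, 20))
    print("throttle, 90s later:", allowed_after_burst("throttle", 90))
    print("block, 90s later:", allowed_after_burst("block", 90))
```

With a limit of 5 per minute, a visitor who clicks three pages 20 seconds apart is refused from the second click onward, while the same visitor never comes near 240.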
 *  [mountainguy2](https://wordpress.org/support/users/mountainguy2/)
 * (@mountainguy2)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9408830)
 * I did a lot of experimenting. For me, setting everything to “Block” works well,
   I guess what saves me is I have the “Human” option set to 60 pages a minute. 
   If one of my actual human site visitors can do 60 mouse clicks in a minute, each
   one going to a new page, respect (smile). MTN
 *  Thread Starter [11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/)
 * (@11whyohwhy15)
 * [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9409025)
 * Thanks everyone for the info..
 * Have set it up as follows:
 * If anyone’s requests exceed 240 then throttle
 * If a crawler’s page views exceed 240 then throttle
 * If a crawler’s pages not found (404s) exceed 15 then throttle
 * If a human’s page views exceed 240 then block
 * If a human’s pages not found (404s) exceed 15 then block
 * If 404s for known vulnerable URLs exceed 10 then block
 * How long is an IP address blocked when it breaks a rule: 5 days
 * Will leave it for about 10 days or so then check results.

The topic ‘Rate Limiting’ is closed to new replies.

 * 8 replies
 * 5 participants
 * Last reply from: [11whyohwhy15](https://wordpress.org/support/users/11whyohwhy15/)
 * Last activity: [8 years, 9 months ago](https://wordpress.org/support/topic/rate-limiting/#post-9409025)
 * Status: resolved