Hi @rik0399, thanks for your question!
It can be concerning to see a large number of hits on your site, especially as there’s no usual pattern for why a site is targeted regarding search engine visibility etc. It could be worth reading our take on this too: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/
Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deals with the visits appropriately based on your settings when they happen. If you’re noticing many of these are spam registration and/or signin attempts, having reCAPTCHA enabled in Wordfence > Login Security > Settings should dramatically reduce the amount of successful form submission attempts. This is far less intrusive with v3 than in past versions, so there aren’t any puzzles or checkboxes to comply with.
My general advice is that Wordfence does all of the important blocking for you automatically so you don’t have to implement a manual blocking regime – which can be time consuming. The behavior or intent of the humans/bots making these requests is more important to Wordfence when making a decision on blocking.
You can limit the amount of traffic that attempts to hit your site with our Rate Limiting Rules on the Firewall Options page. This configures how crawlers and humans are treated.
I generally set my Rate Limiting Rules to these values to start with:
- If anyone’s requests exceed – 240 per minute
- If a crawler’s page views exceed – 120 per minute
- If a crawler’s pages not found (404s) exceed – 60 per minute
- If a human’s page views exceed – 120 per minute
- If a human’s pages not found (404s) exceed – 60 per minute
- How long is an IP address blocked when it breaks a rule – 30 minutes
I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked, and your site isn’t penalized because of it. Make sure to set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.
With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30 minute (or longer) lockout time period.
Remember there is no hard and fast, one-size-fits-all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers, getting blocked too often, you might want to loosen them up a little.
Here is a video guide to Rate Limiting as well: Rate Limiting Guide
I hope that helps you out!
Peter.
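To make the rate limiting and brute force thresholds in Peter's reply concrete, here is an added example that is not Wordfence's code and not part of the original post. It replays constructed request and login events through a sliding-window evaluator using the starting values from the reply (240/120/60 per minute, 30 minute penalty, 5 failures over 4 hours, 30 minute lockout). Crawler detection by user-agent substring and the "throttle"/"block" labels are simplifying assumptions for illustration; Wordfence classifies crawlers and applies throttling with its own logic.

```python
"""Sliding-window rate-limit and login-lockout evaluator (added example).

Thresholds are the starting values suggested in the post. Crawler detection
by user-agent substring is an assumption made here for illustration.
"""
from collections import defaultdict, deque

# Rate Limiting Rules: counts per 60-second window, in the post's order.
RATE_RULES = {
    "any_requests": 240,   # If anyone's requests exceed
    "crawler_views": 120,  # If a crawler's page views exceed
    "crawler_404s": 60,    # If a crawler's pages not found (404s) exceed
    "human_views": 120,    # If a human's page views exceed
    "human_404s": 60,      # If a human's pages not found (404s) exceed
}
RATE_WINDOW = 60           # seconds
RATE_PENALTY = 30 * 60     # how long an IP is penalized after breaking a rule

# Brute Force settings: 5 failures counted over 4 hours, 30 minute lockout.
LOGIN_MAX_FAILURES = 5
LOGIN_WINDOW = 4 * 3600
LOGIN_LOCKOUT = 30 * 60

CRAWLER_MARKERS = ("bot", "crawler", "spider")  # assumption: simple UA heuristic


def is_crawler(user_agent: str) -> bool:
    ua = user_agent.lower()
    return any(marker in ua for marker in CRAWLER_MARKERS)


def _count_in_window(bucket: deque, ts: float, window: int) -> int:
    """Record ts, drop entries older than the window, return the live count."""
    bucket.append(ts)
    while bucket and bucket[0] <= ts - window:
        bucket.popleft()
    return len(bucket)


class RateLimiter:
    """Applies RATE_RULES per IP; 'throttle' or 'block' only changes the label."""

    def __init__(self, action: str = "throttle", rules=RATE_RULES):
        assert action in ("throttle", "block")
        self.action = action
        self.rules = rules
        self.counters = defaultdict(lambda: defaultdict(deque))  # ip -> rule -> timestamps
        self.penalized_until = {}

    def request(self, ip: str, ts: float, user_agent: str, status: int) -> str:
        """Return 'allow', or '<action>:<rule>' naming the rule the IP broke."""
        if self.penalized_until.get(ip, 0) > ts:
            return f"{self.action}:penalized"
        kind = "crawler" if is_crawler(user_agent) else "human"
        checks = ["any_requests", f"{kind}_views"]
        if status == 404:
            checks.append(f"{kind}_404s")
        # Count every applicable rule first so the counters stay consistent.
        counts = {r: _count_in_window(self.counters[ip][r], ts, RATE_WINDOW) for r in checks}
        for rule, n in counts.items():
            if n > self.rules[rule]:
                self.penalized_until[ip] = ts + RATE_PENALTY
                return f"{self.action}:{rule}"
        return "allow"


class LoginGuard:
    """Locks an IP out after too many failed logins (or password resets)."""

    def __init__(self, max_failures=LOGIN_MAX_FAILURES, window=LOGIN_WINDOW, lockout=LOGIN_LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def attempt(self, ip: str, ts: float, success: bool) -> str:
        if self.locked_until.get(ip, 0) > ts:
            return "locked"            # refused even if the password is right
        if success:
            self.failures[ip].clear()
            return "ok"
        if _count_in_window(self.failures[ip], ts, self.window) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.failures[ip].clear()
            return "locked"
        return "failed"


def demo() -> dict:
    """Constructed events: a file-probing scanner, a polite crawler, a password guesser."""
    rl = RateLimiter(action="throttle")
    out = {}
    # Scanner requests 70 missing paths in ~18 s: the 61st 404 trips the human 404 rule.
    scan = [rl.request("198.51.100.7", 1000 + i * 0.25, "Mozilla/5.0", 404) for i in range(70)]
    out["scanner_first_hit"] = scan.index("throttle:human_404s")
    # Crawler fetching 100 real pages in 50 s stays under the 120/min crawler rule.
    crawl = [rl.request("203.0.113.9", 2000 + i * 0.5, "Googlebot/2.1", 200) for i in range(100)]
    out["crawler_allowed"] = all(d == "allow" for d in crawl)
    # The scanner is still penalized 10 minutes later, and clear after 30 minutes.
    out["scanner_still_penalized"] = rl.request("198.51.100.7", 1600, "Mozilla/5.0", 200)
    out["scanner_after_penalty"] = rl.request("198.51.100.7", 2900, "Mozilla/5.0", 200)
    # Five wrong passwords in 40 s lock the IP; a correct password is then still refused.
    lg = LoginGuard()
    out["lockout_on_fifth"] = [lg.attempt("192.0.2.4", 3000 + i * 10, False) for i in range(5)]
    out["locked_even_if_correct"] = lg.attempt("192.0.2.4", 3100, True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner case is the one these rules are really for: a single IP generating 404s faster than any human browses. The crawler case shows why the views and 404 thresholds are separate, so a legitimate search engine fetching existing pages does not trip a rule tuned for scanners; if it ever does, the throttle label is what a search engine sees instead of a block.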