• Resolved redsilkphotos

    (@redsilkphotos)


    Server: Linux
    WF Version: 7.3.3
    WP Version: 5.2.1

    Wordfence is blocking all legitimate traffic when a user takes an action on the site. If the user lands on example.com and tries to go to example.com/blog, it immediately gives a 503 "access has been limited" message. I checked the firewall rules to make sure it wasn’t there. I uninstalled and then reinstalled WF twice (on the second time deleting all tables and data). If I disable rate limiting, the site works fine. However, it breaks as soon as rate limiting is enabled, even with the following rules set:

    Immediately block fake Google crawlers: No
    How should we treat Google’s crawlers: Verified Google crawlers have unlimited access.
    If anyone’s requests exceed: Unlimited then throttle it
    If a crawler’s page views exceed: unlimited then throttle it
    etc for all other options.

    However, with the blocking set, semrush, googlebot and bingbot are all able to access pages without getting the 503 message. I also cleared the cache several times.

    I have currently disabled rate limiting to make the site usable for legitimate visitors.

    • This topic was modified 5 years, 9 months ago by redsilkphotos.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter redsilkphotos

    (@redsilkphotos)

    So I think I managed to get this solved. I had a rule for blocking admin* in the URL, which worked fine until this most recent update. This prevented anyone from either typing ?user=admin in the URL or wp-admin in an attempt to gain access to any core directory files (/wp-admin/XXXXXX.php). The problem seemed to only be after a user landed on the site. Once they clicked a link (as I tested in multiple browsers) it tripped a call to wp-admin in AJAX and that caused the lockout.

    What changed in the recent update to cause this error?

    Plugin Support wfphil

    (@wfphil)

    Hi @redsilkphotos

    Nothing has changed in any recent update that would explain your blocking behavior. Blocking any request with admin in the URL can break AJAX functionality for anything that needs it on the front end of the site, so we recommend that you remove that rule. Also, Wordfence provides full brute force login attack prevention, so you don’t need to block access to the wp-admin directory (which will also break WordPress AJAX functionality).

    I assume you created that wildcard rule in the option Immediately block IPs that access these URLs.

    Disabling the Rate Limiting rules would not have prevented that blocking rule from being triggered.
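
The failure described in this thread can be caught before a block rule goes live. The following is an added example, not part of the thread and not Wordfence code: it checks candidate URL block patterns against requests an ordinary visitor generates. The shell-style wildcard matching, the sample request list (including the `load_more` action) and the candidate patterns are assumptions constructed for illustration.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed list of requests a normal front-end visit can generate.
# /wp-admin/admin-ajax.php is WordPress's standard AJAX endpoint; themes and
# plugins call it for ordinary visitors ("load_more" is a hypothetical action).
LEGITIMATE_REQUESTS = [
    "/",
    "/blog/",
    "/wp-admin/admin-ajax.php?action=load_more",
    "/wp-json/wp/v2/posts",
]

def matches(pattern, url):
    """Case-insensitive wildcard match against path plus query string.

    Assumption: '*' matches any run of characters, as in shell globbing.
    This approximates a URL block list; it is not Wordfence's own matcher.
    """
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())

def audit(patterns, requests=LEGITIMATE_REQUESTS):
    """Return {pattern: [legitimate requests the pattern would block]}."""
    report = {}
    for pattern in patterns:
        hits = [r for r in requests if matches(pattern, r)]
        if hits:
            report[pattern] = hits
    return report

if __name__ == "__main__":
    # Constructed candidates: a broad "admin" wildcard of the kind discussed
    # in the thread, and a narrow path that no legitimate visitor requests.
    candidates = ["*admin*", "/old-backup.zip"]
    for pattern, hits in audit(candidates).items():
        print(f"{pattern!r} would block legitimate traffic:")
        for hit in hits:
            print(f"  {hit}")
```

Replacing `LEGITIMATE_REQUESTS` with paths taken from the site's own access log for a real visitor session gives a more faithful check than the constructed list.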

  • The topic ‘Rate Limiting blocking all but bots’ is closed to new replies.