Hi @phpteam, thanks for your question.
If you’re receiving a true DDoS, or at the very least a huge increase in attempted page views, protection at the server’s end such as Cloudflare (as one example) should be the most effective solution. I say this because Wordfence is an endpoint firewall, so it can catch/restrict/block users using Brute Force or Rate Limiting settings after PHP loads but, when optimized, before the point your site tries to serve content to them. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.
If you have a low setting for “How long is an IP address blocked when it breaks a rule”, like 5 minutes, the IP would be served block pages until that expires. After expiry, it’d reach your site until Wordfence blocked it again, and so on.
I am more than happy to share our recommended settings for you to trial, to see if they can help in your case. If you’re noticing many of these are spam registration and/or sign-in attempts, having reCAPTCHA enabled in Wordfence > Login Security > Settings should dramatically reduce the amount of successful form submission attempts with “junk” data.
I generally set my Rate Limiting rules to these values to start with:
(Rate Limiting settings screenshot)
- If anyone’s requests exceed – 240 per minute
- If a crawler’s page views exceed – 120 per minute
- If a crawler’s pages not found (404s) exceed – 60 per minute
- If a human’s page views exceed – 120 per minute
- If a human’s pages not found (404s) exceed – 60 per minute
- How long is an IP address blocked when it breaks a rule – 30 minutes
I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly blocked, and your site isn’t penalized because of it. Make sure to set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.
With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30-minute (or longer) lockout time period.
Remember there is no hard-and-fast, one-size-fits-all set of rules for every site. This is just a good place to start. During an attack you may want to make those rules stricter. If you see visitors, like search engine crawlers, getting blocked too often, you might want to loosen them up a little.
If it’s a persistent problem that maxes out the resources of your site, you should definitely speak with your hosting provider or server administrator to see if they can be detected and blocked before PHP runs.
Thanks,
Peter.
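As an added illustration (not Wordfence’s own code, and not part of the reply above), the following Python models the two mechanisms Peter describes: per-minute Rate Limiting rules with a 30-minute penalty, and a Brute Force lockout counted over 4 hours. The thresholds are the starting values from the post; the mapping of Throttle to a 503 with Retry-After and Block to a 403, the IP addresses, and the request replay are assumptions constructed for this example. It also shows the point made in the reply: a penalised IP still reaches the site and is counted by the limiter, it just gets the block page instead of content until the penalty expires.

```python
"""Sliding-window rate limiting and login lockout, modelled on the post's settings.

Added example, not Wordfence's implementation. Thresholds are the post's values;
the 503/403 mapping, IPs and replayed traffic are constructed for illustration.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60            # the Rate Limiting rules are "per minute"
BLOCK_SECONDS = 30 * 60        # "How long is an IP address blocked when it breaks a rule"
RATE_RULES = {                 # requests per minute, from the post
    "any": 240,                # anyone's requests
    "crawler_views": 120,
    "crawler_404s": 60,
    "human_views": 120,
    "human_404s": 60,
}
LOGIN_LIMIT = 5                # post suggests 3-5 attempts
LOGIN_WINDOW_SECONDS = 4 * 3600   # counted over 4 hours
LOGIN_LOCKOUT_SECONDS = 30 * 60   # 30-minute lockout


class SlidingCounter:
    """Counts events per key inside a trailing time window (timestamps in seconds)."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop events older than the window
            q.popleft()
        return len(q)


class RateLimiter:
    """Returns (decision, http_status) per request.

    decision is 'allow', 'throttle'/'block' (a rule just tripped) or 'denied'
    (request arrived while the IP is still inside its penalty period).
    """

    def __init__(self, mode="throttle", rules=RATE_RULES, block_seconds=BLOCK_SECONDS):
        assert mode in ("throttle", "block")
        self.mode, self.rules, self.block_seconds = mode, rules, block_seconds
        self.counter = SlidingCounter(WINDOW_SECONDS)
        self.blocked_until = {}                      # ip -> penalty expiry timestamp
        self.penalty_status = 503 if mode == "throttle" else 403   # assumed mapping

    def handle(self, ts, ip, is_crawler, status):
        # The request has already reached PHP; a penalised IP just gets the block page.
        if self.blocked_until.get(ip, 0) > ts:
            return "denied", self.penalty_status
        role = "crawler" if is_crawler else "human"
        tripped = None
        if self.counter.add((ip, "any"), ts) > self.rules["any"]:
            tripped = "any"
        if self.counter.add((ip, role + "_views"), ts) > self.rules[role + "_views"]:
            tripped = tripped or role + "_views"
        if status == 404 and self.counter.add((ip, role + "_404s"), ts) > self.rules[role + "_404s"]:
            tripped = tripped or role + "_404s"
        if tripped:
            self.blocked_until[ip] = ts + self.block_seconds
            return self.mode, self.penalty_status
        return "allow", status


class LoginGuard:
    """Brute Force protection: lock an IP after LIMIT failures within WINDOW."""

    def __init__(self, limit=LOGIN_LIMIT, window=LOGIN_WINDOW_SECONDS, lockout=LOGIN_LOCKOUT_SECONDS):
        self.limit, self.lockout = limit, lockout
        self.failures = SlidingCounter(window)
        self.locked_until = {}

    def attempt(self, ts, ip, success):
        if self.locked_until.get(ip, 0) > ts:
            return "locked"                # right password or not, the IP is locked out
        if success:
            return "ok"
        if self.failures.add(ip, ts) >= self.limit:
            self.locked_until[ip] = ts + self.lockout
            return "lockout"
        return "fail"


def run_rate_limiter(mode="throttle"):
    """Replay a constructed burst from 203.0.113.9 (documentation range): 70 requests for
    missing pages in 35 s, one request 5 minutes in, one after the 30-minute penalty."""
    rl = RateLimiter(mode)
    decisions = [rl.handle(1000 + i * 0.5, "203.0.113.9", False, 404) for i in range(70)]
    decisions.append(rl.handle(1000 + 300, "203.0.113.9", False, 200))       # still penalised
    decisions.append(rl.handle(1000 + 31 * 60 + 60, "203.0.113.9", False, 200))  # penalty expired
    return decisions


def run_login_guard():
    """Six failed logins 10 s apart from 198.51.100.7, then two correct ones at 30 and 32 min."""
    lg = LoginGuard()
    results = [lg.attempt(i * 10, "198.51.100.7", False) for i in range(6)]
    results.append(lg.attempt(60 + 29 * 60, "198.51.100.7", True))   # lockout still in force
    results.append(lg.attempt(60 + 31 * 60, "198.51.100.7", True))   # lockout over
    return results


if __name__ == "__main__":
    for n, d in enumerate(run_rate_limiter()):
        print(f"request {n:2d}: {d}")
    print(run_login_guard())
```

In the replay, the 61st 404 trips the “human’s pages not found” rule (the count exceeds 60 within the minute), the following requests are answered with the throttle page for 30 minutes, and the request after expiry is served normally; switching `mode="block"` changes only the status returned. The login replay shows the fifth failure triggering the lockout and a correct password still being refused until the 30 minutes have passed.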