Hi @robin2014, thanks for your question.
We generally don’t recommend utilising features like “Allowlisted IP addresses that bypass all rules” unless absolutely necessary, as this allows all Wordfence protection to be bypassed. Regardless, most of your users won’t have fixed IPs, but I just wanted to mention it.
It may be worth loosening the “too many login attempts” restrictions slightly to a level that may be considered reasonable for a human to accidentally mistype or momentarily forget their credentials. They may also inadvertently be caught out by a typo with the “immediately lock out invalid usernames” setting in Wordfence > All Options > Brute Force Protection. We would recommend this be disabled if you have a high quantity of users/customers accessing an online store.
I generally set my Rate Limiting rules to these values to start with:
Rate Limiting Screenshot
- If anyone’s requests exceed – 240 per minute
- If a crawler’s page views exceed – 120 per minute
- If a crawler’s pages not found (404s) exceed – 60 per minute
- If a human’s page views exceed – 120 per minute
- If a human’s pages not found (404s) exceed – 60 per minute
- How long is an IP address blocked when it breaks a rule – 30 minutes
I also always set the rule to Throttle instead of Block. Throttling is generally better than blocking because any good search engine understands what happened if it is mistakenly throttled, and your site isn’t penalized because of it. Make sure to set your Rate Limiting Rules realistically and set the value for how long an IP is blocked to 30 minutes or so.
With Brute Force settings, I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30-minute (or longer) lockout time period.
Remember there is no hard and fast, one size fits all set of rules for every site. This is just a good place to start.
Let me know how that goes for you!
Peter.
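To make the trade-off in the post concrete (a human who mistypes a couple of times should never be locked out, while a burst of failures or a request flood should trip the rule and then release after the penalty period), here is a small Python model of the two counters being tuned: the brute-force lockout (failures counted over 4 hours, 30-minute lockout) and a rate-limiting rule (requests per minute, 30-minute throttle or block). This is an added illustration, not Wordfence's code, and it makes a few assumptions that are marked in the comments: a rule trips when the count *exceeds* the configured number, a successful login clears that IP's failure history, and "throttle" still answers requests (marking them slowed) while "block" refuses them. The IP addresses and event streams are constructed.

```python
"""Model of a per-IP sliding-window limiter used two ways: as a brute-force
login lockout and as a per-minute request rate limit with throttle or block.
Added example; not Wordfence's implementation. All data below is constructed."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds, penalty_seconds, mode="block"):
        self.limit = limit                  # events allowed inside the window
        self.window = window_seconds        # length of the counting window
        self.penalty = penalty_seconds      # how long an IP stays penalised
        self.mode = mode                    # "block" or "throttle" (assumed semantics)
        self.hits = defaultdict(deque)      # ip -> timestamps of counted events
        self.penalised_until = {}           # ip -> time the block/throttle ends

    def penalised(self, ip, now):
        """True while ip is inside its penalty period; expiry clears its history."""
        until = self.penalised_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.penalised_until[ip]
            self.hits[ip].clear()
            return False
        return True

    def record(self, ip, now):
        """Count one event for ip. Returns True if this event tripped the rule
        (assumption: the rule trips when the count EXCEEDS the limit)."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > self.limit:
            self.penalised_until[ip] = now + self.penalty
            return True
        return False


def simulate_logins(events, max_failures=5, mode="block"):
    """events: (seconds, ip, succeeded). Failures are counted over 4 hours and
    exceeding max_failures locks the IP for 30 minutes. A successful login clears
    the IP's failure history (assumption made for this model)."""
    lim = SlidingWindowLimiter(max_failures, 4 * 3600, 30 * 60, mode)
    out = []
    for ts, ip, ok in sorted(events, key=lambda e: e[0]):
        if lim.penalised(ip, ts):
            out.append((ts, ip, "locked out"))
        elif ok:
            lim.hits[ip].clear()
            out.append((ts, ip, "login ok"))
        else:
            out.append((ts, ip, "lockout triggered" if lim.record(ip, ts) else "login failed"))
    return out


def simulate_requests(requests, per_minute=240, mode="throttle"):
    """requests: (seconds, ip). Exceeding per_minute requests within 60 seconds
    throttles (or blocks) the IP for 30 minutes, as in the post's first rule."""
    lim = SlidingWindowLimiter(per_minute, 60, 30 * 60, mode)
    out = []
    for ts, ip in sorted(requests, key=lambda e: e[0]):
        if lim.penalised(ip, ts):
            out.append((ts, ip, "throttled" if mode == "throttle" else "blocked"))
        else:
            out.append((ts, ip, "limited" if lim.record(ip, ts) else "served"))
    return out


# Constructed sample data (documentation-range addresses, not real hosts).
HUMAN = "203.0.113.5"      # a customer who mistypes a password twice
BOT = "198.51.100.7"       # a source hammering the login form
LOGIN_EVENTS = (
    [(0, HUMAN, False), (20, HUMAN, False), (45, HUMAN, True)]
    + [(t, BOT, False) for t in range(7)]   # 7 rapid failures: the 6th trips a 5-failure rule
    + [(1900, BOT, False)]                  # after the 30-minute lockout has expired
)
REQUESTS = [(10.0, HUMAN)] + [(i * 0.2, BOT) for i in range(245)] + [(2000.0, BOT)]

if __name__ == "__main__":
    for row in simulate_logins(LOGIN_EVENTS):
        print(row)
    tally = {}
    for _, _, outcome in simulate_requests(REQUESTS):
        tally[outcome] = tally.get(outcome, 0) + 1
    print(tally)
```

Running it shows the human's two failures and successful login pass untouched, the bot's sixth failure triggers the lockout, its next attempt is refused, and the attempt after the 30-minute period is counted afresh. On the request side, 240 requests in a minute are served, the 241st trips the rule, the remainder of the burst is throttled rather than refused, and a request well after the penalty is served again. Switching `mode="block"` turns those throttled entries into refusals, which is the difference the post is pointing at when it prefers Throttle.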