Rate Limiting
Learning Focus
By the end of this lesson you will know how to set up Cloudflare rate limiting rules.
What Rate Limiting Does
Cloudflare rate limiting blocks or challenges clients that exceed a defined request threshold within a time window — before traffic reaches your server.
Setting Up Rate Limiting
- In the Cloudflare dashboard: Security → WAF → Rate Limiting Rules
- Create a rule:
  - Matching URL: e.g., `/wp-login.php` or `/*` for site-wide
  - Threshold: e.g., 50 requests per 10 seconds
  - Action: Block, Challenge, or JS Challenge
  - Duration: How long the block lasts (e.g., 60 seconds)
Common Rate Limiting Patterns
| Target | Threshold | Action |
|---|---|---|
| Login page (/wp-login.php) | 10 req/min | Block for 1 hour |
| API endpoint (/api/) | 100 req/min | Challenge |
| Site-wide | 1000 req/min | JS Challenge |
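
Before enabling thresholds like these, it helps to replay existing access logs against them and see which clients would have been mitigated. The script below is an added example, not Cloudflare's code or part of the original lesson; the log line format, the fixed-window per-IP counting, and the function names are assumptions of the sketch, and the sample traffic is constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds from the table above: (rule name, path prefix, max requests, window s).
RULES = [
    ("login", "/wp-login.php", 10, 60),
    ("api", "/api/", 100, 60),
    ("site-wide", "/", 1000, 60),
]

def parse_line(line):
    """Parse one 'ISO-8601-timestamp client-ip method path' line (assumed format)."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts).timestamp(), ip, path

def dry_run(lines, rules=RULES):
    """Map (rule, ip) to the epoch time at which that client first exceeded the rule.

    Counting is per client IP in fixed windows, a simplification; a request
    counts toward every rule whose prefix matches its path.
    """
    counts = defaultdict(int)  # (rule, ip, window index) -> requests seen
    tripped = {}
    for line in lines:
        ts, ip, path = parse_line(line)
        for name, prefix, limit, window in rules:
            if not path.startswith(prefix):
                continue
            key = (name, ip, int(ts // window))
            counts[key] += 1
            if counts[key] > limit:
                tripped.setdefault((name, ip), ts)
    return tripped

def sample_log():
    """Constructed traffic (documentation IP ranges), not real log data."""
    row = "2024-05-01T12:00:{:02d}+00:00 {} {} {}"
    lines = [row.format(s, "203.0.113.7", "POST", "/wp-login.php") for s in range(12)]
    lines += [row.format(s * 5, "198.51.100.4", "POST", "/wp-login.php") for s in range(3)]
    lines += [row.format(s, "192.0.2.9", "GET", "/api/posts") for s in range(30)]
    return sorted(lines)

if __name__ == "__main__":
    for (rule, ip), ts in dry_run(sample_log()).items():
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{ip} would exceed the {rule} rule at {when}")
```

If a legitimate client shows up in the output, raise the threshold or narrow the matching URL before switching the rule's action to Block.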
Cloudflare vs OLS Rate Limiting
| Feature | Cloudflare | OpenLiteSpeed |
|---|---|---|
| Location | Edge | Origin |
| Attack traffic reaches server | No | Yes |
| Granularity | URL + IP + headers | Per-IP connection/request |
Edge rate limiting is more effective for DDoS protection because it blocks abusive traffic before it consumes your server's resources.
Key Takeaways
- Rate limiting at the edge protects your server from volume-based attacks.
- Configure aggressive limits for login and sensitive pages.
- Use in combination with OLS-level per-client throttling for defense in depth.
What's Next
- Continue to Bot Protection for automated threat management.