What are some good Nginx rate limits for WordPress websites?

Question

We are optimizing the default configuration for SlickStack, and looking for some good values to recommend to users for the limit_req and limit_conn settings in Nginx.

There are plenty of tutorials around the web, but the settings used are very random.

Most of the time, something like rate=1r/s with burst=1 nodelay is used for URIs like /wp-login.php however this seems too liberal for strong security.

There's also not much discussion about rate-limiting the entire server/website, .php files, and so forth.

The limit_conn feature is rarely mentioned, and limit_rate as well.

I'm hoping to start a thread about some possible settings for typical WordPress websites, with a special nod toward cloud servers or non-shared hosting environments, keeping in mind that these settings should be adjusted depending on your expected traffic levels and otherwise...

Most rate limiting solutions deal with a single login page or otherwise, and fail to consider the large number of "requests" that a CMS might require, and how different parts of the website might need different rate limits. Here's an example from 2015 dealing with a website built on Ruby: https://www.ruby-forum.com/t/request-limit-calculation/242388 — Jesse Nickles, Mar 29 '24 at 09:55
The SE network is not a place for discussions. If you want discussions you need to ask somewhere else. The answer to your question boils down to benchmark and evaluate. — Gerald Schneider, Mar 29 '24 at 11:41
Does this answer your question? How do you do load testing and capacity planning for web sites? — Gerald Schneider, Mar 29 '24 at 12:17
Related: https://serverfault.com/questions/1091683/rate-limiting-only-the-home-page-with-nginx-limit-req-zone — Jesse Nickles, Mar 29 '24 at 13:48
Related: https://serverfault.com/questions/346432/nginx-proper-use-of-limit-req-zone-and-limit-req — Jesse Nickles, Mar 29 '24 at 13:48
Related: https://serverfault.com/questions/1105069/nginx-ratelimit-on-all-files — Jesse Nickles, Mar 29 '24 at 13:49
I don't see how a general answer is possible. It has to be tailored to each sites expected and normal traffic. — vidarlo, Mar 29 '24 at 20:43
Focus on your question. Calling other users names simply doesn't work. There's no conspiracy, there's no power tripping. Nor do I see how your answer is universally applicable. — vidarlo, Mar 30 '24 at 07:51

score 0 · Answer 1 · answered Mar 29 '24 at 14:24

There is a lot of inaccurate information online about rate-limiting in WordPress. Specifically, many people assume that 1 request = 1 page load, which is wrong. There is also significant misinformation about what the per second /s and per minute /m directives mean and what the results will be...

The average WordPress website might require 50-100+ "requests" for a single page load, because of all the different PHP, JS, CSS, etc assets being loaded.

Here are some possible settings for limit_req and limit_conn for a typical WordPress site:

For /wp-login.php rate-limit:

limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;
limit_req zone=wplogin burst=1 nodelay

For server-wide (e.g. location / in server block):

limit_req_zone $binary_remote_addr zone=sitewide:10m rate=50r/s;
limit_req zone=sitewide burst=100 nodelay;

I will add more later after more testing...

What are some good Nginx rate limits for WordPress websites?

1 Answers1

Linked