# Frequently Asked Questions Find answers to commonly asked questions about Turbo Rate Limiter. If you don't find your question here, please check the other documentation guides or contact support. --- ## General Questions ### What is Turbo Rate Limiter? Turbo Rate Limiter is a WordPress security plugin that protects your website from abuse by limiting how many requests visitors can make to specific URLs within a given time period. It helps prevent brute force attacks, API abuse, comment spam, and other forms of automated abuse that can overwhelm your server or compromise your site's security. ### Why do I need rate limiting? Rate limiting is an essential security measure for any WordPress site. Without it, attackers can: - **Brute force your login page** by trying thousands of password combinations - **Overwhelm your server** with automated requests - **Scrape your content** for data theft or republishing - **Abuse your APIs** beyond reasonable usage limits - **Submit spam comments** at scale Rate limiting makes these attacks impractical by blocking abusive traffic while allowing legitimate users to access your site normally. ### Is rate limiting the same as blocking? No. Rate limiting and blocking are related but different concepts: - **Rate limiting** allows a certain number of requests within a time window. After reaching the limit, additional requests are temporarily blocked until the window resets. - **Blocking** permanently prevents access from certain IPs, users, or ranges. Turbo Rate Limiter focuses on rate limiting, which is generally more effective for security because it doesn't require maintaining blocklists and automatically resets for users who stop their abusive behavior. ### Will rate limiting affect my legitimate users? When configured properly, rate limiting should not affect legitimate users. The limits are designed to be generous enough for normal human behavior while blocking automated attacks. For example, allowing 10 login attempts per minute is more than enough for real users but will stop brute force tools that try hundreds of passwords per minute. --- ## Installation and Setup ### How do I install Turbo Rate Limiter? 1. Go to **Plugins → Add New** in your WordPress admin dashboard 2. Search for "Turbo Rate Limiter" 3. Click **Install Now** on the Turbo Rate Limiter plugin 4. Click **Activate** after installation 5. Navigate to **Turbo Rate Limiter** in your admin menu to configure settings ### Where is the settings page? After activation, find Turbo Rate Limiter in your WordPress admin menu. The main settings page shows your current filters, allows you to add new filters, and provides access to Test Mode and Debug Mode settings. ### How do I create my first rate limit filter? 1. Go to **Turbo Rate Limiter** in your admin dashboard 2. In the "Add New Filter" form, enter: - **Filter Name**: A descriptive name (e.g., "Login Protection") - **URI Pattern**: The URL pattern to match (e.g., `/wp-login.php`) - **Match Type**: How to match the pattern (Exact, Starts With, Contains, Ends With, or Regex) - **Request Limit**: Maximum requests allowed (e.g., 10) - **Time Window**: How often the limit resets (e.g., 60 seconds) - **Action**: What happens when the limit is exceeded (HTTP 429 recommended) 3. Check **Enable this filter** 4. Click **Add Filter** ### What's the recommended starting configuration? For most WordPress sites, we recommend these three filters: 1. **Login Page Protection**: `/wp-login.php` with Starts With match, 10 requests per 60 seconds 2. **Search Protection**: `/?s=` with Starts With match, 30 requests per 60 seconds 3. **XML-RPC Protection**: `/xmlrpc.php` with Exact Match, 20 requests per 60 seconds See our [Getting Started Guide](getting-started.md) for detailed configuration examples. --- ## Match Types Explained ### What is the difference between match types? Each match type determines how the plugin matches URLs against your patterns: - **Exact Match**: Matches only if the URL is exactly the same as your pattern - **Starts With**: Matches any URL that begins with your pattern - **Contains**: Matches any URL that contains your pattern anywhere - **Ends With**: Matches any URL that ends with your pattern - **Regex**: Uses regular expressions for complex matching patterns ### Which match type should I use? Choose based on your needs: - **Exact Match**: Best for single, specific URLs like `/xmlrpc.php` - **Starts With**: Best for directories and URL prefixes like `/wp-admin/` - **Contains**: Best for matching patterns anywhere in the URL like `?s=` - **Ends With**: Best for targeting file types like `.xml` - **Regex**: Use only when other match types can't achieve your goal ### Does the pattern need trailing slashes? Yes, if the URLs you're targeting include trailing slashes, your pattern must match exactly. WordPress URLs can be inconsistent, so you may need multiple filters for complete coverage. For example, for XML-RPC protection, you might want both: - Exact Match: `/xmlrpc.php` - Starts With: `/xmlrpc.php/` See our [Match Types Guide](match-types.md) for detailed examples. --- ## Configuration Questions ### What is Test Mode? Test Mode allows you to preview how your rate limit filters would work without actually blocking anyone. When enabled, matched requests are logged and shown in the "Recent Test Matches" table so you can verify your filters are working correctly before enabling them in production. Always use Test Mode before enabling new filters to ensure they match the correct URLs. ### What is Debug Mode? Debug Mode shows a floating panel in the bottom-right corner of your site for administrators. The panel displays real-time information about rate limiting for the current request, including: - Current request URI - Your IP address - Which filters matched (if any) - Request count and remaining requests - Status (OK or Would Block) This is invaluable for troubleshooting and verifying your configuration. ### Can I use both HTTP 429 and redirects? Each filter can only have one action. However, you can create multiple filters for the same URI with different actions to achieve different behaviors. For example, you might create one filter that returns HTTP 429 for most abuse and another with stricter limits that redirects to a custom page. ### Can I whitelist certain IPs? Turbo Rate Limiter doesn't have a built-in whitelist feature. However, you can achieve similar results by: 1. Creating filters with very high limits (like 1000 requests per minute) for trusted IP ranges 2. Using your hosting control panel or WAF to whitelist IPs at the server level 3. Implementing IP whitelisting in your site's `.htaccess` file ### How do I set different limits for different times of day? Turbo Rate Limiter doesn't currently support time-based schedule for limits. All filters apply their limits consistently 24/7. Consider using a more advanced solution like a WAF if you need scheduled rate limiting. --- ## Troubleshooting ### My legitimate users are being blocked. What should I do? 1. **Check the limit values**: Your limits might be too aggressive for normal usage. Increase them gradually until legitimate users aren't affected. 2. **Review your patterns**: Your pattern might be too broad and matching URLs you didn't intend. Use Test Mode to verify. 3. **Check for false positives**: Some users might be behind shared IPs (corporate networks, schools) where one abusive user affects everyone. Consider higher limits for sensitive areas. 4. **Monitor patterns**: Use your hosting analytics to identify which IPs are being blocked and investigate if they're legitimate users. See our [Best Practices Guide](best-practices.md) for tips on balancing security and usability. ### I'm blocked from my own admin panel. How do I fix this? If you've accidentally blocked yourself: 1. Access your site from a different IP address (mobile hotspot, VPN, etc.) 2. Navigate to **Turbo Rate Limiter** in the admin 3. Disable or adjust the problematic filter 4. Alternatively, access your database directly and modify the filter settings To prevent this, consider creating a filter with a very high limit specifically for your IP address. ### Rate limits aren't working. What could be wrong? Common reasons rate limits don't work: 1. **Filter is disabled**: Check that the filter is enabled in the settings 2. **Pattern doesn't match**: Use Test Mode to verify your pattern matches the correct URLs 3. **Rate limiter is disabled globally**: Check that the plugin is enabled 4. **Cached pages**: Cached pages bypass WordPress entirely, so rate limiting won't apply 5. **Plugin conflict**: Other security plugins might be interfering ### How do I know if rate limiting is blocking traffic? 1. **Check the filters table**: The settings page shows which filters are active and their statistics 2. **Enable Debug Mode**: The debug panel shows real-time rate limit information 3. **Check server logs**: Your hosting provider's analytics may show blocked requests 4. **User reports**: Users may report seeing rate limit errors ### Can I see which IPs have been rate limited? Turbo Rate Limiter doesn't maintain a permanent log of blocked IPs. However: - Debug Mode shows current request information for administrators - Test Mode shows recent test matches when enabled - Your server logs or WAF may maintain blocking logs For permanent IP tracking, consider using a dedicated security plugin or WAF. --- ## Performance and Server Impact ### Will rate limiting slow down my site? Turbo Rate Limiter is designed with performance in mind. The plugin: - Uses transient-based caching to minimize database queries - Compiles filter rules for efficient matching - Skips processing for requests that don't match any filters - Only loads necessary components on each request For most sites, the performance impact is negligible. However, if you have many complex filters or very high traffic, monitor your server resources and consider optimizing your filter configuration. ### How many filters can I create? There's no hard limit, but creating too many filters (especially Contains and Regex types) can impact performance. We recommend: - Keeping filters to a minimum - Preferring Exact Match and Starts With for frequently matched URLs - Consolidating similar filters where possible ### Does rate limiting work with caching plugins? Yes, but with caveats. Rate limiting only applies to requests that reach WordPress. Cached pages are served directly from the cache and bypass WordPress entirely, so rate limiting doesn't apply to them. This is generally desirable—cached pages are typically public content that doesn't need rate limiting. Rate limiting applies to dynamic requests like login forms, search results, and API endpoints. --- ## Search Engine and SEO ### Will rate limiting affect my search engine rankings? **Possibly, if configured incorrectly.** Search engines like Google and Bing crawl your site to index your content. These crawlers are subject to your rate limits just like any other visitor. **To protect your SEO while using rate limiting:** 1. **Be generous with limits for crawlable content**: Allow at least 100-300 requests per minute for public pages 2. **Don't rate limit critical crawling paths**: Avoid aggressive limits on important URLs 3. **Monitor your crawl stats**: Check Google Search Console for crawl errors 4. **Consider excluding common bot user agents**: Use a WAF or security plugin for this See the "Search Engine Considerations" section in our [Getting Started Guide](getting-started.md) for more details. ### Does the plugin exclude Googlebot or other search engines? No, Turbo Rate Limiter does not currently exclude any crawlers or bots. All requests, including search engine crawlers, are subject to your configured rate limits. If search engine crawling is critical for your site, consider: 1. Using higher limits that won't affect normal crawling 2. Using a WAF that can identify and exempt known search engine crawlers 3. Implementing bot detection at your CDN or hosting level ### Will rate limiting prevent my site from being indexed? Only if you set extremely aggressive limits that prevent search engines from crawling your pages. Normal rate limits (10-100 requests per minute) won't affect indexing. Monitor your crawl stats in Google Search Console after enabling rate limits to ensure adequate crawling. --- ## Advanced Questions ### Can I use rate limiting for WooCommerce? Yes, rate limiting can help protect WooCommerce stores from abuse. Consider creating filters for: - **Login attempts**: `/wp-login.php` - **Checkout process**: WooCommerce checkout URLs - **Password reset**: `/my-account/lost-password/` - **API endpoints**: `/wp-json/wc/` prefixes Be careful with checkout protection—test thoroughly to ensure legitimate customers aren't affected. ### Can I rate limit by user role instead of IP? Turbo Rate Limiter currently uses IP-based rate limiting only. User role-based limiting would require more complex implementation and isn't currently supported. ### Can I export or import my filters? Turbo Rate Limiter doesn't currently have built-in import/export functionality. You can export filters by: 1. Manually recording your filter settings 2. Using phpMyAdmin or similar tools to export the `turbo_rate_limiter_filters` option from the `wp_options` table ### Does the plugin work with multisite installations? Yes, Turbo Rate Limiter works on WordPress Multisite installations. The plugin settings are network-wide, but individual site administrators can also configure filters that apply only to their sites. ### Can I use this with a CDN like Cloudflare? Yes, Turbo Rate Limiter works alongside CDNs like Cloudflare. However, consider: 1. Some CDNs provide their own rate limiting that may work better at the edge 2. Requests may appear to come from the CDN's IPs rather than the visitor's actual IP 3. Configure your CDN's IP detection settings correctly for accurate rate limiting --- ## Error Messages ### What does "Too Many Requests" mean? This is the HTTP 429 response that appears when a visitor exceeds their rate limit. It means they've made too many requests within the configured time window and must wait before making more requests. ### What does the rate limit error page look like? The default error page shows a simple message explaining the rate limit was exceeded. You can customize this by redirecting to a custom WordPress page instead. ### Can I customize the error message? Turbo Rate Limiter uses the standard HTTP 429 response. You can customize the user experience by: 1. Creating a custom WordPress page with helpful information 2. Configuring filters to redirect to that page instead of returning HTTP 429 3. Adding custom CSS to your theme to style the error page --- ## Support and Updates ### How do I get help? 1. **Check the documentation**: This FAQ and our other guides cover most common questions 2. **Enable Debug Mode**: The debug panel provides real-time information for troubleshooting 3. **Use Test Mode**: Verify your filters are working correctly before going live 4. **Contact support**: Use the support link in the plugin's admin sidebar ### How do I report a bug? If you believe you've found a bug in Turbo Rate Limiter: 1. Check that your configuration is correct using Test Mode 2. Disable other plugins temporarily to check for conflicts 3. Try the default WordPress theme to rule out theme issues 4. Report the issue with details about your configuration and the problem you're experiencing ### Will the plugin be updated? Yes, Turbo Rate Limiter is actively maintained. Updates may include: - Security improvements - Performance enhancements - New features - Compatibility updates for new WordPress versions Keep the plugin updated through your WordPress admin dashboard. --- ## Related Documentation - **[Getting Started Guide](getting-started.md)**: Overview and quick start - **[Match Types Explained](match-types.md)**: Detailed match type information - **[Rate Limiting Best Practices](best-practices.md)**: Strategies and recommendations --- *Last updated for Turbo Rate Limiter v1.0.0*