Description
Turbo Rate Limiter is a powerful yet easy-to-use security plugin that helps protect your WordPress site from various types of abuse by limiting the rate at which visitors can make requests.
Features
- URI-based filtering – Set rate limits for specific URLs, paths, or patterns
- Multiple match types – Exact match, contains, starts with, ends with, or regex
- Flexible time windows – Configure rate limits per second, minute, or hour
- Multiple actions – Return HTTP 429, redirect to URL, or redirect to page
- Test mode – Preview rate limiting behavior without blocking visitors
- Debug panel – Visual debug panel for administrators
- Cloudflare support – Full IPv4 and IPv6 proxy detection
- Localization ready – Translations available for multiple languages
Use Cases
- API protection – Limit API calls to prevent abuse
- Login protection – Prevent brute force attacks on login pages
- Form spam prevention – Limit form submission rates
- Resource protection – Protect heavy database queries
- CDN compatibility – Works with Cloudflare and other proxies
Arbitrary section
Developer API
Turbo Rate Limiter provides hooks and filters for developers:
// Add trusted proxy IPs
add_filter('turbo_rate_limiter_trusted_proxies', function() {
return [
'173.245.48.0/20',
'2400:cb00::/32',
// More ranges...
];
});
// Access rate limiter instance
$rate_limiter = TURBORL_Rate_Limiter::get_instance();
For full API documentation, see docs/developer-api.md.
Screenshots
Plugin settings page showing all configuration options.
Debug panel displaying rate limit statistics and logs.
Filter form for testing and debugging rate limiting rules.
Installation
Automatic Installation
- Go to Plugins > Add New
- Search for “Turbo Rate Limiter”
- Click “Install Now” and activate the plugin
Manual Installation
- Upload the
turbo-rate-limiterfolder to/wp-content/plugins/ - Activate the plugin through the ‘Plugins’ menu in WordPress
- Go to Settings > Turbo Rate Limiter to configure
Configuration
- Navigate to Settings > Turbo Rate Limiter
- Click “Add New Filter” to create your first rate limit rule
- Configure the URI pattern, match type, request limit, and action
- Enable the filter and save
FAQ
-
Does this work with caching plugins?
-
Yes, with an important caveat: this plugin enforces rate limits only for requests that reach WordPress. If a page is served before WordPress loads (for example, by CDN or server-level/full-page cache), that request can bypass plugin-level checks. For full coverage, pair this plugin with edge/server rate limiting and exclude sensitive routes from full-page cache where needed.
-
Will this block legitimate traffic?
-
Configure your filters carefully. Use the test mode to preview behavior before enabling blocking. We recommend starting with generous limits and adjusting based on your site’s traffic patterns.
-
Does it work with Cloudflare?
-
Yes! The plugin fully supports Cloudflare and other reverse proxies. Configure your trusted proxies in the developer documentation to enable proper IP detection.
-
Can I whitelist specific IPs?
-
Currently, you can configure trusted proxies for IP detection. For IP whitelisting to bypass rate limiting, you would need to modify the plugin code or request this as a feature.
-
What happens when a rate limit is exceeded?
-
You can configure the action: return HTTP 429 (Too Many Requests), redirect to a custom URL, or redirect to a specific WordPress page.
-
Will this slow down my site?
-
The plugin is optimized for performance with compiled filter caching and transient storage. The impact on page load time is minimal.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Turbo Rate Limiter” is open source software. The following people have contributed to this plugin.
Contributors
“Turbo Rate Limiter” has been translated into 1 locale. Thank you to the translators for their contributions.
Translate “Turbo Rate Limiter” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.2
- Preserve encoded Unicode request URIs in the rate limiter.
1.0.1
- Removed the unused cleanup cron because WordPress already expires rate-limit transients automatically.
1.0.0
- Initial release
- URI-based rate limiting with multiple match types
- Configurable time windows and request limits
- Test mode for safe configuration
- Debug panel for administrators
- Full IPv4 and IPv6 Cloudflare support
- Localization support for multiple languages