README

Protect your Craft CMS site from DDoS attacks and abuse by limiting requests per IP address.

Requirements

Craft CMS 5.0.0 or later
PHP 8.2 or later

Installation

Open your terminal and go to your Craft project:
```
 cd /path/to/project
```

Require the plugin via Composer:

 composer require liquidbcn/craftcms-rate-limit

In the Control Panel, go to Settings → Plugins and click "Install" for Rate Limit.

Configuration

Control Panel

Navigate to Settings → Rate Limit to configure:

Enable Rate Limiting - Toggle protection on/off
Max Requests per IP per Minute - Request limit within a 60-second window (default: 4000)
Excluded IPs - Whitelist IPs or CIDR ranges that bypass rate limiting

Config File

You can also configure via config/rate-limit.php. Config file values take precedence over CP settings.

<?php

return [
    'enabled' => true,
    'maxRequestsPerIpPerMinute' => 200,
    'excludedIps' => [
        '127.0.0.1',
        '10.0.0.0/8',
        '192.168.1.0/24',
    ],
];

Multi-environment Configuration

<?php

return [
    '*' => [
        'maxRequestsPerIpPerMinute' => 200,
    ],
    'dev' => [
        'enabled' => false,
    ],
    'production' => [
        'maxRequestsPerIpPerMinute' => 100,
    ],
];

How It Works

The plugin tracks requests per IP using Craft's cache system with 60-second windows. When an IP exceeds the configured limit, subsequent requests receive an HTTP 429 (Too Many Requests) response.

Dashboard

Access the Rate Limit dashboard from the Control Panel sidebar to monitor blocked requests:

Stats overview - Blocked requests in the last hour and 24 hours
Top blocked IPs - Most frequently blocked IP addresses
Recent blocked requests - Log of the last 100 blocked requests with timestamps and URIs
Check IP - Quick link to AbuseIPDB to investigate suspicious IPs

Brought to you by Liquid Studio

liquidbcn / craftcms-rate-limit

Maintainers

Details