Rate limit for Craft CMS: Protect your site from brute force attacks and abuse

A native plugin to limit HTTP requests by IP and protect your Craft CMS site from attacks and abuse
15.12.2025 — Liquid Team — 3 min read

Website security is crucial, especially for projects built with Craft CMS. Among the most common attack vectors are brute force attacks and HTTP request abuse, which can overload your server and degrade your site's performance. To mitigate these risks, we've developed Rate Limit, a native plugin for Craft CMS 5 that restricts the number of requests each IP address may make.

What is rate limiting and why you need it

Rate limiting is a security technique that restricts the number of requests a client can make within a specific time period. This measure is essential to:

• Prevent brute force attacks on login forms
• Mitigate small-scale denial-of-service attempts coming from a single source (a per-IP limit does little against a distributed attack spread across many addresses)
• Protect APIs and endpoints from abusive use
• Reduce server costs by avoiding unnecessary requests
• Maintain site availability for legitimate users

Rate Limit plugin features

Flexible configuration

The plugin allows you to define the maximum number of requests allowed per IP per minute. The default value is 4000 requests (roughly 67 per second), but you can adjust it to your project's needs. A low-traffic blog might use more restrictive values (100-500), while a highly interactive application may require higher limits. Keep in mind that a brute force tool needs far fewer than 4000 attempts per minute to work through a password list against a login form, so if that is the threat you are addressing, choose a limit close to what a legitimate visitor actually generates rather than leaving the default.

IP whitelist

Not all IPs should be subject to limitations. The plugin includes a whitelist where you can exclude:

• Individual IPs: useful for monitoring services or your own office
• CIDR ranges: to exclude entire subnets (e.g., 192.168.1.0/24)

Monitoring dashboard

The dashboard integrated into Craft's control panel shows statistics of blocked requests, allowing you to identify attack patterns and adjust the configuration as needed.

Native Craft integration

The plugin uses Craft CMS's native cache system, which means it doesn't require external dependencies like Redis or Memcached (although it will use them if Craft's cache is already configured that way). Installation is straightforward and the per-request overhead is minimal. One caveat: if your site runs on several web servers with a cache that is local to each of them (such as a file cache), every server keeps its own counters and a client effectively gets the limit multiplied by the number of servers; a shared cache such as Redis avoids this.

How it works

When an HTTP request arrives, the plugin:

1. Obtains the visitor's IP
2. Checks if it's in the whitelist
3. Queries the request counter in cache
4. If it exceeds the limit, responds with an HTTP 429 error (Too Many Requests)
5. Logs the blocked request for analysis

Time windows reset every minute, so legitimate users who have been temporarily blocked quickly regain access. Two consequences of this design are worth knowing. First, because the window is fixed rather than sliding, a client can make up to twice the limit in a short burst that straddles the boundary between two windows; size the limit with that in mind. Second, the whole mechanism depends on step 1 producing the real client address: if Craft sits behind a reverse proxy, load balancer or CDN, the request component must be configured to trust the forwarded-IP header from that proxy (and only from it). Otherwise either every visitor appears to share the proxy's address and the entire site is throttled as one client, or an attacker can supply a fresh spoofed address on every request and never reach the limit.
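The five steps above, as an added example in plain PHP rather than the plugin's own source: a fixed-window per-IP counter, the individual-IP and CIDR whitelist from the configuration section, and a step 1 that only honours X-Forwarded-For when the connection really comes from a trusted proxy. An in-memory array stands in for Craft's cache component, and the trusted proxy address 203.0.113.10, the sample visitor addresses, the limit of 3 and the Retry-After header are all assumptions made for illustration; how the real plugin names its cache keys or handles headers is not documented on this page.

```php
<?php
declare(strict_types=1);
// Added example, not the Rate Limit plugin's source: a fixed-window per-IP limiter
// in the shape the article describes. An in-memory array stands in for Craft's
// cache component; the trusted proxy address and sample IPs are made up.

final class FixedWindowRateLimiter
{
    /** @var array<string,int> request counters keyed by "ip:window" (stand-in for the cache) */
    private array $cache = [];

    public function __construct(
        private readonly int $maxRequestsPerIpPerMinute,
        private readonly array $excludedIps = [],
        private readonly bool $enabled = true,
    ) {}

    /** Count this request; true = let it through, false = answer 429. */
    public function allow(string $ip, ?int $now = null): bool
    {
        if (!$this->enabled || $this->isExcluded($ip)) {
            return true;                              // whitelisted: never counted
        }
        $now ??= time();
        $key = $ip . ':' . intdiv($now, 60);          // fixed 60-second window
        $count = ($this->cache[$key] ?? 0) + 1;
        $this->cache[$key] = $count;                  // a real cache entry would carry a 60 s TTL
        return $count <= $this->maxRequestsPerIpPerMinute;
    }

    private function isExcluded(string $ip): bool
    {
        foreach ($this->excludedIps as $entry) {
            $hit = str_contains($entry, '/') ? self::inCidr($ip, $entry) : $ip === $entry;
            if ($hit) {
                return true;
            }
        }
        return false;
    }

    /** IPv4 CIDR membership test (64-bit PHP): inCidr('10.2.3.4', '10.0.0.0/8') is true. */
    public static function inCidr(string $ip, string $cidr): bool
    {
        [$network, $bits] = explode('/', $cidr, 2);
        $ipLong = ip2long($ip);
        $netLong = ip2long($network);
        if ($ipLong === false || $netLong === false) {
            return false;                             // malformed entry never matches
        }
        $bits = max(0, min(32, (int) $bits));
        $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($netLong & $mask);
    }
}

/**
 * Step 1: resolve the client IP. The forwarded header is honoured only when the TCP
 * peer is a trusted proxy; otherwise anyone could choose a new "IP" per request.
 */
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;                                 // direct connection: header is untrusted
    }
    // Walk X-Forwarded-For from the right: the first address that is not one of our
    // own proxies is the one the nearest trusted proxy actually talked to.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

/** Minimal front controller: returns [status, headers] so the outcome can be inspected. */
function handle(FixedWindowRateLimiter $limiter, array $trustedProxies, array $server, int $now): array
{
    $ip = clientIp($server, $trustedProxies);
    if (!$limiter->allow($ip, $now)) {
        return [429, ['Retry-After' => (string) (60 - $now % 60)]]; // seconds until the window resets
    }
    return [200, []];
}

// --- demo with constructed requests ----------------------------------------------
$config  = ['enabled' => true, 'maxRequestsPerIpPerMinute' => 3, 'excludedIps' => ['127.0.0.1', '10.0.0.0/8']];
$trusted = ['203.0.113.10'];                          // hypothetical load balancer in front of Craft
$limiter = new FixedWindowRateLimiter($config['maxRequestsPerIpPerMinute'], $config['excludedIps'], $config['enabled']);
$t = 1_700_000_000;

// Five requests from one visitor through the proxy: the 4th and 5th get 429.
$viaProxy = ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'];
for ($i = 1; $i <= 5; $i++) {
    [$status] = handle($limiter, $trusted, $viaProxy, $t);
    printf("proxied request %d -> %d\n", $i, $status);
}
// A direct client sending a forged header is counted under its real address.
$spoof = ['REMOTE_ADDR' => '192.0.2.99', 'HTTP_X_FORWARDED_FOR' => '10.1.1.1'];
printf("spoofed header counted as %s\n", clientIp($spoof, $trusted));
// A whitelisted range is never limited, and the next window starts clean.
printf("10.1.1.1 excluded: %s\n", var_export($limiter->allow('10.1.1.1', $t), true));
printf("next window -> %d\n", handle($limiter, $trusted, $viaProxy, $t + 60)[0]);
```

Run it with `php limiter.php`: the first three proxied requests return 200 and the next two 429, the forged header from 192.0.2.99 is ignored, 10.1.1.1 is always allowed, and the same visitor is admitted again once the window rolls over. Swapping the array for Craft's cache component with a 60-second TTL on the key is the only change needed to make the counter persist across requests.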

Installation

You can install the plugin directly from the Craft CMS Plugin Store or via Composer:

composer require liquidbcn/craftcms-rate-limit
php craft plugin/install rate-limit

After installation, go to Settings > Plugins > Rate Limit to adjust the parameters according to your needs.

Configuration via file

For projects with multiple environments, you can create the config/rate-limit.php file:

<?php
return [
    'enabled' => true,
    // maximum requests per IP in each 60-second window
    'maxRequestsPerIpPerMinute' => 500,
    // never counted or blocked: single addresses or CIDR ranges
    'excludedIps' => [
        '127.0.0.1',
        '10.0.0.0/8',
    ],
];

Requirements

• Craft CMS 5.0 or higher
• PHP 8.2 or higher

Download the plugin

Rate Limit is available for free on the official Craft CMS Plugin Store:

https://plugins.craftcms.com/rate-limit
