Protect your WordPress site from brute force attacks, API abuse, and DDoS attacks with customizable rate limiting rules.
| Author: | ahriad (profile at wordpress.org) |
| WordPress version required: | 5.0 |
| WordPress version tested: | 6.9.4 |
| Plugin version: | 1.0.2 |
| Added to WordPress repository: | 24-03-2026 |
| Last updated: | 26-03-2026 |
| Rating, %: | 0 |
| Rated by: | 0 |
| Plugin URI: | |
| Total downloads: | 191 |
 Click to start download |
|
Turbo Rate Limiter is a powerful yet easy-to-use security plugin that helps protect your WordPress site from various types of abuse by limiting the rate at which visitors can make requests.
Features
- URI-based filtering – Set rate limits for specific URLs, paths, or patterns
- Multiple match types – Exact match, contains, starts with, ends with, or regex
- Flexible time windows – Configure rate limits per second, minute, or hour
- Multiple actions – Return HTTP 429, redirect to URL, or redirect to page
- Test mode – Preview rate limiting behavior without blocking visitors
- Debug panel – Visual debug panel for administrators
- Cloudflare support – Full IPv4 and IPv6 proxy detection
- Localization ready – Translations available for multiple languages
Use Cases
- API protection – Limit API calls to prevent abuse
- Login protection – Prevent brute force attacks on login pages
- Form spam prevention – Limit form submission rates
- Resource protection – Protect heavy database queries
- CDN compatibility – Works with Cloudflare and other proxies
Arbitrary section
Developer API
Turbo Rate Limiter provides hooks and filters for developers:
// Add trusted proxy IPs
add_filter('turbo_rate_limiter_trusted_proxies', function() {
return [
'173.245.48.0/20',
'2400:cb00::/32',
// More ranges...
];
});
// Access rate limiter instance
$rate_limiter = TURBORL_Rate_Limiter::get_instance();
For full API documentation, see docs/developer-api.md.
Screenshots
FAQ
ChangeLog