Rate Limiting & IP Control

Beyond CAPTCHA verification, the plugin provides rate limiting and IP-based access control. These features work together to handle repeat offenders and known threats.

Rate limiting

Rate limiting tracks failed CAPTCHA attempts per IP address and temporarily locks out IPs that exceed the configured threshold.

How it works

  • A visitor fails CAPTCHA verification.
  • The failure is recorded against their IP address.
  • If the number of failures within the time window reaches the configured maximum (Max Failed Attempts), the IP is locked out.
  • During lockout, all protected forms return an error without even attempting CAPTCHA verification.
  • After the lockout period expires, the IP can try again.
  • A successful CAPTCHA verification clears the failure counter for that IP.

Configuration

Go to WooCommerce > Settings > CAPTCHA > Access Control and enable rate limiting.

Setting               Description                   Default  Range
Enable Rate Limiting  Master toggle                 Off      --
Max Failed Attempts   Failures before lockout       5        3-50
Lockout Duration      Minutes the IP is locked out  15       5-1440
Time Window           Minutes to track failures     60       5-1440

Example scenarios

Default settings (5 attempts, 60-minute window, 15-minute lockout): a bot fails CAPTCHA 5 times within an hour. Its 6th attempt is refused and the IP is locked out for 15 minutes. After the lockout expires, it gets another 5 attempts.

Stricter settings (3 attempts, 30-minute window, 60-minute lockout): three failures within 30 minutes trigger a 1-hour lockout. Better for stores under active attack.

Lockout message

Locked-out visitors see a message like: "Too many failed attempts. Please try again in 15 minutes." The message states the remaining lockout time, with the unit pluralized correctly ("1 minute" vs. "15 minutes").

Monitoring

The dashboard widget at Dashboard > CAPTCHA Protection shows:

  • Current active lockouts
  • Failed attempts today
  • Failed attempts this week

Cleanup

Expired rate limit entries are cleaned up automatically via WordPress cron (cfwc_cleanup hook). No manual maintenance needed.


IP whitelist

Whitelisted IPs skip CAPTCHA verification entirely on all protected forms. They are also exempt from rate limiting.

Configuration

Go to WooCommerce > Settings > CAPTCHA > Access Control and add IPs to the whitelist textarea. One entry per line.

Supported formats

Format        Example                 Description
Single IPv4   192.168.1.100           One specific IP
CIDR range    192.168.1.0/24          Entire subnet (256 addresses)
Wildcard      192.168.1.*             Pattern matching (* stands for any value in that octet)
IPv6          2001:db8::1             Single IPv6 address
IPv6 CIDR     2001:db8::/32           IPv6 subnet
With comment  192.168.1.100 # Office  Inline documentation (text after # is ignored)
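The following is an added example in Python, not the plugin's PHP, of a matcher that accepts every entry format in the table above, one entry per line with # starting an inline comment. Because the blocklist uses the same format, the same matcher serves both lists. The sample list is constructed for the example, and the choice to skip unparseable entries (so a typo never silently matches or blocks everyone) is an assumption about how such a list should be handled, not documented plugin behaviour.

```python
"""Added example (not the plugin's code): parse and match whitelist/blocklist
entries in the documented formats: single IPv4/IPv6, CIDR, IPv4 wildcard,
inline '#' comments. Unparseable entries are skipped (assumption)."""
import ipaddress

# Constructed sample list covering each documented format
SAMPLE_LIST = """
192.168.1.100 # Office
10.0.0.0/8
172.16.5.*    # wildcard: each octet is a number or *
2001:db8::1
2001:db8:1::/48
not-an-ip     # invalid entries are skipped, never treated as a match
"""


def compile_entry(entry):
    """Turn one cleaned entry into a predicate over an ipaddress object.
    Raises ValueError for entries in none of the supported formats."""
    if "*" in entry:
        parts = entry.split(".")
        if len(parts) != 4 or not all(
            p == "*" or (p.isdigit() and 0 <= int(p) <= 255) for p in parts
        ):
            raise ValueError(f"bad wildcard pattern: {entry}")

        def match_wildcard(ip):
            if ip.version != 4:
                return False
            return all(p == "*" or p == o for p, o in zip(parts, str(ip).split(".")))

        return match_wildcard
    if "/" in entry:
        # strict=False tolerates host bits set, e.g. 192.168.1.1/24
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip.version == net.version and ip in net
    single = ipaddress.ip_address(entry)
    return lambda ip: ip == single


def parse_ip_list(text):
    """Return (entries, invalid): cleaned entries that compile, and the raw
    lines that could not be parsed (kept so an admin can be warned)."""
    entries, invalid = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop the inline comment
        if not entry:
            continue
        try:
            compile_entry(entry)
        except ValueError:
            invalid.append(raw.strip())
            continue
        entries.append(entry)
    return entries, invalid


def ip_in_list(ip_str, text):
    """True if the visitor address matches any valid entry in the list."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparseable visitor address never matches
    entries, _ = parse_ip_list(text)
    return any(compile_entry(e)(ip) for e in entries)


if __name__ == "__main__":
    for probe in ("192.168.1.100", "10.200.3.4", "172.16.5.77", "172.16.6.77",
                  "2001:db8:1:ffff::9", "2001:db8:2::9"):
        print(probe, "->", ip_in_list(probe, SAMPLE_LIST))
```

Matching is done with Python's ipaddress module so IPv4 and IPv6 CIDR ranges are compared numerically; only the wildcard form is compared as text, octet by octet, which is why it is restricted to four dotted IPv4 parts.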

Common use cases

  • Your office IP -- so your team never sees CAPTCHA during testing
  • Payment gateway IPs -- if a gateway makes server-to-server callbacks through your checkout
  • Monitoring service IPs -- uptime monitors that check your checkout page

IP blocklist

Blocked IPs are rejected immediately on all protected forms. The form submission is stopped before CAPTCHA verification even runs.

Configuration

Go to WooCommerce > Settings > CAPTCHA > Access Control and add IPs to the blocklist textarea. Same format as the whitelist (single IPs, CIDR, wildcards, comments).

Use cases

  • Known attacker IPs from your server logs
  • IP ranges associated with data centers commonly used by bots
  • Temporary blocks during an active attack

Blocked IP message

Blocked visitors see a customizable error message. The default is generic and does not reveal that the IP is specifically blocked. You can customize it:

add_filter( 'cfwc_blocked_ip_message', function( $message, $ip ) {
    // $message is the plugin's default text; $ip is the address the plugin detected.
    // Keep the reply generic so a probing client cannot tell a block from any other refusal.
    return 'Access denied. Please contact support if you believe this is an error.';
}, 10, 2 );

IP detection

The plugin checks multiple headers to determine the visitor's real IP address, in this order, using the first one that is present:

  • HTTP_CF_CONNECTING_IP (Cloudflare)
  • HTTP_X_REAL_IP (nginx reverse proxy)
  • HTTP_X_FORWARDED_FOR (load balancers, proxies)
  • REMOTE_ADDR (direct connection)

This lets the plugin see the real client address behind Cloudflare, load balancers, or reverse proxies. Note that the first three are ordinary request headers: they are only trustworthy when a proxy in front of the site overwrites them. If nothing in front of the site sets them, any client can supply its own value and thereby choose the address that the rate limiter, whitelist and blocklist see. Make sure the proxy you use strips or rewrites these headers, and keep whitelist entries as narrow as possible.
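As an added example (Python, not the plugin's code), here is the lookup order above modelled on a dict shaped like PHP's $_SERVER, next to a stricter variant that only honours the forwarding headers when the connection itself came from a known proxy. The proxy ranges, the sample requests, and the choice of the leftmost X-Forwarded-For element are assumptions made for the example, not documented plugin behaviour.

```python
"""Added example (not the plugin's code): documented header precedence for
client-IP detection, plus a variant that trusts forwarding headers only when
REMOTE_ADDR is a known proxy. Proxy ranges and requests are constructed."""
import ipaddress

# Order from the documentation; the first present, non-empty header wins.
HEADER_ORDER = (
    "HTTP_CF_CONNECTING_IP",
    "HTTP_X_REAL_IP",
    "HTTP_X_FORWARDED_FOR",
    "REMOTE_ADDR",
)

# Assumption for this example: the proxies/load balancers in front of the site
# (documentation prefixes; in practice, e.g., Cloudflare's published ranges).
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:ffff::/48"),
]


def first_hop(value):
    """X-Forwarded-For may carry a comma-separated chain (client, proxy1, ...).
    Taking the leftmost element is an assumption about the plugin's behaviour."""
    return value.split(",")[0].strip()


def detect_ip(server):
    """The documented lookup: first header present in HEADER_ORDER."""
    for key in HEADER_ORDER:
        value = server.get(key, "").strip()
        if value:
            return first_hop(value)
    return None


def detect_ip_trusting_proxies(server, trusted=TRUSTED_PROXIES):
    """Stricter variant: forwarding headers are client-supplied text unless a
    proxy in front of the site overwrote them, so only believe them when the
    TCP peer (REMOTE_ADDR) is a trusted proxy; otherwise use REMOTE_ADDR."""
    peer = server.get("REMOTE_ADDR", "").strip()
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if any(peer_ip in net for net in trusted):
        return detect_ip(server)
    return peer


# Constructed requests
BEHIND_CLOUDFLARE = {
    "REMOTE_ADDR": "203.0.113.10",            # Cloudflare edge (trusted proxy)
    "HTTP_CF_CONNECTING_IP": "198.51.100.7",  # real visitor
    "HTTP_X_FORWARDED_FOR": "198.51.100.7",
}
DIRECT_WITH_SPOOFED_HEADER = {
    "REMOTE_ADDR": "192.0.2.44",              # the visitor, connecting directly
    "HTTP_X_FORWARDED_FOR": "192.168.1.100",  # claims the whitelisted office IP
}

if __name__ == "__main__":
    print("documented order:", detect_ip(DIRECT_WITH_SPOOFED_HEADER))
    print("trusting proxies:", detect_ip_trusting_proxies(DIRECT_WITH_SPOOFED_HEADER))
```

With the documented order, the direct request above is attributed to 192.168.1.100 (the whitelist example from earlier), because the header is present; the proxy-aware variant attributes it to the real peer, 192.0.2.44, since nothing trusted sits between the client and the server.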

How the layers work together

When a form is submitted, the plugin checks in this order:

  • IP blocklist -- if blocked, reject immediately
  • IP whitelist -- if whitelisted, skip all checks, allow through
  • Rate limit check -- if currently locked out, reject with lockout message
  • CAPTCHA verification -- verify with provider
  • Rate limit update -- record failure (if failed) or clear counter (if passed)

Because the blocklist is checked first, an IP that appears on both lists is rejected. This layered approach means blocklisted IPs never waste provider API quota, and whitelisted IPs experience zero friction.
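The following is an added example in Python, not the plugin's PHP, that puts the rate limiter described under Rate limiting (failure counter per IP, time window, lockout, counter cleared on success, cron-style cleanup, pluralized lockout message) together with the check order listed in this section, so the two configuration scenarios from the Rate limiting section can be replayed. It assumes a rolling time window, takes the current time as an explicit unix timestamp, and represents the whitelist and blocklist as plain sets of addresses; the bot traffic is constructed.

```python
"""Added example (not the plugin's code): rate limiter plus the documented
check order. Assumptions: rolling window, time passed in explicitly, IP lists
as plain sets (entry-format matching is a separate concern)."""
import math


class RateLimiter:
    """Failures per IP inside a rolling window; lockout once the count reaches
    max_failures. A passed CAPTCHA clears the counter; an ended lockout is dropped."""

    def __init__(self, max_failures=5, window_minutes=60, lockout_minutes=15):
        self.max_failures = max_failures
        self.window = window_minutes * 60
        self.lockout = lockout_minutes * 60
        self.failures = {}      # ip -> timestamps of failures inside the window
        self.locked_until = {}  # ip -> timestamp at which the lockout ends

    def lockout_remaining(self, ip, now):
        """Seconds of lockout left for ip; 0 if none (an ended entry is dropped)."""
        until = self.locked_until.get(ip, 0)
        if until <= now:
            self.locked_until.pop(ip, None)
            return 0
        return until - now

    def record_failure(self, ip, now):
        """Count a failed CAPTCHA; returns True if this failure triggered a lockout."""
        recent = [t for t in self.failures.get(ip, []) if t > now - self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)  # fresh allowance once the lockout ends
            return True
        self.failures[ip] = recent
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)

    def purge_expired(self, now):
        """What the scheduled cleanup does: drop ended lockouts and aged-out failures."""
        self.locked_until = {ip: t for ip, t in self.locked_until.items() if t > now}
        self.failures = {ip: [t for t in ts if t > now - self.window]
                         for ip, ts in self.failures.items()}
        self.failures = {ip: ts for ip, ts in self.failures.items() if ts}


def lockout_message(seconds):
    """Remaining time rounded up to whole minutes, unit pluralized."""
    minutes = max(1, math.ceil(seconds / 60))
    unit = "minute" if minutes == 1 else "minutes"
    return f"Too many failed attempts. Please try again in {minutes} {unit}."


def handle_submission(ip, captcha_ok, limiter, blocklist, whitelist, now):
    """The documented order; returns (allowed, reason). captcha_ok stands in
    for the provider round-trip, which only happens at step 4."""
    if ip in blocklist:                             # 1. blocklist: no provider call, no counting
        return False, "blocked"
    if ip in whitelist:                             # 2. whitelist: skips lockout and CAPTCHA
        return True, "whitelisted"
    remaining = limiter.lockout_remaining(ip, now)  # 3. active lockout?
    if remaining > 0:
        return False, lockout_message(remaining)
    if captcha_ok:                                  # 4. provider verification
        limiter.record_success(ip)                  # 5a. clear the counter
        return True, "captcha passed"
    limiter.record_failure(ip, now)                 # 5b. count the failure
    return False, "captcha failed"


def replay_bot(limiter, attempts, spacing_minutes, ip="198.51.100.23"):
    """Constructed traffic: a bot that always fails CAPTCHA, one attempt every
    spacing_minutes. Returns the reason given for each attempt."""
    return [handle_submission(ip, False, limiter, set(), set(), now=i * spacing_minutes * 60)[1]
            for i in range(attempts)]


if __name__ == "__main__":
    # Scenario 1 (defaults 5 / 60 / 15): the 6th attempt is refused.
    for reason in replay_bot(RateLimiter(), 7, 1):
        print(reason)
    # Scenario 2 (3 / 30 / 60): three failures in 30 minutes cost an hour.
    for reason in replay_bot(RateLimiter(3, 30, 60), 4, 10):
        print(reason)
```

In the first replay the fifth failure (one minute apart, so at minute 4) starts a 15-minute lockout, and the sixth attempt at minute 5 is refused with 14 minutes remaining; the message rounds up so a visitor is never told to retry before the lockout has actually ended. A whitelisted address that fails CAPTCHA is never counted, because the order returns before step 5, and an address on both lists is rejected at step 1.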