Rate Limiting & IP Control
Beyond CAPTCHA verification, the plugin provides rate limiting and IP-based access control. These features work together to handle repeat offenders and known threats.
Rate limiting#
Rate limiting tracks failed CAPTCHA attempts per IP address and temporarily locks out IPs that exceed the configured threshold.
How it works#
- A visitor fails CAPTCHA verification.
- The failure is recorded against their IP address.
- If the failures recorded within the time window reach the configured maximum, the IP is locked out (with the default of 5, the fifth failure starts the lockout and the sixth attempt is rejected).
- During lockout, all protected forms return an error without even attempting CAPTCHA verification.
- After the lockout period expires, the IP can try again.
- A successful CAPTCHA verification clears the failure counter for that IP.
Configuration#
Go to WooCommerce > Settings > Bouncer > Security and enable rate limiting.
| Setting | Description | Default | Range |
|---|---|---|---|
| Enable Rate Limiting | Master toggle | Off | — |
| Max Failed Attempts | Failures before lockout | 5 | 3-50 |
| Lockout Duration | Minutes the IP is locked out | 15 | 5-1440 |
| Time Window | Minutes to track failures | 60 | 5-1440 |
Example scenarios#
Default settings (5 attempts, 15-minute lockout, 60-minute window): A bot fails CAPTCHA 5 times within an hour. On the 6th attempt, it’s locked out for 15 minutes. After the lockout, it gets another 5 attempts.
Aggressive settings (3 attempts, 60-minute lockout, 30-minute window): Three failures within 30 minutes trigger a 1-hour lockout. A better fit for stores under active attack.
Lockout message#
Locked-out visitors see a message like: “Too many failed attempts. Please try again in 15 minutes.” The message includes the remaining lockout time with proper pluralization.
Monitoring#
The dashboard widget at Dashboard > CAPTCHA Protection shows:
- Current active lockouts
- Failed attempts today
- Failed attempts this week
Cleanup#
Expired rate limit entries are cleaned up automatically via WordPress cron (cfwc_cleanup hook). No manual maintenance needed.
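To make the six steps above concrete, here is an in-memory model of the per-IP limiter. It is added for this page and is not the plugin's code: the plugin's storage, option names and exact threshold test are not documented here, so they are assumed. It replays both example scenarios against a fixed clock, produces the lockout message with the documented wording and pluralization, and includes the kind of sweep the cfwc_cleanup cron job has to perform. Two readings of the text are assumed: the failure that brings the count up to Max Failed Attempts starts the lockout, and starting a lockout resets the counter so the IP gets a fresh allowance once it expires. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code: an in-memory model of the per-IP limiter.
// Storage and option names are assumed. Assumed readings of the documentation:
// the failure that reaches Max Failed Attempts starts the lockout, and starting a
// lockout clears the recorded failures ("it gets another 5 attempts").

final class PerIpLimiterModel
{
    /** @var array<string, int[]> unix timestamps of recent failures, per IP */
    private array $failures = [];
    /** @var array<string, int> unix timestamp at which each lockout ends */
    private array $lockedUntil = [];

    public function __construct(
        private int $maxAttempts,    // Max Failed Attempts (default 5)
        private int $lockoutMinutes, // Lockout Duration (default 15)
        private int $windowMinutes   // Time Window (default 60)
    ) {}

    /** The lockout message if $ip is locked out at $now, or null if it may submit. */
    public function check(string $ip, int $now): ?string
    {
        if (isset($this->lockedUntil[$ip]) && $this->lockedUntil[$ip] > $now) {
            $minutes = (int) ceil(($this->lockedUntil[$ip] - $now) / 60);
            return sprintf('Too many failed attempts. Please try again in %d minute%s.',
                $minutes, $minutes === 1 ? '' : 's');
        }
        unset($this->lockedUntil[$ip]); // expired lockout: forget it
        return null;
    }

    /** Record a failed verification. Returns true if this failure started a lockout. */
    public function recordFailure(string $ip, int $now): bool
    {
        $windowStart = $now - $this->windowMinutes * 60;
        $recent = array_filter($this->failures[$ip] ?? [], fn (int $t) => $t > $windowStart);
        $recent[] = $now;
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$ip] = $now + $this->lockoutMinutes * 60;
            unset($this->failures[$ip]); // assumed: fresh allowance once the lockout ends
            return true;
        }
        $this->failures[$ip] = array_values($recent);
        return false;
    }

    /** A successful verification clears the counter for that IP. */
    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip], $this->lockedUntil[$ip]);
    }

    /** What the scheduled cleanup must do: drop expired lockouts and out-of-window failures. */
    public function cleanup(int $now): int
    {
        $removed = 0;
        foreach ($this->lockedUntil as $ip => $until) {
            if ($until <= $now) {
                unset($this->lockedUntil[$ip]);
                $removed++;
            }
        }
        $windowStart = $now - $this->windowMinutes * 60;
        foreach ($this->failures as $ip => $times) {
            $kept = array_values(array_filter($times, fn (int $t) => $t > $windowStart));
            $removed += count($times) - count($kept);
            if ($kept === []) {
                unset($this->failures[$ip]);
            } else {
                $this->failures[$ip] = $kept;
            }
        }
        return $removed;
    }
}

$bot = '203.0.113.7'; // RFC 5737 documentation address, constructed input
$t0  = 1_700_000_000;

// Default settings: 5 attempts, 15-minute lockout, 60-minute window.
$limiter = new PerIpLimiterModel(5, 15, 60);
for ($i = 1; $i <= 5; $i++) {
    $started = $limiter->recordFailure($bot, $t0 + $i * 60); // one failure per minute
    printf("failure %d: %s\n", $i, $started ? 'lockout started' : 'counted');
}
echo $limiter->check($bot, $t0 + 5 * 60 + 1) ?? 'allowed', "\n";   // the 6th attempt, one second later
echo $limiter->check($bot, $t0 + 19 * 60 + 30) ?? 'allowed', "\n"; // half a minute before the lockout ends
echo $limiter->check($bot, $t0 + 20 * 60) ?? 'allowed', "\n";      // lockout over, fresh allowance

// Aggressive settings: 3 attempts, 60-minute lockout, 30-minute window. The
// window is rolling, so the failure at minute 0 has aged out by minute 31.
$strict = new PerIpLimiterModel(3, 60, 30);
foreach ([0, 20, 31] as $minute) {
    $strict->recordFailure($bot, $t0 + $minute * 60);
}
echo $strict->check($bot, $t0 + 32 * 60) ?? 'allowed', "\n";       // only two failures inside the window
$started = $strict->recordFailure($bot, $t0 + 35 * 60);            // third failure within 30 minutes
printf("lockout started: %s\n", $started ? 'yes' : 'no');
printf("cleanup at minute 100 removed %d expired row(s)\n", $strict->cleanup($t0 + 100 * 60));
```

The rolling window is the detail worth noticing: in the aggressive scenario the failure at minute 0 no longer counts by minute 31, so the third failure only trips the lockout once three failures fall inside the same 30 minutes. The cleanup method shows why the cron job matters even though check() already discards an expired lockout on the next visit: an IP that never comes back would otherwise leave its rows behind forever.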
Global rate limiting#
Beyond per-IP rate limiting, Bouncer includes a global rate limiter that tracks total form submissions and failures across all visitors site-wide.
How it works#
- Every form submission (success or failure) is counted in a rolling time window.
- Every failed CAPTCHA verification is also counted separately.
- If total submissions exceed the max requests threshold, or total failures exceed the max failures threshold, new submissions are blocked for all visitors until the window rolls over.
- Whitelisted IPs are exempt.
Configuration#
Go to WooCommerce > Settings > Bouncer > Security and enable global rate limiting.
| Setting | Description | Default | Range |
|---|---|---|---|
| Enable Global Rate Limiting | Master toggle | Off | — |
| Max Total Submissions | Total form submissions allowed in window | 100 | 10-1000 |
| Max Total Failures | Total failures allowed in window | 50 | 5-500 |
| Time Window | Rolling window in seconds | 300 (5 min) | 60-3600 |
When to use#
- Under distributed bot attacks where many different IPs each make a few attempts (staying under per-IP limits)
- As a circuit breaker during sudden traffic spikes
- Combined with per-IP rate limiting for layered protection
How it differs from per-IP rate limiting#
Per-IP rate limiting blocks individual repeat offenders. Global rate limiting catches coordinated attacks spread across many IPs. Use both together for best coverage.
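The distributed case in the list above is the one per-IP limiting cannot see, so here is a model of the site-wide limiter, added for this page rather than taken from the plugin (whose storage is not documented here and is assumed). It replays sixty distinct addresses that each fail once: no address ever gets near the per-IP default of 5, yet the global failure threshold of 50 is reached and every later submission in the window is rejected for everyone. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code: a rolling-window model of the global
// limiter. Storage and option names are assumed.

final class GlobalLimiterModel
{
    /** @var int[] timestamps of every submission still inside the window */
    private array $submissions = [];
    /** @var int[] timestamps of every failed verification still inside the window */
    private array $failures = [];

    public function __construct(
        private int $maxSubmissions, // Max Total Submissions (default 100)
        private int $maxFailures,    // Max Total Failures (default 50)
        private int $windowSeconds   // Time Window (default 300)
    ) {}

    private function prune(int $now): void
    {
        $start = $now - $this->windowSeconds;
        $this->submissions = array_values(array_filter($this->submissions, fn (int $t) => $t > $start));
        $this->failures    = array_values(array_filter($this->failures,    fn (int $t) => $t > $start));
    }

    /** Null if submissions may proceed, otherwise which site-wide threshold tripped. */
    public function check(int $now): ?string
    {
        $this->prune($now);
        if (count($this->submissions) >= $this->maxSubmissions) {
            return 'global: max total submissions reached';
        }
        if (count($this->failures) >= $this->maxFailures) {
            return 'global: max total failures reached';
        }
        return null;
    }

    /** Every submission counts once; a failure is counted a second time in its own bucket. */
    public function record(int $now, bool $passed): void
    {
        $this->submissions[] = $now;
        if (!$passed) {
            $this->failures[] = $now;
        }
    }
}

// Constructed traffic: 60 distinct addresses in 203.0.113.0/24 (RFC 5737), each
// failing CAPTCHA exactly once, two seconds apart. Per IP that is a single
// failure, far below the per-IP default of 5, so that limiter never fires.
$global    = new GlobalLimiterModel(100, 50, 300);
$t0        = 1_700_000_000;
$perIp     = [];
$blockedAt = null;
for ($i = 0; $i < 60; $i++) {
    $ip  = '203.0.113.' . (10 + $i);
    $now = $t0 + $i * 2;
    $perIp[$ip] = ($perIp[$ip] ?? 0) + 1;
    if ($global->check($now) !== null) {
        $blockedAt ??= $i + 1; // first submission rejected site-wide
        continue;              // nothing recorded: the request never reached verification
    }
    $global->record($now, false); // reached the provider and failed
}
printf("highest per-IP failure count: %d; global limiter started rejecting at submission %s\n",
    max($perIp), $blockedAt ?? 'never');

// Everyone is blocked for the rest of the window; once it rolls over the
// counters shrink and the site accepts submissions again.
echo $global->check($t0 + 120) ?? 'open', "\n";
echo $global->check($t0 + 120 + 300) ?? 'open', "\n";
```

Rejected submissions are deliberately not recorded: they never reach the provider, so counting them would keep the breaker tripped by the very traffic it is refusing. Whitelisted addresses are exempt because, per the check order later on this page, the whitelist is consulted before this limiter runs at all.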
IP whitelist#
Whitelisted IPs skip CAPTCHA verification entirely on all protected forms. They are also exempt from rate limiting.
Configuration#
Go to WooCommerce > Settings > Bouncer > Security and add IPs to the whitelist textarea. One entry per line.
Supported formats#
| Format | Example | Description |
|---|---|---|
| Single IPv4 | 192.168.1.100 | One specific IP |
| CIDR range | 192.168.1.0/24 | Entire subnet (256 addresses) |
| Wildcard | 192.168.1.* | Pattern matching |
| IPv6 | 2001:db8::1 | Single IPv6 address |
| IPv6 CIDR | 2001:db8::/32 | IPv6 subnet |
| With comment | 192.168.1.100 # Office | Inline documentation |
Common use cases#
- Your office IP — so your team never sees CAPTCHA during testing
- Payment gateway IPs — if a gateway makes server-to-server callbacks through your checkout
- Monitoring service IPs — uptime monitors that check your checkout page
IP blocklist#
Blocked IPs are rejected immediately on all protected forms. The form submission is stopped before CAPTCHA verification even runs.
Configuration#
Go to WooCommerce > Settings > Bouncer > Security and add IPs to the blocklist textarea. Same format as the whitelist (single IPs, CIDR, wildcards, comments).
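The format table in the whitelist section and the blocklist, which shares it, both need a matcher that understands six entry shapes. The one below is added for this page and is not the plugin's own implementation; it parses the textarea syntax (one entry per line, optional inline comment) and matches IPv4 and IPv6 addresses against single entries and CIDR ranges via inet_pton(), plus octet-wise IPv4 wildcards. The wildcard reading is an assumption (each * stands for one whole octet, four octets required); IPv6 wildcards are not handled. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's own matcher. Wildcards are assumed to be
// IPv4 patterns with four octets, each "*" matching one whole octet.

/** Split the textarea into entries, dropping inline comments and blank lines. */
function parse_ip_list(string $textarea): array
{
    $entries = [];
    foreach (preg_split('/\R/', $textarea) as $line) {
        $entry = trim(explode('#', $line, 2)[0]);
        if ($entry !== '') {
            $entries[] = $entry;
        }
    }
    return $entries;
}

/** True when $ip is inside $network/$bits. inet_pton() gives 4 bytes for IPv4, 16 for IPv6. */
function ip_in_cidr(string $ip, string $network, int $bits): bool
{
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($network);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed, or an IPv4 address tested against an IPv6 range
    }
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF; // keep only the top $remBits bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** Octet-wise IPv4 wildcard, e.g. 192.168.1.* or 10.0.*.* */
function ip_matches_wildcard(string $ip, string $pattern): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $ipParts  = explode('.', $ip);
    $patParts = explode('.', $pattern);
    if (count($patParts) !== 4) {
        return false;
    }
    foreach ($patParts as $i => $p) {
        if ($p !== '*' && $p !== $ipParts[$i]) {
            return false;
        }
    }
    return true;
}

/** Dispatch on the entry's shape: CIDR, wildcard, or a single address. */
function ip_matches_entry(string $ip, string $entry): bool
{
    if (str_contains($entry, '/')) {
        [$network, $bits] = explode('/', $entry, 2);
        return preg_match('/^\d{1,3}$/', $bits) === 1 && ip_in_cidr($ip, $network, (int) $bits);
    }
    if (str_contains($entry, '*')) {
        return ip_matches_wildcard($ip, $entry);
    }
    // Compare packed forms so 2001:db8::1 and 2001:0db8:0:0:0:0:0:1 are the same host.
    $a = @inet_pton($ip);
    $b = @inet_pton($entry);
    return $a !== false && $b !== false && $a === $b;
}

/** First entry that matches, or null. The caller decides whether a hit means "whitelisted" or "blocked". */
function first_matching_entry(string $ip, array $entries): ?string
{
    foreach ($entries as $entry) {
        if (ip_matches_entry($ip, $entry)) {
            return $entry;
        }
    }
    return null;
}

// Constructed list using documentation address blocks (RFC 5737 and RFC 3849).
$entries = parse_ip_list(<<<TXT
198.51.100.7        # Office
203.0.113.0/24      # Payment gateway callbacks
192.0.2.*           # Uptime monitors
2001:db8::1         # One IPv6 host
2001:db8:cafe::/48  # IPv6 subnet
TXT);

$probes = ['198.51.100.7', '198.51.100.8', '203.0.113.200', '192.0.2.55',
           '2001:0db8:0:0:0:0:0:1', '2001:db8:cafe:1::9', '2001:db8:beef::1', '10.0.0.1'];
foreach ($probes as $ip) {
    printf("%-24s -> %s\n", $ip, first_matching_entry($ip, $entries) ?? 'no match');
}
```

Comparing packed forms rather than strings is the point to take away for IPv6: an attacker-facing check that compares 2001:db8::1 to the expanded 2001:0db8:0:0:0:0:0:1 as text would treat the same host as two different addresses. Because a single matching entry is enough, and the whitelist grants a full bypass, review wildcard and CIDR entries for how many addresses they really cover (192.168.1.* and 192.168.1.0/24 each admit all 256 hosts of that network).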
Use cases#
- Known attacker IPs from your server logs
- IP ranges associated with data centers commonly used by bots
- Temporary blocks during an active attack
Blocked IP message#
Blocked visitors see a customizable error message. The default is generic and does not reveal that the IP is specifically blocked. You can customize it:
add_filter( 'cfwc_blocked_ip_message', function( $message, $ip ) {
    // $message is the default text and $ip the blocked address; keep the reply
    // generic so the response does not confirm that this IP is on the blocklist.
    return 'Access denied. Please contact support if you believe this is an error.';
}, 10, 2 );
Username blocking#
Block login attempts using specific usernames. Bots commonly target admin, administrator, test, and similar usernames.
Configuration#
Go to WooCommerce > Settings > Bouncer > Security and add usernames to the blocklist. One per line.
Supported formats#
| Format | Example | Description |
|---|---|---|
| Exact match | admin | Blocks this exact username |
| Wildcard | admin* | Blocks admin, admin1, administrator, etc. |
| Wildcard | test* | Blocks test, testing, testuser, etc. |
Blocked username attempts are rejected with a generic error message that doesn’t reveal the username is specifically blocked.
IP detection#
The plugin delegates IP detection to WC_Geolocation::get_ip_address(), so it acts on the same client address WooCommerce itself uses. That WooCommerce function returns the X-Real-IP header when present, otherwise the first address in X-Forwarded-For, and falls back to REMOTE_ADDR only when neither header is set. Those headers are only as trustworthy as whatever set them: behind Cloudflare or a load balancer you control, which overwrites them and is the only path to the origin, they give the real client address. On an origin that visitors can reach directly, a client can supply its own X-Forwarded-For value, and every per-IP control on this page, including the whitelist, would then act on a spoofed address. Make sure your proxy strips client-supplied copies of these headers before forwarding the request.
How the layers work together#
When a form is submitted, the plugin checks in this order:
- IP blocklist — if blocked, reject immediately
- IP whitelist — if whitelisted, skip all checks, allow through
- Global rate limit check — if site-wide limit exceeded, reject
- Per-IP rate limit check — if currently locked out, reject with lockout message
- Username check — if login form and username is blocked, reject
- CAPTCHA verification — verify with provider
- Rate limit update — record failure (if failed) or clear counter (if passed)
This layered approach means blocklisted IPs never waste provider API quota, and whitelisted IPs experience zero friction.
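The ordering above has consequences that are easy to miss in a list: an address on both lists is blocked, a whitelisted visitor is never counted against the global limit, and the provider is contacted only after every cheaper check has passed. The following example, added for this page and not the plugin's code, strings the seven documented checks together with each layer passed in as a callable, so those precedence rules can be exercised against constructed state. It also carries a matcher for the username blocklist described earlier; its wildcard handling (exact or * matching any run of characters, case-insensitive) is this example's reading of the table, not a documented behaviour. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code. Each layer is a callable so the
// documented order can be tested without the plugin's storage or provider.
// The username matcher's wildcard semantics are an assumption.

/** Username blocklist match: "admin" is exact, "admin*" covers admin, admin1, administrator, ... */
function username_is_blocked(string $username, array $patterns): bool
{
    foreach ($patterns as $pattern) {
        $regex = '/^' . str_replace('\*', '.*', preg_quote(trim($pattern), '/')) . '$/i';
        if (preg_match($regex, $username) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * $layers: blocked(ip): bool, whitelisted(ip): bool, global_limited(): bool,
 *          locked_out(ip): ?string, verify(token): bool, record(ip, passed): void.
 * $username is null for forms that are not the login form.
 * Returns [decision, reason, provider_called].
 */
function gate_submission(array $layers, string $ip, ?string $username, string $token, array $blockedUsernames): array
{
    if ($layers['blocked']($ip)) {
        return ['reject', 'ip blocklist', false];        // checked first, so it wins over the whitelist
    }
    if ($layers['whitelisted']($ip)) {
        return ['allow', 'ip whitelist', false];         // skips rate limits, username check and CAPTCHA
    }
    if ($layers['global_limited']()) {
        return ['reject', 'global rate limit', false];
    }
    if (($message = $layers['locked_out']($ip)) !== null) {
        return ['reject', $message, false];
    }
    if ($username !== null && username_is_blocked($username, $blockedUsernames)) {
        return ['reject', 'username blocklist', false];  // the real response stays generic; labelled here for clarity
    }
    $passed = $layers['verify']($token);                  // the only step that spends provider quota
    $layers['record']($ip, $passed);                      // failure bumps the per-IP counter, success clears it
    return [$passed ? 'allow' : 'reject', 'captcha ' . ($passed ? 'passed' : 'failed'), true];
}

// Constructed settings and state standing in for the plugin's own.
$blockedIps = ['203.0.113.9'];
$whitelist  = ['198.51.100.7', '203.0.113.9'];  // overlaps the blocklist on purpose
$lockedOut  = ['203.0.113.77' => 'Too many failed attempts. Please try again in 12 minutes.'];
$recorded   = [];

$layers = [
    'blocked'        => fn (string $ip) => in_array($ip, $blockedIps, true),
    'whitelisted'    => fn (string $ip) => in_array($ip, $whitelist, true),
    'global_limited' => fn () => false,
    'locked_out'     => fn (string $ip) => $lockedOut[$ip] ?? null,
    'verify'         => fn (string $token) => $token === 'good-token', // stand-in for the provider round trip
    'record'         => function (string $ip, bool $passed) use (&$recorded) { $recorded[] = [$ip, $passed]; },
];
$blockedUsernames = ['admin*', 'test*', 'root'];

$cases = [
    ['203.0.113.9',  null,            'good-token'], // blocklisted and whitelisted: blocklist is checked first
    ['198.51.100.7', 'admin',         'bad-token'],  // whitelisted: blocked username and bad token are never examined
    ['203.0.113.77', null,            'good-token'], // locked out: rejected before the provider is contacted
    ['203.0.113.50', 'Administrator', 'good-token'], // admin* wildcard, case-insensitive
    ['203.0.113.50', 'alice',         'bad-token'],  // reaches the provider, fails, failure recorded
    ['203.0.113.50', 'alice',         'good-token'], // passes, counter cleared
];
foreach ($cases as [$ip, $username, $token]) {
    [$decision, $reason, $called] = gate_submission($layers, $ip, $username, $token, $blockedUsernames);
    printf("%-14s %-14s %-6s %-28s provider called: %s\n",
        $ip, $username ?? '(not a login)', $decision, $reason, $called ? 'yes' : 'no');
}
printf("%d rate-limit update(s) recorded, one per submission that reached verification\n", count($recorded));
```

Only the last two cases reach the provider and only they produce a rate-limit update, which is the quota argument from the paragraph above made visible. The second case is the one to keep in mind when populating the whitelist: a whitelisted address bypasses the username blocklist and CAPTCHA on the login form as well, not just on checkout.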