As a security measure, we’ve implemented a new rate limiting rule to protect your site from malicious attempts to access your WordPress site. If you’re trying to login to your WordPress admin and see a message that says “RATE LIMIT EXCEEDED,” this is a result of your connection being temporarily locked out. We have several security checks in place that could have triggered the lockout and inability to login.
The first is based on the wp-admin username. If there have been many attempts with either an invalid username and/or password, then our system will prevent any further login attempts from being made with that username for a few minutes.
As part of WordPress best practices, it’s recommended that you avoid using the default username of “admin” (along with the standard variations of administrator) as well as the “guest” username. If you’re having issues with your password, then you can follow this guide on resetting your wp-admin password.
The other security checks are based on the IP address the login request originated from, but with different thresholds. The first threshold will limit access based on a number of attempts to your site in general. The second is based on hits across the whole server. Both of these checks are designed to protect your site against malicious bots that cycle through usernames attempting to brute force a login.
Part of the roll out of this new rate limiting functionality is to activate persistent object cache, as this will be used to track these login attempts. If you see any performance issues on your site after the persistent object caching is enabled, or have a network configuration where these rate limiting measures are being triggered as part of legitimate day to day work, then please don’t hesitate to contact our Support team so they can assist you in getting your site working properly.