WordPress Security Guide

Does WordPress support rate limiting?

WordPress does not include built-in rate limiting. The login page, REST API, XML-RPC, and all other endpoints accept unlimited requests by default. This makes WordPress sites vulnerable to brute-force password attacks, API abuse, and resource exhaustion. You can add rate limiting through security plugins like Wordfence or Limit Login Attempts, web server configuration in nginx or Apache, a CDN like Cloudflare, or custom code using WordPress hooks. Server-level rate limiting is more effective than plugin-based solutions because it blocks requests before they reach PHP. UNPWNED checks whether your WordPress login and API endpoints have rate limiting protection.
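
A server-level configuration of the kind described above, as an added example that is not part of the original guide. The zone names, rates, `server_name`, document root and PHP-FPM socket path are assumptions to adapt to your site.

```nginx
# Added example. Names, rates and paths are assumptions; tune rates to real traffic.

# http {} context: shared-memory counters keyed by client address.
limit_req_zone $binary_remote_addr zone=wp_auth:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=wp_api:10m  rate=60r/m;

# REST requests can also arrive as ?rest_route=... on any URL. nginx does not
# count requests whose key is empty, so this zone tracks only those requests.
map $arg_rest_route $wp_rest_arg_key {
    ""      "";
    default $binary_remote_addr;
}
limit_req_zone $wp_rest_arg_key zone=wp_api_arg:10m rate=60r/m;

limit_req_status 429;   # throttled clients get 429 instead of the default 503

server {
    listen 80;
    server_name example.com;    # placeholder
    root /var/www/html;         # assumed WordPress document root
    index index.php;

    # Inherited by every location that sets no limit_req of its own.
    limit_req zone=wp_api_arg burst=20 nodelay;

    # Password-guessing targets: rejected here, before PHP is started.
    location = /wp-login.php {
        limit_req zone=wp_auth burst=3 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;    # assumed socket path
    }
    location = /xmlrpc.php {
        limit_req zone=wp_auth burst=3 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    # REST API with pretty permalinks; limit_req runs before the try_files fallback.
    location ^~ /wp-json/ {
        limit_req zone=wp_api burst=20 nodelay;
        try_files $uri $uri/ /index.php?$args;
    }
    location / { try_files $uri $uri/ /index.php?$args; }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If the site sits behind a CDN or reverse proxy, `$binary_remote_addr` is the proxy's address, so restore the client address with nginx's realip module (`set_real_ip_from`, `real_ip_header`) or every visitor shares one counter.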

Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.