What Is Rate Limiting and How to Set It up [2 Methods]

Key Takeaways

• Rate limiting protects server stability by capping how many requests a user or bot can make in a specific timeframe.
• It prevents resource exhaustion by ensuring that malicious scrapers or brute-force attacks don’t steal bandwidth from real visitors.
• Implementing a limit is a performance necessity, acting as a critical safeguard that keeps your site fast and accessible even during a traffic spike.

You’ve probably seen a “429 Too Many Requests” error before. Maybe you refreshed a page too fast, or some background script went haywire and started hammering your server.

Annoying? Absolutely. But there’s a reason it exists.

Without rate limiting, your server is wide open. A single aggressive bot or unexpected traffic surge can chew through your resources in seconds. And it always happens at the worst time, right when you actually need your site working.

That’s what rate limiting fixes. It puts a hard cap on how often someone can make requests to your application. Simple, but effective.

This guide covers how it works under the hood. We’ll look at the algorithms that catch these spikes, the attacks they prevent (DDoS, brute force attempts, the usual suspects), and what those error messages actually mean.

Then we get to implementation. I’ll show you two approaches. One is the manual route using Cloudflare’s free tier. The other is a managed solution through Cloudways if you’d rather not deal with the technical setup yourself.

Alright, let’s get into it.

How Does Rate Limiting Work?

Rate limiting is not complex. It is effectively a counter that sits between a user and your server.

Think of it like a subway turnstile. You tap your card (make a request), and the machine checks if you have a valid ride (limit not reached). If you do, the gate opens. If you do not, the gate stays locked.

The system handles this in three specific steps:

1. Tracking: It needs to know who you are. Usually, this is your IP address. For logged-in users or APIs, it might be your User ID.
2. Metering: It checks your history. How many requests have you made in the last sixty seconds?
3. Throttling: It makes the call. If you are under the limit, you are good. If you are over, you get blocked or delayed.

But simple counting has a flaw. If you just reset the counter every minute on the dot, clever bots can cheat the system. That is why engineers use specific algorithms to smooth things out.

Stop Malicious Bots with Automated Enterprise Rate Limiting

Deploy Cloudflare Enterprise via Cloudways to identify and block bot threats in real-time. Protect your server resources for just $4.99 per domain.

Learn More

Common Rate Limiting Algorithms

Fixed Window

This is the most basic version. The counter resets at the top of the minute, every minute.

• The Risk: It has a blind spot. A bot could hit you with 100 requests at 12:00:59 and another 100 at 12:01:00. Technically, it obeyed the “100 per minute” rule for each separate minute. But your server just took a 200-request hit in two seconds.

Sliding Window

This fixes the blind spot. Instead of resetting at the top of the clock, it looks at the last 60 seconds from the exact moment a request comes in. It prevents those double dips by smoothing out the count.

Token Bucket

This one is popular for APIs because it allows for human behavior. Imagine a bucket that gets filled with tokens at a steady speed. When you make a request, you spend a token. If you step away for a bit, your bucket fills up.

This means when you come back, you can make a quick burst of requests. For example, loading a dashboard without getting blocked. Once those saved tokens are gone, you are limited to the steady refill speed.

Why Is Rate Limiting Important for Security?

Most people see rate limiting as a performance thing. They think it just keeps servers from going down when traffic jumps.

But website security teams rely on it for protection. It blocks attacks that work by flooding your system with requests.

DDoS Mitigation

Distributed Denial of Service attacks try to drown your server in fake traffic. There are different types of DDoS attacks. Layer 7 attacks are tougher to catch because they look normal – loading pages, running searches, that kind of thing.

Rate limiting filters this out. A real person doesn’t reload the same page 50 times in one second. Set a threshold and you block the attack while letting actual visitors through.

Brute Force and Credential Stuffing

Hackers use bots to test thousands of password combinations on your login page. They’re not sitting there typing each one manually.

If you cap login attempts at five per minute, their whole approach falls apart. What used to take a few hours now takes years. The attack becomes pointless and they move on.

Content Scraping and Inventory Denial

Competitors run bots to grab your pricing or steal your content. In e-commerce, bots will load up shopping carts and hold inventory so real customers can’t purchase anything.

Rate limiting creates a wall against this. Bots move at speeds no human can match, so the system spots them and blocks them before they can do damage.

API Rate Limiting

Your API is a direct line to your database. A developer writes buggy code that accidentally loops requests, or a third-party app starts pounding your endpoint – either scenario can bring down your entire service.

Rate limiting makes sure no single user or broken script can drain your system dry.

Rate Limiting Error Codes and User Experience

Your server sends back a specific code when someone hits your rate limit. Understanding what these codes mean helps you sort out whether a real customer needs assistance or if the system is working as intended.

HTTP Status 429: Too Many Requests

The 429 error is what most sites use for rate limiting. When someone exceeds your threshold, they get this response. Browsers display a generic error page. APIs treat it as a signal to slow down and retry the request later instead of failing completely.

Error 1015 (Cloudflare)

Cloudflare accounts show Error 1015 rather than a standard 429. The key difference is where the blocking occurs. Cloudflare’s edge network stops the request before it gets anywhere near your actual server.

This happens based on the rate rules you’ve set up through their control panel. During an active DDoS attack, these errors show up frequently because the protection layer is doing its job.

“You are being rate limited”

Your application layer can enforce limits separately from what happens at the server level. Users might see plain text saying “You are being rate limited” when this kicks in. Twitter implemented this type of limit to restrict how much content users can consume in a timeframe.

The goal isn’t always about preventing server crashes. Sometimes it’s about controlling platform usage and resource allocation in ways that align with your business model.

How to Implement Rate Limiting?

To prevent your server from tipping over, you need to decide where to place the barrier. You generally have three choices for implementation.

Application Level (Plugins): This is the easiest to set up but the worst for performance. If you use a security plugin, the bad traffic still reaches your server and executes code before getting blocked. It burns resources just to say “no.”

Server Level (Nginx/Apache): This is strictly better. You configure rules directly in your web server. The traffic reaches your machine, but the server blocks it before it loads your heavy application files.

Edge Level (CDN/WAF): This is the gold standard. The traffic is blocked at the network edge, often on a completely different server farm (like Cloudflare’s). Your actual server never even feels the impact of the attack.

Now that we know where to put the guardrails, we need to look at the setup. We will cover two specific ways to do this next:

• Method #1 (Manual Configuration)
• Method #2 (Managed Protection)

Method 1: Implement Rate Limiting Via Manual Configuration (Free Cloudflare)

As we mentioned earlier, there are multiple ways to implement rate limiting. But for this setup, we are going to focus on Edge Level protection. This is the gold standard.

I will show you how to implement rate limiting using Cloudflare’s Free Tier. It is the industry standard and acts as a shield by blocking bad traffic before it ever hits your server.

The Constraints of the Free Tier

The free version of Cloudflare is quite restrictive. You need to be aware of these hard limits before you deploy your rule:

• One Rule Only: You get exactly one custom rate limiting rule for your entire domain. This forces a difficult trade-off. You have to decide which single part of your site is most vulnerable. Is it your admin login page, your internal search bar, or a specific API endpoint? You cannot protect all of them at once.
• Locked Timeframe: The Period is locked to 10 seconds. You cannot choose a longer window like 1 minute or 1 hour.
• Limited Action: You only have the Block action available. Advanced options like Managed Challenge (CAPTCHA) are not included.
• Fixed Penalty: The Duration for the block is also locked to 10 seconds. If someone triggers the rule, they are blocked for 10 seconds, after which they can try again. If you need more rules or longer blocks, you would typically need to upgrade to their Pro plan ($20/month).

The Setup (Protecting Your Login Page)

Since we only have one rule to work with, let’s use it to stop brute force attacks on your login area as this is the most common threat.

• Go to your Cloudflare dashboard and click on the domain you want to protect.

• On the left sidebar, click the Security dropdown, then select Security Rules.

• Click the blue + Create rule button on the right and select Rate limiting rules.

• Give it a clear name like “Login Protection”

• Define the Traffic (When incoming requests match…):
  • Field: Select URI Path.
  • Operator: Select equals.
  • Value: Enter your login path, such as /wp-login.php (for WordPress) or /admin.

• Set the Trigger (When rate exceeds…):
  • Requests: Set a strict limit, like 5.
  • Period: Set the timeframe to 1 minute.

• Choose the Penalty (Then take action…):
  • Choose action: Select Block (hard ban) or Managed Challenge (CAPTCHA).
  • Duration: Set how long they stay in the penalty box. 1 hour is standard for login attacks.
• Click Deploy to make your single rule live.

Once you hit deploy, Cloudflare pushes this rule to its global edge network, and it begins filtering traffic to your login page immediately.

The Risks of Manual Setup

While this method is free, the “one rule” limit combined with the 10-second restriction creates significant gaps.

• The Looping Problem: Since the block duration is only 10 seconds, a persistent bot will simply wait out the timer and start hitting your login page again. It slows them down, but it does not stop them.
• Single Point of Failure: If you use your one rule for the login page, your search bar and API are left wide open to DDoS attacks.
• High Sensitivity: A 10-second window is very short. If you refresh your login page quickly or use a password manager that retries rapidly, you might trigger your own rule and lock yourself out of your own site.
• Maintenance Overhead: As your site grows, you have to manually adjust these thresholds. Differentiating between a viral spike and an attack becomes a full-time job.
• False Positives: If you try to create a broad “catch-all” rule to save your one slot, you will likely block legitimate users or break your site’s images and CSS.

Sure, these limitations can be mitigated by upgrading to Cloudflare’s paid plans, but the costs add up quickly. The Pro plan costs $25/month, while the Business plan jumps to $250/month. If you wanted the true “Enterprise” grade protection we are about to cover next, it would typically cost thousands of dollars per month if bought directly from Cloudflare.

Method 2: Implement Rate Limiting Via Cloudways Cloudflare Enterprise Addon

As we saw in the previous section, the “free” route requires you to be a technician. You have to configure rules, worry about 10-second timers, and constantly monitor for false positives.

Method 2 is different. It shifts the responsibility from you to an automated system.

This method uses the Cloudways Cloudflare Enterprise Add-on. While we are focusing on rate limiting here, this integration also includes broader performance and security features like Edge Page Caching, Argo Smart Routing, and an intelligent WAF.

Normally, an Enterprise plan purchased directly from Cloudflare costs thousands of dollars a month. However, Cloudways has a partnership that lets you access this same infrastructure for just $4.99 per month per domain.

The Setup Steps

First, you need to enable the Cloudflare Enterprise add-on for your application. We have a detailed guide that walks you through the complete steps of enabling Cloudflare Enterprise addon on Cloudways.

Once you have the add-on active, you don’t need to write complex rules. You just need to flip a single switch.

• Open Cloudflare Settings: Inside your Cloudways application, go to the Cloudflare tab.
• Navigate to Settings: Click on the Settings menu option.

• Enable Rate Limiting: Scroll down to the security section and toggle the Rate Limiting option to Enable.

How it Works (The “Hands-Off” Approach)

This is where the difference becomes obvious. In Method 1, you had to guess the numbers and use a harsh “Block” action. In Method 2, the logic is pre-configured for optimal balance:

• Intelligent Thresholds: The system monitors IP requests in 60-second intervals. If an IP exceeds 200 requests, it triggers the protection. This is a much safer buffer than the rigid limits we had to use in the free tier.
• Smart Challenges: Instead of a hard block, Cloudflare applies Managed Challenges to requests that go over the limit. This means if a real user somehow triggers it, they just solve a puzzle. They aren’t locked out.
• Smart Exclusions: The system is pre-trained to ignore safe traffic. It automatically excludes known search engines and static assets. This ensures Googlebot can crawl your site without getting banned, and your legitimate users won’t get blocked just because their browser loaded 50 images at once.

Why This Matters

For the price of a coffee, this removes the risks we talked about in Method 1. You get a firewall that knows the difference between a search engine, a static image, and a malicious bot… automatically.

Which Option Should You Choose?

We have covered two very different ways to solve the same problem. So, which one is right for your specific situation?

Choose Method 1 (Cloudflare Direct) if:

• You want granular control: You are a developer who wants to tweak every single variable of your firewall rules.
• You have the budget: You are willing to pay the $20–$200/month for the Pro/Business tiers to get proper rule sets.
• You are okay with limits: You are on the free tier and accept that your protection will have 10-second gaps.

Choose Method 2 (Cloudflare Enterprise via Cloudways) if:

• You need enterprise security on a budget: You get the same high-tier Cloudflare infrastructure used by large corporations for just $4.99/mo through the integration. (Here is a cloud security checklist for managed hosting plans for details)
• You want automated protection: You prefer a system that uses machine learning to identify and block threats in real-time without you needing to manually write or update rules.
• You cannot risk SEO issues: This method automatically whitelists verified search engine crawlers like Googlebot so your site remains indexed and visible regardless of your security settings.

Secure Your Site Without Risking Your Search Rankings

Filter bad actors while ensuring Googlebot always has access. Get Cloudflare’s Enterprise engine through Cloudways for smarter, automated traffic control.

Learn More

Wrapping Up!

Rate limiting keeps your server focused on actual users instead of wasting resources on bots and broken scripts. Skip it and one traffic spike can slow everything down for everyone trying to use your site.

We covered two ways to set this up. Manual configuration through Cloudflare gives you control over each rule you create. The automated option through Cloudflare Enterprise on Cloudways uses machine learning to sort traffic without you having to babysit it.

Both approaches stop resource abuse. The difference is how much time you want to spend managing them.

Whatever route you take, the important part is actually doing it. Leaving traffic unchecked creates a vulnerability you can’t ignore.

Also read our detailed guide on rate limiting in Laravel.