Login
Book a Demo

How to Build an API Rate Limiter in WordPress

Katarzyna Węgrzyn

As WordPress continues to evolve into a full-fledged application platform, its REST API is being used more than ever—for mobile apps, headless frontends, third-party integrations, and more. But with great power comes great responsibility. Unprotected APIs can be abused, leading to performance bottlenecks, security issues, or even complete service outages.

That’s where rate limiting comes in. Implementing an API rate limiter helps you:

  • Throttle abusive requests
  • Prevent denial-of-service (DoS) attempts
  • Ensure fair usage among users
  • Optimize server resources

In this guide, we’ll explore how to build a basic but effective API rate limiter in WordPress. Whether you’re a plugin developer or running a headless WordPress setup, this approach will help keep your API healthy and performant.

What Is API Rate Limiting?

API rate limiting restricts how many requests a client (usually defined by IP address or user token) can make to your API over a given time window. Common strategies include:

  • Fixed window (e.g., 100 requests per hour)
  • Sliding window (more dynamic, based on timestamps)
  • Token bucket or leaky bucket algorithms (used in high-scale systems)

Why It Matters for WordPress

Out of the box, WordPress REST API endpoints are publicly accessible unless restricted by authentication or other means. If someone starts hitting wp-json/wp/v2/posts 1,000 times a minute, you’re in trouble—especially on shared hosting or resource-limited servers.

When to Use It

  • When your API is public-facing
  • When you allow guest users to access endpoints
  • When you integrate with third-party services that might get spammed via your API

Using Transients API for Rate Limiting

WordPress’s Transients API is ideal for storing temporary data like request counts. Here’s how we can use it:

  • Identify a client (usually by IP)
  • Count requests within a set time window (e.g., 5 minutes)
  • Block or throttle if the limit is exceeded

Step 1: Hook Into rest_pre_dispatch

This filter runs before the REST API returns a response.

add_filter('rest_pre_dispatch', 'custom_api_rate_limiter', 10, 3);

function custom_api_rate_limiter($response, $server, $request) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $limit = 100; // requests
    $window = 5 * MINUTE_IN_SECONDS;
    $key = 'rate_limit_' . md5($ip);

    $data = get_transient($key);

    if (!$data) {
        $data = ['count' => 1, 'start' => time()];
        set_transient($key, $data, $window);
    } else {
        $data['count'] += 1;

        if ($data['count'] > $limit) {
            return new WP_Error(
                'rate_limited',
                __('Too many requests. Please try again later.', 'textdomain'),
                ['status' => 429]
            );
        }

        set_transient($key, $data, $window - (time() - $data['start']));
    }

    return $response; // Continue as normal
}

Step 2: Add Headers for Rate Status (Optional)

You can send headers to let clients know their remaining requests:

add_filter('rest_post_dispatch', function ($response, $server, $request) {
    $ip = $_SERVER['REMOTE_ADDR'];
    $key = 'rate_limit_' . md5($ip);
    $data = get_transient($key);
    $remaining = isset($data['count']) ? max(0, 100 - $data['count']) : 100;

    $response->header('X-RateLimit-Limit', 100);
    $response->header('X-RateLimit-Remaining', $remaining);
    return $response;
}, 10, 3);

Best Practices

1. Use Object Cache If Available

Transients rely on the database unless an object cache (like Redis or Memcached) is installed. For performance, use plugins like Redis Object Cache.

2. Don’t Rate Limit Authenticated Users the Same Way

Admins and trusted apps may need higher limits. Adjust logic based on:

$current_user = wp_get_current_user();
if ($current_user->exists()) {
    return $response; // skip rate limiting
}

3. Separate Limits for Different Endpoints

Some endpoints (like contact-form, subscribe, etc.) might deserve stricter limits than others.

4. Log Abuse for Security Monitoring

Consider logging users who consistently exceed limits and blocking them via firewall or .htaccess.

Conclusion

Adding an API rate limiter to your WordPress site is a simple yet powerful way to protect your resources, improve site stability, and enhance security.

By leveraging WordPress hooks and the Transients API, you can implement a flexible solution without installing heavy third-party services.

This setup isn’t just for developers—it’s for any WordPress user who cares about uptime and user experience.

How Sitebox Makes API Rate Limiting Easier

Sitebox offers a modern, developer-first WordPress hosting environment where API security and performance are baked in.

Here’s how Sitebox helps:

  • Built-in object caching (great for transients-based rate limiting)
  • Environment-aware deployments to test rate-limiting safely
  • Custom NGINX headers and server-level protections for rate control
  • Auto-scaling infrastructure to handle traffic spikes gracefully

Whether you’re building a headless frontend or a plugin-powered REST API, Sitebox ensures you deploy with confidence—and performance.

Subscribe today

We handle everything: migrating, configuring, and optimizing your WordPress website so it’s ready for a smooth DNS switch. Enjoy a risk-free transition—if it’s not a perfect fit, switch back within 30 days at no cost.

Schedule a Call