Skip to content
CMS Max Documentation

Rate Limiting

How to protect your site from abuse by limiting form submissions and payment failures per IP address

Overview

The Security tab under Settings > Site Configuration contains rate limiting controls that protect your site from automated abuse. These settings limit how many times a visitor from the same IP address can perform certain actions within a 24-hour period.

Limits are counted per IP address and apply to every visitor.

Finding Rate Limiting Settings

  1. In the admin sidebar, go to Settings > Site Configuration.
  2. Click the Security tab.
  3. The Rate Limiting section groups these settings together.

Available Settings

Form Submissions

Limits how many times a visitor can submit any form on your site per 24 hours. This includes contact forms, event signups, and any other public forms.

  • Default: 3
  • Set to 0 to disable (unlimited submissions allowed).

Payment Attempt Failures

Limits how many failed payment attempts are allowed before the visitor's IP is temporarily locked out. This protects against card-testing attacks where someone tries stolen card numbers on your payment forms.

  • Default: 3
  • Minimum: 1 (cannot be disabled)
  • Maximum: 6

This setting counts failures returned by the payment gateway (e.g., a declined card or a rejected bank account). Errors caught before the payment reaches the gateway — such as missing required form fields — do not count.

Note: This protection applies to server-processed gateways (Authorize.Net, CardPointe, and Paya/ACH). Stripe card declines are handled in the visitor's browser and never reach this lockout — Stripe's own Radar fraud protection covers card-testing on Stripe.

How the Payment Failure Lockout Works

When a visitor reaches the failure limit, their IP is temporarily locked out. The lockout duration increases with each repeated lockout:

Lockout # Wait Time
1st 15 minutes
2nd 30 minutes
3rd 4 hours
4th 8 hours
5th 16 hours
6th+ 24 hours (maximum)

A successful payment resets the failure counter — the visitor is not penalized for past failures.

Tip: If a legitimate customer is locked out, an admin can clear the lockout via the server. Contact your developer for assistance.