Rate Limiting
How to protect your site from abuse by limiting form submissions and payment failures per IP address
Overview
The Security tab under Settings > Site Configuration contains rate limiting controls that protect your site from automated abuse. These settings limit how many times a visitor from the same IP address can perform certain actions within a 24-hour period.
Limits are counted per IP address and apply to every visitor.
Finding Rate Limiting Settings
- In the admin sidebar, go to Settings > Site Configuration.
- Click the Security tab.
- The Rate Limiting section groups these settings together.
Available Settings
Form Submissions
Limits how many times a visitor can submit any form on your site per 24 hours. This includes contact forms, event signups, and any other public forms.
- Default: 3
- Set to 0 to disable (unlimited submissions allowed).
Payment Attempt Failures
Limits how many failed payment attempts are allowed before the visitor's IP is temporarily locked out. This protects against card-testing attacks where someone tries stolen card numbers on your payment forms.
- Default: 3
- Minimum: 1 (cannot be disabled)
- Maximum: 6
This setting counts failures returned by the payment gateway (e.g., a declined card or a rejected bank account). Errors caught before the payment reaches the gateway — such as missing required form fields — do not count.
Note: This protection applies to server-processed gateways (Authorize.Net, CardPointe, and Paya/ACH). Stripe card declines are handled in the visitor's browser and never reach this lockout — Stripe's own Radar fraud protection covers card-testing on Stripe.
How the Payment Failure Lockout Works
When a visitor reaches the failure limit, their IP is temporarily locked out. The lockout duration increases with each repeated lockout:
| Lockout # | Wait Time |
|---|---|
| 1st | 15 minutes |
| 2nd | 30 minutes |
| 3rd | 4 hours |
| 4th | 8 hours |
| 5th | 16 hours |
| 6th+ | 24 hours (maximum) |
A successful payment resets the failure counter — the visitor is not penalized for past failures.
Tip: If a legitimate customer is locked out, an admin can clear the lockout via the server. Contact your developer for assistance.