Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

IP Limiter

71 sites No security coverage
View on drupal.org

The IP Limiter module helps protect your Drupal site from excessive requests by limiting how many times an IP address can access specific paths, routes, or match certain user agents. It uses a flexible plugin system to define multiple rules that can automatically ban offending IP addresses for a configurable period. While it adds a valuable layer of application-level protection, it is not a replacement for a firewall.

Upgrade from 1.0.0-alpha2: Starting from 1.0.0-alpha3, the module now supports plugin based restrictions. This helps set different boundaries for different endpoints and cases. You will need to reconfigure the module in order to setup the restrictions.

The IP Limiter module for Drupal allows you to limit the number of requests from a single IP address based on paths, routes, or user-agent headers. It uses an extensible plugin system, so you can define multiple rules — each with its own
thresholds — and custom modules can add their own rule types.

Warning: This module provides application-level rate limiting but should not be used as a firewall on its own. It offers additional protection for specific pages but will not fully protect your server. Keep in mind that
legitimate clients, like crawlers, may also be affected.

What it can do: It can prevent bots from overwhelming your server with requests to heavy pages, like search. It is useful when your site has low or medium traffic and you notice a high volume of spam requests. IP Limiter
blocks these at the application level, reducing the load on your services. Ban durations escalate automatically on repeat offenders and decay over time via cron.

What it cannot do: The module cannot eliminate server load entirely. Blocked requests still reach your web server, pass through the firewall, and write logs. For persistent malicious IPs, a permanent firewall ban remains
the recommended solution.

Features

  • Plugin-based rule system with three built-in plugins: Path, Route, and User-Agent.
  • Multiple rules with independent thresholds — the same plugin type can be used more than once.
  • Regex support for path and route matching.
  • User-Agent rules with blacklist/whitelist strategies and built-in bot detection presets.
  • Optional matcher conditions per rule: user-agent filtering, query string patterns, and referer requirements.
  • Configurable time period, ban duration, and response type (403, 404, or 429) per rule.
  • Automatic ban escalation with multiplier decay via cron.
  • View and manage banned IP addresses through the admin interface.

Installation

  1. Download and install the module as you would any other Drupal module.
  2. Enable the module at /admin/modules.
  3. Configure the module settings at /admin/config/system/ip-limiter.

Configuration

Navigate to /admin/config/system/ip-limiter to manage rules. Each rule is configured with:

  • Plugin: The rule type — Path (request path), Route (Drupal route name), or User-Agent.
  • Condition: The values to match against (one per line). Supports regular expressions when enabled.
  • Max Requests / Time Period: The request threshold and rolling window (in seconds).
  • Ban Duration: How long (in seconds) to ban an IP after exceeding the limit.
  • Response Type: 403 Forbidden, 404 Not Found, or 429 Too Many Requests.

Support

If you encounter any issues with the module, please report them in the issue queue.

Activity

Total releases
4
First release
Mar 2025
Latest release
5 months ago
Releases (12 mo)
2
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.0.0-alpha3 Pre-release Feb 15, 2026
1.0.0-alpha2 Pre-release Nov 15, 2025
1.0.0-alpha1 Pre-release Mar 16, 2025
1.0.x-dev Dev Mar 16, 2025