Drupal is a registered trademark of Dries Buytaert
cva Module cva crossed 1,000 active installs. ai_dashboard Module ai_dashboard crossed 1,000 active installs.
← All modules

ip_limiter

63 sites No security coverage
View on drupal.org

Upgrade from 1.0.0-alpha2: Starting from 1.0.0-alpha3, the module now supports plugin based restrictions. This helps set different boundaries for different endpoints and cases. You will need to reconfigure the module in order to setup the restrictions.

The IP Limiter module for Drupal allows you to limit the number of requests from a single IP address based on paths, routes, or user-agent headers. It uses an extensible plugin system, so you can define multiple rules — each with its own
thresholds — and custom modules can add their own rule types.

Warning: This module provides application-level rate limiting but should not be used as a firewall on its own. It offers additional protection for specific pages but will not fully protect your server. Keep in mind that
legitimate clients, like crawlers, may also be affected.

What it can do: It can prevent bots from overwhelming your server with requests to heavy pages, like search. It is useful when your site has low or medium traffic and you notice a high volume of spam requests. IP Limiter
blocks these at the application level, reducing the load on your services. Ban durations escalate automatically on repeat offenders and decay over time via cron.

What it cannot do: The module cannot eliminate server load entirely. Blocked requests still reach your web server, pass through the firewall, and write logs. For persistent malicious IPs, a permanent firewall ban remains
the recommended solution.

Features

  • Plugin-based rule system with three built-in plugins: Path, Route, and User-Agent.
  • Multiple rules with independent thresholds — the same plugin type can be used more than once.
  • Regex support for path and route matching.
  • User-Agent rules with blacklist/whitelist strategies and built-in bot detection presets.
  • Optional matcher conditions per rule: user-agent filtering, query string patterns, and referer requirements.
  • Configurable time period, ban duration, and response type (403, 404, or 429) per rule.
  • Automatic ban escalation with multiplier decay via cron.
  • View and manage banned IP addresses through the admin interface.

Installation

  1. Download and install the module as you would any other Drupal module.
  2. Enable the module at /admin/modules.
  3. Configure the module settings at /admin/config/system/ip-limiter.

Configuration

Navigate to /admin/config/system/ip-limiter to manage rules. Each rule is configured with:

  • Plugin: The rule type — Path (request path), Route (Drupal route name), or User-Agent.
  • Condition: The values to match against (one per line). Supports regular expressions when enabled.
  • Max Requests / Time Period: The request threshold and rolling window (in seconds).
  • Ban Duration: How long (in seconds) to ban an IP after exceeding the limit.
  • Response Type: 403 Forbidden, 404 Not Found, or 429 Too Many Requests.

Support

If you encounter any issues with the module, please report them in the issue queue.

Activity

Total releases
4
First release
Mar 2025
Latest release
2 weeks ago
Release cadence
112 days
Stability
0% stable

Release Timeline

Releases

Version Type Release date
1.0.0-alpha3 Pre-release Feb 15, 2026
1.0.0-alpha2 Pre-release Nov 15, 2025
1.0.0-alpha1 Pre-release Mar 16, 2025
1.0.x-dev Dev Mar 16, 2025