WordPress 429 too many requests: what triggers it and how to clear it
Quick answer
HTTP 429 too many requests on WordPress means a rate limiter is throttling the request. The three usual sources are your host's per IP limit, Cloudflare or another CDN protecting the origin, and a security plugin like Wordfence or Limit Login Attempts blocking a specific IP. Identify the source by checking response headers for a Retry-After value and comparing the blocked IP against your firewall and plugin logs, then relax the specific rule that fired rather than turning off protection wholesale.
The three places a 429 comes from
- Your host. Managed WordPress hosts throttle admin-ajax.php, xmlrpc.php, and wp-login.php per IP to blunt brute force attacks. Response headers usually name the host in the Server field.
- Your CDN or firewall. Cloudflare, Sucuri, and StackPath all return 429 when their WAF or rate limiting rule matches a request. The response body often shows their branded challenge page.
- A security plugin inside WordPress. Wordfence, Limit Login Attempts Reloaded, and iThemes Security can all issue 429 to individual IPs after failed logins or crawl bursts.
Diagnose in under 5 minutes
Open the browser network tab and click the failing request. Look at the response headers for Retry-After, X-RateLimit-Remaining, or a CF-Ray header. Those name the source.
If the header points at Cloudflare, sign into Cloudflare, open Security > Events, and filter by the affected IP. The rule that fired is listed there.
If the request has no CDN header, check your host's dashboard for rate limit alerts, then check Wordfence or Limit Login Attempts logs for a lockout on that IP.
Clear it without weakening the site
Whitelist the specific IP inside the tool that blocked it. Do not disable the whole rule.
If the block was legitimate, wait out the Retry-After window rather than lifting the rule. Bots watch for suddenly permissive endpoints.
If a plugin or theme is hammering admin-ajax.php from your own server, fix the plugin. The 429 is a symptom of a real load problem you want to know about.
Common questions
Will a 429 hurt SEO?+
Only if Googlebot itself gets 429 responses for long enough that pages fall out of the index. A short lived 429 on random visitor IPs has no SEO impact. Check Google Search Console crawl stats to confirm.
How long does a WordPress 429 lockout last?+
It depends on the source. Cloudflare rate limiting resets within minutes. Wordfence lockouts default to 4 hours. Host level throttles are usually 15 to 60 minutes. The Retry-After header tells you exactly.
Can I just disable Wordfence to fix it?+
You can, and the 429 will stop. So will the protection that was keeping brute force attempts out. Whitelist the specific IP or endpoint instead.
Want help with this?
The pages below go deeper, by service and by city.
Services
Want this handled for you?
Book a call and we will review your site before recommending anything.