Rate Limiting and Bot Protection for PrestaShop Without a WAF
Bots account for over 40% of all web traffic in 2026, and not all of them are benign search engine crawlers. Scraper bots steal your product data and pricing, credential-stuffing bots attack your login pages, and inventory-hoarding bots buy out limited stock before real customers can. A Web Application Firewall (WAF) like Cloudflare Pro is the ideal solution, but many PrestaShop store owners operate on budgets that do not include enterprise security tools. This guide shows you how to implement effective bot protection using only server configuration, .htaccess rules, and lightweight modules.
Understanding the Bot Threat Landscape
Types of Malicious Bots
- Scraper bots - Crawl your entire catalog to steal product data, descriptions, images, and prices for competitor sites or counterfeit marketplaces.
- Credential stuffing bots - Try stolen username/password combinations against your login page. They can test thousands of combinations per minute.
- Inventory hoarding bots - Add products to cart and hold them, preventing real customers from purchasing limited-stock items.
- Form spam bots - Submit contact forms, registration forms, and newsletter signups with spam content or phishing links.
- DDoS bots - Flood your server with requests to make your store unavailable.
- SEO spam bots - Inject spam links into your blog comments, product reviews, or contact forms.
Method 1 - Apache .htaccess Rate Limiting
If your server runs Apache with mod_evasive or mod_ratelimit, you can limit request rates at the server level.
Using mod_ratelimit
```apache
# mod_ratelimit throttles response bandwidth, not request count: the value is
# KiB per second per connection (400 = 400 KiB/s). It slows bulk scraping of
# large pages and images but does not cap how many requests a client can make.
<IfModule mod_ratelimit.c>
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 400
</IfModule>
```

Block Known Bad User Agents
```apache
# Block common scraper and attack bots by User-Agent substring (case-insensitive)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (SemrushBot|AhrefsBot|MJ12bot|DotBot|BLEXBot) [NC]
RewriteRule .* - [F,L]
# Block empty user agents (most legitimate browsers identify themselves)
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,L]
# Block specific known bad IPs (update regularly). "Deny from" is Apache 2.2
# syntax; on Apache 2.4 use "Require all granted" together with
# "Require not ip <address>" inside a <RequireAll> block.
# Deny from 192.168.1.100
# Deny from 10.0.0.0/8
```

Protect Sensitive Endpoints
```apache
# mod_evasive trips when one IP requests the same page more than DOSPageCount
# times within DOSPageInterval seconds (or any page more than DOSSiteCount
# times within DOSSiteInterval seconds) and then answers 403 to that IP for
# DOSBlockingPeriod seconds. With the values below, five hits on the login
# page in two seconds are enough. These directives are server-wide: they are
# not accepted inside .htaccess or <Location>, so put them in the VirtualHost
# or main server configuration.
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 5
DOSBlockingPeriod 60
</IfModule>
```

Method 2 - Nginx Rate Limiting
If your PrestaShop runs behind Nginx (either as the web server or as a reverse proxy), Nginx has built-in rate limiting that is more powerful than Apache's.
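How many requests a zone actually admits is easy to misjudge, so here is an added Python model of nginx's limit_req leaky bucket (a simplified re-implementation for illustration, not nginx's code and not part of this article) run with the login, api and general settings used in the configuration below.

```python
class LimitReq:
    """Simplified model of one nginx limit_req zone. Excess is tracked in
    thousandths of a request, which is enough to show burst/nodelay behaviour."""

    def __init__(self, rate_per_sec, burst, nodelay=False):
        self.rate = rate_per_sec * 1000      # millirequests drained per second
        self.burst = burst * 1000            # how much excess may queue up
        self.nodelay = nodelay
        self.state = {}                      # key (client IP) -> (last_ms, excess)

    def check(self, key, now_ms):
        """Decide one request: ('pass', 0), ('delay', ms) or ('reject', 0)."""
        if key not in self.state:            # first request from a key is free
            self.state[key] = (now_ms, 0.0)
            return ("pass", 0)
        last, excess = self.state[key]
        # drain what the rate allows since the last request, then add this one
        excess = max(0.0, excess - self.rate * (now_ms - last) / 1000 + 1000)
        if excess > self.burst:              # bucket full: rejected immediately
            return ("reject", 0)             # 503 unless limit_req_status changes it
        self.state[key] = (now_ms, excess)
        if excess and not self.nodelay:      # burst slot used: queued, not dropped
            return ("delay", round(excess * 1000 / self.rate))
        return ("pass", 0)


def simulate(zone, n, spacing_ms=0, key="203.0.113.7"):
    """Outcomes of n requests from one client spaced spacing_ms apart."""
    return [zone.check(key, i * spacing_ms)[0] for i in range(n)]


# The three zones from the configuration in this article
login = LimitReq(5 / 60, burst=3, nodelay=True)    # rate=5r/m burst=3 nodelay
api = LimitReq(30 / 60, burst=10)                  # rate=30r/m burst=10
general = LimitReq(10, burst=20)                   # rate=10r/s burst=20

if __name__ == "__main__":
    # a credential-stuffing burst of 10 login POSTs in the same instant
    print(simulate(login, 10))                     # 4 pass, 6 rejected
    # one login attempt every 12 s stays under 5r/m and is never rejected
    print(simulate(login, 10, spacing_ms=12000))   # 10 pass
    # three instant webservice calls: served, then queued for 2 s and 4 s
    print([api.check("c", 0) for _ in range(3)])
    # 25 instant page hits: 21 admitted (1 + burst of 20), 4 rejected
    print(simulate(general, 25))
```

Without `nodelay`, burst requests are held back to the configured spacing rather than refused, which is what the api and general zones below do.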
```nginx
# limit_req_zone must be declared in the http {} context (nginx.conf); the
# limit_req directives go in your site's server/location blocks.
# If nginx sits behind a CDN or another proxy, $binary_remote_addr is the
# proxy's address, so key on the real client IP (realip module) instead.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
server {
    # Rejected requests get 503 by default; 429 is the accurate status
    limit_req_status 429;
    # Login pages: 5 per minute, 3 extra let through at once, the rest rejected
    location ~ /login$ {
        limit_req zone=login burst=3 nodelay;
        # ... your existing configuration
    }
    # Webservice: excess requests are queued and served at 30/min (no nodelay)
    location /api/ {
        limit_req zone=api burst=10;
        # ... your existing configuration
    }
    # General rate limit for all pages
    location / {
        limit_req zone=general burst=20;
        # ... your existing configuration
    }
}
```

Method 3 - fail2ban for Brute Force Protection
fail2ban monitors your server logs and automatically bans IP addresses that show malicious behavior. It is available on most Linux servers and is free.
Install and Configure for PrestaShop
```bash
# Install fail2ban
sudo apt-get install fail2ban
# Create a PrestaShop login filter. "sudo cat > file" does not work because the
# redirect runs as your own user, so write the file through sudo tee instead.
# Note: stock PrestaShop answers a failed login with HTTP 200 (the form is
# re-rendered with an error message), so this 401/403 pattern only fires if
# your server or a module returns those codes. To count every login POST
# regardless of status, drop the trailing (401|403) group.
sudo tee /etc/fail2ban/filter.d/prestashop-login.conf > /dev/null << 'EOF'
[Definition]
failregex = ^<HOST> .* "POST .*/login.*" (401|403)
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
EOF
# Create a jail for PrestaShop: 10 matches from one IP within 300 s -> 1 h ban
sudo tee /etc/fail2ban/jail.d/prestashop.conf > /dev/null << 'EOF'
[prestashop-login]
enabled = true
port = http,https
filter = prestashop-login
logpath = /var/log/apache2/access.log
maxretry = 10
findtime = 300
bantime = 3600
EOF
# Test the filter against your real log before enabling the jail
sudo fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/prestashop-login.conf
# Restart fail2ban
sudo systemctl restart fail2ban
```

Method 4 - PHP-Level Rate Limiting
For stores on shared hosting where you cannot modify server configuration, implement rate limiting in PHP. Create a simple rate limiter that uses PrestaShop's database or file system:
```php
// Simple file-based rate limiter for PrestaShop. Call it from a custom module's
// hookActionFrontControllerInitBefore() so it runs before every front-office page.
function rateLimitCheck($maxRequests = 60, $timeWindow = 60)
{
    // Tools::getRemoteAddr() returns the client IP, taking X-Forwarded-For into
    // account when the request comes through a local reverse proxy
    $ip = Tools::getRemoteAddr();
    $cacheDir = _PS_CACHE_DIR_ . 'ratelimit/';
    if (!is_dir($cacheDir)) {
        mkdir($cacheDir, 0755, true);
    }
    // One small JSON file per client, keyed by a hash so the path is safe
    $file = $cacheDir . md5($ip) . '.json';
    $now = time();
    $data = ['requests' => []];
    if (file_exists($file)) {
        $decoded = json_decode(file_get_contents($file), true);
        if (is_array($decoded) && isset($decoded['requests'])) {
            $data = $decoded;
        }
        // Sliding window: drop timestamps older than $timeWindow seconds
        $data['requests'] = array_values(array_filter(
            $data['requests'],
            function ($timestamp) use ($now, $timeWindow) {
                return ($now - $timestamp) < $timeWindow;
            }
        ));
        if (count($data['requests']) >= $maxRequests) {
            header('HTTP/1.1 429 Too Many Requests');
            header('Retry-After: ' . $timeWindow);
            die('Rate limit exceeded. Please wait and try again.');
        }
    }
    $data['requests'][] = $now;
    // LOCK_EX so concurrent requests from the same IP do not clobber the file
    file_put_contents($file, json_encode($data), LOCK_EX);
}
```

Method 5 - robots.txt and Crawl Control
While robots.txt does not stop malicious bots (they ignore it), it reduces the load from well-behaved crawlers:
```text
# robots.txt for PrestaShop
User-agent: *
Disallow: /modules/
Disallow: /classes/
Disallow: /controllers/
Disallow: /translations/
Disallow: /var/
Disallow: /*?order=
Disallow: /*?orderby=
Disallow: /*?orderway=
Disallow: /*?tag=
Disallow: /*?id_currency=
Disallow: /*?search_query=
Disallow: /*?back=
Disallow: /*?n=
Disallow: /en/login
Disallow: /en/my-account
Disallow: /en/cart
Disallow: /en/order
# Limit crawl rate for aggressive bots (Crawl-delay is honoured by some
# crawlers, but Googlebot ignores it)
User-agent: SemrushBot
Crawl-delay: 10
User-agent: AhrefsBot
Crawl-delay: 10
User-agent: Googlebot
Allow: /
Sitemap: https://yourstore.com/1_index_sitemap.xml
```

Method 6 - CAPTCHA on Critical Forms
Add Google reCAPTCHA or hCaptcha to your most targeted pages:
- Login page - Prevents credential stuffing attacks
- Registration page - Prevents fake account creation
- Contact form - Prevents spam submissions
- Newsletter signup - Prevents list pollution
PrestaShop has official reCAPTCHA modules available. For PrestaShop 8.x+, look for modules compatible with reCAPTCHA v3 (invisible) for the best user experience.
Method 7 - Cloudflare Free Tier
Even without Cloudflare Pro (which includes WAF), the free tier provides significant bot protection:
- Browser Integrity Check - Challenges requests with suspicious HTTP headers
- Bot Fight Mode - Automatically detects and challenges bots (available on free tier)
- Rate limiting - 1 free rule with 10,000 requests/month
- Under Attack Mode - JavaScript challenge for all visitors during active attacks
Monitoring and Detection
To know if bots are attacking your store, monitor your access logs:
```bash
# Find the top 20 IP addresses by request count
awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -20
# Find IPs hitting the login page excessively
grep "login" /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Find suspicious user agents (in the combined log format the User-Agent is
# the sixth field when the line is split on double quotes)
awk -F'"' '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -30
```

If you see a single IP making thousands of requests, or a user agent you do not recognize making hundreds of requests per minute, you have a bot problem.
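The three pipelines above and the fail2ban jail from Method 3 all reduce to counting per-IP hits. Here is an added Python script (not part of this article) that does the same over constructed Apache combined-format log lines, including the maxretry/findtime sliding window; it assumes fail2ban's default expansion of `<HOST>` and shows that stock PrestaShop's 200 response to a failed login does not match a 401/403 filter.

```python
import re
from collections import Counter
from datetime import datetime
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# The article's failregex with <HOST> replaced by fail2ban's default host pattern (assumed here)
PAGE_FAILREGEX = re.compile(r'^(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w) .* "POST .*/login.*" (401|403)')

def parse(line):
    """Fields of one log line as a dict (timestamp as epoch seconds), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return rec

def top(lines, field, n=20):
    """Same result as the awk | sort | uniq -c | sort -rn | head pipelines above."""
    return Counter(r[field] for r in map(parse, lines) if r).most_common(n)

def page_filter_hit(line, rec):      # what the article's 401/403 failregex matches
    return PAGE_FAILREGEX.match(line) is not None

def any_login_post_hit(line, rec):   # alternative: every login POST, whatever the status
    return rec["req"].startswith("POST ") and "/login" in rec["req"]

def banned_ips(lines, hit, maxretry=10, findtime=300):
    """fail2ban-style jail: ban an IP once it has maxretry hits within findtime seconds."""
    hits = {}
    for line in lines:
        rec = parse(line)
        if rec and hit(line, rec):
            hits.setdefault(rec["ip"], []).append(rec["ts"])
    banned = set()
    for ip, times in hits.items():
        times.sort()
        # sliding window: any run of maxretry consecutive hits spanning <= findtime seconds
        if any(times[i + maxretry - 1] - times[i] <= findtime for i in range(len(times) - maxretry + 1)):
            banned.add(ip)
    return banned

def _line(ip, sec, method, path, status, ua):   # builds one constructed combined-format line
    ts = datetime(2026, 3, 10, 10, 0, sec).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

# Constructed sample traffic (not real data): a credential-stuffing run answered with
# HTTP 200 as stock PrestaShop does, three 403s from another IP, and ordinary browsing
SAMPLE_LOG = ([_line("203.0.113.7", 2 * i, "POST", "/en/login", 200, "python-requests/2.31") for i in range(12)]
              + [_line("192.0.2.9", 30 + i, "POST", "/en/login", 403, "-") for i in range(3)]
              + [_line("198.51.100.4", 40 + i, "GET", f"/en/{i}-product", 200, "Mozilla/5.0 (X11; Linux x86_64)") for i in range(4)])
```

With the article's jail values, `banned_ips(SAMPLE_LOG, page_filter_hit)` bans nobody while `banned_ips(SAMPLE_LOG, any_login_post_hit)` bans 203.0.113.7, which is why the filter should be checked against a real log with fail2ban-regex before the jail is enabled.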
Summary of Protection Layers
| Method | Protects Against | Difficulty | Cost |
|---|---|---|---|
| .htaccess user agent blocking | Known scrapers | Easy | Free |
| fail2ban | Brute force, credential stuffing | Medium | Free |
| Nginx rate limiting | All excessive requests | Medium | Free |
| PHP rate limiter | Targeted page abuse | Medium | Free |
| CAPTCHA | Form spam, fake accounts | Easy | Free |
| Cloudflare free tier | General bot traffic, DDoS | Easy | Free |
| robots.txt crawl-delay | Well-behaved crawlers | Easy | Free |
Further reading: Visitor Control: Blocking Bad Bots and Unwanted Traffic and reCAPTCHA for PrestaShop: Protecting Your Store from Spam and Bots.