security – What are some good Nginx rate limits for WordPress websites?

We are optimizing the default configuration for SlickStack, and looking for some good values to recommend to users for the limit_req and limit_conn settings in Nginx.

There are plenty of tutorials around the web, but the settings used are very random.

Most of the time, something like rate=1r/s with burst=1 nodelay is used for URIs like /wp-login.php; however, this seems too liberal for strong security.

There’s also not much discussion about rate-limiting the entire server/website, .php files, and so forth.

The limit_conn feature is rarely mentioned, and limit_rate as well.

I’m hoping to start a thread about some possible settings for typical WordPress websites, with a special nod toward cloud servers or non-shared hosting environments, keeping in mind that these settings should be adjusted depending on your expected traffic levels and otherwise…
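
Added example, not part of the original post or SlickStack's own code: a simplified Python model of the leaky-bucket accounting that nginx documents for limit_req, showing how many requests from a single key the rate=1r/s, burst=1, nodelay setting mentioned above actually admits. The function names, the 10-requests-per-second client and the 6r/m comparison value are assumptions chosen for illustration, not recommended settings.

```python
"""Simplified single-key model of nginx limit_req with nodelay (added example)."""


def steady_arrivals(per_second, seconds):
    """Constructed input: arrival times in ms for a client sending at a fixed rate."""
    return list(range(0, seconds * 1000, 1000 // per_second))


def simulate(rate_per_s, burst, arrivals_ms):
    """Return (accepted, rejected) for one key.

    Bookkeeping is in millirequests: every request adds 1000 to 'excess',
    which drains at rate_per_s * 1000 per second. A request is rejected when
    the resulting excess would be greater than burst * 1000.
    """
    rate = round(rate_per_s * 1000)
    limit = burst * 1000
    excess = None          # None until the key is first seen
    last = 0
    accepted = rejected = 0
    for now in arrivals_ms:
        if excess is None:                 # first request creates the bucket
            excess, last = 0, now
            accepted += 1
            continue
        elapsed = now - last
        candidate = max(excess - rate * elapsed // 1000 + 1000, 0)
        if candidate > limit:
            rejected += 1                  # state is left untouched on rejection
            continue
        excess = candidate
        if elapsed:
            last = now
        accepted += 1
    return accepted, rejected


if __name__ == "__main__":
    client = steady_arrivals(per_second=10, seconds=60)   # 600 requests
    for label, rate, burst in [
        ("rate=1r/s burst=1 (from the post)", 1, 1),
        ("rate=1r/s, no burst", 1, 0),
        ("rate=6r/m burst=1 (arbitrary comparison)", 0.1, 1),
    ]:
        ok, denied = simulate(rate, burst, client)
        print(f"{label}: {ok} admitted, {denied} rejected in 60 s")
```

The model tracks one key only; in nginx each distinct key value (for example each client address when the zone is keyed on $binary_remote_addr) gets its own bucket.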
