How to fix the 429 Too Many Requests error (as a user and site owner)
429 Too Many Requests is an HTTP response from a server when it gets too many requests too fast. It’s like the server is telling you to stop sending requests and try again later.
While the error usually resolves on its own, there are measures you can take to fix and prevent it from ever showing up again, both as a user and a WordPress website owner. We’ll cover those in this guide.
What does 429 Too Many Requests mean?
Error 429 Too Many Requests is the response web servers make when a client sends too many requests within a certain time period.
This is a form of rate limiting to control traffic flow, protecting the server against brute force and distributed denial of service (DDoS) attacks.
Here’s how the error message appears in Google Chrome:
You might also see other variations of the error code depending on the root cause and browser:
- 429 Error
- HTTP 429
- HTTP Error 429
- Error 429 (Too Many Requests)
What causes the 429 error?
Like other 4XX HTTP status codes, the 429 response appears because of client-side errors. This means something is wrong on your end, rather than the server itself.
Here are several common causes of an HTTP 429 error:
- Too many requests. A web server or API usually has a limit on how many requests you can make per minute to prevent overload and DDoS attacks. When you exceed the limit, the 429 error shows up.
- Server resource limits. You’ve used more server resources (CPU, RAM, and storage) than what your web hosting provider allows.
- Cyber attacks. The server detects malicious activity, like brute force attacks (forced logins), from a specific IP address.
- Third-party software. Faulty plugins or themes can also cause the 429 error on WordPress sites.
How to fix the 429 Too Many Requests error as a user
If you get the 429 error message while trying to access a web page, follow these steps to fix it:
1. Wait and retry later
Since repeated requests that happen too fast often cause the error, you have to simply wait and try again later.
Sometimes, the HTTP 429 error message tells you exactly how long you have to wait:
HTTP/1.1 429 Too Many Requests Content-type: text/html Retry-After: 3600
In this example, the Retry-After header says 3600, which means 3600 seconds. In other words, you will have to wait an hour before you can send another request.
2. Clear browser data
If the error persists, try clearing your browser’s cache and cookies to delete any corrupted data that may be causing the 429 status code.
Here’s how to do it on Google Chrome:
- Click the three dots icon on the top right corner of your browser and select Settings.
- On the left sidebar, head to Privacy and security → Delete browsing data.
- Choose the Cached images and files and Cookies and other site data options.
- Open the dropdown menu to set the time range – we recommend All time.
- Click Delete data and restart Google Chrome to complete the process.
If you use other browsers like Firefox, Safari, or Microsoft Edge, read our guide on how to clear browser cache to find the full steps.
3. Flush the DNS cache
Every time you visit a web page, your computer stores a cached version of its DNS records (domain name and the corresponding IP address).
By doing so, the page content will load faster during the next visit. This is because your browser doesn’t have to repeat the DNS lookup process all over again.
However, when the DNS cache becomes corrupted, missing, or invalid, it will result in connection issues.
You can fix this by simply flushing the DNS cache on your Windows or macOS operating system.
How to fix the 429 Too Many Requests error as a website owner (WordPress)
As a site owner, getting the 429 error code can be worrying. But there’s no need to panic – the issue usually resolves itself over time. All you have to do is sit back and try accessing your site later.
That said, if the error keeps popping up, you can try these troubleshooting methods:
1. Upgrade your hosting plan
As we said before, server resource limits are one of the leading causes of the 429 status code.
So, make sure to check whether your resource usage has exceeded the limits. You can do this by accessing your hosting control panel.
If you’re a Hostinger user, follow these steps:
- Log in to your hPanel dashboard and go to Websites from the left menu.
- Select Dashboard next to your domain name.
- When the Dashboard section appears, click See details under Hosting resources usage.
- From there, you can see your resource usage, including disk, inodes, CPU, memory, and PHP workers.
When your usage has exceeded the limits, simply upgrade your hosting plan to get more resources.
For instance, if you use web hosting, consider switching to cloud hosting, which offers 20x more server resources.
What’s more, our cloud solutions come with a content delivery network (CDN). So, if your primary server experiences errors, another server in the network will take its place to serve your website content.
If your resource usage is low, but your site still shows the 429 error message, try other solutions.
2. Disable your WordPress plugins
Sometimes, poorly-coded plugins may also cause HTTP issues, including the 429 error code.
To see whether your plugins are the ones causing the error, try to disable them one by one:
- Access your WordPress admin area and go to Plugins → Installed plugins.
- Click the Deactivate option under the first plugin.
- Access your website in incognito mode to see if the problem has been resolved.
- If not, repeat the second step for all active plugins until you find the culprit.
Once you have found the faulty plugin, update it and see if it solves the problem. Otherwise, you might need to deactivate the plugin for good and look for a new alternative.
If you’re locked out of your WordPress admin area, open the wp_content folder in your root directory using an FTP client. Find the plugins folder, then proceed to rename it to plugins-disable to deactivate all plugins at once.
3. Switch to a default WordPress theme
Besides plugins, outdated and unmaintained custom themes are prone to code and security issues.
That’s why we recommend switching to a default theme, such as Twenty Twenty, to see if this solves the problem. Make sure to back up your website data before performing such action in case something goes wrong.
If you can’t access your WordPress admin area, open your phpMyAdmin database instead. Hostinger users can do this via hPanel by navigating to Websites → Dashboard → Databases → Enter phpMyAdmin.
From there, click wp_options and find the template and stylesheet rows – they are usually located on the second page.
Next, double-click on the option_value of each row and edit the value into the default theme name, for example, Twenty Twenty-Four.
If the 429 error disappears after switching to a default theme, then the problem most likely lies within your custom theme. Contact the theme’s developer to report the issue, or simply abandon it and use other alternatives.
4. Contact your hosting provider
If you’ve done all the steps above and your site still shows the 429 Too Many Requests error, it’s always a good idea to contact your web host.
For Hostinger users, simply log in to hPanel and click the help button on the bottom right corner of the screen.
Next, select the topic to Website, choose your troubled domain, and click Start a live chat. That’s it – our Customer Success agent will be in touch shortly.
How to prevent the 429 error in the future
You’ve fixed the 429 error and regained access to your WP admin area. But how do you make sure it doesn’t happen again?
Here are some best practices you can follow:
1. Change the default WordPress login page
Every WordPress website has a default login URL, such as:
- domain.com/wp-admin
- domain.com/wp-login
And since it’s generic, hackers can easily guess the WP login URL of any website. All they have to do is to add /wp-admin or /wp-login to the domain they want to breach.
Guess what happens when your site is under attack? The server will notice it and show the 429 error code as self-defense.
One easy way to avoid brute force attacks is to change your default login URL. You can use a plugin like WPS Hide Login to create an alternate login page and prevent hackers from getting into your website.
Simply install and activate the plugin from the WordPress dashboard, then go to Settings → WPS Hide Login. Enter your new login page address in the Login url field.
Don’t forget to click Save Changes once done.
2. Implement rate limiting on your site
There are many security plugins that offer a rate limiting feature, which allows you to set a limit on how many requests users and bots can make every minute.
This is a great way to keep your server from being overwhelmed by too many requests.
For this tutorial, we’ll show you how to enable rate limiting using Wordfence:
- Install Wordfence and follow the instructions to get a free license.
- Once activated, go to Wordfence → All options.
- Under Firewall Options, click on Rate Limiting and toggle on the button to enable it.
After that, you will need to adjust the default rate limits (they’re currently set to unlimited). Here are the recommended rate-limiting settings according to Peter from the Wordfence support team:
- If anyone’s requests exceed – 240 per minute, then throttle it
- If a crawler’s page views exceed – 120 per minute, then throttle it
- If a crawler’s pages not found (404s) exceed – 60 per minute, then throttle it
- If a human’s page views exceed – 120 per minute, then throttle it
- If a human’s pages not found (404s) exceed – 60 per minute, then throttle it
- How long is an IP address blocked when it breaks a rule – 30 minutes
But these settings are not set in stone – you can always adjust them based on your specific needs.
3. Limit login attempts
A brute force attack is a common hacking method, where an attacker plays a guessing game until they finally crack your password.
Even if the hacker fails to guess your password correctly, they’ve already sent numerous requests in close proximity, which can lead to the HTTP 429 error.
To prevent this, you can limit the number of login attempts allowed before users are locked out.
In Wordfence, this feature is called Brute Force Protection, and it’s located just above Rate Limiting.
While there’s no right or wrong set of rules, you can follow Peter’s suggestions:
- Lock out after how many login failures – 3 to 5
- Lock out after how many forgot password attempts – 3 to 5
- Count failures over what time period – 4 hours
- Amount of time a user is locked out – 30 minutes or longer
Another effective way to protect your site from malicious bots is to enable reCAPTCHA on the login page.
To do so, you need to create Google reCAPTCHA v3 keys first. After that, head back to Wordfence → Login Security → Settings, and enter your reCAPTCHA v3 Site Key and reCAPTCHA v3 Secret.
Conclusion
The 429 Too Many Requests error means a client sends too many requests within a certain period. It usually happens because of brute force attacks, poorly-coded plugins or themes, and server resource limits.
If you encounter this issue while trying to visit a web page, simply wait and retry later. Clearing cached data on your browser and operating system might also help.
For WordPress site owners, resolving this error can be as simple as upgrading your hosting plan. If that doesn’t work, try disabling active plugins, using a default theme, and contacting your web host’s support team as a last resort.
Once fixed, you should change the default WordPress login URL, implement rate limiting, and limit login attempts to prevent the 429 error from appearing again.
429 Too Many Requests error FAQ
How do I prevent a 429 Too Many Requests error?
To prevent the 429 error, you should limit the requests and login attempts users can make per minute using plugins like Wordfence. Changing your default WP login URL is also helpful to avoid brute force attacks, which are a common cause of the error.
What are the consequences of a 429 Too Many Requests error?
A 429 Too Many Requests error can result in poor website performance, reduced user experience, and lost revenue. It can also lead to decreased search engine rankings and reputation damage. What’s worse, frequent 429 errors can also result in IP blocking, preventing legitimate users from accessing your website.