Chatbot

View All Docs
+

Getting Started (3)

+

Ai Configuration (5)

+

Woocommerce Integration (6)

+

Chatbot Implementation (3)

+

Customization (2)

+

Conversation Management (2)

+

Mobile App Pwa (5)

+

Chatbot Menu Settings (5)

+

Performance And Optimization (1)

Security And Privacy (6)

User Limits

Reading Time: 4 minutes

Overview

WPiko Chatbot’s User Limits feature lets you cap how many chat requests a single visitor can make, bucketed per IP address. It is designed to protect you against runaway OpenAI API costs and to prevent abuse of your chatbot. The feature is opt-in and disabled by default, so it will not affect your visitors until you explicitly enable it.

Limits are enforced as a hard block: once a visitor reaches the configured threshold, further requests are rejected with a friendly, customizable message. Blocked requests are logged into the conversation with the error role so you can review them later.

How It Works

Per-IP Rate Limiting

  • Each visitor is identified by their IP address (using REMOTE_ADDR by default, which cannot be spoofed at the TCP level).

  • Two independent windows can be configured: hourly and daily.

  • A fixed-window counter is stored in WordPress transients for each IP and window.

  • When a visitor sends a request, the plugin checks the active windows. If the count in either window has reached the configured limit, the request is blocked. Otherwise, the counter for each active window is incremented.

    • Admin Take Over Bypass

    When an admin is actively handling a conversation through the Pro version’s Take Over feature, the per-IP limit is automatically bypassed for that conversation. Messages exchanged during a takeover are neither blocked nor counted, so live human support is never interrupted by rate limiting.

    Fail-Open Behavior

    If the plugin cannot determine a visitor’s IP address, the request is allowed through rather than blocking everyone. This ensures the chatbot keeps working even on unusual server configurations.

    Configuring User Limits

    Steps

  • Log in to your WordPress dashboard

  • Navigate to WPiko Chatbot and open the User Limits tab

  • Toggle Enable User Limits to turn the feature on

  • Set the Hourly Limit (maximum requests per IP per hour)

  • Set the Daily Limit (maximum requests per IP per day)

  • Optionally customize the Limit Reached Message

  • Click Save User Limits

    • Setting Values

  • Hourly Limit — A positive integer. Set to 0 to disable the hourly window.

  • Daily Limit — A positive integer. Set to 0 to disable the daily window.

  • If both windows are set to 0, no limit is enforced even when the feature is enabled.

  • Limit Reached Message — Leave blank to use the default message: “You have reached the maximum number of messages allowed. Please try again later.”

    • How Blocked Requests Are Handled

    When a visitor hits the limit:

    • The configured (or default) friendly message is shown to the visitor in the chatbot interface.

    • The blocked request is logged into the conversation with the error role, so it appears in the conversation transcript and debug log for admin review.

    • For streaming requests, an error event with type: rate_limit is sent to the client. For non-streaming requests, a JSON error response with the same type is returned.

    Troubleshooting

    Limits Not Being Enforced

  • Confirm Enable User Limits is checked and saved

  • Verify that at least one of the hourly or daily limits is greater than 0

  • Check that your caching layer is not caching the chatbot’s AJAX responses (see the Cache-Busting System documentation)

    • All Visitors Blocked

  • This usually means your server reports the same IP for everyone (e.g. behind a proxy). Use the wpiko_chatbot_client_ip filter to read the real visitor IP from the appropriate forwarded header.

    • Limits Reset Too Quickly

  • The hourly and daily windows are fixed windows, not sliding windows. Counts reset when the transient expires, which is tied to the first request in the current window.

    • Best Practices

  • Start with generous limits and tighten them based on observed usage

  • Always set a daily cap as a safety net for API costs, even if you also use an hourly cap

  • Customize the limit-reached message to match your site’s tone and offer alternative contact options

  • If your site is behind a CDN or reverse proxy, configure the wpiko_chatbot_client_ip filter so limits apply to real visitors rather than the proxy IP

  • Periodically review blocked requests in the conversation log to spot genuine abuse patterns