Hi,
I’m Kévin Doussaint from VivaWeb agency (https://www.vivaweb.fr). I manage over 50 WordPress/WooCommerce sites hosted on the same VPS infrastructure, and I’ve been experiencing issues with the Hoster plugin’s update system.
The Problem
All my sites started receiving 429 “Too Many Requests” errors when checking for plugin updates. After investigating the server logs, I identified the root cause in two files:
- /inc/secure-download.php (lines 18-29)
- /inc/generate-json.php – function handle_secure_download() (lines 104-115)
Both files contain the same rate limiting logic that restricts downloads to 3 per day per IP address:
$user_ip = $_SERVER['REMOTE_ADDR'];
$ip_limit_key = "hoster_downloads_ip_" . md5($user_ip);
$download_attempts = get_transient($ip_limit_key) ?: 0;
if ($download_attempts >= 3) {
    status_header(429);
    die(json_encode(['error' => 'You have exceeded the maximum allowed downloads (3 per day). Please try again tomorrow.']));
}
set_transient($ip_limit_key, $download_attempts + 1, DAY_IN_SECONDS);
Why This Is Problematic
- Every update check (not just actual downloads) counts against the limit
- Multiple sites hosted on the same server share the same outgoing IP address
- With 50+ sites checking for updates, the limit of 3 is reached within minutes
- WordPress automatically checks for updates multiple times per day (via cron and admin visits)
- The rate limiting is duplicated in two files, so both need to be modified
My Temporary Fix (Tested and Working ✅)
I’ve implemented an IP whitelist with CIDR range support in both files to exclude my own servers from rate limiting:
$user_ip = $_SERVER['REMOTE_ADDR'];
// Whitelisted IPs (individual IPs + CIDR ranges)
$whitelisted_ips = [
    '109.234.165.153',
];
$whitelisted_ranges = [
    '5.39.62.0/24',
    '109.234.165.0/24',
];
if (!function_exists('hoster_ip_in_range')) {
    // IPv4-only CIDR check; returns false for anything ip2long() cannot parse.
    function hoster_ip_in_range($ip, $cidr) {
        list($subnet, $mask) = explode('/', $cidr);
        $ip_long = ip2long($ip);
        $subnet_long = ip2long($subnet);
        if ($ip_long === false || $subnet_long === false) {
            return false;
        }
        $mask_long = -1 << (32 - (int) $mask);
        return ($ip_long & $mask_long) === ($subnet_long & $mask_long);
    }
}
// Exact-match IPs first, then CIDR ranges
$is_whitelisted = in_array($user_ip, $whitelisted_ips, true);
if (!$is_whitelisted) {
    foreach ($whitelisted_ranges as $range) {
        if (hoster_ip_in_range($user_ip, $range)) {
            $is_whitelisted = true;
            break;
        }
    }
}
// Only non-whitelisted callers are counted against the daily limit
if (!$is_whitelisted) {
    $ip_limit_key = "hoster_downloads_ip_" . md5($user_ip);
    $download_attempts = get_transient($ip_limit_key) ?: 0;
    if ($download_attempts >= 3) {
        status_header(429);
        die(json_encode(['error' => 'Too many requests.']));
    }
    set_transient($ip_limit_key, $download_attempts + 1, DAY_IN_SECONDS);
}
Suggested Improvements for Future Versions
- Add a whitelist setting in the admin panel — Allow users to define trusted IPs/ranges that bypass rate limiting
- Increase the default limit — 3 requests per day is too restrictive for agencies or hosting providers managing multiple sites
- Separate JSON checks from actual downloads — Update checks (file=json) should have a higher or no limit, while actual ZIP downloads can remain restricted
- Consider per-license or per-site limiting — Instead of per-IP, track by the requesting site URL or license key
- Centralize the rate limiting logic — Having duplicate code in two files makes maintenance harder and can lead to inconsistencies
I hope this feedback helps improve the plugin. I love using Hoster for managing my plugin updates — it’s a great tool! 🙌
Let me know if you need any additional details.
Best regards,
Kévin Doussaint VivaWeb Agency https://www.vivaweb.fr
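An added example, not part of the original post and not Hoster's code: the `ip2long()`-based range check in the fix above only parses IPv4, so an allowlist that must also cover IPv6 callers needs a byte-wise comparison. `cidr_contains()` is a hypothetical helper name, and the `2001:db8::` values are constructed documentation addresses.

```php
<?php
// Added example (hypothetical helper): CIDR match for IPv4 and IPv6.
function cidr_contains(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    // Reject unparsable input and mixed families (4-byte vs 16-byte).
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;
    }
    $max_bits = strlen($addr) * 8;
    // A bare address without "/n" is treated as a single host.
    $prefix = $parts[1] ?? (string) $max_bits;
    if (!ctype_digit($prefix) || (int) $prefix > $max_bits) {
        return false;
    }
    $bits = (int) $prefix;
    $full = intdiv($bits, 8);   // whole bytes covered by the prefix
    $rest = $bits % 8;          // leftover bits in the following byte
    if (substr($addr, 0, $full) !== substr($net, 0, $full)) {
        return false;
    }
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($addr[$full]) & $mask) === (ord($net[$full]) & $mask);
}

// Ranges from the post plus one constructed IPv6 documentation range.
$ranges = ['5.39.62.0/24', '109.234.165.0/24', '2001:db8:10::/48'];
// Constructed sample callers, including malformed and out-of-range input.
$callers = ['109.234.165.153', '5.39.63.7', '2001:db8:10::5',
            '2001:db8:11::5', 'not-an-ip'];

foreach ($callers as $caller) {
    $allowed = false;
    foreach ($ranges as $range) {
        if (cidr_contains($caller, $range)) {
            $allowed = true;
            break;
        }
    }
    echo $caller, ' => ', $allowed ? 'skip rate limit' : 'rate limited', PHP_EOL;
}
```

Like the fix above, this trusts whatever address the request arrives from; behind a reverse proxy or CDN, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so the allowlist would then apply to every client of that proxy.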
Thanks for contacting us.
We have introduced a filter for the limit, and the documentation and update for it are coming soon. Follow our Facebook group for news, updates, etc.
Regards,
Arshad
DPlugins Support