Version: 1.0.0
Author: FlowAxy
Developer: iTeffa (iteffa@flowaxy.com)
Studio: FlowAxy
Website: https://flowaxy.com
License: Proprietary
Anti DDoS plugin for Flowaxy CMS provides protection against DDoS (Distributed Denial of Service) attacks by limiting requests from IP addresses and blocking suspicious activity. The plugin tracks request rates and automatically blocks IPs that exceed configured limits.
- 🛡️ Rate Limiting — Limits requests per minute and hour from each IP
- 🚫 Automatic Blocking — Blocks IPs that exceed rate limits with 429 Too Many Requests response
- ✅ Whitelist Management — Configure IPs that should never be blocked
- 🚨 Blacklist Management — Configure IPs that should always be blocked
- 📊 Statistics — View blocking statistics and top blocked IPs
- 📝 Logging — All blocked requests are logged to the database
- ⚙️ Settings Page — Easy configuration through admin panel
- 🔒 Protected Admin Panel — Admin panel and API are always accessible
- Early request interception via
handle_early_requesthook - Request rate tracking by IP address
- Database-backed settings and logging
- Integration with Flowaxy CMS access control system
- Configurable block duration
- PHP >= 8.4.0
- Flowaxy CMS with plugin support
- MySQL/MariaDB database
- Admin access for configuration
- Copy the plugin directory to
plugins/anti-ddos/. - Activate the plugin via the admin panel (Settings → Plugins).
- The plugin will automatically create necessary database tables.
The plugin will automatically register its route and menu item upon activation.
- Log in to the admin panel.
- Navigate to System → Anti DDoS in the menu.
- Or go directly to
/admin/anti-ddos.
- Toggle the "Enable DDoS Protection" switch to enable or disable DDoS protection.
Configure the maximum number of requests:
- Max Requests Per Minute — Maximum number of requests allowed per minute from a single IP (default: 60)
- Max Requests Per Hour — Maximum number of requests allowed per hour from a single IP (default: 1000)
- Block Duration — How long to block an IP after exceeding limits (default: 60 minutes)
Whitelist IPs — IPs that will never be blocked (one per line):
127.0.0.1
::1
192.168.1.100
Blacklist IPs — IPs that will always be blocked (one per line):
192.168.1.200
10.0.0.50
-
Request Tracking — The system tracks the number of requests from each IP address in the database.
-
Rate Checking — On each request, the system checks:
- Number of requests in the last minute
- Number of requests in the last hour
- Whether the IP is in the whitelist (allowed) or blacklist (blocked)
-
Blocking — If limits are exceeded:
- IP is logged to the
anti_ddos_logstable - Request receives a 429 Too Many Requests response
- IP remains blocked for the configured period
- IP is logged to the
-
Statistics — All blocking activity is tracked for monitoring and analysis.
The plugin provides:
- Blocked Today — Number of IPs blocked today
- Total Blocked — Total number of blocked requests
- Top Blocked IPs — IP addresses with the most blocked attempts
anti-ddos/
├── assets/
│ └── styles/
│ └── anti-ddos.css # Styles for the settings page
├── src/
│ ├── admin/
│ │ └── pages/
│ │ └── AntiDdosAdminPage.php # Admin settings page
│ └── Services/
│ └── AntiDdosService.php # Core protection service
├── templates/
│ └── anti-ddos.php # Settings page template
├── tests/
│ └── AntiDdosPluginTest.php # Diagnostic tests
├── init.php # Plugin initialization
├── plugin.json # Plugin metadata
└── README.md # Documentation
The plugin uses a service-oriented architecture:
- AntiDdosService — Core service for rate limiting and IP blocking
- AntiDdosAdminPage — Admin panel page for configuration
- Templates — PHP templates for HTML rendering
Logs all blocked requests:
id— Unique identifierip_address— IP address of blocked requesturl— Requested URLblocked_at— Block timestampcreated_at— Creation timestamp
Tracks request rate by IP:
id— Unique identifierip_address— IP addressrequest_count— Number of requestsfirst_request_at— Time of first requestlast_request_at— Time of last request
- ✅ CSRF protection for all write operations
- ✅ Access permission checks before executing operations
- ✅ Admin panel and API are always accessible
- ✅ SQL injection protection via prepared statements
- ✅ XSS protection via output sanitization
The plugin uses the following hooks:
handle_early_request(priority: 2) — Early request interception for rate limitingadmin_register_routes— Register admin routeadmin_menu— Add menu item
By default, the plugin:
- Limits to 60 requests per minute per IP
- Limits to 1000 requests per hour per IP
- Blocks IPs for 60 minutes after exceeding limits
- Allows access to admin panel and API
- Logs all blocked requests
You can customize protection:
- By changing rate limits in the admin panel
- By adding IPs to whitelist or blacklist
- By modifying block duration
- By adjusting rate checking logic in
AntiDdosService::checkRequestRate()
The plugin uses the following components from the Engine:
engine/core/support/base/BasePlugin.phpengine/core/support/helpers/DatabaseHelper.phpengine/interface/admin-ui/includes/AdminPage.phpengine/core/support/helpers/UrlHelper.phpengine/core/support/helpers/SecurityHelper.php
To extend the plugin:
- Configure rate limits — Modify default values in the
install()method - Add new rate limits — Extend the
checkRequestRate()method - Add new statistics — Extend the
getStats()method - Customize UI — Edit
templates/anti-ddos.phpandassets/styles/anti-ddos.css
If you find a bug or have questions:
- Check log files for errors
- Verify database tables are created
- Ensure PHP has proper permissions
The plugin includes a set of diagnostic tests to verify functionality. Tests are located in the tests/ directory:
- AntiDdosPluginTest.php — Set of automatic tests to verify:
- Blocking IPs from blacklist
- Allowing IPs from whitelist
- Rate limiting (per minute and hour)
- Saving and retrieving settings
- Statistics and log clearing
Tests are automatically loaded through Flowaxy CMS TestService and TestRunner system.
You can test rate limiting using curl:
# Make multiple rapid requests
for i in {1..100}; do
curl http://your-domain.com/
sleep 0.1
done
# After exceeding the limit, you should receive 429 Too Many RequestsProprietary. All rights reserved.
- ✨ Initial release
- ✅ Rate limiting (per minute and hour)
- ✅ IP blocking and logging
- ✅ Admin panel settings page
- ✅ Statistics and monitoring
- ✅ Whitelist and blacklist management
- ✅ Integration with Flowaxy CMS Engine
- ✅ Database timezone support
- ✅ Diagnostic tests
FlowAxy
Developer: iTeffa
Email: iteffa@flowaxy.com
Studio: flowaxy.com
Website: https://flowaxy.com
Developed with ❤️ for Flowaxy CMS