Hey James,
Thanks for sending the logs over and for the well wishes! I was out for positive reasons, thankfully!
In the section you highlighted, the IP address 34.174.*** accessed the site successfully only 2 times before the 508 response started. Since a 508 response indicates the server has run out of resources, it’s sent by the server itself before the request reaches Wordfence, which is why the rate limiting didn’t kick in. The hostname on the IP is *.bc.googleusercontent.com. This is often confused for Googlebot, but it’s actually the hostname used by Google-hosted cloud servers for users, rather than being used by Google itself.
Checking through the access logs, I also see a few times where there are bots spoofing the user agent Googlebot. For example, on 9/25 at 5:30 am, the IP address 79.127.*** uses the Googlebot user agent, but is not a legitimate Googlebot. I see they had approximately 60 accesses over the course of 2 minutes before the server started to return 508 responses. This would not have been throttled by the rate-limiting settings in the original diagnostics I received.
If you’d like to verify legitimate Googlebot traffic in the future, you can use reverse DNS lookup or check against Google’s published IP ranges. Google has some solid details on that here: https://developers.google.com/search/docs/crawling-indexing/verifying-googlebot
If you often see a variety of IP addresses before the resource limits have been hit, it might be worth using a service with DDoS protection, such as Cloudflare, to add an extra layer of security to the site.
If your server’s resource limits are fairly low, you might consider setting the rate limits as low as 60 requests per minute, but please keep an eye on your Live Traffic log to ensure that regular visitors aren’t being blocked.
It may also be a good idea to check with your host. They should be able to help review for any potential issues leading to higher-than-normal resource usage.
Please let me know if you have any questions!
Thanks,
Margaret
