What does HTTP error 429 “Too many requests” mean? (+ how to fix it)

If you spend enough time managing a website, you’ll eventually come across cryptic error codes that stop you in your tracks: HTTP 500, HTTP 503, HTTP 403, and the infamous HTTP error 429: Too Many Requests.

Unlike other HTTP error codes, a 429 doesn’t always mean something is broken. Instead, it’s your server’s way of waving a red flag and saying, “Slow down, you’re asking for too much at once.”

The tricky part is that an HTTP 429 error gives you very little detail. You know requests are being blocked, but you don’t know why or what’s causing them. That can make it frustrating for you and your users.

Source

Once you understand what this error really means, you can not only fix it quickly but also prevent it from happening in the future.

In this guide, I’ll break down what causes a 429 error, share real examples I’ve run into, and walk you through both short-term fixes and long-term solutions to keep your site running smoothly.

Table of Contents

• Causes of HTTP Error 429: Too Many Requests
• How to Fix an HTTP 429 Error
• How to Fix HTTP 429 Error on WordPress
• How to Avoid an HTTP 429 Error

Free Ebook: How to Use an API

Everything you need to know about the history and use of APIs.

• A History of APIs
• Using APIs
• Understanding API Documentation
• And more!

Get Your Free Guide Learn more Get Your Free Guide

Download Free

All fields are required.

You're all set!

Click this link to access this resource at any time.

Download Now

Causes of HTTP Error 429: Too Many Requests

In my experience, an HTTP 429 isn’t exactly a “bug” or “error.” I prefer to describe the 429 status code as a protective response from the system.

It appears when the server, application programming interface (API), or service is essentially throwing up a hand and saying, “Hold on, you’re sending requests faster than I can handle!”

To elaborate further, I reached out to Nayan Das, an experienced technical support lead who provides technical support to over 1 million WordPress users.

Das described, “A 429 status code means you’re making too many requests in a short period. It’s the server’s way of asking you to reduce the frequency. I would rather not call it a failure, just a signal to slow down.”

I also reached out to Vladimir Milosavljevic, a technical support lead with over a decade of experience providing technical support, who says, “I’ve always explained the 429 status code as the server’s way of protecting itself. It’s not an error in the traditional sense, but a safeguard.

“Most cases come down to rate-limiting, whether from brute force attempts, misconfigured plugins or APIs, or simply too many users on the same network."

Based on my knowledge and the expert insights, we can see a clear picture that the 429 status code is deliberate. It’s often triggered by API rate-limiting mechanisms, which are intentionally set by the server to prevent overload, abuse, or attacks.

The client application usually refers to a website or app, a script, or even an automated bot. Still, it can also refer to individual users, like the site admin, a site visitor, or a hacker.

The error message displayed with a 429 status code may vary. A 429 error may appear in the following ways, with or without the phrase “too many requests”:

• HTTP error 429
• HTTP code 429
• HTTP error code 429
• HTTP status code 429
• HTTP response code 429
• Response code 429
• 429. That’s an error.
• 429 server error
• There was a problem with the server 429
• Problem with the server 429

Here are some of the potential causes of the 429 error:

1. Repeated requests to server. Sending too many requests in a short timeframe triggers the server’s rate limits.
2. API call limits. Applications or users exceed the allowed number of API requests.
3. Brute-force login attempts. Bots or attackers repeatedly try password combinations, overwhelming the login endpoint.
4. Automated traffic. Bots, scrapers, or scripts flood the server with rapid or excessive requests.
5. Server resource limits. The server limits traffic if CPU, memory, or bandwidth is maxed out.
6. Multiple users on one IP. Many people sharing one IP address can collectively hit rate limits.
7. Faulty or unoptimized code. Programming bugs or bad design lead to repetitive or unnecessary server requests.

Repeated Requests to the Server

The primary cause of a 429 error is sending too many requests within a short period of time. If a user keeps refreshing a page, or if a script is misconfigured and sends constant requests. I have experienced that it can also be intentional. Many platforms set request limits to prevent overload. X’s API, for instance, returns a 429 error if an app exceeds its 15-minute limit.

I’ve seen this happen on websites of all sizes. Personal blogs, WordPress websites, big platforms like Facebook or YouTube, and even Google itself can return a 429 error if overloaded.

Google Search Console, for example, may trigger 429 responses when it makes too many data requests at once. The bottom line is that if a client (browser, bot, or app) sends more requests than allowed, the server responds with “Too Many Requests.”

It’s basically a warning to slow down. MDN Web Docs explains that the 429 status code exists specifically for these rate-limiting rules.

Brute-Force Login Attempts

Another common cause of 429 errors on WordPress and other CMS platforms is a brute-force login attack. It happens when a bot or hacker tries to guess passwords by sending rapid login attempts.

I’ve seen this recently while working for a WordPress brand, Infinite Uploads, with dozens of attempts per minute. Luckily, Cloudflare security measures kicked in alongside the security plugin and started returning 429 errors by limiting the login requests.

In this case, the 429 error is actually a security feature. It throttles requests to protect the site. Brute-force attacks are a leading cause of 429 errors on WordPress sites.

Server Resource Limits

I have also seen that many shared hosting environments will issue 429 errors if a single user or IP address starts using too many resources. It’s the server’s way of maintaining stable performance.

For example, PayPal’s API sandbox blocks an IP for five minutes if it sends more than 50 requests in a single minute. That’s a resource-driven rate limit. Cross the threshold, and you’ll get 429 errors until the block is lifted. I’ve seen similar rules in other APIs, with limits set per minute, hour, or day.

On a regular hosting server, you may see 429 errors if your site or a script on it makes too many database or API calls. Shared servers, in particular, enforce these rules to prevent one site from slowing down others.

Himel Islam, a technical support engineer at Dorik CMS, once encountered a bug that generated thousands of requests in minutes. “The host’s firewall responded with 429 errors, which actually saved the server and gave me time to fix the bug.”

Here, the HTTP 429 error is saving your server by limiting accessibility. But on the other hand, it also limits other valuable aspects, such as search engine crawlers.

Evan Cunningham-Dunlop, founder of Perth SEO Studio, discussed how his customers handle the HTTP 429 error and its impact on their SEO:

“HTTP 429 errors can be devastating for SEO if they happen often. When Googlebot encounters too many 429 errors, it reduces the crawl rate, which may prevent key pages from being indexed or updated.

“I’ve seen many businesses investing heavily in SEO, only to have those efforts undermined by server limits holding them back."

Now we know that a 429 isn’t a punishment, it’s a form of protection. It keeps your servers from overloading, but it also interrupts valuable services. That’s why you need to keep an eye on it to reduce damage.

Free Ebook: How to Use an API

Everything you need to know about the history and use of APIs.

• A History of APIs
• Using APIs
• Understanding API Documentation
• And more!

Get Your Free Guide Learn more Get Your Free Guide

Download Free

All fields are required.

You're all set!

Click this link to access this resource at any time.

Download Now

How to Fix an HTTP 429 Error

1. Wait to send another request.
2. Clear your browser’s cache.
3. Flush your DNS cache.
4. Implement exponential backoff.

Most of the steps below focus on avoiding, rather than retroactively fixing, an HTTP 429 error. Take a look.

1. Wait to send another request.

The simplest and often most effective fix to an HTTP 429 error is: Do nothing for a bit! I know that sounds anticlimactic, but if you or your app has been rate-limited, the server just needs you to pause.

Often, the 429 response includes a header called Retry-After, which tells you how long to wait before trying again. For example, a response might say Retry-After: 3600 (meaning wait 3600 seconds, or 1 hour).

Here’s an example that asks the client to wait an hour before sending another request.

HTTP/1.1 429 Too Many Requests Content-Type: text/html Retry-After: 3600 <html> <head> <title>Too Many Requests</title> </head> <body> <h1>Too Many Requests</h1> <p>Only 100 requests per hour per logged in user is allowed on this website. Try again soon.</p> </body> </html>

As an example from the StackOverflow community: “If everything is set up properly, you will also have received a ‘Retry-After’ header along with the 429 response... The proper way to deal with this ‘problem’ is to read this header and to sleep your process for that many seconds.”

From a developer’s standpoint, ensure your code respects any Retry-After or similar guidance. For instance, if you’re calling an API and receive a 429, have your script pause or back off rather than continuously hammering the server.

2. Clear your browser’s cache.

Sometimes, the browser repeats old requests or uses outdated login tokens that the server has flagged. Thus, if waiting does not resolve a 429 error, my next step is to clear my browser cache and cookies.

A full cache can also cause odd behavior, such as a cached script that keeps retrying in the background. Clearing the cache makes sure your next request is fresh.

To do so in Chrome:

• Click CMD + Shift + Delete on Mac or Control + Shift + Delete on Windows.
• The “Clear browsing data” analog pop-up.
• Click on the Advanced tab.
• Select the time range and the data you’d like to delete.
• Click Clear data.

To find instructions for your specific browser, click here.

3. Flush your DNS cache.

Another lesser-known fix for 429 errors is flushing your DNS cache. The DNS cache is your computer’s memory for website lookups. It stores IP addresses, allowing sites to load faster.

If your computer’s cache points to a server that returned a 429, it may continue to use that server even if another is available. Flushing DNS forces your system to fetch fresh data, which can sometimes solve the issue.

I’ll admit that this doesn’t apply to every 429 case, but I’ve used it successfully with APIs and web services.

How you flush DNS depends on your OS:

• Windows. Open Command Prompt → run ipconfig /flushdns
• macOS. Open Terminal → run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
• Linux. Varies by distro, but often systemd-resolve --flush-caches or restarting the DNS service.

It sounds technical, but it’s usually just one command. After flushing, try again to see if the HTTP Error 429 is gone. You can learn more about flushing your DNS cache with proper instructions for different versions of different operating systems.

4. Implement exponential backoff.

If you’re a developer or power user dealing with HTTP 429 errors in scripts or APIs, one of the best fixes is exponential backoff. Instead of retrying immediately at a constant rate, you wait a bit, and if it fails again, you wait longer each time.

For example, if I hit a 429, I’ll wait one second and retry. If it fails again, I wait two seconds, then four, then eight, and so on. Each attempt gives the server more breathing room. In most cases, the limit clears before I reach more than a few retries.

Experts strongly recommend this. The OpenAI team advises exponential backoff for their API. They note that rapid retries still count against your limit. So backing off is the only way to succeed.

In automation, many libraries handle this for you. For example, Python has a backoff library, and cloud SDKs like Google’s or AWS’s include retry logic with exponential backoff built in.

import backoff

import requests

@backoff.on_exception(backoff.expo, requests.exceptions.RequestException, max_tries=5)

def get_url(url):

return requests.get(url)

Even if you’re not coding, you can apply the same idea manually by using an exponential backoff calculator. Here’s how:

• Access a calculator such as exponentialbackoffcalculator.com.
• Input a time interval, such as two seconds.
• Input the maximum number of retries or requests you’d like to make.
• Input an exponential for subsequent requests.
• Use a manual alarm or timekeeper to make new requests at the resulting timestamps.

Alternatively, if you’re a developer or advanced user, you can add code to implement this approach. For instance, you can use a framework like Celery that comes with a built-in exponential backoff module.

Source

HubSpot advisor Ruben Burdin notes, “A 429 from HubSpot usually means you’ve hit documented API limits, but sometimes throttling happens even under quota. That’s why it’s best to plan for hiccups and use exponential backoff or queuing so your app can recover automatically.”

The steps discussed above are general fixes for the 429 “Too Many Requests” Error. If you have a WordPress site, then you may need a WordPress-specific solution.

How to Fix HTTP 429 Error on WordPress

As a WordPress administrator, seeing an HTTP 429 error can be alarming. It means that you, your users, or something in your WordPress environment is flooding the server with requests.

The general fixes we discussed above, such as waiting, caching, and backoff for APIs, etc., are the fixes. However, WordPress has some specific areas to check.

In my experience, 429 errors in WordPress often stem from issues with plugins, themes, or external services connected to WordPress.

Let’s go through the steps I take to troubleshoot HTTP Error 429 on a WordPress site.

1. Wait before re-accessing your website.

The first step with HTTP 429 errors in WordPress is often just waiting. On WordPress, these errors can happen during sudden traffic spikes, especially on shared hosting.

I’ve seen this myself when I worked as a developer managing my university registration system. Thousands of students usually try to log in in the last few days of the semester registration deadline.

The traffic surge caused HTTP 429 errors for some students until things calmed down. A few minutes later, the site was back to normal. Rather than taking immediate action, I advised my university professor to be patient and wait.

However, while you wait, it’s worth doing quick checks:

• Clear your WordPress cache (or CDN cache).
• Flush your DNS, and make sure the problem isn’t local.

But most of the time, a temporary 429 clears on its own. If it lasts more than an hour or keeps happening, it’s time for deeper fixes. Another part of “waiting” is evaluating your hosting plan. Frequent 429 errors during busy times may indicate that your site has outgrown its current plan.

Pro tip: Occasional HTTP 429 errors under heavy load in WordPress are normal. But if it’s a pattern, you may need stronger hosting or a CDN to handle traffic better.

Free Ebook: How to Use an API

Everything you need to know about the history and use of APIs.

• A History of APIs
• Using APIs
• Understanding API Documentation
• And more!

Get Your Free Guide Learn more Get Your Free Guide

Download Free

All fields are required.

You're all set!

Click this link to access this resource at any time.

Download Now

2. Hide or move your default WordPress login page.

Sometimes, HTTP 429 errors can arise due to cybersecurity attacks, such as brute-force attacks on your default WordPress login page. Attackers know this, so they target yourwebsite.com/wp-login.php or /wp-admin. URL with repeated attempts.

One practical and surprisingly simple fix I’ve implemented is changing the default login URL for WordPress.

What can’t find you, can’t hurt you!

You can check several ways to figure out if you’re under a cyberattack:

• Use a WordPress traffic plugin to detect a sudden traffic spike without a clear reason, such as a campaign, which could indicate an attack.
• Traffic from an unfamiliar country may signal hacking attempts.
• Excessive traffic from a single IP address may indicate that a single attacker is targeting your site.

To move your default login page, you only need to change its URL. That can be easily done using the WPS Hide Login plugin.

Here’s how to use it:

• Install the plugin through your WordPress admin dashboard.
• Access the plugin’s Settings page.
• Next to Login URL, add the new slug for your login page.
• Click Save Changes.

Save the new URL somewhere for safekeeping. The last thing you want is to forget where to log in!

3. Deactivate your plugins one by one.

From what I’ve seen over the years, plugins are one of the most common culprits behind recurring HTTP 429 errors.

A plugin might flood an external API with repeated calls, or retry endlessly when something breaks, creating a cascade of “HTTP 429 Too Many Requests” responses.

Kaumil Patel, COO of GreenGeeks Hosting, has spent over two decades working in WordPress and Joomla hosting, and he has observed this pattern repeatedly.

“Across thousands of customer sites, we’ve noticed that 429 complaints often trace back to a single plugin misbehaving. It could be firing off unthrottled API requests, stacking retries, or running too many cron jobs at once.

“My rule of thumb is that if something breaks on a website, a plugin might be involved. So my response is to start deactivating plugins one by one to see if the scenario changes. And it changes more often than you’d expect!”

From my experience, rather than deactivating them all at once, do so one after another so that you can isolate the culprit. Here’s how:

• On your WordPress dashboard’s sidebar, tap Plugins > Installed Plugins.
• Click Deactivate on the first plugin.
• Check to see if this resolves the issue by accessing your website through an incognito window.
• If not, deactivate the next one until all plugins are deactivated.
• Activate them one by one once you’re finished.

4. Uninstall your custom WordPress theme.

If plugins aren’t the issue, the next place to look is your WordPress theme. Some custom themes from third-party marketplaces, such as ThemeForest or Envato, can make heavy external or internal requests.

For example, a theme might fetch feeds, run constant AJAX calls, or use inefficient code that floods the server with requests and triggers 429 errors.

To test this yourself, try switching to a default WordPress theme on a backup or staging site. If the errors stop, your custom theme is the problem.

Then, you can troubleshoot the code, contact the theme developer for fixes, or consider another theme. If you must keep the theme, contact the developer for necessary updates.

5. Set your own throttling limit for any APIs.

Client-side throttling is a bit advanced, but it’s a proper fix if your WordPress site or any site relies heavily on external APIs. Instead of letting your site fire API requests every time a page loads, you can throttle them.

For example, you can limit the number of calls to 10 per hour or cache results for 15 minutes to prevent constant API hits. You can implement a stricter throttling limit for yourself to prevent going over the limits of a server, API, or other service you’re using.

It’s highly beneficial if you’re using a costly API, such as the X API, and want to avoid exceeding your usage policy.

Besides, it’s common to have multiple cron jobs all hitting an API at midnight, which causes a burst of requests and 429 errors. Staggering or combining the jobs can solve the problem.

In short, be aware of how often your site calls external services. If you modify your code or use plugins that allow you to set a stricter limit on the number of requests, you won’t exceed the provider’s cap.

6. Contact your hosting provider.

If all else fails, or you suspect the 429 is coming from the server side, reach out to your hosting provider. Besides, hosts have access to logs and server settings that you don’t, and they can often pinpoint the cause.

Hosts can also help if the HTTP 429 error is tied to third-party integrations. Some services, such as Cloudflare or Google Search Console, may be rate-limited by your hosting provider.

When contacting support, provide details like:

• When did the error start?
• What triggered it?
• What have you tried so far?

The more info they have, the faster they can help.

Good hosts take 429s seriously because frequent errors can negatively impact user experience and even affect SEO. Search engines, such as Googlebot or LLM crawlers, may crawl your site less frequently if they encounter 429 errors.

In short, once you’ve exhausted your fixes, your hosting provider’s support team may have the final solution.

How to Avoid an HTTP 429 Error

So far, I’ve covered my experience and how to troubleshoot and fix an HTTP 429 error when it happens. However, as someone who manages websites and APIs, I always prefer to avoid errors in the first place if possible.

To make it more actionable, I reached out to Onur Birsen, CTO of Glacial Multimedia, who has managed over 3,000 websites and witnessed firsthand how 429s impact both performance and growth.

Birsen shares best practices from his 25 years of website management experience to reduce the likelihood of receiving the “HTTP 429 Too Many Requests” message below.

• Design with limits in mind. Every server or API has a threshold. So, throttle or cache requests to avoid overwhelming servers and APIs.
• Use caching and CDNs. A CDN can serve static files efficiently and reduce repeated hits to your origin.
• Know your API limits. Keep track of each service’s quota, space out jobs, and upgrade tiers if needed.
• Monitor usage. Keep an eye on your logs and analytics. Check logs and analytics for spikes, bots, or misbehaving plugins.
• Use progressive rate limiting. Instead of blocking users outright, gradually slow down the rate of heavy users.

Resolving the HTTP 429 Error

Over time, I’ve stopped seeing the HTTP 429 “Too Many Requests” error as a dreaded signal and started seeing it as a helpful indicator. But now I know 429s protect my sites from abuse, stop bots, and even save me from my own buggy code.

Fixing an HPPT 429 error usually has two parts:

• Immediate response.
• Long-term prevention.

In the short term, steps such as waiting, clearing caches, backing off, or disabling a problematic plugin can help get your site running again. It’s always a relief when a quick fix brings everything back to normal.

In the long term, the key is understanding why the 429 occurred. Solve the root cause, whether by increasing rate limits, upgrading hosting, or adjusting configurations to make the site more resilient.

At the end of the day, it’s all about keeping your site smooth and your visitors happy. So next time you see “Too Many Requests,” take a breath, apply the right fix, and know you’ve got it under control.

This article was originally published in December 2020 and has been updated for comprehensiveness.

Free Ebook: How to Use an API

Everything you need to know about the history and use of APIs.

• A History of APIs
• Using APIs
• Understanding API Documentation
• And more!

Get Your Free Guide Learn more Get Your Free Guide

Download Free

All fields are required.

You're all set!

Click this link to access this resource at any time.

Download Now