I have 2 website running on VPS. Their purpose is sharing music files and publishing news. Both of them use wordpress.

What I am trying is that I want to prevent little hackers from flooding the webserver and putting stress on the server to make it crash.

The problem is that after using limit_req_zone and limit_req my website became very slow. Browsing Wordpress control panel takes a long long time. I tried changing values but it didn't improve much. I guess the problem is Wordpress because it's the only script I am using on both front and back end.

Here is the last setting which seems to be more responsive than others :

limit_req_zone $binary_remote_addr zone=flood:5m rate=10r/m;

location ~ \.php$ {
limit_req   zone=flood burst=100 nodelay;
}

What are the optimal values that should be used in my case (wp) ? I want the website have it's normal behavior, On the other hand stopping lifeless people from flooding.

Another question, Is it safe and enough to use limit_req only on php files ?