Published 4 months ago
ADINATA
Updated 4 months ago
I have encountered a limitation in the Frequency Limit (Rate Limiting) module. Currently, the "Match Target" options only include URL Path and Content-Type. There is no option to filter requests by HTTP Method (e.g., POST, GET, PUT) within this specific module.
The Problem: When protecting WordPress sites, many critical actions (like 2FA OTP requests, login attempts, and form submissions) are sent to the /wp-admin/admin-ajax.php endpoint via the POST method. However, this same file is also frequently accessed via GET requests for normal administrative functions.
Without the ability to specify the HTTP Method in Frequency Limit rules, I am forced to rate-limit the entire URL path. This creates a risk of:
False Positives: Legitimate GET requests being blocked or challenged because they share the same path as a POST-based attack.
Reduced Granularity: Inability to set strict limits specifically for POST-based OTP flooding or Brute Force attacks without affecting overall site performance.
Proposed Solution: Please consider adding Method as a selectable option in the Match Target dropdown menu within the Frequency Limit configuration. This would allow users to create more precise rules, such as:
Match Target: Method | Operator: Equals | Content: POST
Match Target: URL Path | Operator: Equals | Content: /wp-admin/admin-ajax.php
Impact: This enhancement would significantly improve the security posture for WordPress and CMS users by allowing targeted mitigation of "Lack of Rate Limiting" vulnerabilities on shared endpoints.
Thank you for your hard work on this excellent WAF.
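The difference between a path-only rule and a method-aware rule can be shown with a small sliding-window limiter. This is an added illustration, not the WAF's own Frequency Limit code: the `Rule` and `FrequencyLimiter` names, the limits, the window lengths and the client address 203.0.113.7 are all assumptions constructed for the example. It replays one client sending an 8-request POST burst (an OTP flood) followed by 5 ordinary admin GETs against /wp-admin/admin-ajax.php, first under a path-only rule and then under a rule set that also matches on method.

```python
"""Sliding-window rate limiter keyed by client, HTTP method and URL path.

Added example, not the WAF's implementation: it models what a "Method" Match
Target would let a rule express, next to the path-only rule available today.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    path: str                      # exact-match URL path (Operator: Equals)
    limit: int                     # maximum requests per window, per client
    window: float                  # window length in seconds
    method: Optional[str] = None   # None = any method (path-only rule)

    def matches(self, method: str, path: str) -> bool:
        if path != self.path:
            return False
        return self.method is None or self.method == method.upper()


class FrequencyLimiter:
    def __init__(self, rules, clock=time.monotonic):
        self.rules = list(rules)
        self.clock = clock
        # (client_ip, rule index) -> timestamps of accepted requests still inside the window
        self.hits = defaultdict(deque)

    def allow(self, client_ip: str, method: str, path: str, now: Optional[float] = None) -> bool:
        """Return True if the request passes every matching rule, False if any rule is exceeded."""
        now = self.clock() if now is None else now
        matched = [(i, r) for i, r in enumerate(self.rules) if r.matches(method, path)]
        for i, rule in matched:
            window = self.hits[(client_ip, i)]
            # Drop timestamps that have aged out of this rule's window.
            while window and window[0] <= now - rule.window:
                window.popleft()
            if len(window) >= rule.limit:
                return False
        # Count the request only once every matching rule has accepted it;
        # rejected requests are not counted, so the client recovers as the window slides.
        for i, _ in matched:
            self.hits[(client_ip, i)].append(now)
        return True


AJAX = "/wp-admin/admin-ajax.php"

# Constructed rule sets (assumed limits, not recommendations):
# today's option: one limit on the path regardless of method.
PATH_ONLY = [Rule(AJAX, limit=5, window=60)]
# requested option: a tight limit on POST plus a loose safety net on the path.
METHOD_AWARE = [
    Rule(AJAX, limit=5, window=60, method="POST"),
    Rule(AJAX, limit=30, window=60),
]


def simulate(rules):
    """Replay a constructed burst from one client: 8 POSTs, then 5 admin GETs, 0.1 s apart.

    Returns (posts_allowed, gets_allowed).
    """
    limiter = FrequencyLimiter(rules, clock=lambda: 0.0)
    t = 0.0
    posts = gets = 0
    for _ in range(8):
        t += 0.1
        posts += limiter.allow("203.0.113.7", "POST", AJAX, now=t)
    for _ in range(5):
        t += 0.1
        gets += limiter.allow("203.0.113.7", "GET", AJAX, now=t)
    return posts, gets


if __name__ == "__main__":
    print("path-only rule   (posts, gets allowed):", simulate(PATH_ONLY))
    print("method-aware rules (posts, gets allowed):", simulate(METHOD_AWARE))
```

Under the path-only rule the POST flood consumes the whole budget, so every subsequent administrative GET is rejected, which is the false-positive case described above. With the method-aware rules the same flood is cut off at the POST limit while the GETs only count against the looser path rule and pass. The method comparison is case-insensitive on purpose, since a request line of `post` must not bypass a rule written as `POST`.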
ADINATA
Updated 4 months ago
cc <@1282641039298924606> please add this feature