When it comes to WordPress security, blocking unwanted visitors is a guaranteed way to keep your website safe. However, most website owners ignore this, as they find it too technical.
That’s why in this article we’ll show you simple ways to block IP addresses in WordPress. And keep your website safe from hackers and spammers.
Specifically, we’ll look at:
- What is an IP address?
- 2 reasons why you might need to block IP addresses
- How to find IP addresses that you need to block?
- Blacklisting IP addresses to prevent spam comments
- How to block IP address in WordPress?
Let’s get started.
What is an IP address?
You probably already know this — the internet is a network of computers.
These computers talk to one another by exchanging packets of data. But how does a computer know how to reach the other computer?
That’s where an IP address comes in.
An IP address is a unique identification number that is used to identify a computer in a network. Just like we humans use phone numbers to contact each other, computers use an IP address.
Get WordPress Cookie Consent Plugin for GDPR & CCPA to help you comply with the EU GDPR’s cookie consent and CCPA’s “Do Not Sell” opt-out regulations. Get free access now!
The computer that you’re using to read this blog post also has a unique IP address. To find out your IP address:
- Go to https://google.com
- Search for “what is my ip”
Google will spit out your computer’s IP address.
If you look at the number carefully, you’ll observe that an IP address is a set of 4 numbers —
XXX.XXX.XXX.XXX. These numbers range from 0 to 255 and are separated by dots.
2 reasons why you might need to block IP addresses
Your website is continuously under threat from spammers and hackers. Blacklisting known IP addresses helps you protect your website.
For a WordPress website, there are 3 reasons why you might consider blocking IP addresses.
One of the most common forms of spam that WordPress websites face is in the form of comments. Blocking IP addresses of spam comments on your blog articles:
- Keeps your website SEO healthy.
- And, saves you a lot of time moderating comments.
Block hacker attacks
According to Sucuri, of all content management systems, 90% of the hacked websites were built on WordPress.
DDoS (Denial of service) and brute force are the two most common forms of hacker attacks on WordPress websites. Identifying and blocking IP addresses that are a source of these attacks keeps your website safe.
How to find suspicious IP addresses to block?
Finding the IP address of a spam commentator is easy from your WordPress Admin Dashboard > Comments area.
For a DDoS or a brute force attack, you’ll need to check the access logs of your website. These access logs can be found in the Cpanel of your web hosting account.
To find the access logs login to the Cpanel area and look for Raw Access under the Metrics section.
The current access logs record each visit to your website. You can look at the access logs using a simple notepad application on your computer.
Verify suspicious IP addresses using a blacklist check tool.
Some website owners choose to blacklist all the IP ranges from specific countries. This works well if you have a well-defined audience for your website.
How to blacklist IP addresses that cause comment spam?
This one is simple and can be done right from your WordPress admin dashboard.
- Login to your WordPress admin dashboard.
- Go to Settings > Discussion.
- Enter the spammer’s IP address in the Comment Blacklist textarea. One IP address per line.
How to block IP addresses to prevent access to your website
While blocking spam commentators can be done from the WordPress admin dashboard, other malicious IP addresses need to be blocked from the entire website.
Block IP address from the Cpanel
To block an IP address, log in to your web hosting account’s Cpanel area. Under Security > IP Blocker, add an IP or a range of IP addresses that you’d like to block.
Once added, this IP address will not be able to access your entire website.
Block IP address with .htaccess
The second way to prevent access to your website is to deny access to an IP address from your
.htaccess file is a hidden file that you can find in the root folder of your website. To access this file, login to your Cpanel and open the File Manager.
Please note that you may have to set the option to show hidden files in order to see the
Open the file and add the IP blocking snippet to it.
Order Allow,Deny Allow from all Deny from XXX.XXX.XXX.XXX
XXX.XXX.XXX.XXX is the IP address you want to block.
Block IP addresses using WordPress Plugins
The above methods work well if you’re blocking basic hacking attempts, single IP addresses, or users from a specific region or country.
But most hacker and spam attacks are more sophisticated than this.
In such cases, what you need is software that continuously monitors access to your website and automatically blocks suspicious IP addresses.
Let’s look at some WordPress plugins that can help keep your website secure:
The WordPress Sucuri plugin monitors your website in real-time to identify suspicious, blacklisted IP addresses and blocks them.
It also scans your website for malware and checks file integrity.
The premium version comes with a website firewall. The firewall monitors your website for DDoS and brute force attacks.
Price: $0 to $200 per year
The Blocker plugin is the lesser cousin of Sucuri.
This plugin comes with IP whitelist, blacklist, country-specific IP blacklist features. It can also block malicious bots or user agents
The Cloudflare Manager plugin integrates your website with the Cloudflare firewall.
It provides the features to whitelist, blacklist IPs, as well as block IP addresses by country.
IP2Location is an advanced plugin that lets you block the unwanted traffic from accessing the blog posts or admin area by proxy servers.
You can also whitelist the crawlers like, Google, Yandex or Bing.
Blocking IP addresses of malicious users, user agents and bots can help you protect your website from spam and hacker attacks.
For a WordPress website, you have various options to block IP addresses including – .htaccess, Cpanel, and using WordPress plugins.
Know any other ways of blocking malicious IP addresses, let us know in the comments below.