How to Block IP Address in WordPress [3 Easy Methods]

Wonder how to block IP address in WordPress? We’ve compiled some of the easiest methods to blacklist IPs from your site.

You must have already heard that WordPress faces about 90,000 cyberattacks every passing minute. So, as a website owner, securing your site should be on top of your to-do list.

One effective way to protect your site against hacking attempts is to block IP addresses that seem suspicious.

Since IP addresses are attached to the device used to access the Internet, blocking them from your site is like stopping cyberattacks at their source.

You can also impose different levels of restrictions, like preventing users from commenting on your post or banning them entirely from accessing your site.

So, join us as we walk you through ways to identify and block malicious IP addresses in WordPress.

What is an IP Address?

An IP address, short for Internet Protocol address, is a unique identification number assigned by Internet providers to devices or local networks connected to the Internet.

You can think of it as a postal address for your computer on the Internet, allowing it to send and receive data.

IPv4 addresses, i.e., IPs following Internet Protocol version 4, consist of 4 sets of numbers starting 0 to 255, with a period (dot) separating each set.

Here’s an example of an IPv4 address:

On the other hand, newer IPv6 addresses are longer as they use both strings of text and numbers.

These look like:

Every device on the Internet has a unique IP address. When visitors access your website on their device, your site saves their IP in an access log file on its server.

Why Should You Block Certain IP Addresses in WordPress?

Identifying and blocking malicious IP addresses is an essential step in website management.

Here’s why:

1. Prevent Spam

WordPress gets around 487 billion spam messages every month. Often, these are comments trying to leverage a site’s reach to promote themselves or redirect users to suspicious domains.

But spammers can also submit fake entries in your contact form. Blocking IP addresses is an effective way to reduce irrelevant comments and form submissions on your site.

2. Prevent Brute Force Attacks

Brute force attacks involve attackers using trial-and-error to guess login info and encryption keys or find a hidden web page.

It puts the credentials of your visitors and the site’s admin at risk.

Blocking IPs with countless login attempts can help prevent these attacks, ensuring your site remains secure and accessible.

3. Prevent DDoS Attacks

DDoS or Distributed Denial of Service attacks include driving an enormous amount of fake traffic to a site to clog its resources.

Because of this surge, there’s not enough bandwidth left for your genuine visitors. They face longer loading times, which ultimately affects their user experience.

So, blocking these IP addresses ensures your site remains accessible only to the right people.

4. Safeguard Against Bots

Bots generate almost 38% of all traffic on the Internet. Besides artificially inflating your traffic stats, bots can leave spam comments and even steal your content.

Identifying and blocking malicious IP addresses helps you keep bots at bay.

5. Legal Compliance

Newer cybersecurity norms put a greater responsibility on website owners to take steps to safeguard their sites as well as visitors.

Depending on your country’s policies, you may be required by the law to block suspicious IP addresses.

Hackers can exploit Website login pages to gain illegal access to admin accounts. Here are 11 ways to protect your WordPress login page.

How to Identify Unauthorized IP Addresses to Block?

Before you can restrict IPs, you must recognize the signs that constitute an IP being malicious. Here are some suspicious activities that can be telltale signs of a problematic IP:

• Multiple failed login attempts from the same address within a short period can signify a brute force or DDoS attack.
• A sudden surge in traffic from a specific IP address, especially during odd hours or in large volumes, can indicate a potential threat of cyberattack.
• Comments and form submissions from users with random usernames with long strings or numbers make a strong case for banning their IP addresses.
• Frequent requests for URLs known to be vulnerable or that don’t exist on your server might indicate that an attacker is looking for entry points or weaknesses.

Instead of manually scraping these addresses, use a specialized IP lookup tool for the identification process.

These tools reveal the IP address’s location, service provider, and hostname, along with its blacklist status, allowing you easily separate genuine users from suspicious ones.

So, where can you find these IP addresses in WordPress? There are two places you can look for them:

1. WordPress Comments Panel

The easiest way to find IP addresses is to look for them in your WordPress comments panel.

From your WordPress dashboard, head over to the Comments tab.

Here, you’ll find all the comments along with details about users, such as their name, email, and IP address.

Once you are in the comments panel, try looking for suspicious comments.

These can include comments from users with randomly generated usernames, users whose names and emails don’t match, or comments with links to external web pages.

Note down their IP addresses so you can block as shown later in this post in the “How to Block IP Address in WordPress” section.

To ensure you don’t block your genuine visitors, verify their authenticity using an IP lookup tool.

2. Your Site’s Server Logs

The previous method is only suitable for marking obvious spammers.

To identify more sophisticated attacks like abnormal surges in traffic or failed login attempts, you’ll need to access your server logs from your hosting account dashboard.

If you use cPanel hosting, here’s how you can find the access log file:

Step 1. Login to your hosting account and scroll down to the Logssection in the cPanel dashboard.

Step 2. Look for the Raw Access Logs option. Click it, and you’ll be taken to the access logs page.

Step 3. Look for the compressed log file in the Archived Raw Logs section. Click the file name and the logs will be downloaded to your device.

Step 4. Upload the logs file to an IP lookup tool to analyze their authenticity.

How to Block IP Address in WordPress [Proven Methods]

Here are three ways you can block IP addresses in WordPress:

Method 1: Using Security Plugins to Block IP Addresses in WordPress

The easiest way to block IP addresses is to use a plugin.

You can either download a complete security plugin like All-In-One Security (AIOS), or you can get a plugin like IP Location Block, which is explicitly designed to block IP addresses.

These plugins eliminate the process of manually identifying and blocking unauthorized users. Instead, they automatically identify suspicious IP addresses and restrict them.

They also maintain a log of blacklisted IP addresses and users, along with their location and the time they were blocked.

Here’s how you can use the All-In-One Security plugin to block IP addresses in WordPress:

Step 1. Head over to the Plugins tab and install the AIOS plugin.

Step 2. Once the plugin is installed, a new tab called WP Security will be added to your WordPress side menu.

Click it, navigate to Firewall settings, and open the Blacklist tab.

Step 3. Now, Add the problematic IP addresses in the text field in front of the Enter IP Addresses option. Add only one address in each line.

Click the Save Settings button to save your IP blocklist.

You can also use plugins to geo-block users with ease. The feature is essential because most ISPs today have dynamic IPs.

Devices get new IPs when they connect to a network. Geo-blocking helps you identify the location of malicious IP addresses and block traffic from an entire region, be it a city or country.

To achieve this in the AIOS plugin, simply enter the IP range instead of individual addresses.

You must use the “*” symbol to signify a range. Here are some examples of you can specify a range:

If you are looking for a security plugin for your site, check out our list of 6 best WordPress security plugins.

Method 2: Manually Block IP Addresses in WordPress

There are also ways to block IP addresses without using a plugin. This method will help you prevent spam comments from blacklisted IPs.

Here’s what you need to do:

Step 1. Login to your WordPress dashboard and head over to Settings > Discussion.

Step 2. Once you’re in the Discussion settings, scroll down to locate a Disallowed Comment Keys section.

Step 3. Paste the unwanted IP addresses.

Step 4. Save the changes.

WordPress will now prevent spammers from these addresses from leaving a comment on your site.

However, they can still access your site, which brings us to our next trick.

Method 3: Blocking IP Addresses from .htaccess File

This method also requires some manual effort on your end, but it also blocks users with backlisted IPs from accessing your site.

We’ll have to add problematic IPs to the .htaccess file stored on our site’s root folder.

Here’s how you can edit the .htaccess file in your cPanel account:

Step 1. Login to your cPanel hosting account.

Step 2. Go to Files and then open File Manager.

Step 3. Look for a folder named public_html. Click the plus “+” icon to expand it.

Step 4. Now, search the .htaccess file. Right-click the file name and select the Edit option from the menu.

Step 5. Type the following code in the file:

Deny from 123.123.123.123

Step 6. To block multiple IPs, add a space and type the next address as shown below:

Deny from 111.111.111.111 222.222.222.222 333.333.333.333

Save the file, and that’s it. You’ve successfully blacklisted unauthorized IPs from accessing your site.

Note: A periodbefore a file name signifies that the file is hidden by default. So, if you don’t see the .htaccess file in the directory, enable the Show Hidden Files option from the settings.

Wrapping Up

Actively monitoring comments and incoming traffic can help you identify possible threats to your site.

Once you’ve identified such users, you can get their IP address from your hosting account and block them using the steps shown above.

That way, you can easily prevent hackers and other ill-intent users from compromising your site’s security.

With your site now secured, it’s time to improve its design and functionalities. Check out The Plus Addons for Elementor, a plugin that gives you access to over 120+ widgets, 300+ UI blocks, and 18+ ready-to-use templates.

For your next read, check out our WordPress website maintenance checklist.

FAQs on Blocking IP Addresses in WordPress