Imagine you have a security guard for your website. This guard lets the real people in and stops the bad people.
This is what happens when we block some IP addresses on the WordPress website. This is a simple but powerful method that we use on WPGuidePro to:
- Stop spammers
- Avoid brute-force attacks
- Protect the website from people who can cause harm
In this article, we will tell you how to block IP addresses in WordPress. And we will also tell you which IP addresses should be blocked.
Want to stay ahead with AI-driven change footer in WordPress insights and stay updated with the latest trends? Subscribe for daily search insights at wpguidepro.com to improve your WordPress strategy
Table of Contents
What Is an IP Address?
Every computer that connects to the internet gets an IP address which is given by its internet service provider.
If we consider the internet as a real world, then the IP address is like the number of a country, street, and house. The IP address is a set of 4 numbers, in which every number is between 0 to 255, and they are separated by dots.
Examaple: 172.16.254.1
All the people who visit your WordPress website, their IP address is saved in the website’s access log file. Meaning, whenever you view any website, that website also saves your IP address.
If you want to hide your real IP address and personal information when you use the internet, you can use a VPN service.
Why & When Do You Need to Block IP Addresses?
If you want to avoid unwanted visitors, comment spam, email spam, hacking attempts, and DDoS (denial of service) attacks on your website, block IP addresses is a simple and effective way.
The most common sign of a DDoS attack is that your website is frequently not accessible or the pages take a long time to load
Other attacks are more obvious, such as when you start receiving a lot of spam emails from spam comments or contact forms. We have many ways to combat spam comments, but ultimately block IP addresses is the only solution.
Finding Out IP Addresses You Want to Block in WordPress
WordPress stores the IP addresses of users who comment on your website. You can see these IP addresses on the Comments page of your WordPress admin area.
If your website is under DDoS attack, the best way is to check the access logs of your server.
To view these logs, you need to login to the cPanel dashboard of your WordPress hosting account. Then find the ‘Logs’ section and click on the ‘Raw Access Logs’ icon
This will take you to the access logs page.
You will need to download the access log file by clicking on your domain name.
Your access log file will be in a .gz archive file. Click on this file to extract it.
If your computer doesn’t have a program that can handle .gz files, you’ll need to install one. Winzip and 7-zip are popular programs for Windows users.
Inside the Archive, you’ll see your access log file, which you can open in a plain text editor like Notepad or TextEdit.
The access log file contains the raw data for every request made to your website. Each line starts with the IP address of the person making the request.
Be careful not to block you, legit users, or search engines from your website. If you find any suspicious IP addresses, then use online IP lookup tools to get more information about them.
You will have to search your access logs for those IP addresses that are making unusually high requests. We will tell you how to automate this at the bottom of this article.
When you find those suspicious IP addresses, then copy and paste them in a separate text file
Blocking IP Addresses in WordPress
If you only want to block users with a specific IP address from commenting on your website, you can easily do this from within the WordPress admin area.
Just go to Settings » Discussion page, then scroll down and reach the ‘Comment Blacklist’ box
You just have to copy and paste the IP addresses you want to block and then click on the ‘Save Changes’ button.
Now WordPress will block users with these IP addresses from commenting on your website. These people can visit your website but will be shown an error message when they try to comment.
Blocking an IP Address Using cPanel
This method completely block IP address from viewing or accessing your website. You should use this method when you want to protect your WordPress site from hacking attempts or DDoS attacks.
First of all, login to your hosting account’s cPanel dashboard. Then scroll down and go to the Security section and click on the ‘IP Blocker’ icon.
This will take you to the IP Blocker tool.
Now here you can add the IP addresses that you want to block. You can also enter a single IP address or an IP range. After that click on the ‘Add’ button.
If later you need to unblock IP then you can come back to this page.
When IP Address Blocking Doesn’t Work – Automate It!
If you just want to block basic hacking attempts, a few specific users, or users from a country or region, block IP addresses will work.
But most hacking attempts and attacks come from random IP addresses that come from all over the world. Blocking all these random IPs manually is difficult.
That’s why you need a Web Application Firewall (WAF) like Sucuri or Cloudflare. These website security services protect your site through WAF.
In simple words: All your website traffic first goes through their servers. These servers scan the traffic and if any suspicious IP is found then they block it immediately.
For example, Sucuri blocked 450,000 WordPress attacks on our site in 3 months.
I hope you have learned from this article how to block IP addresses in WordPress. You can also check out our WordPress Security Guide for Beginners or check out our expert list of Best WordPress Firewall Plugins.
