How to Block IP Addresses in WordPress

What is an IP Address?

If internet was a physical world, then think of IP addresses as country, street, and house numbers. They are basically 4 sets of numbers from 0-255 separated by dots and look like this:

172.16.254.1

Each computer connected to the internet has an IP address assigned to them by their internet service provider.

All visitors to your website have an IP address which is stored in your website’s access log files. This means that all websites that you visit also stores your IP address.

You can hide this information by using a VPN service. This allows you to hide your IP address and other personal information.

Why & When You Need to Block IP Addresses?

Blocking an IP address from accessing your website is an effective way to deal with unwanted visitors, comment spam, email spam, hacking attempts, and DDOS (denial of service) attacks.

The most common sign that your website is under a DDOS attack is that your website will frequently become inaccessible or your pages will start taking forever to load.

The other attacks are more obvious such as when you start getting spam comments or a lot of spam emails from your contact form. We have a list of ways to fight spam comments, but the last solution is to block IP addresses.

Finding Out IP Addresses You Want to Block in WordPress

WordPress stores an IP addresses for users that leave a comment on your website. You can see their IP address by visiting the comments page in your WordPress admin area.

If your website is under DDOS attack, then the best way to locate the IP addresses is by checking your server’s access log.

To see those logs, you will need to login to the cPanel dashboard of your WordPress hosting account. Next, locate the ‘logs’ section and click on the ‘Raw Access Logs’ icon.

This will take you to the access logs page where you need to click on your domain name to download the access logs file.

Your access log file will be inside a .gz archive file. Go ahead and extract the file by clicking on it. If your computer does not have a program to handle .gz archive files, then you will need to install one. Winzip or 7-zip are two popular choices among Windows users.

Inside the archive, you will see your access log file which you can open in a plain text editor like Notepad or TextEdit.

The access log file contains raw data of all requests made to your website. Each line begins with the IP address making that request.

You need to make sure that you don’t end up blocking yourself, legit users, or search engines from accessing your website. Copy a suspicious looking IP address and use online IP lookup tools to find out more about it.

You will have to carefully look at your access logs for suspicious unusually high number of requests from a particular IP address. Tip: there’s a way to automate this that we share at the bottom of this article.

Once you have located those IP addresses, you need to copy and paste them in a separate text file.

Blocking IP Addresses in WordPress

If you just want to stop users with a specific IP address from leaving a comment on your site, then you can do that inside your WordPress admin area.

Head over to Settings » Discussion page and scroll down to ‘Comment Blacklist’ text box.

Copy and paste the IP addresses that you want to block and then click on the save changes button.

WordPress will now block users with these IP addresses from leaving a comment on your website. These users will still be able to visit your website, but they will see an error message when they try to submit a comment.

Blocking an IP Address Using cPanel

This method completely blocks an IP address from accessing or viewing your website. You should use this method when you want to protect your WordPress site from hacking attempts and DDOS attacks.

First, you need to login to cPanel dashboard of your hosting account. Now scroll down to the security section and click on ‘IP Address Deny Manager’ icon.

This will take you to the IP Address Deny Manager tool. Here you can add the IP addresses you want to block. You can add a single IP address or an IP range and then click on the add button.

You can come back to the same page again if you ever need to unblock those IP addresses.

When IP Address Blocking Doesn’t Work – Automate It!

Blocking an IP address would work if you are just blocking some basic hacking attempts, specific users, or users from specific regions or countries.

However, many hacking attempts and attacks are made using a wide range of random IP addresses from all over the world. It is impossible for you to keep up with all those random IP addresses.

That’s when you need a Web Application Firewall (WAF). For the WPBeginner website, we use Sucuri. It is a website security service that protects your website against such attacks using a website application firewall.

Basically, all your website traffic goes through their servers where it is examined for suspicious activity. It automatically blocks suspicious IP addresses from reaching your website altogether. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

We hope this article helped you learn how to easily block IP addresses in WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.