Website security should be a top priority for every WordPress user. You’ll need to find ways to keep out troublesome bots and malicious users, so they can’t target your site with spam or steal sensitive information. Sometimes, that requires learning how to block IP addresses in WordPress.
This is possible through the use of ‘blacklisting’ – a technique that restricts specific IPs from using certain features on your site, or keeps them from accessing it altogether. For example, you can use blacklisting to ban addresses that have raised specific red flags, or to keep spammers out of your comments section.
An introduction to blacklisting
Every user who visits your WordPress site has an IP address. This number identifies a particular Internet connection (network) and remains constant even if the same user creates multiple accounts. This means you can use IP addresses to keep an eye on your visitors and spot any that appear to be malicious.
The following are examples of red flags that will indicate that the user of a specific IP address is potentially malicious:
- A high number of consecutive login attempts (indicating a potential attempt to hack your site).
- Lots of spam comments posted by users from the same IP address.
- Access attempts on sensitive or restricted information by an unknown user, or a user without the correct permissions.
If you see a pattern of suspicious activity like this, you can ‘blacklist’ the IP addresses involved. In other words, you can ban any users originating from that address. This can either be a total ban – so they can’t access your site at all – or it can simply be a restriction from specific features or areas of your site.
As an alternative approach, you can also use “whitelisting”, which is essentially the opposite – all IP addresses are blocked except for specific IP addresses that are allowed. We also wrote an article about whitelisting IP addresses in WordPress.
How to block IP addresses in WordPress (2 methods)
As we mentioned earlier, one of the most useful aspects of blacklisting is that you can choose exactly what you want to block suspicious users from doing. Now, let’s discuss how to block IP addresses in WordPress using two different methods. The first will be a more targeted strategy, while the second keeps problematic users out of your entire site.
1. Block specific IP addresses from using your comments section
A common use for blacklisting is to prevent spammers and bots from posting unwanted messages in your comments section. If you visit the Comments tab in your WordPress dashboard, you can see the IP address each message was posted from:
When you notice multiple spam comments resulting from the same IP – even if they’re posted by different users – you can simply block that address. To do this, navigate to Settings > Discussion and look for the Comment Blacklist field:
Here, you can paste in any problematic IP addresses. Save your changes, and users from those IPs will no longer be able to post comments on your site.
If you’re worried about accidentally blacklisting legitimate users, you can instead place suspicious IPs in the Comment Moderation field just above. New comments from those addresses will then be held for your approval, so you can keep an eye on them to see if they are actually spammers.
2. Ban IP addresses from your site completely
Of course, you may also want to block users with a pattern of suspicious activity from accessing your site altogether. To do that, you can make a simple addition to one of your WordPress files. Make sure you have a recent backup in place first, as a security precaution. Then, you’ll need to log into your site directly using File Transfer Protocol (FTP). If you’ve never done this before, you can check out our beginner’s guide to FTP.
With your FTP client open and running, look for your website’s root folder. This is often named after your domain, but might also be called www or root. With this folder highlighted, find the .htaccess file:
Right-click on this file, and select View/Edit. This will open the file in your default text editor, enabling you to make changes. On a new line at the bottom of the file, paste in the following snippet:
Allow from all
Deny from 111.222.333.444
You’ll want to replace the string of numbers in the final line with the first IP address you want to block. Then you can add additional Deny lines, each with a new IP. Save the file, and users from those IP addresses will no longer be able to access your site.
If you don’t like editing your .htaccess file directly, you can also use the free All In One WP Security & Firewall plugin:
Locating IPs for your blacklist
As you can see, learning how to block IP addresses in WordPress is pretty simple. There’s one step we still haven’t covered, though – how to find the IPs you’ll need to ban. This is trivial when you’re dealing with comments, as we discussed earlier. However, it’s a little trickier when you’re looking for suspicious IPs that you want to keep out of your site completely.
There are a few ways you can pinpoint IPs that may be malicious. You can use an activity log plugin, for example, which will keep a record of everything significant that happens on your site. By looking through the resulting logs, you can identify IP addresses that have made too many login attempts or tried to access sensitive information. If you don’t have an activity log plugin set up on your site already, WP Security Audit Log is an excellent choice.
In addition, you can often find some of the same information in your web host’s logs. Visit your hosting control panel, and look for the option called Raw Access or Raw Access Logs:
Here, you can download a file with information about all the access attempts made on your site. Once again, you can then look for IP addresses that have tried to gain access to sensitive pages, or have made an unusually high number of login attempts. If you have trouble locating this option in your control panel, you can usually find help in your hosting provider’s documentation.
Understanding these logs and figuring out which IPs to block can take a little practice. However, spending time to ensure your site’s security is always time well spent.
Blacklisting might initially sound like a bad thing, but it’s actually a very useful method for protecting your website. By learning how to block IP addresses in WordPress, you can keep hackers and spammers at bay without inconveniencing your legitimate users.
Once you’ve decided to implement blacklisting on your site, here are two ways you can get the job done:
- Block specific IP addresses from your comments section, using default WordPress functionality.
- Ban IP addresses from your site completely, by making a change to your .htaccess file.