You can easily block visitors from a specific country on your WordPress website. In this post, we are going to learn how to block IP addresses from a certain country to increase the security of our website and combat brute force attacks that come from specific countries.
If you use a plugin that allows you to monitor requests and attacks on your website, you may have noticed that users from certain countries only access a specific type of WordPress page.
What would a user from a country like Russia, Korea or Malaysia be doing trying to log in to my website?
Nothing good for sure!
Normally the pages they try to access are the WordPress login or registration page and the XML-RPC file. You can also disable XML-RPC in WordPress to make it more secure.
And it is no coincidence, since these are parts of WordPress with known vulnerabilities through which they will try to sneak in spam, inject code, steal data, access your administration panel or simply take down your website. You can also use a WordPress vulnerability scanner or plugin to find vulnerabilities in your own WordPress website.
So today we are going to teach you how to block countries in WordPress so that users from certain countries cannot access your entire website, or only the WordPress admin.
Geo-blocking consists of blocking certain internet services and products based on the IP address of the person trying to access them, according to restrictions established by the country’s authorities or by the selling company.
In practice, the world of the Internet is not as global as we might a priori think, since through geo-blocking and the use of technological protection measures (TPM), access from locations that are not allowed is prevented, which is a limitation on international electronic commerce.
IP Geo Block is a free and very complete plugin with more than 10,000 active installations. It allows us to block countries according to their country code and also:
If you don’t already know which countries to block from accessing your WordPress website, you can still stop bad traffic in its tracks: there are a few ways to find out. We can also restrict or block specific IP addresses from logging in to the WordPress dashboard, either with WordPress plugins for blocking IP addresses or with a manual method of blocking IP address access to WP admin.
All-in-one WP Firewall and Security is a free, comprehensive, and easy-to-use firewall plugin solution for your WordPress site. It reduces security threats by implementing the latest WordPress recommended security practices as well as checking your website’s security weaknesses as a whole.
Apart from login, database, and file system security features, you also get lots of firewall features by installing the plugin.
These include the ability to refuse bad or malicious query strings, protection against WordPress Cross-Site Scripting (XSS) attacks, WordPress pingback vulnerability protection, the ability to log all 404 events on your site, etc.
You will also be able to prevent other people from hotlinking your images and stop fake Google bots from crawling your site. In addition to all this, you will have access to the cookie-based brute force login prevention feature, which allows you to instantly block brute force login attacks.
Some other features include adding a simple math captcha to the WordPress login form to combat brute force login attacks, the ability to rename your admin login page URL (to prevent hackers and bots from reaching your real WordPress login URL), etc.
Finally, the plugin comes with impressive support and can be translated into over 10 languages.
Bulletproof Security is another freemium plugin that comes with comprehensive security protection and enough features to provide decent protection for any medium-sized website. Its free features include an app-level firewall, a WordPress malware scanner, a comprehensive setup wizard, connection security and monitoring, an anti-spam filter tool, maintenance mode, and more.
The professional features include a self-restoring and quarantining intrusion detection and prevention system, automated IP address whitelisting, and real-time IP address updates.
Although not the most user-friendly option, Bulletproof Security is a great plugin as it comes with a lot of unique features compared to other firewall plugins on the market.
In any case, to find the source of bad requests, install either of these two plugins. You can also find out exactly where the traffic to your site is coming from with the help of Google Analytics.
On your Google Analytics dashboard, go to Sessions by Country > Location Overview to find details about your users. Here you will see a visual representation of your global traffic.
Google Analytics will only show you where the traffic is coming from, not what type of traffic you are receiving. Based on your website content and audience profile, you will be able to determine if traffic from a country is detrimental to your website.
In this Google Analytics web traffic report, you can see which channels drive the most traffic to your website. For example, you can see that organic search has the highest number of visitors. These are the people who come from search engines.
Through the Google Analytics web traffic report you will also understand which campaigns perform better.
As we know, the CMS itself does not have built-in functionality to optimize content based on location.
Fortunately, there are many free and premium plugins available to help you. These WordPress geotargeting plugins can enhance websites for a global audience. Most plugins require a free or paid API key to request IP geolocation information from the plugin vendor’s server or a third-party server.
Let’s look at some plugins that can help you optimize traffic, as well as do other things based on visitors’ IP addresses.
The IP2Location Country Blocker plugin gives website owners the ability to limit and block country IP addresses in WordPress. The plugin is packed with features and allows you to easily restrict access to the website content as you see fit.
Once the plugin is installed, you will be able to restrict content as well as allow or deny visitors from certain countries access to your website. Have you been looking for an easy solution to block country IP addresses? Then this is it.
IP2Location Country Blocker comes with a lot of features. Some of the main ones include:
If you are looking for an easy-to-use and easy-to-configure solution to block country IP addresses, then IP2Location Country Blocker is a great option.
WP-Ban is a slightly more advanced version of Simple IP Ban!
It not only allows you to ban a certain list of IPs but also lets you ban an entire IP range (for example, if you want to block a particular ISP).
You can also whitelist certain IP addresses that you do not want to ban. The plugin itself will display the message notifying the user about the ban every time the user tries to access the blog.
You can also monitor the number of attempts made to visit your blog using the statistics recorded by the plugin. It also displays your own details to make sure you don’t lock yourself out in the process.
How to use WP-Ban?
Step 1 – Simply install and activate the WP-Ban plugin from the WordPress repository.
Step 2 – You will find the options for this WordPress IP blocker under “Settings” in your WP admin panel.
Step 3 – From the WP-Ban settings page, you can choose to list the IPs you want to ban or select an IP range based on your preferences. You can also set a custom message for banned users.
Step 4 – Once all the options are set, just click “Save Changes” to start.
iQ Block Country is quite similar in function to the plugin above, allowing you to permit or restrict visitors from specific countries from viewing parts of your content. It is effective at blocking hackers and spam comments from entire countries as well. And if you want to allow some visitors from blocked countries, that is also possible: you only need to whitelist their IPs.
The plugin provides almost iron-clad security to your admin page by allowing entry only to specific IP addresses or addresses located in your home country. Visitors who are denied entry may be redirected to another page or website. Or, you can show them a message that can be styled using CSS.
To use the plugin, you will need to download the GeoIP database from a third party or get an API from them to get access to the geodata. The plugin works well with many (but not all) caching plugins.
WP GeoIP Country Redirect is a country-specific redirection WordPress plugin. Have you ever needed a reliable tool for your WordPress-based website to help you redirect visitors by country? Look no further! WP GeoIP Country Redirect automatically detects your users’ countries based on their IP address and acts accordingly.
With GeoIP it is possible to manage your website traffic by redirecting visitors from different countries to specific posts or pages. You can use it for many advantages like:
It has some advanced features such as IP address exceptions, an “all countries except one” rule, a No Redirect parameter in the URL, a Redirect Once cookie function, etc.
Once installed, we go to Settings > IP Geo Block to start configuring it.
First, we are going to configure the validation rules, where we will create a white list and a black list of countries.
The most advisable thing is to put the country from which we normally connect on the white list, and the countries from which we have detected that attacks are constantly reaching us on the black list.
First, we press the “Scan Your Country Code” button. This option shows us the country code from which we are connecting.
Then we configure the white and black list of countries. The white list will be the countries that will not be blocked or that will have access allowed.
And in the blacklist, we will configure the countries that we want to block.
In the drop-down of the “Matching rule” option, we simply choose Whitelist or Blacklist.
Then we enter the code of each country, separated by commas, in the “Whitelist of country code” or “Blacklist of country code” option, depending on whether we want to allow or block it.
We can find the country codes in the link below the option or here.
For example, the code ES represents Spain and RU represents Russia.
ZZ is the code for unknown countries. It is useful when attackers hide the country from which they connect, and by default it is placed in the blacklist.
In the “Whitelist of extra IP addresses prior to country code (CIDR)” option we can configure a white list by IP, to enter our own IP or the IPs of the external service servers we use, such as the servers of the Jetpack plugin.
With the “Response Code” option we choose the HTTP error that will be shown to users from restricted countries. By default, it is set to 403 Forbidden.
“Max number of failed login attempts per IP address”: this option configures the number of failed login attempts an IP can make before being blocked.
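The validation rules described above, as an added example and not the plugin’s own code: a matching rule (whitelist or blacklist) over comma-separated country codes, ZZ for addresses the database cannot place, and an extra CIDR whitelist that is checked before the country lookup. The GeoIP table is a constructed stub built from RFC 5737 documentation ranges, and the whitelisted service range is likewise constructed.

```python
"""Model of IP Geo Block-style validation rules (added example, not the plugin's code)."""
import ipaddress

# Constructed stand-in for a GeoIP database (network -> ISO 3166-1 alpha-2 code).
# A real deployment queries a MaxMind/IP2Location database or API here.
GEOIP_STUB = {
    ipaddress.ip_network("203.0.113.0/24"): "ES",   # labelled Spain
    ipaddress.ip_network("198.51.100.0/24"): "RU",  # labelled Russia
    ipaddress.ip_network("192.0.2.0/24"): "US",     # labelled United States
}


def lookup_country(ip):
    """Return the country code for ip, or 'ZZ' when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEOIP_STUB.items():
        if addr in net:
            return code
    return "ZZ"


class CountryRules:
    def __init__(self, matching_rule, country_codes, extra_ip_whitelist=(), response_code=403):
        if matching_rule not in ("whitelist", "blacklist"):
            raise ValueError("matching rule must be 'whitelist' or 'blacklist'")
        self.matching_rule = matching_rule
        # Codes are entered comma-separated, as in the plugin's text field.
        self.codes = {c.strip().upper() for c in country_codes.split(",") if c.strip()}
        # "Whitelist of extra IP addresses prior to country code (CIDR)"
        self.extra_ips = [ipaddress.ip_network(c, strict=False) for c in extra_ip_whitelist]
        self.response_code = response_code

    def evaluate(self, ip):
        """Return (allowed, reason) for one client address."""
        addr = ipaddress.ip_address(ip)
        # The extra IP whitelist is checked before any country lookup, which is how
        # an external service's servers keep working despite a blacklisted country.
        for net in self.extra_ips:
            if addr in net:
                return True, f"ip whitelisted via {net}"
        code = lookup_country(ip)
        if self.matching_rule == "whitelist":
            allowed = code in self.codes
        else:
            allowed = code not in self.codes
        return allowed, f"country {code} {'allowed' if allowed else 'blocked'}"

    def response(self, ip):
        """HTTP status the visitor receives: 200, or the configured error code."""
        allowed, _ = self.evaluate(ip)
        return 200 if allowed else self.response_code


if __name__ == "__main__":
    # Blacklist Russia and unknown locations, but keep a constructed service range reachable.
    rules = CountryRules("blacklist", "RU, ZZ", extra_ip_whitelist=["198.51.100.0/28"])
    for ip in ("203.0.113.5", "198.51.100.7", "198.51.100.200", "10.0.0.1"):
        print(ip, rules.response(ip), rules.evaluate(ip)[1])
```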
This is where WordPress website monitoring comes in, helping you with a user activity log. There could be serious consequences if you are unable to monitor user activity in WordPress.
Once these options are configured, we move on to the options for blocking the back end by country.
In these options, we can choose who will have access to the different parts of the back end according to the white or black list of countries that we configured previously.
We simply have to check the “Block by country” checkboxes to activate blocking for each option.
Admin area and Login form protect the administration area and the WordPress login, registration and lost-password forms.
By default, they are checked, and it is recommended to keep them checked to have the minimum security configuration of this plugin.
Comment post: this option protects the comment forms. It is not checked by default, since if we use an external comment system rather than the original WordPress one, we could cut off that system’s access.
XML-RPC: this option activates protection of the WordPress XML-RPC file, which takes care of pingbacks and is also used by mobile applications and some plugins such as Jetpack. If Jetpack is not installed in your WordPress, you can disable the XML-RPC file manually or by using a plugin.
With this type of option you have to be careful if you have many countries on the blacklist: if you use external services with their own servers, they may be affected and stop working.
Or you can also include the IPs of the servers of external services in the IP whitelist.
And with these rules, it will be enough to secure the login and the XML-RPC file, which are the most attacked parts of a WordPress installation.
Admin Ajax is a file used by multiple services for both visitors and administrators, and many themes and plugins rely on it to function properly, so we recommend that you do not activate blocking for this option.
With the Plugins area and Themes area options, we can disable access by country to the folders on our server where our plugins and themes are located.
In the Front-end target settings section of the plugin options, you can configure the blocking of the public part of your website.
In other words, visitors from the countries on the blacklist, whether they are bots or humans, will not be able to see the content of your website.
This part of the configuration is optional and is not usually configured since we normally want everyone to be able to see the content of our website.
We simply activate it and choose whether to use the validation rules we created at the beginning or to create a specific white or black list for the public part.
We can choose to hide our entire website or only the specific pages we do not want to be seen.
And with that we have finished configuring the plugin. As you can see, it is very complete: we can see statistics and logs in the different tabs, and if we want to uninstall it without leaving a trace in the database we can use the “Remove all settings at uninstallation” option.
You can find more information about this plugin on the IP Geo Block website.
In addition to functioning as a CDN, Cloudflare includes features to enhance your website security. Through its firewall, you can block and control visitors with IP addresses from certain countries.
The first thing to do is log in to your Cloudflare account. Open the Firewall application, then add a new line in the Access Rules section and select the action to perform from the drop-down menu.
To enter a country, you can use its two-letter country code; in the image above you can see, for example, “US” for the United States.
The 4 actions available are:
Click the green Add button to confirm and add this new rule.
You can also use the .htaccess file to block users (and bots) from a certain country from accessing the site. It is a configuration file read by Apache web servers that includes, for example, redirect instructions in case of errors.
Considering the importance of redirects for SEO and for traffic to your site, we always recommend that you make a backup before editing the .htaccess file.
You can use several tools to access and modify this file. You could, in fact, open it from cPanel using the file manager or an FTP client, or use a specific plugin.
It is also important to note that attackers have been using .htaccess for quite some time. Whether they want to redirect search engines or hide malware, this file is their first choice. Preventing WordPress .htaccess hacking should therefore also be considered.
Since many of our users use Yoast SEO on their WordPress site, we will explain how to edit the .htaccess file using this plugin.
After activating the plugin, a menu called SEO is added in the WordPress admin sidebar. First, you need to make sure that you have enabled the Advanced Settings feature of the plugin.
Click on the Dashboard, then open the Features tab. Here you can enable the Advanced Settings Pages option, as you can see in the image below.
After doing this and saving the changes, the new Advanced and Tools entries will be added to the Yoast SEO menu.
Click Tools, then select Edit File. This tool allows you to edit the robots.txt (which we have already told you about here) and .htaccess files.
You can use a service like Country IP Block to select the country to block and generate a list of IP addresses. Simply choose the country, select .htaccess Deny and copy the generated list.
Once you open the .htaccess file, you can block specific IP addresses from your WordPress site by adding these lines:
order allow,deny
deny from 192.168.0.1
allow from all
You can enter the list of IP addresses to block in place of the “deny from” line. “Allow from all” means that access is granted to all IPs except those listed in the deny lines.
However, this approach has some drawbacks. The deny directive instructs the server to check the full list for each individual request, which slows down server and site performance.
We suggest you use this procedure only when the number of IP addresses to be blocked is very low. Otherwise, using Cloudflare is a better solution.
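The .htaccess procedure above, as an added example that is not part of the original post: it takes a generated deny list, collapses adjacent ranges so Apache has fewer Deny lines to evaluate per request, and carves out the addresses that must never be blocked (your own IP, the servers of services the site depends on) so the generated block cannot lock you out. Every address is constructed from RFC 5737 documentation ranges; Apache’s `Deny from` accepts CIDR notation.

```python
"""Build the Order/Deny/Allow block from a country range list without locking
ourselves out. Added example, not code from the original post."""
import ipaddress

# Constructed stand-in for the list a service such as Country IP Block would emit.
COUNTRY_RANGES = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the line above: collapses into one /24
    "203.0.113.64/26",
]
# Constructed: the administrator's IP and an uptime-monitor IP that must stay reachable.
MUST_ALLOW = ["203.0.113.100", "192.0.2.44"]


def parse_ranges(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def collapse(ranges):
    """Merge adjacent or overlapping networks: Apache evaluates every Deny line on
    each request, so a shorter list directly reduces the per-request cost."""
    return list(ipaddress.collapse_addresses(parse_ranges(ranges)))


def lockout_conflicts(ranges, must_allow):
    """List (address, network) pairs where a required address falls inside a deny range."""
    nets = parse_ranges(ranges)
    return [(ip, str(net)) for ip in must_allow
            for net in nets if ipaddress.ip_address(ip) in net]


def carve_out(ranges, must_allow):
    """Split any deny range containing a required address so that address is no
    longer covered. With 'Order allow,deny' a matching Deny wins over Allow, so
    simply adding an 'Allow from <ip>' line would not be enough."""
    nets = collapse(ranges)
    for ip in must_allow:
        host = ipaddress.ip_network(ip)  # single-host network (/32 or /128)
        remaining = []
        for net in nets:
            if host.subnet_of(net):
                remaining.extend(net.address_exclude(host))
            else:
                remaining.append(net)
        nets = remaining
    return sorted(nets)


def covers(nets, ip):
    """True if any network in nets contains ip (used to verify the carve-out)."""
    return any(ipaddress.ip_address(ip) in net for net in nets)


def render_htaccess(ranges, must_allow=()):
    """Render the block in the form used on this page; single hosts are written bare."""
    lines = ["Order allow,deny"]
    for net in carve_out(ranges, must_allow):
        target = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
        lines.append(f"Deny from {target}")
    lines.append("Allow from all")
    return "\n".join(lines)


if __name__ == "__main__":
    print("conflicts before carving:", lockout_conflicts(COUNTRY_RANGES, MUST_ALLOW))
    print(render_htaccess(COUNTRY_RANGES, MUST_ALLOW))
```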
Depending on your reasons for implementing geoblocking, there are usually better and more robust solutions that serve the purpose.
As a rule of thumb, we do not recommend geoblocking on your WordPress site, for several reasons. If your primary reason is to block threats, install a security plugin on your website and avoid all this hassle.
There are two implications of not resolving IPs correctly: one, you can inadvertently block users you want from another country; two, the block may not work completely. Either way, the solution is not perfect.
If you ban traffic from an entire country, it is like throwing the baby out with the bathwater. There may be legitimate traffic from those countries, and you will lose their visits altogether.
For instance, one user saw a lot of phishing scams on their website originating from Germany. He was tempted to block traffic from Germany too, but couldn’t: services that his website relied on, like uptime monitoring and backup services, ran on servers located in Germany.
This is a serious entry on the list. Blocking countries by IP can affect Google rankings because blocking can inadvertently block Google bots from crawling your website. This is especially true if you want to block countries in North America and Europe, where Google bots are located. Depending on the method you use, country blocking may or may not be able to make an exception for friendly site crawler bots.
It sounds absurd but happens quite often. There have been cases where website owners have been blocked from their own websites because of the imprecise nature of geoblocking. It is then a complicated task to reverse the inadvertent block.
Blocking a country doesn’t guarantee that your website is safe from malware and phishing scams. To mount a multi-pronged and more successful attack, malware can be staged on devices across the world, potentially in countries that are whitelisted.
In our opinion, it is a poor substitute for a good firewall.
If your geoblocking is relying on a database for lookups, an error in the database could result in something getting blocked inadvertently, or not getting blocked when it should be.
This is especially the case because IP addresses, and by extension IP address ranges, keep changing. If you have used one of the manual methods with an ACL to block countries, you will have to periodically update the list to make sure it still works.
Savvier malicious actors will use proxies or VPNs to bypass country block rules. You may actually succeed at blocking direct traffic, but a percentage of the bad traffic will find a way to circumvent it.
There is some evidence that shows that Google Ads penalize sites with geoblocking. Many users have reported seeing their ads disapproved after restricting traffic from other countries.
In some cases Google Ads are disapproved or stop working due to a malware attack or a malicious script injected into the website code. If Google AdWords identifies a WordPress site as a carrier of malicious or unwanted software, it won’t run any of your ads linked to that site, and any new ads pointing to that site will also be disapproved.
When you think of country blocking, you usually want to block traffic from a few countries. However, there are other ways of implementing blocks as well:
Block everyone, and whitelist specific IP addresses as required: This is obviously a very drastic measure, so it is highly dependent on the use case of the website. Often this method is used when the site has a minuscule and specific audience or may contain sensitive information.
Only block access to the login page, as opposed to the entire frontend of the website: This method is often suggested as a workaround to the Google Ads issue described in the previous section.
Blocking countries is an advanced security measure that should not be implemented lightly, for the reasons above, and in most cases having a limit on login attempts configured is more than enough to have a secure website.
If you still want to use WordPress access blocks by country, we recommend:
If you are blocking countries with the .htaccess file, update the IP addresses.
You get a lot of comments and registration requests from bots or suspicious users. By analyzing the data, you find that they all come from a specific country or have similar IPs.
In these cases, you can decide to block IP addresses from a particular country. If you are in this situation, you can do this by using a service such as Cloudflare or by editing the .htaccess file.
This is quite a drastic solution, so it is necessary to weigh the benefits and risks. If the list of IPs to block is not too long, you can use the .htaccess file, otherwise, Cloudflare is a simple and easy solution to implement.
Have you ever been in such a situation? Have you ever had to block individual IP addresses or entire countries? If you think the solution to block IP addresses from a particular country in WordPress isn’t that easy then contact WP Hacked Help team.