Table of Contents [TOC]
- Block IP Address in WordPress Admin
- Why Restrict IP Addresses in WordPress?
- Identifying Problematic IP Addresses
- Restrict IP Addresses in WordPress – Manually & Plugins
- Blacklisting WordPress Commenters
- Block ip addresses Using .htaccess
- IP Blocker on Cpanel to Block IP addresses
- Block IP Addresses WordPress Plugins
- Is Your Website Secure?
- Final Thoughts
- Like this:
Ever received unwanted comments from your site’s visitors?
Want to block the IP address for username login in WordPress?
Want to Automatically blacklist range of IP addresses?
If you’ve answered yes to either of these questions, then chances are good that unauthorized users may be trying to gain access to your site.
Are you worried about the security of your WordPress site? Want to secure the WP Administrative panel?
You need to consider Blocking IP Addresses in WordPress. Restricting admin access by IP Address is an effective method to secure your WordPress admin panel
In this article, we’ll tell you how to restrict/block specific IP Addresses to Login in WordPress Dashboard, WordPress plugins for Blocking IP Addresses in WordPress
Securing your website is critical, as it holds both your personal information and any other data that users share with you. That’s why dealing with these invaders should be a top priority. One easy way to get rid of them is by blocking any IP addresses that seem malicious.
You’ll learn how to Block Specific IP addresses in WordPress and enhance your website’s security in this article. Let’s dive in. Before that, dont miss out our post on how to whitelist ip address in wordpress?
Why Restrict IP Addresses in WordPress?
Spammers or hackers may be trying to attack your website. Need to blacklist IP addresses in WordPress to prevent spam or malicious users? By blacklisting their IP addresses, you can keep them out. Here are 4 reasons why you may want to block them:
1. Too much spam
Commenters may be contributing regularly to your site’s spam. You’ll often discover some shady advertisements in your comment section. By blocking these dubious visitors, you’ll be able to:
- Allow your site to remain SEO healthy. Read – How Does WordPress Website Security Affect Your SEO Rankings?
- Save time that would’ve been used moderating comments.
- Make your site appear more professional.
- Prevent the spammers from simply creating another account.
- Prevent brute force attacks on wordpress site
- Prevent attacks such as SEO spam, spam links injection, wordpress site redirecting to another site, japanese keywords hack, SQL injection, Pharma hacking and many other types of hacks which occur due to various security vulnerabilities in a wordpress site.
2. Annoying bots
Some users may not be spamming per se but they may be interacting like bots. Their presence can present a lot of challenges, especially if you’ve set up a user forum. Restricting suspicious IPs stops these bots in their tracks.
You may be limiting your site’s access to only authorized visitors who aren’t required to create individual accounts. You can fend off unwanted users by restricting IPs to only those users in specific regions. Unfortunately though, if they’re using SSL proxies, it won’t be easy to identify them.
Also Read: How To Change Your WordPress Username
4. Hacker attacks
A staggering 90% of hacked websites are built on WordPress, a Sucuri study states. Hackers primarily use two ways to gain illegal entry to your site: DDoS and brute force. Identifying shady IPs and restricting them helps obstruct these attackers and is one of the advanced tips you can use to secure your wordpress site from hacking
Identifying Problematic IP Addresses
You can find IP addresses you want to block using these two ways:
First, you need to have an idea of which IPs are causing issues before you can blacklist them. If you discover they’re from spammy or dodgy commenters, then the blacklisting process becomes easy.
WordPress stores the address of all your site’s commenters. To get their address, visit the dashboard then navigate to the ‘’Comments’’ section.
The ‘’Author’’ section will display the IPs of every commenter, right below usernames and email addresses. Write down the IPs you want to shut out – you’ll key them into specific fields later.
Raw Access Logs
Finding IP addresses, when your site is facing DDOS attacks, can be challenging. In such cases, you can obtain IPs by looking into your access log.
You have to log in to cPanel. Click on ‘log’ and scroll to ‘’Raw Access Logs’’. Selecting this section will lead you to the access logs section. Here, you have to choose your domain name, and then download your access logs file.
Downloaded access log files are normally in .gz archive formats. To use the file, you have to extract it. Some computers don’t have the programs necessary to open such files. If this is the case, then you need to install a program that supports such files. Two popular apps for extracting folders are WinZip and 7-Zip; you can download them on any Windows device.
Your access log folder, which you’ll find inside the archive, can only be accessible via a Notepad or any similar apps. The folder gives you access to all raw data of requests sent to your site. IP addresses making these requests appear first on the line, so they’re very easy to get hold of.
If you’re not careful, you can restrict the IP addresses of search engines and other normal users. To capture the right IPs, you have to first record all IPs that seem suspicious. You can then paste them into any IP lookup tool so that you can analyze them further.
Receiving too many requests from a single address may be an obvious sign that you’re dealing with a dubious IP. Note down such addresses in a different text file, as they may be up to no good.
Restrict IP Addresses in WordPress – Manually & Plugins
You can restrict IP addresses using two methods:
- Manually block them from the “Comment Blacklist’’ section
- Using plugins
We’ll look into both methods below. These are the best way to block IP addresses in wordpress to invaders and DDoS attackers
Blacklisting WordPress Commenters
To blacklist IP addresses and prevent them from leaving comments, visit the “Settings” column. Scroll to ‘’Discussion”’ and click on “Comment Blacklist.” Paste all the IPs you want to keep out.
Block ip addresses Using .htaccess
To manually block IP addresses, you have to use the .htaccess file. When blacklisting IPs using this file, you’ll use varying methods, depending on the IP address type. These types include:
Static IP address
If you have a single PC in your home that you always use to access your site, then you have a static IP address. This blacklisting method may be perfect for you if you barely ever change your address or if your site is only run by you and maybe a few people. You’ll need to include one or multiple addresses of people who can get into your site’s login page.
The following code will help you add a few IP addresses to your safe list, so you can keep away any unauthorized IPs. Make sure you click ‘Save’ before closing the file.
Dynamic IP Addresses
If you’re regularly accessing your site from different locations, then this solution may work for you. You need to enter this code into your file:
Remove the ‘’your-site.com’’ part and insert your website’s URL, then update the path in the first and second lines. The code also comes with an error page that prevents your site from falling into the trap of a redirect loop.
Malicious users may try to gain access to your login page illegally with brute force attacks. The above code will lock these hackers out while giving access to legit visitors who come to the page using your actual site. These legit users won’t be able to tell the difference.
With a security plugin that shows you unsuccessful login attempts, you can see the difference this code makes with dynamic IP addresses.
To allow access to the WordPress admin dashboard to more than one IP address,
add the code as below,
order deny,allow # Replace the below 184.108.40.206, 220.127.116.11 with the IP addresses you want to allow # allow from 18.104.22.168 allow from 22.214.171.124 deny from all
Apart from this, you can take help from following WordPress plugins to Ban IP Addresses to Login on WordPress Dashboard.
To allow only your IP to access the dashboard.
Write the following code to your .htaccess file. If you do not have an .htaccess file in your wp-admin directory, then simply create a new one.
order deny,allow # Replace the below 126.96.36.199 with your IP address # allow from 188.8.131.52 deny from all
Above code will allow only IP address mentioned above to access the WordPress admin dashboard.
IP Blocker on Cpanel to Block IP addresses
This method is the best way to block IP addresses of site invaders and DDoS attackers.
Firstly, login to Cpanel of your site, scroll to the “Metrics” menu and select “Raw Access”.
Each logged visit includes your site visitor’s IP addresses as well as the time and date of each visit. All you need to do is click on the link to download all the information. You can also extract the IP address using any zip folder application like Express Zip or WinZip. You can then view the information by using any modern text editors like Notepad, Notepad++.
Be sure to look up the extracted IP addresses through an IP lookup tool such as this one by mxtoolsbox. This will help you identify the IP addresses that you would want to block traffic from.
Next, scroll to “Security” section of your cpanel, and click on IP Blocker.
- Type into the text-box the IP address you wish to block. You can type in a range of IP addresses you wish to deny access to your site.
- Click Add.
These IP addresses will surely no longer be able to access your site.
Block IP Addresses WordPress Plugins
Security plugins help automate the process of restricting IPs – you don’t need to look for hackers manually. Some of the most popular blocking plugins include:
Similar to the Simple-IP ban, WP-ban users can block any specific IP or an IP range. The plugin displays a ban message to any of the banned users who try to visit your site. In addition to wildcard matching, it also allows you to set aside specific addresses to prevent them from getting a ban. Whenever these excluded addresses visit your site, Wp-ban records stats on the number of times they visit your website.
To use the plugin:
- First, install and activate it normally
- Go to ‘’Settings”
- Click the ‘’Ban” option. You’ll get a page showing banned IPs and IP ranges
- Customize the page, adding or removing certain IP addresses
- Save the changes
A free plugin, Simple IP ban does as its name suggests: blocks IP addresses through a simple process. To use the plugin, first, download it just as you would any other. Then head over to “Settings.” Click ‘’Simple IP ban” and configure the plugin.
At the ‘’Settings’’ section you’ll be able to:
- Ward off bots by blocking some User Agents
- Restrict a specific IP (you can keep out a service provider)
- Restrict an IP Range
Also, you can establish a redirect URL and prevent logged-in users from being blacklisted.
Also Read – How To Delete Invisible Admin User In WordPress?
WordPress typically allows all users to access your site, granting unlimited login attempts by leveraging special cookies. This unlimited access leaves your site open to brute-force attacks, as your passwords and hashes can easily be hacked.
Login Attempts blacklists IP addresses, preventing users from making any more login attempts after they’ve surpassed the designated number of retries allowed. In essence, the plugin makes it difficult for dubious users to execute a brute-force attack.
Some of the plugin’s features include:
- Caps on retry login attempts for every IP. You can change this limit to a number that suits your site.
- Allows you to limit attempts using auth cookies.
- Informs visitors about the remaining number of allowed retries, or how much time they have until it blocks them out.
- Allows for optional notifications
- Enables website owners to whitelist IP addresses with the help of a filter.
To use the plugin:
- First, install the plugin from the WordPress dashboard.
- Go to “Settings” and click on the plugin’s menu. This window will pop up.
- You can then set the attempts limit, the lockout time, and many other options.
Also Read – How to Monitor User Activity in WordPress?
The simple security plugin allows you to track logins and unsuccessful login attempts on your dashboard. By upgrading to its premium version, you can get features that include:
- Regular email alerts that you can configure when certain conditions are met
- Optional alerts when the plugin blocks a new IP address.
- Optional alert after every successful login attempt.
- Optional alert to your email every time a user’s login attempt fails
- Lifetime Priority Support
Here’s how you can use the plugin:
- Install the plugin, just like you would other WordPress plugins
- Go to Settings and click the plugin’s menu option.
- Make the changes to what suits you best. Choose the alert types you want to get.
This plugin enables you to block any suspicious IP addresses that visit your website. It submits your site details to their database, allowing the remaining users to view the sites that have blacklisted them and read comments. The plugin features new functionality that enables you to prevent visitors from spamming your site.
How the plugin works
- Visit “Blacklist” and scroll until you see the option to include IP addresses in the Blacklist section. You can then insert the IP you want to restrict. This procedure allows you to keep out IP addresses manually.
- You can navigate to the “Comments” section of the plugin to get rid of any spammers. You can then get the IP details of these spam commenters by visiting IP-finder.me. Visitors whose IPs have been blocked will not get access to any of your site’s content
- Going to “IP Blacklist” will allow you to remove any IP addresses from your blocked list. You’ll also be able to get your website’s link off the list of sites that have blacklisted that IP.
- You can comment on IP Cloud to inform other website owners why you’ve blacklisted the IP address.
Also Read – How to remove google blacklist warning message
Block IP range to prevent Brute Force Attack
The problem in all the above methods is that you need to find the IP address of the user. Though you can find it from the comment or server log, it is difficult for you to identify the severity of the attack. Sometimes, blocking single IP will not help since the attacker can use multiple IP addresses. In such case, you can use brute force attack plugins to block the previously identified attackers beforehand.
If you are using Jetpack plugin, enable brute force attack prevention under “Jetpack > Settings > Security” section. There are many other wordpress security plugins you can use to secure your site.
Is Your Website Secure?
Worried that your website may be open to attacks? Getting a security scan can help you identify any of your website’s malware, so you can get rid of them and get your site back in good shape. With Wp Hacked Help’s inspection, you get detailed, thorough clean-up reports on your website, informing you of any possible vulnerabilities. If you find any malicious code in your website we can fix your hacked wordpress site.
Thwarting hackers shouldn’t be as difficult as most website owners make it out to be. By blacklisting dodgy IPs using your dashboard, you can keep them out and prevent your site from falling victim to their attacks.
That said, don’t expect user IPs to remain the same. Unwanted visitors can use different IPs to access your site. Even if you block them once, they may return with new addresses. That’s why we’d recommend that you routinely stick to one of these options we’ve mentioned above and quickly block new, malicious IPs every time they pop up.