Ever received unwanted comments from your site’s visitors?
Want to block an IP address from logging in to WordPress?
Want to automatically blacklist a range of IP addresses?
If you’ve answered yes to either of these questions, then chances are good that unauthorized users may be trying to gain access to your site.
Are you worried about the security of your WordPress site? Want to secure the WP Administrative panel?
You need to consider blocking IP addresses in WordPress. Restricting admin access by IP address is an effective method to secure your WordPress admin panel.
In this article, we’ll tell you how to restrict or block specific IP addresses from logging in to the WordPress dashboard, and which WordPress plugins you can use for blocking IP addresses.
Securing your website is critical, as it holds both your personal information and any other data that users share with you. That’s why dealing with these invaders should be a top priority. One easy way to get rid of them is by blocking any IP addresses that seem malicious.
You’ll learn how to block specific IP addresses in WordPress and enhance your website’s security in this article. Let’s dive in. Before that, don’t miss our post on how to whitelist an IP address in WordPress.
Spammers or hackers may be trying to attack your website. Need to blacklist IP addresses in WordPress to prevent spam or malicious users? By blacklisting their IP addresses, you can keep them out. Here are 4 reasons why you may want to block them:
Commenters may be contributing regularly to your site’s spam. You’ll often discover some shady advertisements in your comment section. By blocking these dubious visitors, you’ll be able to:
Some users may not be spamming per se but they may be interacting like bots. Their presence can present a lot of challenges, especially if you’ve set up a user forum. Restricting suspicious IPs stops these bots in their tracks.
You may be limiting your site’s access to only authorized visitors who aren’t required to create individual accounts. You can fend off unwanted users by restricting IPs to only those users in specific regions. Unfortunately though, if they’re using SSL proxies, it won’t be easy to identify them.
A staggering 90% of hacked websites are built on WordPress, a Sucuri study states. Hackers primarily use two ways to gain illegal entry to your site: DDoS and brute force. Identifying shady IPs and restricting them helps obstruct these attackers and is one of the advanced tips you can use to secure your WordPress site from hacking.
You can find IP addresses you want to block using these two ways:
First, you need to have an idea of which IPs are causing issues before you can blacklist them. If you discover they’re from spammy or dodgy commenters, then the blacklisting process becomes easy.
WordPress stores the address of all your site’s commenters. To get their address, visit the dashboard, then navigate to the “Comments” section.
The “Author” section will display the IPs of every commenter, right below usernames and email addresses. Write down the IPs you want to shut out. You’ll key them into specific fields later.
Finding IP addresses when your site is facing DDoS attacks can be challenging. In such cases, you can obtain IPs by looking into your access log.
You have to log in to cPanel. Click on “log” and scroll to “Raw Access Logs”. Selecting this section will lead you to the access logs section. Here, you have to choose your domain name, and then download your access logs file.
Downloaded access log files are normally in .gz archive format. To use the file, you have to extract it. Some computers don’t have the programs necessary to open such files. If this is the case, then you need to install a program that supports such files. Two popular apps for extracting archives are WinZip and 7-Zip; you can download them on any Windows device.
The access log file, which you’ll find inside the archive, can be opened with Notepad or any similar app. The file gives you access to all raw data of requests sent to your site. IP addresses making these requests appear first on the line, so they’re very easy to get hold of.
If you’re not careful, you can restrict the IP addresses of search engines and other normal users. To capture the right IPs, you have to first record all IPs that seem suspicious. You can then paste them into any IP lookup tool so that you can analyze them further.
Receiving too many requests from a single address may be an obvious sign that you’re dealing with a dubious IP. Note down such addresses in a different text file, as they may be up to no good.
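The log review described above can be scripted. The following is an added example, not code from the original article: it reads a raw access log (plain or .gz), counts requests and `wp-login.php` POSTs per IP, and lists the addresses worth checking in an IP lookup tool. The function names, the thresholds and the sample lines are assumptions made for illustration, and the log is assumed to be in the common "combined" format.

```python
import gzip
import re
from collections import Counter

# Combined log format: the client IP is the first field on every line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')

def _line(ip, method, path):
    return f'{ip} - - [12/Mar/2021:10:00:01 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample (documentation-range IPs), not real traffic.
SAMPLE_LOG = ([_line("203.0.113.7", "POST", "/wp-login.php")] * 3
              + [_line("192.0.2.50", "GET", "/blog/")] * 4
              + [_line("198.51.100.23", "GET", "/")])

def read_lines(path):
    """Yield lines from a raw access log, extracting .gz archives on the fly."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

def summarize(lines, allowlist=()):
    """Count all requests and wp-login.php POSTs per IP, skipping allowlisted IPs."""
    total, logins = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        ip, method, path = m.groups()
        if ip in allowlist:
            continue
        total[ip] += 1
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            logins[ip] += 1
    return total, logins

def suspects(lines, min_requests=4, min_logins=3, allowlist=()):
    """Return IPs over either threshold, busiest first, for manual lookup."""
    total, logins = summarize(lines, allowlist)
    flagged = {ip for ip, n in total.items() if n >= min_requests}
    flagged |= {ip for ip, n in logins.items() if n >= min_logins}
    return sorted(flagged, key=lambda ip: (-total[ip], ip))

if __name__ == "__main__":
    for ip in suspects(SAMPLE_LOG):
        print(ip)
```

On a real log, call `suspects(read_lines("access.log.gz"), ...)` with thresholds sized to your traffic, and pass verified search-engine or office addresses in `allowlist` so they are never flagged.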
You can restrict IP addresses using two methods:
We’ll look into both methods below. These are the best ways to block the IP addresses of invaders and DDoS attackers in WordPress.
To blacklist IP addresses and prevent them from leaving comments, visit the “Settings” column. Scroll to “Discussion” and click on “Comment Blacklist.” Paste all the IPs you want to keep out.
To manually block IP addresses, you have to use the .htaccess file. When blacklisting IPs using this file, you’ll use varying methods, depending on the IP address type. These types include:
If you have a single PC in your home that you always use to access your site, then you have a static IP address. This blacklisting method may be perfect for you if you barely ever change your address or if your site is only run by you and maybe a few people. You’ll need to include one or multiple addresses of people who can get into your site’s login page.
The following code will help you add a few IP addresses to your safe list, so you can keep away any unauthorized IPs. Make sure you click ‘Save’ before closing the file.
If you’re regularly accessing your site from different locations, then this solution may work for you. You need to enter this code into your file:
Remove the “your-site.com” part and insert your website’s URL, then update the path in the first and second lines. The code also comes with an error page that prevents your site from falling into the trap of a redirect loop.
Malicious users may try to gain access to your login page illegally with brute force attacks. The above code will lock these hackers out while giving access to legit visitors who come to the page using your actual site. These legit users won’t be able to tell the difference.
With a security plugin that shows you unsuccessful login attempts, you can see the difference this code makes with dynamic IP addresses.
Add the code as below:

```apache
order deny,allow
# Replace the below 117.168.1.10, 117.168.119.11 with the IP addresses you want to allow
#
allow from 117.168.1.10
allow from 117.168.119.11
deny from all
```
Apart from this, you can use the following WordPress plugins to ban IP addresses from logging in to the WordPress dashboard.
Write the following code to your .htaccess file. If you do not have an .htaccess file in your wp-admin directory, then simply create a new one.
```apache
# Apache 2.2 access-control syntax (on Apache 2.4 this requires mod_access_compat)
order deny,allow
# Replace the below 117.168.1.10 with your IP address
#
allow from 117.168.1.10
deny from all
```

The above code allows only the IP address listed in it to access the WordPress admin dashboard.
This method is the best way to block IP addresses of site invaders and DDoS attackers.
First, log in to your site’s cPanel, scroll to the “Metrics” menu and select “Raw Access”.
Each logged visit includes your site visitor’s IP address as well as the time and date of each visit. All you need to do is click on the link to download all the information. You can then extract the downloaded file using any zip application like Express Zip or WinZip, and view the information in any modern text editor like Notepad or Notepad++.
Be sure to look up the extracted IP addresses through an IP lookup tool such as the one by MxToolbox. This will help you identify the IP addresses that you would want to block traffic from.
Next, scroll to the “Security” section of your cPanel, and click on IP Blocker.
These IP addresses will surely no longer be able to access your site.
Security plugins help automate the process of restricting IPs – you don’t need to look for hackers manually. Some of the most popular blocking plugins include:
Similar to Simple IP ban, WP-ban users can block any specific IP or an IP range. The plugin displays a ban message to any banned user who tries to visit your site. In addition to wildcard matching, it also allows you to set aside specific addresses to prevent them from getting a ban. Whenever these excluded addresses visit your site, WP-ban records stats on the number of times they visit your website.
To use the plugin:
A free plugin, Simple IP ban does as its name suggests: blocks IP addresses through a simple process. To use the plugin, first, download it just as you would any other. Then head over to “Settings.” Click “Simple IP ban” and configure the plugin.
At the “Settings” section you’ll be able to:
Also, you can establish a redirect URL and prevent logged-in users from being blacklisted.
WordPress typically allows all users to access your site, granting unlimited login attempts by leveraging special cookies. This unlimited access leaves your site open to brute-force attacks, as your passwords and hashes can easily be hacked.
Login Attempts blacklists IP addresses, preventing users from making any more login attempts after they’ve surpassed the designated number of retries allowed. In essence, the plugin makes it difficult for dubious users to execute a brute-force attack.
Some of the plugin’s features include:
To use the plugin:
The simple security plugin allows you to track logins and unsuccessful login attempts on your dashboard. By upgrading to its premium version, you can get features that include:
Here’s how you can use the plugin:
This plugin enables you to block any suspicious IP addresses that visit your website. It submits your site details to their database, allowing the remaining users to view the sites that have blacklisted them and read comments. The plugin features new functionality that enables you to prevent visitors from spamming your site.
How the plugin works
The problem with all the above methods is that you need to find the IP address of the user. Though you can find it from the comment or server log, it is difficult to identify the severity of the attack. Sometimes, blocking a single IP will not help, since the attacker can use multiple IP addresses. In such cases, you can use brute force attack plugins to block previously identified attackers beforehand.
If you are using the Jetpack plugin, enable brute force attack prevention under the “Jetpack > Settings > Security” section. There are many other WordPress security plugins you can use to secure your site.
Worried that your website may be open to attacks? Getting a security scan can help you identify any malware on your website, so you can get rid of it and get your site back in good shape. With Wp Hacked Help’s inspection, you get detailed, thorough clean-up reports on your website, informing you of any possible vulnerabilities. If you find any malicious code in your website, we can fix your hacked WordPress site.
Thwarting hackers shouldn’t be as difficult as most website owners make it out to be. By blacklisting dodgy IPs using your dashboard, you can keep them out and prevent your site from falling victim to their attacks.
That said, don’t expect user IPs to remain the same. Unwanted visitors can use different IPs to access your site. Even if you block them once, they may return with new addresses. That’s why we’d recommend that you routinely stick to one of these options we’ve mentioned above and quickly block new, malicious IPs every time they pop up.