This guide will help anyone who wants to know how to block IP addresses in WordPress. The methods we look at include obstructing IPs from the WordPress Admin area and via cPanel. It’s also possible to block IPs with .htaccess, but that’s an approach best left to advanced users. First, let’s look at what an IP address is, and why you may want to ban some of them.
What Is a Unique IP Address?
A unique Internet Protocol—more commonly called IP—address is the virtual world’s equivalent to a real-world address. IP addresses are 32-bit binary strings presented in dotted decimal order. Every IP consist of 4 sets of numbers that range from 0–255. A period or dot separates each set of numbers. Okay, that’s enough of the tech talk for this guide.
Where Does the IP Address Come From?
It’s called an address because every IP is tied to a computer AT a physical location. Your Internet Service Provider (ISP) assigns you an IP address when you go online using an internet-connected device. The IP address from this computer is 188.8.131.52. A simple IP Lookup tool tells you the continent, country, town, or city of that IP in use.
An IP address also reveals a bunch of other data. Here’s how it looks for 184.108.40.206.
Who Sees Your IP Address?
All websites have an access log that stores an updated list of IP addresses and visitor details. Some people are uncomfortable with this legal form or data grab and choose to hide their IP. The way to conceal an IP address is to surf online using a virtual private network (VPN). Websites still get an IP address, but it’s not yours, thus hiding your personal information.
Why Webmasters Deny Some IPs
There are good reasons for WordPress webmasters to block certain IP addresses. When you block an IP, the person or bot associated with it can no longer access your site or has restricted access. First, we look at how to find the IPs of bad actors, and then we’ll get into ways to block them.
Usual reasons for site owners to block an IP address in WordPress are:
- Unwanted, repeat visits from bad actors
- Contact Us and or comment spam attacks
- Prevent hacking attacks from a known IP
- Stop Denial of Service (DDOS) attacks
The first two reasons are easier to identify, while the second two are less obvious. DDOS attacks, for example, can result in slow loading pages or periodic problems accessing the site. Blocking an IP address or range of IPs associated with bad actors can be an effective solution.
How to Identify Spam Comments
Websites save IP addresses to access logs. Fortunately, it’s easy to find these from inside your WP Dashboard. Now, let’s say you suddenly start to get a lot of spam comments. They could be blatantly obvious, but others are harder to spot for new and inexperienced webmasters.
- The spammers leave overly positive comments
- There’s no actual reference made to the topic
- They include a link or mention another website for further reading
Here’s a typical example of the kind of content that makes up a spam comment.
“Wow! Excelent article, I thoroughly enjoyed reeding it.
It’s clear to me you’re sensitive to the course and know what you’re takking about 🙂
I’ve written something similar on the subject at (link or name of site/resource).”
The example above is in sloppy English. Grammatical and spelling errors in a short comment are a typical warning sign. It’s also generic and recommends further reading elsewhere.
Use the following 4 guidelines to help identify spam comments.
- Comments are generic and could apply to any article on any topic
- The name of the commenter looks made up and fake
- Fake email addresses, e.g., [email protected]
- Commenter leaves odd-looking links or incomprehensible site URLs
New webmasters must get into the habit of reading past complimentary comments. There are some great plugin and security software options to protect against spammers and attackers. Even so, sometimes it’s better to block IPs, especially those from known blacklists.
How to Find IP Addresses for Comments
Consider blocking IPs if you’re getting bombarded with comment spam.
Click on Comments from your WP Dashboard side menu.
Below is some genuine spam. We have 4 comments from 2 spammers submitted over 3 days to the same post. Each one shows a different IP address and email. The names appear fake, the throwaway emails look suspect, 1 comment is nonsensical, and 3 are generic. These are prime examples of IPs that need blocking from the website.
It’s clear from these comments that the spammer used a VPN service and spam bot. Spambots are computer programs designed specifically to post spam on autopilot.
How to Find IP Addresses for DDOS Attacks
You need to check your access log from within cPanel if you suspect a DDOS attack. Read ‘What Is cPanel – A Quick Tour for Beginners’ if you’re new to this Linux-based control panel.
Login to your WordPress Hosting cPanel account.
Scroll down to the Metrics Section and click the Raw Access link.
Click on the domain name you want the Raw Access log for (current or archived).
You’re presented with the ‘Save As’ box. Give the zipped file a name or leave the default.
Click the Save button.
Point to note: You need to have a software program to unzip (open) .gz files. There’s a good chance you already have one, but consider installing Winzip or 7-zip if not.
Let’s look at why you may want to archive logs before you open the downloaded file.
Why archive log files
Access logs only hold onto data for several hours at a time. Therefore, you need to download them around the time you suspect the site is under attack. If you’re monitoring the situation regularly, make sure you check the Archive log files box in the Raw Access screen. You can also keep or remove archived logs from the previous month.
Now double-click to open your downloaded Access Log zip folder.
Right-click on the access log file and select View File to open it in a plain text editor.
Here’s how the raw data looks in a text editor.
It’s easy to scan as each line starts with the IP address making the request. What you’re looking for here is suspicious activity. Normal activity shows lots of different IPs connected to ports, like the one above. Any suspicious activity would show a single IP connecting to 100s or even 1000s of ports. That’s evidence of a DDOS attack, and that IP would need to go on your block list.
What to do with suspect IPs
Copy and paste any suspect IP addresses from the raw access file into a separate text editor. If there are any you’re unsure of, copy them anyway. You can then put it/them through an online IP blacklist checker to get more details.
How to Block Suspicious IPs in WordPress
It’s not difficult to block suspicious IPs from your WordPress blog or website. The easiest way is to add them to the Disallowed Comment Keys box in the WP admin area.
Go to Settings => Discussion from the Dashboard side menu.
Navigate to the ‘Disallowed Comment Keys’ section.
Paste the saved IPs into the Disallowed Comment Keys box.
Each IP must go on a separate line, as shown in the image below.
Remember to click on Save Changes when you’re done.
Spammers or spam bots from the IP list still have access to your website or blog. However, WordPress won’t allow them to publish content as they’re now on a comment blacklist. Any attempts from these addresses go straight into the trash bin.
Blocking IPs from cPanel
Blocking IPs from within cPanel is the best approach to stop DDOS attacks and hacking attempts. IPs added this way are denied access to your website.
Login to your cPanel account
Go to the Security section and click IP Blocker.
You’re now at the IP Blocker screen.
Type or paste an IP or IP range into the IP Address or Domain box, then click Add.
A success message confirms the action. Click the Go Back link to return to the IP Blocker screen.
IPs you block are added to the Currently-Blocked IP Addresses section at the bottom of the screen. These IPs can no longer access your WordPress site. If you added an IP address to the blocker in error, click the Delete link in the Actions column.
When Manual IP Blocking Fails
Hackers and hacking methods have become increasingly advanced in recent years. Such attacks don’t use a specific IP address or IP range. Instead, they attack using a huge, random pool of IPs from around the world. The IP block methods in this guide are futile against brute force attacks and sophisticated hacks. You’re unlikely to be a victim if your site is small and personal, though.
What about larger, successful projects? Websites that collect personal data from members and customers are more attractive to cybercriminals and at higher risk. Consider a Web Application Firewall (WAF) if your WordPress website falls into this category.
How web application firewalls work
A web application firewall is a step up on the security ladder from a regular firewall (FW). Any firewall is better than none, but the standard systems can only shield against so much.
A WAF figures out malicious traffic from safe traffic at higher levels. It filters, monitors, and blocks all malicious HTTP/S flood and slow loris DDoS attacks from its own servers. Thus, WAF-protection prevents suspicious IPs from ever reaching the shielded website. These systems are vital for sites that need to protect their precious web apps and data from bad actors.