The primary objective of most of the starter websites is to drive traffic from various sources. However, when the site grows in size, you need to take certain actions to restrict the traffic from comment spammers, invalid bots and human attackers. This is essential to safeguard your server resources can be used for real users and you pay for the hosting to get real visitors. In this article, we will explain 6 ways you can block IP address in WordPress.
6 Ways to Block IP Address in WordPress
- Default blocking of comment spammers
- Blocking individual IP address in cPanel
- Using plugin to block user-agent, ban users and block IP
- Geo blocking at country level
- Blocking brute force attack
- Use htaccess directive
1. Blocking Comment Spams
When people submit a comment on your WordPress site, each time it will call “comments.php” file execution and post the entered comment to backend SQL table. Receiving spam comments is a direct waste of spending your server resource and you further need to work on it. There are plugins like Akismet to identify spam comments and sent to trash directly without your intervention. However, it will not stop or block the spammer from sending spam comment. That means, it can save your time but not the resource.
When you receive spam comments from specific IP address, you can use the default function in WordPress to block the IP address.
- Login to your WordPress admin dashboard.
- Navigate to “Settings > Discussion” section.
- Scroll down to the “Comment Blacklist” section.
- Type in the IP address you want to block in the text box.
- Save your settings.
This will prevent the user from accessing “comments.php” file from the specified IP. You can also block some bad words, name, URL and email so that people cannot use them in comments.
2. Using IP Deny Manager in cPanel
The above method will only block the comment spam; however, the user can login and access your site from the same IP address. If you suspect a user is trying to do malicious activity on your site then the good idea is to block the complete access to protect your site.
- Login to your hosting account and go to the cPanel.
- Search for IP Deny Manager and open the app.
- You can block individual or range of IP address. Type in the IP address you want to block and click “Add” button.
3. Using Plugin to Block IP Address
Every time logging to cPanel for blocking IP address is a hassle. The easiest way is to have a multipurpose security plugin that helps to protect your site. All in One WP Security and Firewall is one of the popular and free plugin you can try for this purpose.
- Install and activate the plugin from your admin panel.
- Navigate to “WP Security > Blacklist Manager” section.
- Similar to cPanel, enter individual IP address or a range and block the access.
- In addition, you can also block user-agent and comment spammers with this plugin.
4. Geo Blocking
Geo blocking is the way to stop serving your site’s resources to particular country or region in the world. Generally, webmasters simply block China and Russia from where most of the hacking attacks are originating.
- All in One WP Security and Firewall plugin also offers a country blocking add. However it will cost you $29.95 for single license.
- You can try other free plugins and block the IP addresses of users from any specific country.
5. Brute Force Attack
The problem in all the above methods is that you need to find the IP address of the user. Though you can find it from the comment or server log, it is difficult for you to identify the severity of the attack. Sometimes, blocking single IP will not help since the attacker can use multiple IP addresses. In such case, you can use brute force attack plugins to block the previously identified attackers beforehand.
- The All in One WP Security plugin offers extensive support to prevent brute force attacks. You can rename the login page, set cookie based prevention and login captcha. Also you can add hidden honeypot field in the login page. This field is only visible for bots and when the form is submitted with this field the plugin will redirect the robot to localhost IP address instead of your web server.
- If you are using Jetpack plugin, enable brute force attack prevention under “Jetpack > Settings > Security” section.
6. Using .htaccess to Block IP
The last option to block IP address is to add directive in your htaccess file.
- Login to your server using FTP client like FileZilla.
- Go to the root directory and locate .htaccess file. If it is not visible, you need to enable showing hidden files on the FTP software.
- Edit the file and add the below lines at the end of the file. Ensure to replace the example IP addresses, with the one you want to block.
Order Deny,Allow Deny from 18.104.22.168 Deny from 22.214.171.124
- Save the file and upload back to the server.
Security plugins like Wordfence allows you to track the live traffic to your site. Otherwise, you can use server log or Awstats in cPanel hosting account to get more details of the visitor’s statistics. Try to find the bots and non-human traffic to your site and block them if it is not necessary. Even you need to reduce the crawling activity of real search engines like Google to save your server bandwidth. As far as for IP address, you can use one of the above-explained methods to block.