WordPress is a robust content management system for online publishers. However, WordPress sites attract a large number of security threats because of their standard setup. Recently, we noticed a sudden, unexplained spike in traffic on our site. After analysis, we found that a specific IP address was accessing hundreds of pages at that moment. We had to track down the IP address and block its access to reduce the spike. In this article, we will explain how to track down the IP addresses of malicious users and block them in WordPress.
Finding Traffic Spike
The easiest way to find real-time traffic data is to use Google Analytics. You do not need to worry about momentary traffic spikes that die out in a short time. However, sometimes you will notice that a traffic spike continues for longer, say for an hour. In this case, you have to take immediate action before the server crashes.
Open Google Analytics and go to the “Realtime” reports section of your website property. Here you can find the number of users currently on your website. Click on “Locations” to narrow down the traffic to a specific country and city. This will help you find the geographical location the traffic is coming from. In addition, you can apply filters for “Medium” and “Source” to confirm that the traffic comes from direct access to your site and not from search engines or a referral source. As you can see in the screenshot below, there are 87 users online from the city “Slough” in the United Kingdom.
This is unusual, as these visits have been showing for more than an hour with a similar number of users.
Tracking IP Address
The problem is that Google Analytics does not record the IP addresses of users. However, there are different methods to find and block them.
Getting Traffic Details from Server Access Log
The process of accessing the server log differs depending on your hosting interface. For example, SiteGround uses a custom Site Tools interface, and here is how you can access the log:
- Log in to your account and go to the “Websites” tab.
- Find the website whose server log you want to view and click on the “Site Tools” button.
- Go to the “Statistics” section and click on “Access Log”.
- You can find the latest access log details with IP addresses. Click the “Refresh” link to get the latest access details.
- Click the “Copy to Clipboard” link to copy the details, which you can paste into any text editor for offline analysis.
If your host uses the cPanel interface, as Bluehost does, here are the steps:
- After logging in to your account, navigate to the “Advanced” menu to open cPanel.
- Search for and open the “Raw Access” app under the “Metrics” section.
- Here you can select the domain and download the raw access log file to your computer.
You can get the IP address of the user or robot that is accessing your site from the server log data.
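As an added example (not part of the original article), this Python script ranks the client IPs in a downloaded raw access log by request count, which is the offline analysis described above. It assumes the log uses the common Apache/Nginx "combined" layout; the sample lines and the 100-request threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: Apache/Nginx "combined" format, e.g.
# 203.0.113.50 - - [12/Mar/2024:10:00:00 +0000] "GET /page/ HTTP/1.1" 200 5120 "-" "UA"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} \S+'
)

def summarize(lines):
    """Group parsed log lines by client IP; malformed lines are skipped."""
    stats = defaultdict(lambda: {"hits": 0, "paths": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ip"]]
        s["hits"] += 1
        s["paths"].add(m["path"])
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def heavy_hitters(lines, min_hits=100):
    """Return (ip, hits, distinct_pages, minutes_active) rows, busiest first."""
    rows = []
    for ip, s in summarize(lines).items():
        if s["hits"] >= min_hits:
            minutes = (s["last"] - s["first"]).total_seconds() / 60
            rows.append((ip, s["hits"], len(s["paths"]), round(minutes, 1)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample: one client requesting 240 pages in an hour, one normal
# visitor, and one malformed line. Replace with open("access.log") for real data.
SAMPLE = [
    f'203.0.113.50 - - [12/Mar/2024:10:{i // 4:02d}:{(i % 4) * 15:02d} +0000] '
    f'"GET /post-{i}/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'
    for i in range(240)
] + [
    '198.51.100.7 - - [12/Mar/2024:10:05:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, hits, pages, minutes in heavy_hitters(SAMPLE):
        print(f"{ip}\t{hits} requests\t{pages} pages\t{minutes} min")
```

An IP with a high request count spread across many distinct pages over a long active window matches the sustained spike described earlier; confirm it is not a legitimate crawler before blocking it.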
Using AWStats App
The server log is raw data, so you may find it difficult to analyze the traffic. There are a few alternatives that can show you the details in graphical form. AWStats is a standard app available in most hosting accounts. You can find the details under “Hosts (Top 25)” with IP details.
Some hosting companies offer custom apps in the account to get the latest visitor details. For example, Bluehost offers a custom app called “Visitors” that shows details of the latest 1000 visitors to your site. You can open the app from the cPanel section and view the IP address along with the time and referral URL. In addition to finding the IP, you can easily find the referral source and block it if the domain is malicious.
Getting IP Address Using a Plugin
Though the server log is an easy way, many hosting companies do not provide a real-time server log. If you are not able to get real-time data or have difficulty getting the correct IP from the log file, try using a plugin for this purpose. The best option is to use the popular Wordfence plugin to get live traffic data on your WordPress dashboard.
- Log in to your admin panel and navigate to the “Plugins > Add New” section.
- Search for “activity” to find Wordfence Security – Firewall & Malware Scan plugin.
- Install and activate the plugin.
- Go to the “Wordfence > Tools” menu and check under the “Live Traffic” tab.
- Click on “Live Traffic Options” and enable the “All Traffic” button.
- Now you can see all traffic details, with the IP address, accessed URL and user agent for each visitor to your site.
- You can click on the “See Recent Traffic” button to view all recently viewed pages from that IP address. The plugin will also show whether the visitor is a human or a bot to make your task easier.
Blocking IP Addresses
As with tracking, you can block an IP address in WordPress from your hosting account or by using a plugin.
Blocking IP from Hosting Account
Here is how to block an IP address from SiteGround. When you are in the Site Tools section of your site, go to the “Security > Blocked IPs” menu. Enter a single IP address or an IP range and click on the “Block” button to permanently block it from accessing your website.
If you are using cPanel, here is the process with Bluehost:
- Log in to your hosting account and click on the “Advanced” menu to go to the cPanel section.
- Scroll down and find “IP Blocker” under the “Security” section. Alternatively, you can use the search box to find the “IP Blocker” app.
- Click on the app and enter an individual IP address, a range or a domain name to block its access.
Using Plugins for IP Blocking
You can use the same Wordfence plugin to block the IP addresses of malicious visitors. The best part is that you can do the blocking in the same live traffic section explained above. Instead of Wordfence, you can also use other plugins like All In One WP Firewall and Security to block and lock down a malicious user’s IP. However, these plugins will be heavy for your site if your only purpose is to track IPs as needed.
Check out different ways of blocking IP addresses in WordPress and choose the best one for you.
Using Cloudflare WAF
Content Delivery Network services like Cloudflare offer a Web Application Firewall (WAF) to protect your site from hackers. After finding the spam IP addresses from your server log or plugin, you can set up a firewall rule in Cloudflare to block them. The advantage is that Cloudflare blocks the access before it reaches your server, saving a lot of bandwidth that can be used for real users. If you are using Cloudflare, log in to your account and navigate to the “Security > WAF” section. Make sure you are in the “Firewall rules” tab and click on the “Create firewall rule” button. On the next screen, you can provide the details and block the IP address.
As a website owner, you will be exploring different ways to get more traffic to your websites. However, there are automated bots and bad users that try to spike your traffic artificially. When you notice such activity, it is necessary to block them to safeguard your server from crashing. You can use one of the methods explained above to track and block user IP addresses in WordPress. If you are not able to block the bad traffic, temporarily put your site in maintenance mode to cool down the spike. You can look at firewall services like Cloudflare to permanently get rid of malicious bots.