Website security should be a top priority for every WordPress user. You’ll need to find ways to keep out troublesome bots and malicious users, so they can’t target your site with spam or steal sensitive information. Sometimes, that requires learning how to block IP addresses in WordPress.
This is possible through the use of ‘blacklisting’ – a technique that restricts specific IPs from using certain features on your site, or keeps them from accessing it altogether. For example, you can use blacklisting to ban addresses that have raised specific red flags, or to keep spammers out of your comments section.
In this post, we’ll introduce you to the concept of blacklisting and talk about the situations where it can serve as a useful technique. Then we’ll show you how to block IP addresses in WordPress using two different methods. Let’s get to work!
An introduction to blacklisting
Every user who visits your WordPress site has an IP address. This number identifies a particular Internet connection (network) and remains constant even if the same user creates multiple accounts. This means you can use IP addresses to keep an eye on your visitors and spot any that appear to be malicious.
The following are examples of red flags that will indicate that the user of a specific IP address is potentially malicious:
A high number of consecutive login attempts (indicating a potential attempt to hack your site).
Lots of spam comments posted by users from the same IP address.
Access attempts on sensitive or restricted information by an unknown user, or a user without the correct permissions.
If you see a pattern of suspicious activity like this, you can ‘blacklist’ the IP addresses involved. In other words, you can ban any users originating from that address. This can either be a total ban – so they can’t access your site at all – or it can simply be a restriction from specific features or areas of your site.
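The red flags listed above can be looked for in a web server access log. The following is an added example, not code from the original post: it counts consecutive failed logins and comment posts per IP address over constructed sample lines. It assumes the combined log format, WordPress installed at the site root, and illustrative thresholds.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one IP guessing passwords, one posting comments in bulk,
# and one ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("198.51.100.23", "POST", "/wp-comments-post.php", 302)] * 4
    + [_line("192.0.2.10", "POST", "/wp-login.php", 200),
       _line("192.0.2.10", "POST", "/wp-login.php", 302),
       _line("192.0.2.10", "GET", "/", 200)]
)

def flag_ips(log_text, login_threshold=5, comment_threshold=3):
    """Map each suspicious IP to the reasons it was flagged."""
    streak, worst, comments = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method != "POST":
            continue
        if path == "/wp-login.php":
            # Assumption: a failed login re-renders the form (200) and a
            # successful one redirects (302), which resets the streak.
            streak[ip] = streak[ip] + 1 if status == "200" else 0
            worst[ip] = max(worst[ip], streak[ip])
        elif path == "/wp-comments-post.php":
            comments[ip] += 1
    flagged = {}
    for ip, n in worst.items():
        if n >= login_threshold:
            flagged.setdefault(ip, []).append(f"{n} consecutive failed logins")
    for ip, n in comments.items():
        if n >= comment_threshold:
            flagged.setdefault(ip, []).append(f"{n} comment posts")
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_ips(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```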
How to block IP addresses in WordPress (2 methods)
As we mentioned earlier, one of the most useful aspects of blacklisting is that you can choose exactly what you want to block suspicious users from doing. Now, let’s discuss how to block IP addresses in WordPress using two different methods. The first will be a more targeted strategy, while the second keeps problematic users out of your entire site.
1. Block specific IP addresses from using your comments section
A common use for blacklisting is to prevent spammers and bots from posting unwanted messages in your comments section. If you visit the Comments tab in your WordPress dashboard, you can see the IP address each message was posted from:
When you notice multiple spam comments resulting from the same IP – even if they’re posted by different users – you can simply block that address. To do this, navigate to Settings > Discussion and look for the Comment Blacklist field:
Here, you can paste in any problematic IP addresses. Save your changes, and users from those IPs will no longer be able to post comments on your site.
If you’re worried about accidentally blacklisting legitimate users, you can instead place suspicious IPs in the Comment Moderation field just above. New comments from those addresses will then be held for your approval, so you can keep an eye on them to see if they are actually spammers.
2. Ban IP addresses from your site completely
Of course, you may also want to block users with a pattern of suspicious activity from accessing your site altogether. To do that, you can make a simple addition to one of your WordPress files. Make sure you have a recent backup in place first, as a security precaution. Then, you’ll need to log into your site directly using File Transfer Protocol (FTP).
With your FTP client open and running, look for your website’s root folder. This is often named after your domain, but might also be called www or root. With this folder highlighted, find the .htaccess file:
Right-click on this file, and select View/Edit. This will open the file in your default text editor, enabling you to make changes. On a new line at the bottom of the file, paste in the following:
# Allow everyone, then deny the addresses listed below
Order Allow,Deny
Allow from all
Deny from 111.222.333.444
You’ll want to replace the string of numbers in the final line with the first IP address you want to block. Then you can add additional Deny lines, each with a new IP. Save the file, and users from those IP addresses will no longer be able to access your site.
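Before pasting addresses into .htaccess, it helps to validate them, since a mistyped entry or a range that covers your own address can lock you out. The following is an added example, not code from the original post: it builds the deny rules from a list of addresses, in the Order/Allow/Deny form shown above or in the Require form that Apache 2.4 uses. The function name, the sample addresses and the administrator address 192.0.2.10 are hypothetical.

```python
import ipaddress

def build_deny_block(addresses, never_block=(), apache24=False):
    """Return (rules, rejected): .htaccess text plus the entries left out."""
    protected = [ipaddress.ip_address(a) for a in never_block]
    nets, rejected = set(), []
    for raw in addresses:
        try:
            # Accepts single addresses and CIDR ranges, IPv4 or IPv6.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)   # not an IP address at all
            continue
        if any(p in net for p in protected):
            rejected.append(raw)   # would lock out an address you rely on
            continue
        nets.add(net)              # the set drops duplicates
    if not nets:
        return "", rejected
    ordered = sorted(
        nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    targets = [str(n.network_address) if n.num_addresses == 1 else str(n)
               for n in ordered]
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {t}" for t in targets]
        lines.append("</RequireAll>")
    else:
        lines = ["Order Allow,Deny", "Allow from all"]
        lines += [f"Deny from {t}" for t in targets]
    return "\n".join(lines), rejected

# Constructed input: the page's placeholder, a duplicate, a range, and a range
# that contains the hypothetical administrator address 192.0.2.10.
WANTED = ["111.222.333.444", "203.0.113.7", "203.0.113.7 ",
          "198.51.100.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    rules, rejected = build_deny_block(WANTED, never_block=["192.0.2.10"])
    print(rules)
    print("left out:", rejected)
```

The placeholder 111.222.333.444 is rejected because it is not a valid IP address, which is why it has to be replaced before the rule can block anything.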
3. Ban IP addresses and spam using a plugin
1. In the WordPress Admin Panel go to the “Plugins” section and press the button “Add New”.
2. Find the plugin “Spam Protection by CleanTalk” by typing the keyword “cleantalk”. Press the button “Install Now” near the plugin's name.
3. After the process of installation press “Activate”.
4. Go to “Settings > Anti-Spam by CleanTalk”:
Hover your mouse pointer over the CleanTalk Panel on the top of the page and click the line “Settings”.
Copy the access key from your CleanTalk Control Panel and paste it in the “Access key” field, turn on the options of the plugin and press the button “Save Changes”.
Do a test registration or post a test comment using the blacklisted e-mail firstname.lastname@example.org.
Do not perform any tests while logged in as an administrator.
To test whether SpamFireWall is working, add /?sfw_test_ip=10.10.10.10 to your site name. Example: www.yoursitename.domain/?sfw_test_ip=10.10.10.10 (you should see the blocking screen).
Attention! You should test SFW with incognito mode switched on. To enable incognito mode press Ctrl+Shift+N for Chrome, Opera and Safari browsers; press Ctrl+Shift+P for Firefox, Internet Explorer and Microsoft Edge.
Blacklisting might initially sound like a bad thing, but it’s actually a very useful method for protecting your website. By learning how to block IP addresses in WordPress, you can keep hackers and spammers at bay without inconveniencing your legitimate users.
Once you’ve decided to implement blacklisting on your site, here are two ways you can get the job done:
Block specific IP addresses from your comments section, using default WordPress functionality.